this post was submitted on 14 Jun 2023
13 points (93.3% liked)

Selfhosted

40165 readers
909 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I just spun up a private instance of lemmy on the cheapest Linode. So far so good.

I used the ansible method of installing the instance on the default Debian 11 image from Linode (link below).

I feel a bit worried that there are no firewall instructions in the install documents. And no notes on securing your instance.

Any thoughts on how to set up ufw for a lemmy instance? Or thoughts on other security tips?

https://github.com/LemmyNet/lemmy-ansible

you are viewing a single comment's thread
view the rest of the comments
[–] macgregor@lemmy.world 2 points 1 year ago (1 children)

So a good exercise for threat modeling is to think through what would happen if your instance is compromised. Are there shared passwords on the machine? Other services? Private user data? Etc. Most likely your answer is there is nothing particularly sensitive on your Lemmy machine. If the instance is compromised they just have access to your compute resources at which point they might try to mine crypto with it or something.

So with that in mind, I might check on your billing model to make sure there isnt any sort of scaling cost they might be able to run up if that happened. Perhaps put some resource usage alarms in place. Im honestly not familiar with Linode, but have a lot of experience with AWS and GCP from my job.

I also recently found a nice general guide to securing a Linux server on GitHub you might find useful or interesting.

[–] flea@hive.atlanten.se 1 points 1 year ago

Great insights! Yeah, you're right. There is nothing they can get from the machine that really compromises anything important. It is indeed the compute resources that are what needs to be kept an eye on.

It's a really good idea to put usage restrictions in place. There are already alerts in place, but I have scaled the triggers way down, as lemmy really doesn't use a lot of resources ATM. Will look into restrictions also.