Inspired by this comment to try to learn what I’m missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?
I don’t put it on the Internet.
I have automatic updates enabled and once in a while I scan with Nessus. Also I have backups. Stuff dying or me breaking it is a much greater risk than getting hacked.
I agree - I don’t expose anything to the internet other than the WireGuard endpoint.
I’m only hosting services that my immediate family need to access, so I just set up WireGuard on their devices, and only expose the services on the LAN.
I used to expose services to the internet, until one of my #saltstack clients was exploited through a very recent vulnerability I hadn’t yet patched (only a week or so since it was announced). I was fortunate that the exploit failed due to the server running FreeBSD, so the crontab entry to download the next mailicious payload failed because wget wasn’t available on the server.
That’s when I realised - minimise the attack surface - if you’re not hosting services for anyone in the world to access, don’t expose them to everyone in the world to exploit.
This is the way
TBF if you want, you can have a bastion server which is solely whitelisted by IP to stream your content from your local server. It’s obviously a pivot point for hackers, but it’s the level of effort that 99% of hackers would ignore unless they really wanted to target you. And if you’re that high value of a target, you probably shouldn’t be opening any ports on your network, which brings us back to your original solution.
I, too, don’t expose things to the public because I cannot afford the more safe/obfuscated solutions. But I do think there are reasonable measures that can be taken to expose your content to a wider audience if you wanted.
Is Nessus free for personal use?
For up to 16 endpoints or something like that, yes.