Hi there, I’ve been reading up on selfhosting for a couple of weeks now and I got my feet wet with a couple of things.
However, before really getting serious with it, I feel I need to get down the basics and make sure that my server will not end up a security hazard. My final goal would be to self-host my socials (Mastodon, Lemmy, Matrix) - just for myself.
What basic security do I need to have in place, considering these services? I’ll be running this on a VPS and so far I consider the following: disable password login (login with ssh key only) then set up nginx, fail2ban, and a basic firewall. I’d try to close all ports that are not required for the services I run. I’ll also change ssh port from 22 to something else and close port 22 as well.
Would this be a sufficient basis, or am I missing something crucial?
Bonus question: do you know of good tutorials to learn the above stuff? I’ve been following the guides on DigitalOcean (e.g. https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-20-04) and they seem decent enough - but I think I’ll need to get into more depth than that :)
Maybe try out FreedomBox?
freedomboxis a Debian package which automatically sets upapache2,firewalld,fail2banand Letʼs Encrypt. It also automatically adds pre-canned configuration files for applications you install with it (e.g. Mediawiki, WordPress, Matrix, Postfix/Dovecot). The theoretical goal of FreedomBox is to allow anyone to set up a webserver and administer it via a webUI. So, although I would say itʼs not quite there yet for command-line-illiterate users, I have found the software useful as a turnkey server to see what makes certain web applications tick, albeït in mostly vanilla form.For example, after installing a new app like WordPress, you could examine what exactly the FreedomBox scripts changed in the
/etc/apache2/or/etc/fail2ban/configuration files.