I just spun up a private instance of lemmy on the cheapest Linode. So far so good.
I used the ansible method of installing the instance on the default Debian 11 image from Linode (link below).
I feel a bit worried that there are no firewall instructions in the install documents. And no notes on securing your instance.
Any thoughts on how to set up ufw for a lemmy instance? Or thoughts on other security tips?
So a good exercise for threat modeling is to think through what would happen if your instance is compromised. Are there shared passwords on the machine? Other services? Private user data? Etc. Most likely your answer is there is nothing particularly sensitive on your Lemmy machine. If the instance is compromised they just have access to your compute resources at which point they might try to mine crypto with it or something.
So with that in mind, I might check on your billing model to make sure there isnt any sort of scaling cost they might be able to run up if that happened. Perhaps put some resource usage alarms in place. Im honestly not familiar with Linode, but have a lot of experience with AWS and GCP from my job.
I also recently found a nice general guide to securing a Linux server on GitHub you might find useful or interesting.
Great insights! Yeah, you’re right. There is nothing they can get from the machine that really compromises anything important. It is indeed the compute resources that are what needs to be kept an eye on.
It’s a really good idea to put usage restrictions in place. There are already alerts in place, but I have scaled the triggers way down, as lemmy really doesn’t use a lot of resources ATM. Will look into restrictions also.