I understand that people enter the world of self hosting for various reasons. I am trying to dip my toes in this ocean to try and get away from privacy-offending centralised services such as Google, Cloudflare, AWS, etc.
As I spend more time here, I realise that it is practically impossible; especially for a newcomer, to setup any any usable self hosted web service without relying on these corporate behemoths.
I wanted to have my own little static website and alongside that run Immich, but I find that without Cloudflare, Google, and AWS, I run the risk of getting DDOSed or hacked. Also, since the physical server will be hosted at my home (to avoid AWS), there is a serious risk of infecting all devices at home as well (currently reading about VLANS to avoid this).
Am I correct in thinking that avoiding these corporations is impossible (and make peace with this situation), or are there ways to circumvent these giants and still have a good experience self hosting and using web services, even as a newcomer (all without draining my pockets too much)?
Edit: I was working on a lot of misconceptions and still have a lot of learn. Thank you all for your answers.
DDOS against a little self hosted instance isn’t really a concern I’d have. I’d be more concerned with the scraping of private information, ransomware, password compromises, things of that nature. If you keep your edge devices on the latest security patches and you are cognizant on what you are exposing and how, you’ll be fine.
Of course security comes with layers, and if you’re not comfortable hosting services publically, use a VPN.
However, 3 simple rules go a long way:
-
Treat any machine or service on a local network as if they were publically accesible. That will prevent you from accidentally leaving the auth off, or leaving the weak/default passwords in place.
-
Install services in a way that they are easy to patch. For example, prefer phpmyadmin from debian repo instead of just copy pasting the latest official release in the www folder. If you absolutely need the latest release, try a container maintained by a reasonable adult. (No offense to the handful of kids I’ve known providing a solid code, knowledge and bugreports for the general public!)
-
Use unattended-upgrades, or an alternative auto update mechanism on rhel based distros, if you don’t want to become a fulltime sysadmin. The increased security is absolutely worth the very occasional breakage.
-
You and your hardware are your worst enemies. There are tons of giudes on what a proper backup should look like, but don’t let that discourage you. Some backup is always better than NO backup. Even if it’s just a copy of critical files on an external usb drive. You can always go crazy later, and use snapshotting abilities of your filesystem (btrfs, zfs), build a separate backupserver, move it to a different physical location… sky really is the limit here.
The DDOSED hype on this site is so over played. Oh my god my little self hosted services are going to get attacked. Is it technically possible yes but it hasn’t been my experience.
99% of people think they are more important than they are.
If you THINK you might be the victim of an attack like this, you’re not going to be a victim of an attack like this. If you KNOW you’ll be the victim of an attack like this on the other hand…
If you do it right you shouldn’t get hacked. Even if you do you can keep good immutable backups so you can restore. Also make sure you monitor everything for bad behavior or red flags.
Use any old computer you have lying around as a server. Use Tailscale to connect to it, and don’t open any ports in your home firewall. Congrats, you’re self-hosting and your risk is minimal.
Exactly what I do and works like a dream. Had a VPS and nginx to proxy domain to it but got rid of it because I really had no use for it, the Tailscale method worked so well.
I’ve been thinking of trying this (or using Caddy instead of nginx) so I could get Nextcloud running on an internal server but still have an external entry point (spousal approval) but after setting up the subdomain and then starting caddy and watching how many times that subdomain started to get scanned from various Ips all over the world, I figured eh that’s not a good plan. And I’m a nobody and don’t promote my domain anywhere.
