bro i actually dealt with the smae topic for weeks now and you forgot network segmentation using vlans, iptables or ebpf. also zero trust access instead of ssh is missing
I'm a sysadmin specializing in security and I block countries at work. It saved us a ton from exploit scans and from attempted exploits that we've previously patched. Our firewall can detect and block exploits and there is tons coming from a handful of countries. Also, it may have also saved us from being exploited on one occasion when an exploit attempt came from Russia going to an unpatched Pulse VPN appliance. There is a possibility that other measures would have caught it as well, but it was an excellent first layer of security in this instance. I highly recommend blocking Countries. I highly recommend blocking Russia, China, Ukraine, Crimea, and North Korea. You are correct that most attacks that I see originate from the US, so a layered security model is important but this one rules kills about 60% of all exploit and exploit scanning activity.
Blocking countries can be a terrible idea in some instances so it would be case by case. Where I work, we can’t. You end up blocking edge locations and CDNs. Not to mention our clients customers. Usually I can only block middle eastern countries.
Security professional here. Thanks for making this video! I'll be recommending folks view this video. You've described everything I suggest folks with home-labs do. The only minor disagreement I have is with setting up the proxy authentication after everything else is working. Set it up from the start and apply it to all services behind the proxy. You're in a much better spot if everything on your home-lab requires authentication on the proxy. Even if it means logging-in twice (to the proxy and the back-end service). This drastically lowers the attack surface. You can later exclude any services you'd like to remain public. Also, use some type of split DNS; where you serve the internal IP of the proxy to all internal clients. That way you can skip the hop to Cloudflare internally. And you can still access all your home-lab services if your internet connection goes out.
Good idea with internal DNS, it fixed my problem with all my selfhosted apps being routed through my slow 10mbps upload speed via cloudflare. I even get SSL still when using local dns for routing my domain to my server's local IP
As a tenured engineer (over 10 years in networking, security, and more) this was video was a fairly comprehensive guide to the extent of touching on different layers of protection for self-hosted solutions. Major kudos and for sure a sub from me. I'd say the only "aspect" missing is the time to do all this, aside from your job (if you have one). This has been the biggest thing for me. I host things internally, just not exposed to the Internet.
Would actually appreciate if Linode would sponsor a series on your channel with topics of your choosing that compare and contrast and shows how to run services remotely for distributed friends and family
I would so much rather listen to Linode tutorials from Tim rather than the guy they seem to have buddied with currently who spends a 20 minute video giving you the first 3 sentences of a man page.
You should make a video of home lab hosting from square 0 if you were to start from nothing (or start over) and how to set it up. Episode one: bare necessary hardware and how to set up Vlans. Episode two set up server (old pc), setup docker, and setup backups. Etc
I don’t think you need VLANs on your homelab. You have L3 switches and huge variety of internal networks, so, you can just use port isolation. It’s good for learning, but if your case is not learning or you want just to make it done with less configuring, you can skip VLANs and lose nothing.
Are we not gonna talk about the awesome illustration using those stickers or cardboard!, this video is amazing end to end, awesome visuals, clear, cuts to the chase. I really like this and have enjoyed every bit. Would be awesome if you can showcase the process of setting some of these stuff you mentioned in separate videos. Would love to see that and again awesome job 🙏
You have no idea how much knowledge I gained from this video/tutorial. I have watched a few of your videos including the "Put SSL on everything" but this was by far my favorite. Appreciate the effort that went into this. Subbed
I'm starting my journey into the world of servers with my first homelab and I've already watched this video a thousand times. Amazing content! It's very difficult to find accessible documentation that helps you understand why each step is necessary. I'm not a computer layman, but it's very difficult to get all the pieces to work together with the certainty that I'm not doing anything crazy. Thank you very much for the video, my friend!
Love it Tim! Although you say it is for a home lab, your excellent account, and all the great comments elaborating on it, will be an inspiration to improve the setup at my workplace. Thank you from a Dutchman!!
I am windows system engineer and I have been thinking about self hosted services for sometime now (around 2 years) somehow your video motivated me to start I have just started with the hardware and I am using your videos as a guide and inspiration and ideas to achieve what I want. Keep up the good work and the nice ideas
Great video, thanks! The production value is also really nice, it's obvious you're making great progress and you are by far my favorite homelab/tech youtuber. It's easy to recommand such a great channel. Thank you for everything you're doing and I hope to see many more of your content.
This video was amazing! Having the big picture (the visuals were perfect!) helps pull all these concepts together. I've watched a lot of videos of the self hosted pieces but without understanding how they fit together and the why, I felt lost.
Your video quality just keeps on improving. I really enjoy your work and you do a great job representing the self hosting community with a lot of polish and enthusiasm.
Happy to see you doing a security video, I just got my domain setup with cloud flare.. really cool to see that I can host public services without exposing my public IP.
Dude I'm learning so much from your videos! I got wireguard up and running recently and have only been hiding behind that, but this video is an awesome roadmap for me to up my selfhosting game. Def earned my sub, looking forward to learning more from you
Really helpful in terms of networking, however I missed a bit of endpoint hardening, configuring the OS firewall, hardening docker, kernel hardening, file permissions, etc. Although its kind of a rabbit hole to get into that lol
Great overview. To summarize home lab architecture this thoroughly in 18 minutes is downright impressive! I would just suggest adding a quick comment or addendum to the guide somewhere that Cloudflare proxies alone can't be depended on for blocking external attacks, even with IP allow lists. You'll also need to setup MTLS, otherwise another Cloudflare account could proxy malicious traffic to your account through to your servers.
Excellent video Tim, you covered quite a bit. One thing i might add (which would fall into permissions) is to make sure UNC (known as backdooring) is turned off. This makes it harder for an attacker to easily spread ransomware/malware throughout your network.
Cool video! Using pictograms makes it so easy to visualize :) For containers, running them with the least privileges possible (preventing privilege escalation), using specialized socket proxies for the services needing it (ie Traefik, Watchtower, Portainer...) and segmenting their networks to the lowest possible level is also a good idea
I really wish that there was a "latest-stable" tag like how there are LTS versions of operating systems. This way you could have a patching cycle that just checks for and applies the latest stable patch.
Thanks for another great video.m!! Your first advice is great: just don’t open up your home. As a non-professional have learned this the hard way a couple of years ago. Thanks for not forgetting to put in that advice!
@@alexitanguay Putting a server online while having forgotten having set up a test account called test with password test - it is one of those things that gets your ISP connection suspended until you explained your error after finding it in the first place. If you're not a professional in the field you are bound to do silly things like that.
That can probably be extended to include interesting features, for example if we put all IoT devices in a separate network, they should still be able to access Internet and be available from our trusted devices (phones), but should not have access (initiate connections) to our trusted devices.
@@vaddimka use rules / patterns like this. This is quite easy with Mikrotik routers. If source = IoT vlan & destination = phone vlan, then drop connection. Swop it around like this: If source = phone vlan & destination = IoT vlan, then allow.
I would add to this that you can make use of Qualys (self hosted) in order to scan for vulnerabilities in your Home lab. They have a free version for up to 16 devices !
Didn't realise that I should do conditional port forwarding. Just got Cloudflare's IP ranges added to my router. Excellent. Now to learn about VLANs as that's really the only other thing I don't have configured. Cheers Techno Tim!
This is sooo good!! Many years wondering what I would need to do to self-host stuff without putting myself at risk and you just told me everything in less than 20 minutes. Thanks a lot!!!
Thanks for this detailed and wonderfully illustrated explanation. Before coming across your video, I had read and watched many guides on self hosting that were not very clear on security steps (if they mentioned security at all). Your video is a gem of a resource!
Great video as always! Your concise, easy to follow and straight to the point videos are at this point kind of therapeutic to me! Like a few others have already suggested, I would also like to suggest making this video the start of a series of other videos, each of which goes into the actual set up of the main steps mentioned in this video. It would ultimately make for a very nice play list on home-labbing best security practices, and how tos!
Any chance of a tour of how your network is laid out? From the modem to your servers? Maybe a how to of how you have your stuff setup? Perhaps a video series/playlist? I would like to redo my home lab to do a better job of segmenting things out.
I think that for some odd reason SSH Bastion Hosts are strangely overlooked idea on the self-hosted environments. Servers on DMZ (behind the firewall on their own logical network, isolated from rest of the end devices) + Securely hardened Bastion host for server management access limits the attack surface to minimal as possible. Same goes to any intermediary device management portals etc...
this is great guideline for start self hosting security. If you need some kind of inspiration for the video, you might split this one into few yt videos and describe each section in details, giving some basic explanation for newbies on each topic, maybe using more examples and advices, or even setting this kind of server hosting from scratch giving examples on options within each layer of security. I've got this idea watching this section: 9:32, so it may be good starting point
Friends do not let friends use latest. Simply put: A good auto-update tool uses digests and actuall versioned tags(preferably preventing automatic master updates), to ensure a stable environment ;-)
Are yoh referring to Cloudflare Zero-Trust/Tunnels in this case? Or is this again, just a reverse proxy? It would increase latency in any way, but also security.
These are really great advices that you learn even in CCNA, so, good stuff. But the aspect of the host itself, about containers, os, virtualization, and updates it's something you don't see teached around often. Probably because is a market that's always changing, but it would be great to have an in-depth video about this part!
Another important consideration: Before self-hosting services on your "home" Internet connection, make SURE you check with your provider to see if they permit this. If you do it without their approval, you may find your services terminated for "hosting" (prohibited by almost all home Internet service providers, without upgrading to Business-Class services).
7:32 latest can also have breaking changes if it starts pointing to a major version release and may need hands on involvement from you. Already had this happen once and that will be the last time because I went ahead and changed all my containers to refer to specific release. Some projects have tags for major releases so I point to those instead if available (like a 5.0 tag pointing to the latest 5.0 release)
This really comes down to the use case, some times integrating 3rd party services by them self could actually cause more damage than setting up everything local only.
Once more a great video and another excellent source of inspiration. Totally love the little paper icons. You are good dude! I have to say that your channel has become my favorite one when it comes to IT related content. I am surprise that you haven't got more than 1 million subscribers considering the quality of your videos. It will be soon I am sure. This video comes just when I was considering rehosting some customers websites, perfect timing.
@@TechnoTim Hello Tim. Thank you for your kind message. In case you are reading this, I believe you would be the perfect person to do a tutorial on how to setup IPV6 with Docker. I have been struggling for the last week with this on my infrastructure. Proxmox in bridge mode with a /24 subnet from my ISP, Docker swarm on KVMs and PFSense on bare metal. I am trying to implement a vanilla IPV6 config with DHCPv6 on PFSense. Totally insane that I could not find a proper recipe to do this. The docker gateway behavior makes the whole access to containers particularly weird. In case you have some knowledge on this type of setup, it would be a great material to add to your collection. Take care !
Great video - if I was to host at home, I would add a second router behind my first router/firewall - so I have somehting like a DMZ - or go the VLAN path...
What would change if I config my server into DMZ instead of port-forwarding it (in the modem/router)? I know that the DMZ opens all the ports available for one machine, but it’s isolated from the rest of the network, does it make it more safer?
I really gotta get my IOT devices on thier own vlan, I went down that route a while back and broke all the mobile functionality.. Im sure its something on my part.
"Keep your {software of choice} up to date!" This is the conventional wisdom, and many people (including very senior software engineers) enable auto-update to the latest versions of their tools. But another conventional wisdom is that early adopters have the most problems. Be aware that the latest bug fixes also contain the latest vulnerabilities. Yes, update regularly, but keep an eye open for announcements of vulnerabilities in the software you use. Carefully consider skipping a version if a new vulnerability applies to your deployment.
Re: USG repetition... You can automate all Unifi USG via Ansible. Even learning Ansible for a simple connection and a quick loop to set all of those forwarding rules is a great way to quickly pickup and learn Ansible for a small simple task.
Great video, thought it should be pointed out that it is possible to allow a group of ingress IP's within UniFi by creating a firewall rule and apply it before predefined rules. The action should accept, then create an IP and port group for the source (this will be the cloudflare IPs that you created a rule per IP block for) and the destination should then be the machine to forward to. This does require 1 (ONE) port forward rule setup the way that you have setup, and then exclude the ingress IP used in the port forward from the cloudflare group. It's a bit of a hacky solution but it works.
@@TechnoTim it would be amazing to see a similar video for securing a cloud vps for self hosted applications. A lot more people now are leveraging the likes of Linode or DigitalOcean, but wish to retain privacy and security.
An additional method of protection I use when it comes to Cloudflare is ASN blocking. I've spent a lot of time collecting a lot of webhost and VPN providers network ASNs to effectively block a lot of potential bad traffic. I find this blocks A LOT of "bad actors" especially when attackers often rent multiple IPs from the same host. Simply blocking the hosts ASN will effectively block every possible IP that hosting provider owns, without necessarily having to block IP ranges themselves.
Thank you very much 🙏 I had no idea on how to secure my home server, without putting my family at riskt 😅 This Video gave me a good idea on what I had to do and look for ❤
Quick question. If you use the reverse proxy to get your certificates etc, does it mean that the service isn't encrypted between the reverse proxy and the endpoint in your local network? Or is there still certificate management required on the endpoint which is being accessed, from the reverse proxy?
I took a different route, setup nebula on all of my hosts inside homelab, on digital ocean, and my laptop. So, they are all linked into a overlay VPN network. Reliability still a bit needing to improve, but it mostly work.
Great video. I just set up an app with Cloudflare Argo Tunnel and restricted access to the domain with Cloudflare ZeroTrust. I wonder if it's worth it to put the APP behind a virtualized opnsense or if that is overkill
I'd say depending on your security requirements you DO want to use a system that is "end of life". Specifically one that doesn't have an Intel Government Management Engine or a Platform Government Security Processor. But anyway, yes, you would be wise to use a VPN such as wireguard if you have such requirements.
I've watched this so many times - but I keep coming back to it when I need to check over my security measures and see if there's something I need to change/implement. Best security video for self-hosting!!
New Customers Exclusive - Get a Free 240gb SSD at Micro Center: micro.center/0ef37a (paid)
American only. 🤦♂️
i dont have a microcenter near me :(
bro i actually dealt with the smae topic for weeks now and you forgot network segmentation using vlans, iptables or ebpf. also zero trust access instead of ssh is missing
This set up is far more secure than any company I've worked for.
And we can do this at home!
I still occasionally run into companies with passwords in the form of "CompanyName1234" so I'm not sure any kind of setup would really save them...
I'm a sysadmin specializing in security and I block countries at work. It saved us a ton from exploit scans and from attempted exploits that we've previously patched. Our firewall can detect and block exploits and there is tons coming from a handful of countries. Also, it may have also saved us from being exploited on one occasion when an exploit attempt came from Russia going to an unpatched Pulse VPN appliance. There is a possibility that other measures would have caught it as well, but it was an excellent first layer of security in this instance. I highly recommend blocking Countries. I highly recommend blocking Russia, China, Ukraine, Crimea, and North Korea. You are correct that most attacks that I see originate from the US, so a layered security model is important but this one rules kills about 60% of all exploit and exploit scanning activity.
Thank you for your valuable insight!
Blocking countries can be a terrible idea in some instances so it would be case by case. Where I work, we can’t. You end up blocking edge locations and CDNs. Not to mention our clients customers. Usually I can only block middle eastern countries.
I'm not in the US and you can bet I'll be blocking the entire continent
I'd be blocking the US as well lol
Also Iran or Nigeria to be blocked I say.
Security professional here. Thanks for making this video! I'll be recommending folks view this video. You've described everything I suggest folks with home-labs do.
The only minor disagreement I have is with setting up the proxy authentication after everything else is working. Set it up from the start and apply it to all services behind the proxy. You're in a much better spot if everything on your home-lab requires authentication on the proxy. Even if it means logging-in twice (to the proxy and the back-end service). This drastically lowers the attack surface. You can later exclude any services you'd like to remain public.
Also, use some type of split DNS; where you serve the internal IP of the proxy to all internal clients. That way you can skip the hop to Cloudflare internally. And you can still access all your home-lab services if your internet connection goes out.
Good call! Thank you for your expertise! It should be in place prior to! Also, I have a guide on split DNS with PiHole, should have mentioned it!
Good idea with internal DNS, it fixed my problem with all my selfhosted apps being routed through my slow 10mbps upload speed via cloudflare. I even get SSL still when using local dns for routing my domain to my server's local IP
@@TechnoTimcan we get a video on split DNS?
As a tenured engineer (over 10 years in networking, security, and more) this was video was a fairly comprehensive guide to the extent of touching on different layers of protection for self-hosted solutions. Major kudos and for sure a sub from me.
I'd say the only "aspect" missing is the time to do all this, aside from your job (if you have one). This has been the biggest thing for me. I host things internally, just not exposed to the Internet.
Would actually appreciate if Linode would sponsor a series on your channel with topics of your choosing that compare and contrast and shows how to run services remotely for distributed friends and family
I would so much rather listen to Linode tutorials from Tim rather than the guy they seem to have buddied with currently who spends a 20 minute video giving you the first 3 sentences of a man page.
You should make a video of home lab hosting from square 0 if you were to start from nothing (or start over) and how to set it up. Episode one: bare necessary hardware and how to set up Vlans. Episode two set up server (old pc), setup docker, and setup backups. Etc
Ditto.
Getting some pointers to absolute beginners are a great idea, because there's too much to learn and no clear, easy way of achieving it.
I don’t think you need VLANs on your homelab. You have L3 switches and huge variety of internal networks, so, you can just use port isolation. It’s good for learning, but if your case is not learning or you want just to make it done with less configuring, you can skip VLANs and lose nothing.
That'd be pretty dope
Are we not gonna talk about the awesome illustration using those stickers or cardboard!, this video is amazing end to end, awesome visuals, clear, cuts to the chase.
I really like this and have enjoyed every bit.
Would be awesome if you can showcase the process of setting some of these stuff you mentioned in separate videos.
Would love to see that and again awesome job 🙏
Thank you!
You have no idea how much knowledge I gained from this video/tutorial. I have watched a few of your videos including the "Put SSL on everything" but this was by far my favorite. Appreciate the effort that went into this.
Subbed
Thank you so much for the kind words and recognizing how much work went into this!
I'm starting my journey into the world of servers with my first homelab and I've already watched this video a thousand times. Amazing content! It's very difficult to find accessible documentation that helps you understand why each step is necessary. I'm not a computer layman, but it's very difficult to get all the pieces to work together with the certainty that I'm not doing anything crazy. Thank you very much for the video, my friend!
*looks over at Self Hosting video I just posted with disappointment*
Wooooo Microcenter sponsorship! Let’s Go!!! I’m digging the style of this vid.
I saw yours a few days ago! It was great! This just compliments it!
Love it Tim! Although you say it is for a home lab, your excellent account, and all the great comments elaborating on it, will be an inspiration to improve the setup at my workplace.
Thank you from a Dutchman!!
Thank you!
I am windows system engineer and I have been thinking about self hosted services for sometime now (around 2 years) somehow your video motivated me to start I have just started with the hardware and I am using your videos as a guide and inspiration and ideas to achieve what I want. Keep up the good work and the nice ideas
Thank you! You got this!
Great video, thanks! The production value is also really nice, it's obvious you're making great progress and you are by far my favorite homelab/tech youtuber. It's easy to recommand such a great channel. Thank you for everything you're doing and I hope to see many more of your content.
Thank you!
This video was amazing! Having the big picture (the visuals were perfect!) helps pull all these concepts together. I've watched a lot of videos of the self hosted pieces but without understanding how they fit together and the why, I felt lost.
Glad it was helpful!
Your video quality just keeps on improving. I really enjoy your work and you do a great job representing the self hosting community with a lot of polish and enthusiasm.
Thank you!
Happy to see you doing a security video, I just got my domain setup with cloud flare.. really cool to see that I can host public services without exposing my public IP.
Thanks man! Took a risk on this one!
Dude I'm learning so much from your videos! I got wireguard up and running recently and have only been hiding behind that, but this video is an awesome roadmap for me to up my selfhosting game. Def earned my sub, looking forward to learning more from you
Glad to hear it! Thank you!
Really helpful in terms of networking, however I missed a bit of endpoint hardening, configuring the OS firewall, hardening docker, kernel hardening, file permissions, etc. Although its kind of a rabbit hole to get into that lol
🐰🕳 it never ends!
This videos are just getting better every day, keep it up.
Great overview. To summarize home lab architecture this thoroughly in 18 minutes is downright impressive! I would just suggest adding a quick comment or addendum to the guide somewhere that Cloudflare proxies alone can't be depended on for blocking external attacks, even with IP allow lists. You'll also need to setup MTLS, otherwise another Cloudflare account could proxy malicious traffic to your account through to your servers.
Excellent video Tim, you covered quite a bit.
One thing i might add (which would fall into permissions) is to make sure UNC (known as backdooring) is turned off. This makes it harder for an attacker to easily spread ransomware/malware throughout your network.
Great tip!
Cool video! Using pictograms makes it so easy to visualize :) For containers, running them with the least privileges possible (preventing privilege escalation), using specialized socket proxies for the services needing it (ie Traefik, Watchtower, Portainer...) and segmenting their networks to the lowest possible level is also a good idea
I really wish that there was a "latest-stable" tag like how there are LTS versions of operating systems. This way you could have a patching cycle that just checks for and applies the latest stable patch.
There is with nginx, it really depends on the container maintainer and how they manage their releases!
@@TechnoTim Thanks!
WOW, This is by far one of the best self hosting videos on TH-cam! Excellent stuff Tim!
Wow, thanks!
Your videos are getting better every time, you're doing a great job. Not easy to explain and put all this together. Thanks
I appreciate that!
Thanks for another great video.m!! Your first advice is great: just don’t open up your home. As a non-professional have learned this the hard way a couple of years ago. Thanks for not forgetting to put in that advice!
Thank you!
What happened?
@@alexitanguay Putting a server online while having forgotten having set up a test account called test with password test - it is one of those things that gets your ISP connection suspended until you explained your error after finding it in the first place. If you're not a professional in the field you are bound to do silly things like that.
Hi Tim! I love your tutorials and homelab. Would be great to see a dedicated Pfsense video with VLAN setups including a managed router.
Thank you! Noted!
@@TechnoTim Thanks for the reply. I am so excited for the next video. All the best to you.
That can probably be extended to include interesting features, for example if we put all IoT devices in a separate network, they should still be able to access Internet and be available from our trusted devices (phones), but should not have access (initiate connections) to our trusted devices.
@@vaddimka use rules / patterns like this. This is quite easy with Mikrotik routers.
If source = IoT vlan & destination = phone vlan, then drop connection.
Swop it around like this:
If source = phone vlan & destination = IoT vlan, then allow.
This would be great, Vlan in Pfsense for starters
I would add to this that you can make use of Qualys (self hosted) in order to scan for vulnerabilities in your Home lab. They have a free version for up to 16 devices !
Didn't realise that I should do conditional port forwarding. Just got Cloudflare's IP ranges added to my router. Excellent. Now to learn about VLANs as that's really the only other thing I don't have configured. Cheers Techno Tim!
This is sooo good!! Many years wondering what I would need to do to self-host stuff without putting myself at risk and you just told me everything in less than 20 minutes. Thanks a lot!!!
Thanks for this detailed and wonderfully illustrated explanation. Before coming across your video, I had read and watched many guides on self hosting that were not very clear on security steps (if they mentioned security at all). Your video is a gem of a resource!
Dude we need a updated version of this golden topic
Great video as always! Your concise, easy to follow and straight to the point videos are at this point kind of therapeutic to me! Like a few others have already suggested, I would also like to suggest making this video the start of a series of other videos, each of which goes into the actual set up of the main steps mentioned in this video. It would ultimately make for a very nice play list on home-labbing best security practices, and how tos!
Any chance of a tour of how your network is laid out? From the modem to your servers? Maybe a how to of how you have your stuff setup? Perhaps a video series/playlist? I would like to redo my home lab to do a better job of segmenting things out.
Or a guide on network layout strategies and techniques? Suggestion on traffic segmentation, pros/cons and ways to accomplish.
Great video! First one I've seen so far to talk about the most basic, firmware updates.
This was such a great video. You covered so much with simple explanations. Thanks!
I think that for some odd reason SSH Bastion Hosts are strangely overlooked idea on the self-hosted environments. Servers on DMZ (behind the firewall on their own logical network, isolated from rest of the end devices) + Securely hardened Bastion host for server management access limits the attack surface to minimal as possible. Same goes to any intermediary device management portals etc...
Great call!
Great video! Your public speaking skills are impeccable! Learned heaps!
Thank you so much! It takes practice! I think I still have much to work on!
i just wanted to search more about this topic! and the you come whit this video!
commenting just to say that microcenter is the best, and every machine I've ever built has come from them
Mannn, I'm such a visual learner and these little dynamic icons/symbols you're using give me a good basis to follow along with.
How does using cloudflare the way you outlined in this video compare to cloudflare zero trust tunnels? What are the pros and cons of each?
YESSSSSSS. I'm researching this subject recently! THANK YOU
I had to go Light Mode on this one 😎
Need a darkmode Button for this video.
Thanks for the tip of NATing only Cloudfflare IPs. That's one thing I've been missing and it really helps a lot with my conscience! :D
Noooo.. The purple ambient lighting is gone! 😄
Thanks for your awesome videos. They are amazing and I learn so easily with you explaining it all.
These illustrations are really cool.
I'm creeped out the most about my personal machine being compromised, because of the local cluster.
this is great guideline for start self hosting security. If you need some kind of inspiration for the video, you might split this one into few yt videos and describe each section in details, giving some basic explanation for newbies on each topic, maybe using more examples and advices, or even setting this kind of server hosting from scratch giving examples on options within each layer of security. I've got this idea watching this section: 9:32, so it may be good starting point
Great video. Can you make a series following up this video how to setup all your advice?
Friends do not let friends use latest.
Simply put: A good auto-update tool uses digests and actuall versioned tags(preferably preventing automatic master updates), to ensure a stable environment ;-)
Are yoh referring to Cloudflare Zero-Trust/Tunnels in this case? Or is this again, just a reverse proxy? It would increase latency in any way, but also security.
These are really great advices that you learn even in CCNA, so, good stuff. But the aspect of the host itself, about containers, os, virtualization, and updates it's something you don't see teached around often. Probably because is a market that's always changing, but it would be great to have an in-depth video about this part!
Thank you!
I had to go Light Mode on this video 😎
Textbook quality educational content in the form of a video, one of the finest creations I've ever come across, in any category.
Thank yoiu so much!
Another important consideration: Before self-hosting services on your "home" Internet connection, make SURE you check with your provider to see if they permit this. If you do it without their approval, you may find your services terminated for "hosting" (prohibited by almost all home Internet service providers, without upgrading to Business-Class services).
Thanks for the tip!
Another fan here from the Netherlands! I'm learning so much from your videos!
Thank you!
7:32 latest can also have breaking changes if it starts pointing to a major version release and may need hands on involvement from you. Already had this happen once and that will be the last time because I went ahead and changed all my containers to refer to specific release. Some projects have tags for major releases so I point to those instead if available (like a 5.0 tag pointing to the latest 5.0 release)
This really comes down to the use case, some times integrating 3rd party services by them self could actually cause more damage than setting up everything local only.
super good and I think you should update these every few years. I know not much may have changed. But it will be worth what has.
Once more a great video and another excellent source of inspiration. Totally love the little paper icons. You are good dude! I have to say that your channel has become my favorite one when it comes to IT related content. I am surprise that you haven't got more than 1 million subscribers considering the quality of your videos. It will be soon I am sure. This video comes just when I was considering rehosting some customers websites, perfect timing.
Awesome, thank you! This is all new to me, so just figuring it all out!
@@TechnoTim Hello Tim. Thank you for your kind message. In case you are reading this, I believe you would be the perfect person to do a tutorial on how to setup IPV6 with Docker. I have been struggling for the last week with this on my infrastructure. Proxmox in bridge mode with a /24 subnet from my ISP, Docker swarm on KVMs and PFSense on bare metal. I am trying to implement a vanilla IPV6 config with DHCPv6 on PFSense. Totally insane that I could not find a proper recipe to do this. The docker gateway behavior makes the whole access to containers particularly weird. In case you have some knowledge on this type of setup, it would be a great material to add to your collection. Take care !
Great video - if I was to host at home, I would add a second router behind my first router/firewall - so I have somehting like a DMZ - or go the VLAN path...
What would change if I config my server into DMZ instead of port-forwarding it (in the modem/router)? I know that the DMZ opens all the ports available for one machine, but it’s isolated from the rest of the network, does it make it more safer?
I really gotta get my IOT devices on thier own vlan, I went down that route a while back and broke all the mobile functionality.. Im sure its something on my part.
Brilliant video! How you’ve not got more subscribers is mental!!
Thank you!
Just as a quick note for your UDM: You can add cloudflares IP ranges as a group (at least in the legacy ui) :)
Will look a bit better
Thank you! Yeah, what a great "upgrade" 😉
@@TechnoTim You can do this on the new UI as well pretty sure. Settings > Profiles > Port/IP Groups
Excellent video Tim. Now I don’t have to explain it to anyone anymore, I just point them here. By the way: greetings from The Netherlands 😉
"Keep your {software of choice} up to date!" This is the conventional wisdom, and many people (including very senior software engineers) enable auto-update to the latest versions of their tools. But another conventional wisdom is that early adopters have the most problems. Be aware that the latest bug fixes also contain the latest vulnerabilities. Yes, update regularly, but keep an eye open for announcements of vulnerabilities in the software you use. Carefully consider skipping a version if a new vulnerability applies to your deployment.
Re: USG repetition... You can automate all Unifi USG via Ansible. Even learning Ansible for a simple connection and a quick loop to set all of those forwarding rules is a great way to quickly pickup and learn Ansible for a small simple task.
Good call!!
Love Techno Tim insanely helpful videos about sorting our digital life.
Those little icons are so awesome! Do you have a source for the files?
Link in the description to icons!
Setup CrowdSec the other day to block IPs in iptables on my reverse proxy VM (since it's the machine requests get forwarded to).
Great video, thought it should be pointed out that it is possible to allow a group of ingress IP's within UniFi by creating a firewall rule and apply it before predefined rules. The action should accept, then create an IP and port group for the source (this will be the cloudflare IPs that you created a rule per IP block for) and the destination should then be the machine to forward to. This does require 1 (ONE) port forward rule setup the way that you have setup, and then exclude the ingress IP used in the port forward from the cloudflare group.
It's a bit of a hacky solution but it works.
Interesting. I tried for hours to do something similar but ended up just using the clunky ui for port forwards without aliases. Thank you!
The visuals here made the content easy to understand, along with your expert explaination. Thanks!
Glad it was helpful! Thank you!
@@TechnoTim it would be amazing to see a similar video for securing a cloud vps for self hosted applications. A lot more people now are leveraging the likes of Linode or DigitalOcean, but wish to retain privacy and security.
This is such a good video, keep it up bro, I can already feel the 100k subs
Bro Thank you so much for the Conditional Port Fowarding Advice, it makes so much sense!
An additional method of protection I use when it comes to Cloudflare is ASN blocking. I've spent a lot of time collecting a lot of webhost and VPN providers network ASNs to effectively block a lot of potential bad traffic. I find this blocks A LOT of "bad actors" especially when attackers often rent multiple IPs from the same host. Simply blocking the hosts ASN will effectively block every possible IP that hosting provider owns, without necessarily having to block IP ranges themselves.
9:58
That's the issue with cloudflare. Only port 443 and 80 are served by cf on free tier plan.
You should make a video in tandem with Network Chuck
Good work covering supply chain attack from dodgy containers.
Thank you very much 🙏
I had no idea on how to secure my home server, without putting my family at riskt 😅
This Video gave me a good idea on what I had to do and look for ❤
I recognize that "thank you" sign, that's awesome
Thank you! 😀
I love how you make so easy to understand thank you Tim.
"Hey, that MicroCenter looks familiar." Howdy neighbor, keep up the great work!
Quick question. If you use the reverse proxy to get your certificates etc, does it mean that the service isn't encrypted between the reverse proxy and the endpoint in your local network? Or is there still certificate management required on the endpoint which is being accessed, from the reverse proxy?
It does mean that, so you'll also want to secure the transport between it and your services
You can use self-signed certs from the internal reverse proxy to the service. Ensuring terrific is once again encrypted between all hops.
Thanks!
Thank you!
I have to say I am loving the paper items and the shuffling off them - very cool. Dutch crew reporting in
Thank you!
The port 443 is the one that u opened?
Your hoodie is insane, regards from Germany
With the new lights, I feel like TechnoTim is giving us the 10 Security Commandments 😂
So much to think about now. A lot to work on now that I'm changing my network stack around.
dude, I love the graphics! great Job.
I love the props explanations in this video. Good job
Thank you!
very interesting. You didn't mentionned a DMZ ? Why ?
I took a different route, setup nebula on all of my hosts inside homelab, on digital ocean, and my laptop. So, they are all linked into a overlay VPN network. Reliability still a bit needing to improve, but it mostly work.
Nice!
Very good info and well explained, thanks! But what was most impressive was aaall those little papers manually coloured!😅
Great video. I just set up an app with Cloudflare Argo Tunnel and restricted access to the domain with Cloudflare ZeroTrust. I wonder if it's worth it to put the APP behind a virtualized opnsense or if that is overkill
I'd say depending on your security requirements you DO want to use a system that is "end of life". Specifically one that doesn't have an Intel Government Management Engine or a Platform Government Security Processor. But anyway, yes, you would be wise to use a VPN such as wireguard if you have such requirements.
Thanks!
Thank you so much!
I've watched this so many times - but I keep coming back to it when I need to check over my security measures and see if there's something I need to change/implement. Best security video for self-hosting!!