Me right now: studying the ins and outs of #Docker, ports exposure, firewalls and #TLS.
-
@elena If you need someone to sanity check your VPS setup before deploying, feel free to ask me. I have VPSes with containers on OVH and netcup that have been happily humming along and resisting attacks for years.
@jwildeboer thank you Jan!!! One quick question: once I install Docker (again), what's the first thing I should do to ensure the VPS can't be exploited in attacks?
Like what should I tweak right away?
My previous Docker setup lasted less than a day
-
Me right now: studying the ins and outs of #Docker, ports exposure, firewalls and #TLS.
I've got a brand new VPS (on Hetzner) that for now only has #Fail2Ban on it.
Let's see when I'll feel confident (reckless?) enough to install #Docker on it.
This time I learned my lesson and I'm only paying month-by-month. And I've got many thoughts about what went down yesterday that I may share in a blog post soon.
Thanks for all your supportive messages! I hope my public fumbles are useful to fellow #selfhosting newbies.
@elena
Your public fumbles are VERY useful for other (upcoming) selfhosters! Be assured! This is gold for technically less versed Fediversians :). Btw: if time (and nerves) allow, you could re-read the service contract with OVH, this kind of termination policy seems a bit strange to me. Maybe you could push for some money back.
Just a thought tho.
Or maybe you have already ofc. Best of luck for the further steps! Many watch and learn.
-
@EloPup thank you! Honestly I find my time valuable and I don't want to waste any more time or efforts with them... in case any attempts are unfruitful. Just moving on to greener pastures. Honestly I would have respected them so much more if they'd said: "you violated our ToS so we are terminating your ACCOUNT". Instead of saying: "you violated our ToS so we deleted your VPS with no recourse to get your money back for the 6 months you paid... but you're more than welcome to buy a new plan" WTF?
-
@elena fascinating to hear of your progress in this. Happy to share my experience in this anytime. CrowdSec is a good alternative to fail2ban, as that is kinda out of date now by some reckonings, but good nonetheless. Uncomplicated Firewall ('ufw'), if you're on Debian / Ubuntu, is a good jumping-off point for a FOSS firewall on Linux. If you use docker compose files and an ingress you can expose just 80 and 443 for Let's Encrypt to issue free certs. Bonus: if you sign up to the free tier that Tailscale has for home labbers, you can lock your Hetzner / DigitalOcean / Akamai etc. host down to have no other open ports, allowing you secure access via ssh from anywhere using your own 'tailnet' and Tailscale client. They make it simple to install, use and extend. I like to use Traefik for ingress, some like nginx, others are moving to Caddy - but there be dragons, at least in terms of decision anxiety, which is why I've gone with Traefik, but others may choose differently.
Hope you have great success. Rock on!
-
@jon thank you Jon, I really appreciate your feedback and advice.
Do I understand everything you said? Not quite, but I get the gist of it. Aw, how I wish I was more knowledgeable about this stuff.
You're the second person to recommend Tailscale to me. I'll definitely look into it.
Thank you for the support and encouragement!
-
@elena If you are going to use docker compose again with port mapping, the default configuration will punch through your firewall and ignore fail2ban. The docs have some options for mapping to local or making it compatible with the firewall: https://docs.docker.com/engine/network/packet-filtering-firewalls/#restrict-external-connections-to-containers
-
@maikel thank you, this is super useful
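Maikel's warning, worked through as an added example (my code, not from the thread, from Docker or from its docs): Docker publishes a port by inserting its own DNAT and FORWARD rules ahead of whatever ufw manages, so a compose entry like `8080:80` listens on every interface and answers from the internet even when ufw denies 8080, and fail2ban, which reads host logs, never sees the container's traffic. The script parses the compose short syntax for `ports:`, flags every mapping bound to all interfaces whose host port is not on an allow list, rewrites it to a `127.0.0.1:` binding, and prints DOCKER-USER rules in the conntrack style the linked docs describe for the ports that must stay public. Assumptions, all mine: the compose list and the 80/443 allow list are constructed for the example, `eth0` stands in for the VPS's external interface, and the function names are not from any tool.

```python
"""Audit docker compose `ports` entries that Docker will publish on every interface.

Constructed example for the thread above, not code from Docker or its docs.
Docker inserts its own DNAT/FORWARD rules ahead of the host firewall, so a
short-syntax entry like "8080:80" is reachable from the internet even when ufw
denies port 8080, and fail2ban never sees the container's log lines. Binding to
127.0.0.1 keeps the service local; the DOCKER-USER chain filters what stays public.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

_PORT_RE = re.compile(r"^\d+(-\d+)?$")             # single port or range, e.g. 9090-9091
_ALL_INTERFACES = {None, "0.0.0.0", "::", "[::]"}  # None = Docker's default binding


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]    # None means "every interface"
    host_port: str            # "" means an ephemeral port chosen by Docker
    container_port: str
    protocol: str

    def is_public(self) -> bool:
        return self.host_ip in _ALL_INTERFACES

    def to_spec(self) -> str:
        """Serialise back to compose short syntax."""
        if self.host_ip is not None:
            head = f"{self.host_ip}:{self.host_port}:"
        elif self.host_port:
            head = f"{self.host_port}:"
        else:
            head = ""
        tail = "" if self.protocol == "tcp" else f"/{self.protocol}"
        return f"{head}{self.container_port}{tail}"


def parse_port(spec: str) -> PortMapping:
    """Parse [[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTOCOL]; IPv6 host IPs must be bracketed."""
    body, _, proto = spec.partition("/")
    proto = (proto or "tcp").lower()
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {spec!r}")
    parts = body.rsplit(":", 2)  # only the last two colons separate ip:host:container
    if len(parts) == 1:
        host_ip, host_port, container = None, "", parts[0]
    elif len(parts) == 2:
        host_ip, (host_port, container) = None, parts
    else:
        host_ip, host_port, container = parts
    if not container or not _PORT_RE.match(container):
        raise ValueError(f"bad container port in {spec!r}")
    if host_port and not _PORT_RE.match(host_port):
        raise ValueError(f"bad host port in {spec!r}")
    return PortMapping(host_ip, host_port, container, proto)


def bind_to_loopback(mapping: PortMapping) -> PortMapping:
    """Rewrite an all-interfaces binding to 127.0.0.1; leave anything else alone."""
    if not mapping.is_public():
        return mapping
    return PortMapping("127.0.0.1", mapping.host_port, mapping.container_port, mapping.protocol)


def audit(port_specs: Sequence[str], public_ok: Sequence[str] = ("80", "443")) -> List[Tuple[str, str]]:
    """Return (original, suggested) pairs for every mapping published on all
    interfaces whose host port is not on the allow list. Ephemeral ("") and
    range host ports are never on the list, so they are always reported."""
    findings = []
    for spec in port_specs:
        mapping = parse_port(spec)
        if mapping.is_public() and mapping.host_port not in public_ok:
            findings.append((spec, bind_to_loopback(mapping).to_spec()))
    return findings


def docker_user_rules(public_ports: Sequence[str], ext_if: str = "eth0") -> List[str]:
    """iptables commands so that only `public_ports` reach containers from `ext_if`
    (assumed interface name). DOCKER-USER is evaluated before Docker's own FORWARD
    rules but after DNAT, so the original destination port is matched via conntrack;
    `--ctdir ORIGINAL` leaves replies to container-initiated connections alone.
    `-I` prepends, so the catch-all DROP is emitted first and ends up last."""
    rules = [f"iptables -I DOCKER-USER -i {ext_if} -m conntrack --ctdir ORIGINAL -j DROP"]
    for port in public_ports:
        rules.append(
            f"iptables -I DOCKER-USER -i {ext_if} -p tcp -m conntrack "
            f"--ctorigdstport {port} --ctdir ORIGINAL -j RETURN"
        )
    return rules


# Constructed `ports:` list of a typical self-hosting compose file.
EXAMPLE_PORTS = [
    "80:80",                # reverse proxy, meant to be public
    "443:443",
    "8080:80",              # admin UI: public by accident
    "127.0.0.1:5432:5432",  # database already bound to loopback
    "3000",                 # ephemeral host port, still on every interface
    "6060:6060/udp",
]

if __name__ == "__main__":
    for original, fixed in audit(EXAMPLE_PORTS):
        print(f"{original:<22} published on every interface -> use {fixed}")
    print("\n".join(docker_user_rules(["80", "443"])))
```

Services rebound to `127.0.0.1` are then reached only through the reverse proxy on 80/443 or over a VPN interface such as Tailscale's, which is the layout Jon described. The DOCKER-USER rules are for ports that genuinely have to stay published on all interfaces; Docker does not overwrite that chain, but the rules live only in the running kernel, so they have to be persisted across reboots like any other iptables rule.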
-
@elena I apologise for my technical rant. I know I can get carried away now and then. It is my thing, so sometimes I can't help being excited and start using shorthand. On your question regarding Tailscale, I just wrote a short blog entry about it at https://headshed.dev/missivz/whats-tailscale/ in which I try to explain myself as regards mesh networks and why you may find it useful.
I hope this makes sense - please let me know and I am happy to receive feedback and rectify accordingly.
Tailscale and others like it that use WireGuard are nothing less than game changing in my mind, if not a step toward a paradigm shift in networking and security.
-
@jon thank you Jon! People keep recommending Tailscale to me... I will definitely read your piece and look into it.
I just figured out how to turn on the Firewall for my Hetzner server, where I have Docker installed.
One thing at a time.