Edit: thanks for all your help and replies, this is such a great community!

I would like to host a public service for some family, probably Peertube so we can share some videos. Invite only.

There’s no way I’m going to get everyone onto a VPN, it’s a non-starter though I would prefer it.

I am thinking to use a VPS with Anubis and either CrowdSec or fail2ban (or both?!) in front of Peertube. Will apply as much hardening as I can muster behind that: things in containers, systemd hardening, SELinux/AppArmor enabled/tuned, separate users for services, the usual. All ports shut except 80/443, firewall up.

Despite all this I expect it will get scanned and attacked, as it will have to expose ports 80/443 to the world so that, for family, it just works.

Is there anything else I should consider for security? Is Peertube the weakest link in the chain? (A little concerned that their minimum password length seems to be 6 and there is no 2FA.) So long as I keep the whole thing up to date, is it as secure as anybody can manage these days (without resorting to a VPN)?

Is it all too much hassle and I should look for a company that offers hosted Peertube so they can worry about it?

Thanks for any and all advice.

  • CausticFlames@sopuli.xyz · 10 points · 3 months ago

    I’d say you’re good. I trust NPM’s SSL forwarding so I’d say spin up Peertube and put NPM in front of it to manage your certs and such, and as long as both are up to date it’ll be fine.

    Realistically though, you could still use a VPN and have it be pretty easy for your family members IF you have access to their router console and IF said router supports network-wide WireGuard or OpenVPN connections. Having both networks tied in to each other that way makes it so that nobody ever has to use a VPN client to connect, but still only devices from their network (or yours) will be able to connect.

    • JASN_DE@feddit.org · 21 points · 3 months ago

      Realistically though, you could still use a VPN and have it be pretty easy for your family members IF you have access to their router console and IF said router supports network-wide WireGuard or OpenVPN connections. Having both networks tied in to each other that way makes it so that nobody ever has to use a VPN client to connect, but still only devices from their network (or yours) will be able to connect.

      Realistically this plan dies the moment someone takes their phone outside of the WiFi range. It’s fine in theory, but fails miserably in non-techie real life.

      • marduk@lemmy.sdf.org · 12 points · 3 months ago

        “Where’s the router you configured for me? Oh the Cox guy said I should just use their router for $9.99/mo so I donated it to Goodwill”

    • IanTwenty@lemmy.world (OP) · 4 points · 2 months ago

      I had to look up NPM as in my head it’s NodeJS Package Manager but TIL there’s also Nginx Proxy Manager!

      I like your VPN solution for a small group and actually tying it to their home network/router could make sense and further restrict attacks I have to deal with. However in my case I could be dealing with 30+ households of users and as others say I am bound to get people on mobiles complaining they can’t access it. However noted for future projects.

  • Gravitywell.xYz@sh.itjust.works · 8 points · 3 months ago

    It sounds like you’ve got the right plan. I use Anubis and fail2ban along with some manual rules on nginx to block AI bots. In my experience Anubis helps a lot, and you can monitor nginx logs over time for scans and such to build additional ban rules from.
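The log-monitoring step above, as an added example that is not code from the thread or from any of the projects mentioned: a small nginx access-log triage script that flags three things a PeerTube host would want to ban on sight, hits on paths PeerTube never serves (a classic scanner fingerprint), IPs racking up 404s, and self-identifying AI crawlers by user agent, then emits `nft add element` commands for a ban set. The sample log lines, the probe-path list and the user-agent markers are all constructed starting points, not a signature database; `inet filter` and the set name `banned` are assumed names for a table and set you would create yourself.

```python
"""Spot scanners and AI crawlers in nginx access logs and emit nft ban commands.

Added example, not code from the thread. The log lines, probe paths and
user-agent markers are constructed starting points for your own rules.
"""
import re
from collections import Counter

# nginx "combined" log format: ip - user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a PeerTube host never serves; one hit is enough to fingerprint a scanner.
# Deliberately excludes paths PeerTube does serve (e.g. /admin) so a family
# member who mistypes a URL is never banned for it. Illustrative list.
PROBE_PATHS = ("/.env", "/.git/", "/wp-login.php", "/wp-admin", "/xmlrpc.php",
               "/phpmyadmin", "/cgi-bin/", "/vendor/phpunit")

# Self-identifying AI crawler user-agent substrings (illustrative, not exhaustive).
AI_BOT_UA = ("GPTBot", "ClaudeBot", "CCBot", "Bytespider")

# Constructed sample traffic using documentation IPs, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /cgi-bin/luci HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.5 - - [10/Mar/2025:12:00:05 +0000] "GET /videos/watch/abc HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux) Firefox/128.0"
198.51.100.5 - - [10/Mar/2025:12:00:06 +0000] "GET /client/assets/app.js HTTP/1.1" 200 44321 "-" "Mozilla/5.0 (X11; Linux) Firefox/128.0"
192.0.2.9 - - [10/Mar/2025:12:00:07 +0000] "GET /videos/watch/xyz HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux) Firefox/128.0"
192.0.2.44 - - [10/Mar/2025:12:00:08 +0000] "GET / HTTP/1.1" 200 512 "-" "GPTBot/1.0"
192.0.2.44 - - [10/Mar/2025:12:00:09 +0000] "GET /videos/watch/abc HTTP/1.1" 200 8123 "-" "GPTBot/1.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    # A non-HTTP request line (e.g. raw TLS bytes sent to port 80) has no path.
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, notfound_threshold=3):
    """Classify source IPs: probe-path hits, repeated 404s, AI crawler user agents."""
    probe_ips, ai_bot_ips = set(), set()
    notfound = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the whole run
        ip = rec["ip"]
        path = rec["path"].lower()
        if any(path.startswith(p) for p in PROBE_PATHS):
            probe_ips.add(ip)
        if rec["status"] == 404:
            notfound[ip] += 1
        if any(marker.lower() in rec["ua"].lower() for marker in AI_BOT_UA):
            ai_bot_ips.add(ip)
    return {
        "probe_ips": probe_ips,
        "many_404_ips": {ip for ip, n in notfound.items() if n >= notfound_threshold},
        "ai_bot_ips": ai_bot_ips,
    }


def banned_ips(result):
    """Union of every reason to ban; a single 404 from a real user is not one."""
    return result["probe_ips"] | result["many_404_ips"] | result["ai_bot_ips"]


def nft_ban_commands(ips, table="inet filter", setname="banned"):
    """nft commands adding IPs to a named set; the set and a drop rule that
    references it (assumed names) must already exist in your ruleset."""
    return [f"nft add element {table} {setname} {{ {ip} }}" for ip in sorted(ips)]


if __name__ == "__main__":
    verdict = analyze(SAMPLE_LOG)
    for reason, ips in verdict.items():
        print(f"{reason}: {sorted(ips)}")
    print("\n".join(nft_ban_commands(banned_ips(verdict))))
```

Run it against a real file with `analyze(open("/var/log/nginx/access.log").read())`; the single-404 user at 192.0.2.9 stays unbanned while the zgrab scanner and the crawler are caught. Keep the probe list free of anything PeerTube legitimately serves, and review the output before feeding it to a ban set, since an NAT'd household or a carrier-grade NAT range can hide many users behind one address.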

    • IanTwenty@lemmy.world (OP) · 1 point · 2 months ago

      Good to hear Anubis is effective - I would hope that takes the site out of the ‘easy target’ sort of category and most bots give up. Yeah I think monitoring is gonna be key to keep an eye on threats. Thanks!

        • dogs0n@sh.itjust.works · 3 points · edited · 2 months ago

          Email magic links are cool (personally I hate when a website only allows this login because I don’t have my email available on every device, but that is unrelated, sort of).

          I probably wouldn’t go with a relatively new project that isn’t guaranteed to stick around long-term (big hassle to swap provider).

          Authelia and Authentik both have a lot of eyes looking over the code, so I’d also feel more confident going with them, even if I can’t get passwordless email login (don’t think they support it but not certain).

          • gkak.laₛ@lemmy.zip · 1 point · 2 months ago

            I probably wouldn’t go with a relatively new project that isn’t guaranteed to stick around long-term

            Oh of course, I just shared it because I don’t think I’ve seen anything similar and simple, just in case anyone wants to check it out and experiment etc

        • IanTwenty@lemmy.world (OP) · 2 points · 2 months ago

          Hey thanks for these links I will check them out! Magic links would be great actually as then I am not relying on them to set decent passwords or giving them burden of TOTP/etc which some may not have used before.

    • MysteriousSophon21@lemmy.world · 3 points · 2 months ago

      Authelia is great, but I’ve been using Authentik for a similar setup and it’s been rock solid with a more user-friendly UI if your family members aren’t tech savvy, plus it has some nice passwordless options.

    • IanTwenty@lemmy.world (OP) · 3 points · 2 months ago

      That’s a great suggestion, then I’m not relying just on the app/service to have super secure auth.

    • IanTwenty@lemmy.world (OP) · 2 points · 2 months ago

      Thanks for this suggestion - this is interesting because it looks like Pangolin combines almost all the measures mentioned so far here apart from Anubis: auth provider with one-time email passcodes, GeoIP blocking, CrowdSec, plus bonus automated cert handling. It does look like it does nearly everything in one package and I can pay for them to host it for me if I don’t want to self-host those parts. Strong contender!

  • SayCyberOnceMore@feddit.uk · 4 points · 2 months ago

    GeoIP blocking

    You mention a firewall, but for any open ports still restrict the source IPs to limited ranges not “all”.

    Personally, at my home’s edge firewall I have pfSense with pfBlocker and that uses a GeoIP database, so I can just pick the countries I want to allow in… you want to block as early as possible (i.e. at the VPS?), so you might have to look at options.

    If your family are in the same region, then it should be relatively easy to limit to a few ranges on the VPS

    Here’s a quick search result: https://lite.ip2location.com/ip-address-ranges-by-country

    • IanTwenty@lemmy.world (OP) · 3 points · 2 months ago

      Really good point. I can definitely restrict to one country, and anyone using their own VPNs/Tor/whatever will be sophisticated enough to understand why it’s restricted and how to keep their access.
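The GeoIP suggestion above, together with the OP's "all ports shut except 80/443" firewall plan, as an added example that is not code from the thread or from any of the tools mentioned: a script that takes a list of CIDR ranges (a per-country download such as the ip2location page linked above is the realistic input; the list below is a constructed stand-in built from documentation prefixes), collapses overlapping and adjacent prefixes so the firewall set stays small, answers "would this IP get in?" for log review, and renders a complete nftables ruleset that drops everything by default and admits 80/443 only from the allowlist. `ADMIN_RANGES`, the `inet filter` table and the set names are assumptions: the admin range is there so the allowlist can never lock the operator out of SSH.

```python
"""Render an nftables ruleset admitting 80/443 only from allowlisted ranges.

Added example, not code from the thread. COUNTRY_RANGES is a constructed
stand-in (documentation prefixes) for a per-country list; ADMIN_RANGES is an
assumed source for SSH so the allowlist cannot lock the operator out.
"""
import ipaddress

COUNTRY_RANGES = [
    "203.0.113.0/25",
    "203.0.113.128/25",  # adjacent to the previous prefix: merges into a /24
    "198.51.100.0/24",
    "198.51.100.64/26",  # already inside the previous prefix: dropped
    "2001:db8:1::/48",
]
ADMIN_RANGES = ["192.0.2.10/32", "2001:db8:ff::/64"]  # assumed admin sources


def load_ranges(cidrs):
    """Parse CIDRs, drop overlaps, merge adjacent prefixes, split by IP version."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def is_allowed(ip, v4, v6):
    """Membership test for log review ("why could cousin X not connect?")."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in (v4 if addr.version == 4 else v6))


def _set_block(name, addr_type, nets):
    """One named interval set; nft rejects an empty 'elements = { }' clause,
    so the line is omitted when there is nothing to list."""
    lines = [f"    set {name} {{", f"        type {addr_type}", "        flags interval"]
    if nets:
        lines.append("        elements = { " + ", ".join(map(str, nets)) + " }")
    lines.append("    }")
    return lines


def render_ruleset(country_cidrs=COUNTRY_RANGES, admin_cidrs=ADMIN_RANGES):
    """Return an nft(8) ruleset file: policy drop; loopback, established and
    ICMP allowed; SSH only from admin ranges; 80/443 only from the allowlist."""
    allow4, allow6 = load_ranges(country_cidrs)
    admin4, admin6 = load_ranges(admin_cidrs)
    lines = ["flush ruleset", "table inet filter {"]
    lines += _set_block("allow_v4", "ipv4_addr", allow4)
    lines += _set_block("allow_v6", "ipv6_addr", allow6)
    lines += _set_block("admin_v4", "ipv4_addr", admin4)
    lines += _set_block("admin_v6", "ipv6_addr", admin6)
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        '        iif "lo" accept',
        "        ct state established,related accept",
        "        ct state invalid drop",
        "        ip protocol icmp accept",
        "        ip6 nexthdr icmpv6 accept",
        "        tcp dport 22 ip saddr @admin_v4 accept",
        "        tcp dport 22 ip6 saddr @admin_v6 accept",
        "        tcp dport { 80, 443 } ip saddr @allow_v4 accept",
        "        tcp dport { 80, 443 } ip6 saddr @allow_v6 accept",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset(), end="")
```

Write the output to a file and syntax-check it with `nft -c -f allowlist.nft` before loading it with `nft -f`. Two caveats a practitioner will hit: country lists churn, so regenerate and reload on a schedule rather than once; and Let's Encrypt validates HTTP-01 challenges from several vantage points around the world, so with port 80 restricted to one country the HTTP-01 challenge will fail and you will want the DNS-01 challenge instead.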

  • cantankerous_cashew@lemmy.world · 1 point · 2 months ago

    Unethical life pro tip, but you can use the free tier of Cloudflare Tunnels + Access to accomplish this. While technically against the ToS, I have been doing this with Jellyfin for over a year now; I don’t cache anything, and my overall bandwidth usage is low, so it’s probably not very noticeable. If I get banned at some point I’ll just create a new free account ¯\_(ツ)_/¯

    • KairuByte@lemmy.dbzer0.com · 2 points · 2 months ago

      How is it against the ToS? I’ve never bothered to look that deeply into their rules, but this is exactly what I do now >.>

  • youmaynotknow@lemmy.zip · 1 point · 2 months ago

    If you’re going to self-host instead of using a VPS (I know you said you’re looking at a VPS solution, this is just in case), make sure you can segregate your networks: a router that allows you to create virtual LANs, same with the access points and switches if needed.

    You don’t want to expose all your devices to the internet for a few services.

  • rtxn@lemmy.world · 9 up, 9 down · 3 months ago

    Consider Tailscale. It’s a mesh VPN based on WireGuard that uses a hosted service to manage keys and devices. It works without having to expose any ports on the firewall, and can expose a service through a relay server.

    Some people will say that you shouldn’t trust it because company bad, but you should give it a try and make up your own mind. If you’re feeling adventurous, you can install Headscale on a VPS to serve as a control server.

      • rtxn@lemmy.world · 11 up, 2 down · 3 months ago

        Bro is also concerned about attacks on exposed well-known ports, in which case bro can use Tailscale Funnel to expose a service without exposing a port. Besides, bro can make up bro’s own mind.

        • IanTwenty@lemmy.world (OP) · 3 points · 2 months ago

          Hey thanks for this. Yep I’ve got too many users and most are not technical, so it’s just a huge headache to get them all onto a VPN no matter how simple. That said I’d consider Tailscale/Funnel for other projects and it’s always good to hear what others are using.