Edit: thanks for all your help and replies, this is such a great community!
I would like to host a public service for some family, probably Peertube so we can share some videos. Invite only.
There’s no way I’m going to get everyone onto a VPN, it’s a non-starter though I would prefer it.
I am thinking of using a VPS with Anubis and either CrowdSec or fail2ban (or both?!) in front of PeerTube. Will apply as much hardening as I can muster behind that: things in containers, systemd hardening, SELinux/AppArmor enabled/tuned, separate users for services, the usual. All ports shut except 80/443, firewall up.
Despite all this I expect it will get scanned and attacked, as it will have to expose ports 80/443 to the world so that for family it will just work.
Is there anything else I should consider for security? Is PeerTube the weakest link in the chain? (A little concerned that their minimum password length seems to be 6 and there is no 2FA.) So long as I keep the whole thing up to date, is it as secure as anybody can manage these days (without resorting to a VPN)?
Is it all too much hassle, and should I look for a company that offers hosted PeerTube so they can worry about it?
Thanks for any and all advice.
If you’re going to self-host instead of using a VPS (I know you said you’re looking at a VPS solution, this is just in case), make sure you can segregate your networks. A router that allows you to create virtual LANs, same with the access points and switches if needed.
You don’t want to expose all your devices to the internet for a few services.
It sounds like you’ve got the right plan. I use Anubis and fail2ban along with some manual rules on nginx to block AI bots. In my experience Anubis helps a lot, and you can monitor nginx logs over time for scans and such to build additional ban rules on.
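As an added illustration of the log-monitoring idea in the reply above (this is example code, not anything from the poster or from the fail2ban project), here is a small Python script that parses constructed nginx combined-format access-log lines and applies a fail2ban-style sliding window: an address that produces at least `maxretry` 4xx responses inside any `findtime`-second window is reported as a ban candidate. The log lines and addresses are made up for the demo, and `parse_line`/`find_scanners` are names chosen here, not fail2ban APIs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx "combined" access-log lines for the demo (not real traffic;
# the addresses come from the documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:05 +0000] "GET /admin/config.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:12:00:10 +0000] "GET /videos/watch/abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:12:00:11 +0000] "GET /static/missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:12:00:12 +0000] "GET /api/v1/videos HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2025:11:00:00 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.99 - - [10/Mar/2025:12:30:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "curl/8.0"
"""

# One nginx combined-format line: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Responses that a probing scanner typically racks up; 200s are never counted.
FAILURE_STATUSES = {400, 401, 403, 404}


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path and status, or None if
    the line is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_scanners(log_text, maxretry=5, findtime=600):
    """fail2ban-style check: flag an IP once it has at least `maxretry` failures
    inside any `findtime`-second window. Returns {ip: failures_in_window}."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["status"] in FAILURE_STATUSES:
            failures[entry["ip"]].append(entry["ts"])

    window = timedelta(seconds=findtime)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    for ip, hits in find_scanners(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {hits} failures within window")
```

On the sample data only 203.0.113.7 is flagged with the defaults: the family member who hit one missing thumbnail and the host that probed twice 90 minutes apart stay below the threshold, which is the reason to tune `maxretry` and `findtime` (the same knobs a real fail2ban jail exposes) against your own logs before turning on bans.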
I’d say you’re good. I trust NPM’s SSL forwarding so I’d say spin up Peertube and put NPM in front of it to manage your certs and such, and as long as both are up to date it’ll be fine.
Realistically though, you could still use a VPN and have it be pretty easy for your family members IF you have access to their router console and IF said router supports network-wide WireGuard or OpenVPN connections. Having both networks tied in to each other that way makes it so that nobody ever has to use a VPN client to connect, but still only devices from their network (or yours) will be able to connect.
Realistically this plan dies the moment someone takes their phone outside of Wi-Fi range. It’s fine in theory, but fails miserably in non-techie real life.
GeoIP blocking
You mention a firewall, but for any open ports still restrict the source IPs to limited ranges not “all”.
Personally, at my home’s edge firewall I have pfSense with pfBlocker, and that uses a GeoIP database, so I can just pick the countries I want to allow in… you want to block as early as possible (i.e. at the VPS?), so you might have to look at options.
If your family are in the same region, then it should be relatively easy to limit to a few ranges on the VPS.
Here’s a quick search result: https://lite.ip2location.com/ip-address-ranges-by-country
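To show what “restrict the source IPs to limited ranges” looks like on a VPS, here is an added example (not code from the poster, pfBlocker or ip2location): a Python helper that takes a list of CIDR ranges, checks whether a given address is covered, and renders an nftables ruleset that accepts 80/443 only from those ranges and drops everything else. The ranges below are documentation prefixes standing in for a real country list, and `admin_cidr` is a parameter invented for this example so the operator does not lock themselves out of SSH.

```python
import ipaddress

# Constructed allowlist using documentation prefixes. A real deployment would
# load the country ranges from a GeoIP source and refresh them on a schedule,
# because allocations move between countries over time.
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8:1::/48"]


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects; strict=True rejects entries
    with host bits set, which usually means a typo in the list."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(ip, networks):
    """True if `ip` falls inside any allowlisted network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def render_nftables(cidrs, ports=(80, 443), admin_cidr=None):
    """Render an nftables ruleset: service ports open only to the allowlist,
    default policy drop. `admin_cidr` (example-only parameter) optionally
    opens SSH from a single range."""
    nets = build_allowlist(cidrs)
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    port_list = ", ".join(str(p) for p in ports)

    def set_block(name, family, elems):
        lines = [f"  set {name} {{", f"    type {family}", "    flags interval"]
        if elems:  # nft rejects an empty elements clause, so omit it entirely
            lines.append("    elements = { " + ", ".join(elems) + " }")
        lines.append("  }")
        return lines

    lines = ["table inet filter {"]
    lines += set_block("allow_v4", "ipv4_addr", v4)
    lines += set_block("allow_v6", "ipv6_addr", v6)
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        # keep ICMP/ICMPv6 so path MTU discovery and neighbour discovery work
        "    meta l4proto { icmp, ipv6-icmp } accept",
        f"    ip saddr @allow_v4 tcp dport {{ {port_list} }} accept",
        f"    ip6 saddr @allow_v6 tcp dport {{ {port_list} }} accept",
    ]
    if admin_cidr:
        fam = "ip6" if ipaddress.ip_network(admin_cidr).version == 6 else "ip"
        lines.append(f"    {fam} saddr {admin_cidr} tcp dport 22 accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = build_allowlist(ALLOWED_RANGES)
    for probe in ("203.0.113.45", "192.0.2.1", "2001:db8:1::10"):
        print(probe, "allowed" if is_allowed(probe, nets) else "dropped")
    print(render_nftables(ALLOWED_RANGES, admin_cidr="192.0.2.10/32"))
```

The rendered text can be saved and loaded with `nft -f`, but check the result on a host you can reach out of band first: with `policy drop`, anything not in the sets (including your own address if the list is stale) is silently discarded, and a VPS console is the only way back in.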
Really good point. I can definitely restrict to one country, and anyone using their own VPNs/Tor/whatever will be sophisticated enough to understand why it’s restricted and how to keep their access.
Unethical life pro tip, but you can use the free tier of Cloudflare Tunnels + Access to accomplish this. While technically against the ToS, I have been doing this with Jellyfin for over a year now; I don’t cache anything, and my overall bandwidth usage is low, so it’s probably not very noticeable. If I get banned at some point I’ll just create a new free account ¯\_(ツ)_/¯
How is it against the ToS? I’ve never bothered to look that deeply into their rules, but this is exactly what I do now >.>