I’m a software developer working in the telecam sector on security related products, so I know a fair bit about system security. Yet I wound secure my own system far less than most people here if I didn’t enjoy cybersecurity as a hobby.

I wonder what you are securing against? Some examples:

  • jellyfin: unless you have home videos on there, what does it matter if someone exfiltrates some movies? Surely you have basic DOS protection and/or region locking to reduce wasted network traffic, right?
  • linux: I assume nobody is using their servers as daily drive PCs, so what does it matter if somehow your system is superficially compromised. You can always reimage. Sure they could mine some bitcoin with your system, but it doesn’t have that much PSU headroom to cost you much on your bills, right?

It just seems like most attack vectors lead to mild annoyance at most for most systems.

Do you guys just enjoy cybersecurity? Do you actually keep sensitive data on your self hosted systems? Do you self-host on expensive hardware? What am I missing?

  • pHr34kY@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 minutes ago

    The worst I had was a credential-stuffer bot that used a set of leaked credentials to get on my mail server and send spam. I changed the password within 5 minutes and it stopped. That was the end of it.

    Once I had someone deface a website because wordpress wasn’t patched. I just restored the site from backup and moved on with life.

    I would think that most of the time, you just join a botnet.

    BUT someone getting into your email can let them do password resets to all your accounts. Then again, I self-host my email because all mail providers are reading your email by default. I’d still rather self-host it.

  • fozid@feddit.uk
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 hour ago

    From my perspective, self hosting is a hobby, we run services we feel we need, but it’s also something we do for fun. As such some people enjoy thinking about and deploying the most secure server possible, regardless of actual threats. However, to directly answer your question, yes there isn’t really a lot that can be stolen from a self host residential server, maybe if you hack a valutwarden instance and acquire all the credit card details stored in it and all the id’s stored in it. But the main hack isnt stealing, but deploying a bot net of some sort.

  • artyom@piefed.social
    link
    fedilink
    English
    arrow-up
    36
    arrow-down
    3
    ·
    7 hours ago

    You’re a cyber security developer but don’t understand how a compromised device on your network compromises your entire local network?

    Don’t mean to be rude but it seems like a basic principle.

  • betterdeadthanreddit@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    ·
    8 hours ago

    Nobody gives half a shit about my personal data or dick pics but I don’t want to contribute my bandwidth somebody’s botnet. No expensive hardware here, it’s all the old desktops that I’ve upgraded from but won’t throw out because they haven’t caught on fire yet.

    Last part is only mostly true, one did catch on fire but is doing much better now.

  • Morgikan@fedia.io
    link
    fedilink
    arrow-up
    9
    arrow-down
    1
    ·
    7 hours ago

    My biggest concern is pivoting. Specific to Jellyfin, many users are using docker, but do not isolate the user so the daemon is operating as root. With that setup, an attacker could mount the host filesystem to the container and would own the host from that container.

    Again, for the linux mention, the answer is pivoting. Many machines use Tailscale. If one of those machines were to be compromised using Tailscale’s default ACL, they would be able to move laterally through the network without issue. At that point, it would be possible to modify existing nodes (ex. subnet routers, exit nodes, etc) or even add additional rogue nodes.

    The question of why people care is tricky. Why should you care if your networked printer is using out of date firmware? It likely isn’t storing personal information, right? It’s a prime target because it’s easy, poorly monitored, and opens another door. A lot of infosec is just keeping doors shut so other doors don’t get opened.

    • hirihit640@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 hours ago

      With that setup, an attacker could mount the host filesystem to the container and would own the host from that container.

      Can you elaborate more on this? Assuming an attacker is in the Jellyfin container with full remote code execution, how could they mount the host filesystem?

      • Morgikan@fedia.io
        link
        fedilink
        arrow-up
        2
        ·
        3 hours ago

        It would depend on having access to misconfigured permissions or docker.sock like when you chain containers to manage other containers. Because you have access to docker.sock and that socket can send API calls to the docker daemon (which is run from root) those commands would inherit the same level of access. An attacker could make the API call to mount /:/root and then access the host filesystem.

        It’s just an example of how even though the container might not have anything worthwhile, it can be used to laterally move and open another door.

        • hirihit640@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 hours ago

          Got it. Access to docker.sock is definitely something to be wary of, or CAP_ADMIN, or access to certain host devices.

          Worth mentioning though that Jellyfin usually has none of these.

          • The Stoned Hacker@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 hour ago

            Also worth mentioning that Linux recently has had two massive privilege escalation vulnerabilities that bypass system namespacing and thus also provide container escapes.

  • NaibofTabr@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    edit-2
    6 hours ago

    I wonder what you are securing against?

    OK, you’re familiar with vulnerability scanners and port scanners right?

    The threat model here isn’t really attackers specifically targeting your home network for any particular reason (unless you’re a LastPass engineer working remotely while running an exposed Plex server). They’re not looking for you, they’re looking for anything useful.

    The threat model is attackers using scanning tools to discover vulnerable systems connected to the Internet. All they need from you is an active connection and a system that can store data, from which they can host malware files for distribution to other targets or conduct attacks or just run a cryptominer (if you’re lucky and they’re not very ambitious). They can find this by scanning for open ports and then running a vulernability scanner to figure out if there’s some exposed hardware that can be exploited.

    An unsecured system is a hazard that could land you in jail when someone else starts using your device and network connection to commit crimes.

    Now, as long as you’re behind a standard residential network service, and your ISP is in control of your gateway device, you’re relatively safe from this. Most ISPs will block any traffic like that very strictly. If your ISP is in control of your gateway device then they’re responsible for its behavior (demarcation matters).

    But, most self-hosters run into limitations with their ISP blocking a lot of ports by default, because they want to access their personal server from outside their home, and so they take control by running their own gateway device or paying for a business connection which gives them complete control over which ports are open. This is where the risk comes in. You are assuming the responsibility for properly securing your connection to the public Internet, taking it off your ISP’s hands.

    If you’re going to do this, you should know exactly which ports you have open to the outside and why, and a general idea of what traffic you expect to see on them when and how much. Monitor that traffic at your firewall. Every other port should be closed and your firewall (on your router, gateway device, or better yet a dedicated OPNSense firewall) should be configured to drop packets received by closed ports (“stealth” mode). You don’t want it to respond that those ports are blocked, you want it to appear to not be there at all.

    Every other security implementation is a secondary concern for a home network. Yes you should patch your software regularly and you should practice deny-by-default and least-privilege as a matter of course, but you’re going to mitigate 90% of your risk by just not accepting incoming connections for anything you don’t need. Most vulnerable systems are discovered by automated scanning, so the less your system responds to external connections the better. If you’re going to worry about configuring, securing and patching one device, make it that front line firewall. And be very selective about which internally hosted services you expose externally.

  • calamityjanitor@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    8 hours ago

    I’d be worried about lateral movement. Something like a XSS in jellyfin that gets them to my browser on my main computer, or otherwise leveraging the network proximity in anyway to spread to other machines with stuff I care about.

  • GreenKnight23@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    8 hours ago

    nothing is exposed publicly except a VPN. no key, no service. (edit: firewall rules only activate on special request from an app on my phone. via software I wrote that polls specific values with specific signatures)

    VPN drops you to a vlan that only has app access through reverse proxies.

    all network traffic is monitored and alerted using graylog. same for system logs as well.

    all alerts notify me directly. all WiFi is whitelist only.

    why so strict? mostly because I’m paranoid. I had a stalker earlier in my life that made me fully appreciate privacy.

  • Mereo@piefed.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    6 hours ago

    Public-facing services need at least a minimum level of security protection. All of my services are protected by the reverse proxy Caddy, and Crowdsec protects my system and services from malicious bots. My Flirt 2’s firewall bans all malicious bots that Crowdsec discovers.

  • SavvyWolf@pawb.social
    link
    fedilink
    English
    arrow-up
    3
    ·
    7 hours ago

    People exfiltrating movies from your Jellyfin account sounds harmless until you get a knock on the door from the police asking why you’re running a piracy sharing site. Depending on the attacker’s level of access, they may also wonder why your server is now serving kiddie fiddling videos. Or maybe the attacker just replaces all your movie metadata images with ones from the Bee Movie.

    To me at least, DOS and region locking should come after properly locking down public facing services. They aren’t 100% reliable at preventing intrusions.

    I’d be surprised if there wasn’t a large difference between the power usage of a cpu at rest (like most servers will be) and one at full power. Especially if it had a gpu in it. They certainly sound a lot louder in my experience.

    You can never be truly sure how bad a compromised system has been compromised, or even easily detect when it has happened. It could be running as part of a botnet, stealing your credentials or probing your local/mesh network.

    In my eyes, competent cybersecurity abilities are an important part of selhosting which seems to fall by the wayside. It’s important to know exactly what your server is doing, what is running and who has access. If your system is on the public internet, you have a moral obligation to behave and not have it turn into a botnet or spam machine.

    • Onomatopoeia@lemmy.cafe
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      7 hours ago

      I like your point about power monitoring - that would be an interesting secondary method for alerting to a possible breach, if you have a consistent power-use profile.

  • tangeli@piefed.social
    link
    fedilink
    English
    arrow-up
    3
    ·
    8 hours ago

    The biggest threats I am concerned with are:

    • my liability and harm to my reputation resulting from unauthorized abuse of my systems
    • consumption of my limited Internet access bandwidth and capacity
    • corruption or loss of my systems and data
    • theft and sale or other abuse of my private data

    The first results mostly from the risk of my systems being incorporated into bot nets.

    The second from bot nets and abusive crawlers.

    The latter results mostly from ransom ware or open ended theft and exploitation of my data.

    The threats are not all from the Internet. I saw an article recently about ‘smart’ TVs that are configured to be part of a web scraping infrastructure that the vendors sell as a service, in some cases configured to use up to 200GB per month of bandwidth.

  • irmadlad@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    8 hours ago

    This is the security I’ve implemented on my network:

    • Modem receiving IP from ISP. Modem to router. Router to stand alone pfsense firewall. Router has a 54 character complex password for WiFi. There are no guest provisions for WiFi.
    • Pfsense firewall with pfblockerng & suricata running on both lan and wan, both with a full array of rules/feeds updated daily. pfsense has tailscale as an overlay vpn. Server traffic and PC traffic have their own VLAN provided by pfsense. My approach is to deny all until something complains and address that on a case by case basis. Additionally ntopng is utilized for traffic analysis. IPv6 is disabled.
    • Server running Tailscale as an overlay VPN, UFW deny all posture, and fail2ban with an aggressive posture. Server has been hardened against Lynis spec where applicable. Not all recommendations apply to my server. Server is utilizing host deny/host allow and SSH keys.
    • Server is utilizing containers for services.
    • Server is using Cloudflare tunnel/zero trust.
    • Server and pfsense communicate via Tailscale encrypted tunnel. PC/Phone/mobile device can communicate with pfsense via Tailscale.
    • Server services are accessed via https.
    • PC connected to pfsense firewall with same rules as server. PC is using a VPN with Cloudflare 1.1.1.1/1.0.0.1 for DNS queries. Firefox is using 1.1.1.1/1.0.0.1. Settings for Firefox are the strictest for Enhanced Tracking Protection, and DOH. HTTPS-Only mode enabled. PC is also running a soft firewall.
    • All other devices such as phones, laptops, and tablets run a VPN with Cloudflare 1.1.1.1/1.0.0.1 for DNS queries.
    • IoT devices are isolated. Phones are isolated. Smart TVs are isolated.

    I’ve been told repeatedly that I go overboard on security.

    Do you guys just enjoy cybersecurity?

    To the extent of my knowledge thereof, yes.

    Do you actually keep sensitive data on your self hosted systems?

    No I do not. No password vaults, no financial info, etc.

    Do you self-host on expensive hardware?

    No. In fact I just finished decommissioning one of my Dell T320s. In it’s place I put an Optiplex 7020 SFF. The Dell T320 was adding $40 USD of my electric bill, while the Optiplex 7020 sips about $8 a month, plus it doesn’t pump heat in to the lab like the T320s do. I have one more T320 to decommission and then I’ll be done with that type of equipment. I’m looking to sell the two T320s, but I’m not sure someone wants to pay to ship a boat anchor.

    It’s not that the data on my server is so sensitive. I just don’t want anyone mucking around in my lab all willy nilly, which is why I run all the above and isolate everything I can, so that anyone who might get through, wouldn’t have any lateral movement,