I’m in the process of setting up homelab stuff and I’ve been doing some reading. It seems the consensus is to put everything behind a reverse proxy and use a VPN or Cloudflare tunnel.
I plan to use a VPN for accessing my internal network from outside and to protect less battle-tested FOSS software. But I feel like if I can’t open a port to the internet to host a webserver then the internet is no longer a free place and we’re cooked.
So my question is: can I expose a webserver, SSH and WireGuard to the internet with reasonable safety? What precautions and common mistakes do I need to watch out for?
You can mitigate some risks with software like fail2ban to slow down some of the hacking attempts, but you will still be susceptible to, sometimes unintentional, denial of service attacks from ever-persistent “AI” crawler bots as well as the constant barrage of automated hacking attempts. If your bandwidth is not able to handle it or you have bandwidth caps, you’re likely going to have issues.
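To make the fail2ban point concrete, here is an added example (not code from the thread or from the fail2ban project) of the core idea fail2ban implements: scan sshd log lines, count failed logins per source IP inside a sliding window (fail2ban’s `findtime`), and once the count reaches `maxretry` emit a firewall ban that lasts `bantime`. The log lines, the year used to parse the syslog timestamps, and the `inet filter banned` nftables set name are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines for the demo (syslog format, no year in the timestamp).
# 203.0.113.7 fails five times in ten seconds; 192.0.2.9 fails five times fifteen minutes apart.
SAMPLE_LOG = """\
Mar  3 10:00:01 lab sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 lab sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 lab sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar  3 10:00:06 lab sshd[1204]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:00:09 lab sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:10 lab sshd[1206]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:05:00 lab sshd[1207]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar  3 10:20:00 lab sshd[1208]: Failed password for root from 192.0.2.9 port 60002 ssh2
Mar  3 10:35:00 lab sshd[1209]: Failed password for root from 192.0.2.9 port 60004 ssh2
Mar  3 10:50:00 lab sshd[1210]: Failed password for root from 192.0.2.9 port 60006 ssh2
Mar  3 11:05:00 lab sshd[1211]: Failed password for root from 192.0.2.9 port 60008 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2025):
    """Syslog timestamps carry no year; the year is an assumption for the demo."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=5, findtime=600, bantime=3600):
    """Replay the log and return [(ip, ban_start, ban_end)] in the order bans would fire.

    maxretry/findtime/bantime mirror the fail2ban option names: ban an IP once it
    has maxretry failures within findtime seconds, for bantime seconds.
    """
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> datetime the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in banned_until and ts < banned_until[ip]:
            continue  # the firewall would already be dropping this source
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            banned_until[ip] = until
            bans.append((ip, ts, until))
            q.clear()
    return bans


def nft_ban_command(ip):
    """The firewall action fail2ban would run; the set name is an assumption for the demo."""
    return f"nft add element inet filter banned {{ {ip} }}"


if __name__ == "__main__":
    for ip, start, end in scan(SAMPLE_LOG):
        print(f"{start.isoformat()} ban {ip} until {end.isoformat()}: {nft_ban_command(ip)}")
```

Running it bans only 203.0.113.7: the slow attacker 192.0.2.9 never accumulates five failures inside the ten-minute window, which is the caveat with fail2ban-style rate limiting. It stops noisy brute force, but a patient attacker spreading attempts across many addresses or long intervals stays under `maxretry`, so it complements key-only SSH rather than replacing it.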
Would putting everything behind anubis mitigate that?
To a point yes, for the crawler bots, but Anubis uses a lot more resources to keep the bots busy than a simple firewall ignoring the request. And if there’s no response vs a negative response, the requests are likely to fall off more quickly. And the even more significant load might be from malicious login attempts which use even more resources and Anubis likely won’t be as effective on those more targeted attacks depending on the types of services we’re talking about. Either way, firewall blocks are way, way less resource intensive than any of that, so as soon as you open up that firewall and start responding to those malicious or abusive requests they will become progressively more resource intensive to mitigate.
Yes but I’m spite driven. I’ll take the extra hit to inflict damage on the crawlers.
Problem is many of us are stuck with very low upstream bandwidth due to cable company ISP monopolies and/or data caps, or we’re just running things on a small Raspberry Pi or something, and the malicious requests will create extra expense or flat out denial of service for real traffic.
If you’re on a Raspberry Pi or mobile then it’s probably best to filter that traffic because my website is dogshit on mobile. I flat out do not understand CSS.