Security & Privacy
When connecting your server to the open internet – whether by VPN, reverse proxy or a combination of both – it is also important to focus on sustainable security and privacy solutions.
- Critical Thinking
- Basic Authentication
- Authelia
- LAN-Only Access
- fail2ban
- CrowdSec
- Restricting Access by Geographic Region
- Hiding from Search Engines
Critical Thinking
Take about criticality and it's importance. Just because we've always done in this way doesnt mean we need to.
Attack surface
Close unused containers
Close unused ports
Uninstall unused software
Disable unused hardware
What is the difference between the two?
Security vs convenience
Privacy
The ability to control who can access our personal information and what they can see.
Security
The proactive measures we take to keep ourselves free from digital threats.
Obscurity
When we self-host our own services, we remove ourselves from the more typical security threats. While OwnCloud may have software vulnerability, they are quickly patched. Actors more commonly attack large companies where more data can be taken. Unless specifically targeted, you are less likely to suffer a security breach
Two-Factor Authentication
Passwords & Passphrases
Basic Authentication
SWAG makes it easy to use basic HTTP authentication through your web browser to password-protect a basic website.
Authelia
SWAG can also be easily integrated with Authelia, a service that can provide a unified login experience through single sign on. Anytime someone tries to access a page protected by authelia, they will be forced to login. Once logged in, you can access all Authelia protected applications without signing it again. For added security, you can configure 2FA with your BitWarden service.
LAN-Only Access
How to configure swag to restrict access to your current IP address.
fail2ban
This service is provided by SWAG by default it is used to automatically ban someone trying to access your server and using invalid authentication. It does this by banning the IP address of the attacker for an increasing amount of time for each offense.
Fail2ban works out of the box with intrusion detection for basic http authentication as well as Authelia. For other applications that do not use these, such as Plex, Jellyfin, and other apps that have their own login screen, you will need to manually configure them. Fail2ban works with these services by monitoring their log files for evidence that someone failed to login.
CrowdSec
CrowdSec is an open-source security solution for responding to malicious actors on your services. They take a unique approach by levering the power of the open-source community to actively share information about previous cyber attacks and protect your community.
Restricting Access by Geographic Region
https://www.linuxserver.io/blog/securing-swag
https://github.com/linuxserver/docker-mods/tree/swag-dbip
Hiding from Search Engines
https://www.linuxserver.io/blog/securing-swag#search-results
Blocking robots.