Hey guys,

Currently I'm just running Calibre and Nextcloud Docker containers over the web, with a DDNS from No-IP and a Cloudflare domain. But I also want to set up a Vaultwarden container, so now I need to really consider the security of my server. What are the main things to watch out for? Calibre and Nextcloud are just using subdomains; is it okay to have a subdomain to connect to Vaultwarden? Am I better off just trusting Bitwarden and sticking with them?

Thanks!

28 points

IMO if you are asking such question - stick to Bitwarden cloud.

Passwords, at least to me, are something I don’t want to lose. I don’t trust myself to provide proper uptime & security, so I just use the cloud version.

4 points
*

I recently switched to cloud from vaultwarden. I was comfortable enough with the security, but when I started to actually plan disaster recovery, it was something I literally could not afford to get wrong.

So bitwarden is the one service I don’t, and have no plans to, self host.

3 points

Bitwarden’s official self hosting stack (not a single container) ships with nightly encrypted database dumps. And their backup page mentions just needing to backup the ‘bwdata’ folder which has worked great for me.

https://bitwarden.com/help/install-on-premise-linux/

1 point

That’s great. For me, at least, getting a server restored from backup on something like aws without access to passwords was going to require more preparation than I was willing to deal with.

Definitely worth exploring if you’re prepared to handle that though.


Yeah, that was something I was worried about too; it's not like my server is a proper rig. It's just a shitty laptop with a slow-ass HDD, and who knows how much life it's got.

19 points

Is there a reason you can’t just VPN in and expose only the VPN gateway? My preferred security is not exposing a bunch of random applications to the internet and hoping each doesn’t ever have any vulnerabilities.


Yeah, I could definitely do that. However, would that cause much trouble regarding using the Nextcloud Android app, or my e-reader, which uses OPDS to get books from Calibre? I get that I'd have to sign into the VPN, but I already use Mullvad on everything.

Sorry, I just don't know much about personal VPNs.

3 points

As long as you’re connected to the VPN it probably shouldn’t. I use the automate app on my phone to automatically connect to my home wireguard server whenever I’m off my wi-fi, and it works great.

You’re going to run into the issue of only being able to have one VPN connected on Android at a time, though, if you’re already running Mullvad on it. But as long as you have a decent connection at home and no data cap, you could just route all of your traffic through your home network, then split-tunnel your private IPs to connect directly and send anything else through Mullvad.

3 points

Headscale would be a self-hosted way of doing this as well.

  • You’d install headscale publicly accessible on your VPS or port-forwarded server.
  • You’d configure your phone and any laptop you travel with using the tailscale apps with the special hidden setting to use your custom control-server.
  • Now any apps you want to access yourself but not for the public unauthenticated internet to see, you bind to tailscale/headscale interfaces rather than public interfaces.
  • Anything you DO want publicly accessible (for example immich for image sharing to friends who aren’t on your tailscale network) you host the normal way by binding to a public interface.

You could also do this with regular tailscale and cut the self-hosted headscale out of the picture.

But by doing this or another private VPN setup, you take the listeners for some of your apps off the internet and reduce your attack-surface. It obviously doesn’t help for WordPress or other stuff you actually want to share publicly, but it can give some peace of mind for personal services like bitwarden or Jellyfin.

14 points
Removed by mod
13 points
*
Deleted by creator

Have you got any resources regarding setting up a firewall? I forgot about fail2ban, though; gotta set that up soon.

3 points
*
Deleted by creator

Sorry, but I sincerely hope you just don’t selfhost Vaultwarden.

Are you saying this because I don't know much about firewalls and VPNs right now? Or because I don't have a good backup solution? Or something else?

Currently my backup solution might not be the nicest, but I'm taking regular backups on the same laptop, copying those onto an external HD, and syncing that onto my main PC, which hopefully should be enough.

12 points

Personally I trust Bitwarden more than myself to keep all my passwords secure AND available. They’ve got a good track record as far as I’m aware.

For general security hardening though…

I use Shodan to help me identify if anything is misconfigured and what is visible from the web. You can usually pick up a lifetime account for $1 when they run a deal; then you can just monitor your DDNS, domain, and IP address and have it email you when any new services are detected.

Cloudflare Tunnels, to remove the need for an nginx reverse proxy (with the added benefit of easy failover as well as simplifying your stack). Then I’m utilizing Cloudflare’s WAF to handle filtering out known malicious IP addresses, foreign IP addresses, and other malicious traffic.

Another route you can go is an nginx/HAProxy reverse proxy behind something like Suricata. Then you can utilize something like fail2ban or CrowdSec.

Authentik. Get everything behind an SSO experience and don’t expose your backend services to unauthenticated local traffic (utilize HTTP basic auth with header passthrough in Authentik). So many people set up auth wrong and then have something like auth.domain.com going through auth but mistakenly have their external IP address set up to allow traffic in authenticated.


Community: Selfhosted (!selfhosted@lemmy.world)