Edit: thanks for all your help and replies, this is such a great community!
I would like to host a public service for some family, probably Peertube so we can share some videos. Invite only.
There’s no way I’m going to get everyone onto a VPN, it’s a non-starter though I would prefer it.
I am thinking of using a VPS with anubis and either crowdsec or fail2ban (or both?!) in front of Peertube. Will apply as much hardening as I can muster behind that: things in containers, systemd hardening, SELinux/Apparmor enabled/tuned, separate users for services, the usual. All ports shut except 80/443, firewall up.
Despite all this I expect it will get scanned and attacked, as it will have to expose ports 80/443 to the world so for family it will just work.
Is there anything else I should consider for security? Is Peertube the weakest link in the chain? (a little concerned their min password length is 6 it seems and no 2fa). So long as I keep the whole thing up-to-date is it as secure as anybody can manage these days (without resorting to VPN)?
Is it all too much hassle and I should look for a company that offers hosted Peertube so they can worry about it?
Thanks for any and all advice.
It sounds like you’ve got the right plan. I use Anubis and fail2ban along with some manual rules on nginx to block AI bots. In my experience Anubis helps a lot, and you can monitor nginx logs over time for scans and such to make additional ban rules on.
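As an added example of the log-monitoring step mentioned above (not the poster's own code): a small Python script that parses nginx combined-format access log lines and applies a fail2ban-style maxretry/findtime rule to surface clients that keep requesting files that don't exist, so the paths can be reviewed before they are turned into a ban rule. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample nginx access log lines (combined format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:04 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:05 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:06 +0000] "GET /videos/watch/abc HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:13:30:00 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Regex for the nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return ip, ts (aware datetime), method, path, status, ua; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def scan_candidates(log_text, maxretry=5, findtime=60):
    """fail2ban-style rule: flag an IP with >= maxretry 404s inside a findtime-second window."""
    recent = defaultdict(deque)  # ip -> (timestamp, path) of 404s still inside the window
    flagged = {}                 # ip -> paths that filled the window, for review before banning
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "404":
            continue
        window = recent[rec["ip"]]
        window.append((rec["ts"], rec["path"]))
        while (rec["ts"] - window[0][0]).total_seconds() > findtime:
            window.popleft()  # drop misses that are older than findtime
        if len(window) >= maxretry and rec["ip"] not in flagged:
            flagged[rec["ip"]] = [path for _, path in window]
    return flagged

if __name__ == "__main__":
    for ip, paths in scan_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} missing-file requests within 60s, e.g. {paths[:3]}")
```

The client with one stray 404 an hour apart never fills the window, which is the point of pairing a count with a time window rather than banning on a single miss.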
Good to hear Anubis is effective - I would hope that takes the site out of the ‘easy target’ sort of category and most bots give up. Yeah I think monitoring is gonna be key to keep an eye on threats. Thanks!
I hate to sound like a shill for one thing but pangolin tunneled reverse proxy is a pretty cool way to expose stuff
Thanks for this suggestion - this is interesting because it looks like pangolin combines almost all the measures mentioned so far here apart from Anubis: auth provider with one-time email passcodes, geoip blocking, crowdsec plus bonus automated cert handling. It does look like it does nearly everything in one package and I can pay for them to host it for me if I don’t want to selfhost those parts. Strong contender!
I think you will be fine as described.
If you want extra peace of mind with 2FA, you can use Authelia (https://www.authelia.com/integration/openid-connect/clients/peertube/) or a similar service that you can put in front of peertube to handle auth.
Authelia is great, but I’ve been using Authentik for a similar setup and it’s been rock solid with a more user-friendly UI if your family members aren’t tech savvy, plus it has some nice passwordless options.
That’s a great suggestion, then I’m not relying just on the app/service to have super secure auth.
unethical life pro tip, but you can use the free tier of Cloudflare tunnels + Access to accomplish this. While technically against the ToS, I have been doing this with jellyfin for over a year now, I don’t cache anything, and my overall bandwidth usage is low, so it’s probably not very noticeable. If I get banned at some point I’ll just create a new free account ¯\_(ツ)_/¯
Consider Tailscale. It’s a mesh VPN based on Wireguard that uses a hosted service to manage keys and devices. It works without having to expose any ports on the firewall, and can expose a service through a relay server.
Some people will say that you shouldn’t trust it because company bad, but you should give it a try and make up your own mind. If you’re feeling adventurous, you can install Headscale on a VPS to serve as a control server.
Bro said ‘no vpn’ a hundred times lol
Bro is also concerned about attacks on exposed well-known ports, in which case bro can use Tailscale Funnel to expose a service without exposing a port. Besides, bro can make up bro’s own mind.
Hey thanks for this. Yep I’ve got too many users and most are not technical so it’s just a huge headache to get them all onto VPN no matter how simple. That said I’d consider tailscale/funnel for other projects and it’s always good to hear what others are using.