"Best Practices" for Hosting Publicly Available Services?

I am looking for advice on how to best segment (or not) things in my self-host/home-lab environment. Namely, is it actually important for me to have separate data & web servers.

I am working on making a server for hosting several+ services for family, probably servicing 10-20 persons, maybe more. I plan to make things like game servers, Nextcloud, Jellyfin, and other services “publicly available” on a web domain that my family can use by entering URLs (or IP address+port for phone apps?) on their devices.

(I am doing it this way because using VPNs just isn’t a realistic expectation for everyone who’d use the services. [And I know others who’ve hosted publicly available things for years without trouble.])

I learned from Jay of Learn Linux TV that for business production it is better to separate data from web servers for better protection from malicious activity, but I don’t want to go to that level of complexity just yet (I am a novice at these things).

So, since I am making services public, should I barricade my data in a server that is separate from and accessed by my web server(s), or is it acceptable to keep the data on the same server as the web services?

What do folks on this forum do?

1 Like

What do you mean by separate?
And what do you think you gain by doing so?

Ports? Urghhh, ugly.

Way to go IMHO is a reverse proxy. I personally like NGINX, but most people seem to like Traefik.

I use NGINX as a proxy. That proxy points to different VMs in different VLANS.
Every single service is either secured by public auth or by 2FA. That way brute force should not be a problem. My proxy also runs CrowdSec, which at least filters out some IPs. Stuff like Jellyfin I set users to be disabled after 3 tries.

2 Likes
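As an added example (not from any poster in this thread), here is what the "one NGINX proxy pointing at VMs in different VLANs" setup looks like in config form: two public hostnames, each forwarded to a backend on its own VLAN subnet, with the login endpoints rate-limited per client IP so that lockout after a few tries is backed up at the proxy. All hostnames, addresses, certificate paths and the login URL paths are assumed placeholders.

```nginx
# Added example: NGINX reverse proxy in front of VMs on separate VLANs.
# Addresses, hostnames and paths below are assumed, not from the thread.

# Per-client-IP bucket for login attempts: 5 requests/minute (http context).
limit_req_zone $binary_remote_addr zone=logins:10m rate=5r/m;

# Common proxy headers so the backend sees the real client, not the proxy.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name cloud.example.home;            # assumed public hostname
    ssl_certificate     /etc/nginx/certs/cloud.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/cloud.key;   # assumed path

    # Nextcloud VM on the "apps" VLAN (assumed 10.10.20.0/24).
    location / {
        proxy_pass http://10.10.20.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Throttle the login form; excess requests get HTTP 503.
    location = /login {
        limit_req zone=logins burst=5 nodelay;
        proxy_pass http://10.10.20.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name media.example.home;            # assumed public hostname
    ssl_certificate     /etc/nginx/certs/media.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/media.key;   # assumed path

    # Jellyfin VM on a different "media" VLAN (assumed 10.10.30.0/24).
    # The firewall between VLANs only needs to allow proxy -> 10.10.30.10:8096.
    location / {
        proxy_pass http://10.10.30.10:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;          # websocket support
        proxy_set_header Connection $connection_upgrade;
    }
}
```

The backends only ever see connections from the proxy's address, so the inter-VLAN firewall rules can be reduced to exactly those proxy-to-service ports.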

The intent is to protect data from ransom attack type scenario, where someone gains unauthorized access and encrypts the data. How? By separating the data from the web servers, a hacker would then have to egress the web server to get to the data.

Way to go IMHO is a reverse proxy. I personally like NGINX, but most people seem to like Traefik.

I already have NGINX ready to go! :)

I use NGINX as a proxy. That proxy points to different VMs in different VLANS.

Every single service is either secured by public auth or by 2FA. That way brute force should not be a problem. My proxy also runs CrowdSec, which at least filters out some IPs. Stuff like Jellyfin I set users to be disabled after 3 tries.

Awesome! I was already planning to add CrowdSec to my pfSense.

Thanks!

Perfect, so you basically have everything already.

I have CrowdSec installed on both my OPNsense and my NGINX reverse proxy. It is almost meaningless on OPNsense, just a few port scans. While on NGINX there are way more scans, and not only of open ports.

1 Like

I run storage (Samba) natively on my server, while “public” services run as VMs on the same server. Each VM has its own VLAN with access firewalled through an external/separate OPNsense router. E.g. a Valheim game server has no access to my internal LAN; my Deluge server has access to Samba (port 445) on my server but nothing else.

It’s probably more secure to use a physically separate storage server, to protect against any vulnerabilities in the hypervisor. On the other hand, running the VMs on the same server removes the network bandwidth bottleneck when storage access is needed – and also allows storing VM images on the storage server with “native” disk performance.

It’s all a bunch of compromises, I guess.

4 Likes

I would just add: have geo blocking on your firewall. Allow only countries you need access from; that will bring the number of attacks down significantly.

Since I’ve blocked US, China, Russia and India, things are much more manageable.

There are services where you can get free “lite” versions of IP-to-geo databases; IIRC I use MaxMind. You get a permalink and it updates from there, and for residential IPs it works pretty well.

2 Likes

Just be sure to remember to unblock a country before you travel ;)

1 Like

This is more like the setup I was contemplating - the data is stored on one VM and the services on another.

I may just combine ALL the techniques (but not physically separate servers) for better security and building skill & experience.

Thanks, everyone!