I’m not great with Docker or networking, so when I picked up an n100 mini pc for self hosting I installed Ubuntu and Tipi to get started.

I used Tipi to install Immich and forwarded my ports, then set up Cloudflare tunneling to expose it to the internet. Currently I’m migrating from Google Photos.

But since I’m new to this I’m worried about exposing Immich to the internet without really knowing what I’m doing. Any suggestions on ways to monitor my setup to make sure nothing goes wrong or gets hacked? Ideally any application suggestions would come from the Tipi app store but I’m willing to learn if there’s no other option. Thanks!

  • Lunch@lemmy.world · ↑2 · 8 months ago

    Have a look at Tailscale for your devices, this will prevent you from having to expose anything to the Internet, but rather having it behind your own VPN solution. Tailscale is the kinda service that is stupid easy to get going with too. HIGHLY recommend it!

  • sacbuntchris@lemmy.world (OP) · ↑1 · edited · 8 months ago

    Thanks to everyone who took the time to answer. How do I check if my server has been accessed?

    • /bin/bash/@lemmy.world · ↑1 · 8 months ago

      Through ssh, when you connect to your machine, run:

      lastb -10

      This will show you the last 10 failed login attempts; you can change it to 20 or whatever.

      You can also run: last -10 to see the last successful logins.

      Use:

      more ~/.bash_history

      to see all the commands that someone has typed.

      In the dir /var/log you have a lot of other logs too.

      For a more paranoid level, use

      netstat -a

      This will show you all incoming and outgoing communications.

      And like the others said, consider using a firewall and fail2ban.

      Note: don’t rely too much on firewalls since they are easy to bypass.

      Keep all software updated.

      Read frequently about new vulnerabilities; if there is some vulnerability that affects your software, turn off that service until it gets patched.
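As an added example (not code from the commenter above), the same kind of check done against sshd lines from /var/log/auth.log instead of the lastb/last databases: failed password attempts per source address, successful logins, and any address that failed repeatedly and then got in. The log lines in SAMPLE_LOG are constructed for illustration, not from a real host; on your own box feed it `cat /var/log/auth.log` or `journalctl -u ssh`.

```bash
#!/bin/bash
# Constructed sample sshd log lines (not real data); RFC 5737 test addresses.
SAMPLE_LOG='Mar  3 10:01:12 n100 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 n100 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:19 n100 sshd[815]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:02:40 n100 sshd[820]: Failed password for chris from 198.51.100.9 port 40112 ssh2
Mar  3 10:03:02 n100 sshd[820]: Accepted publickey for chris from 198.51.100.9 port 40112 ssh2: ED25519 SHA256:constructed
Mar  3 10:05:00 n100 sshd[830]: Accepted password for chris from 203.0.113.7 port 51100 ssh2'

# Read sshd lines on stdin; print "count ip" for failed password attempts,
# most frequent source first. The username part varies ("invalid user admin"
# vs "root"), so we locate the address by the word "from" rather than by field.
failed_by_ip() {
  awk '$5 ~ /^sshd\[/ && $6=="Failed" && $7=="password" {
         for (i=8; i<=NF; i++) if ($i=="from") { print $(i+1); break } }' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read sshd lines on stdin; print "user ip method" for every successful login.
accepted_logins() {
  awk '$5 ~ /^sshd\[/ && $6=="Accepted" {print $9, $11, $7}'
}

# Flag sources that failed at least THRESHOLD times and later logged in
# successfully: the trace a password-guessing run that worked leaves behind.
# Usage: suspicious_sources [threshold]   (default 3), sshd lines on stdin.
suspicious_sources() {
  threshold="${1:-3}"
  log="$(cat)"
  printf '%s\n' "$log" | failed_by_ip | while read -r count ip; do
    [ -z "$ip" ] && continue
    if [ "$count" -ge "$threshold" ] \
       && printf '%s\n' "$log" | accepted_logins \
          | awk -v ip="$ip" '$2==ip {found=1} END {exit !found}'; then
      echo "$ip"
    fi
  done
}
```

Anything `suspicious_sources` prints deserves a look at `last`, the user's history and a password change, and is a good reason to turn on fail2ban or switch sshd to key-only logins.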

    • merthyr1831@lemmy.world · ↑3 · 8 months ago
      1. create empty debit account
      2. place credentials to account in server’s home directory
      3. if you get a call from your new account’s bank, they’ve got your server
  • wildbus8979@sh.itjust.works · ↑2 ↓1 · edited · 8 months ago

    First, I would caution against exposing services to the internet. It would be far better to leave everything behind a VPN that only you or trusted peers can access.

    Past that you can use tools like OSSEC, Snort, and fail2ban.

      • BearOfaTime@lemm.ee · ↑1 · edited · 8 months ago

        Tailscale is a mesh network. It’s all encrypted, like a VPN, but not exactly the same thing.

        It’s kind of like each member of the network having a VPN connection to every other member of the network.

        Tailscale has a neat feature called Funnel, which funnels specified inbound traffic from the internet to a specific resource/service/device.

        That traffic is encrypted too, starting from the entry point (which is hosted by Tailscale).

        This can be useful for example, for something like Nextcloud, so clients don’t have to run the Tailscale app to get access.

  • Björn Tantau@swg-empire.de · ↑0 · 8 months ago

    Set up a weekly or at least monthly reminder to check for updates. That’s the most important thing to do. Outdated packages may have known security vulnerabilities.