zlacker

[parent] [thread] 6 comments
1. Schema+(OP)[view] [source] 2026-01-11 23:37:21
If you expose ports, literally everything you are hosting and every plugin is an attack surface. Most of this stuff is built by single hobbyist devs on the weekend. You are also exposed to any security issues you make in your configuration. My first attempt self hosting I had redis compromised because I didn't realise I had exposed it to the internet with no password.

Behind a VPN your only attack surface is the VPN which is generally very well secured.

replies(2): >>sva_+c1 >>Jach+aj
2. sva_+c1[view] [source] 2026-01-11 23:45:48
>>Schema+(OP)
You exposed your redis publicly? Why?

Edit: This is the kind of service that you should only expose to your intranet, i.e. a network that is protected through wireguard. NEVER expose this publicly, even if you don't have admin:admin credentials.

replies(2): >>Schema+F2 >>vladva+T91
◧◩
3. Schema+F2[view] [source] [discussion] 2026-01-11 23:57:14
>>sva_+c1
I actually didn't know I had. At the time I didn't properly know how docker networking worked and I exposed redis to the host so my other containers could access it. And then since this was on a VPS with a dedicated IP, this made it exposed to the whole internet.

I now know better, but there are still a million other pitfalls to fall into if you are not a full time system admin. So I prefer to just put it all behind a VPN and know that it's safe.

replies(1): >>drnick+67
◧◩◪
4. drnick+67[view] [source] [discussion] 2026-01-12 00:33:04
>>Schema+F2
> but there are still a million other pitfalls to fall in to if you are not a full time system admin.

Pro tip: After you configure a new service, review the output of ss -tulpn. This will tell you what ports are open. You should know exactly what each line represents, especially those that bind on 0.0.0.0 or [::] or other public addresses.

The pitfall that you mentioned (Docker automatically punching a hole in the firewall for the services that it manages when an interface isn't specified) is discoverable this way.

replies(1): >>jsrcou+9a
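As an added example (not code from anyone in this thread), here is a small POSIX shell audit that does what the tip above describes: take the output of ss -tulpn, flag every socket bound to a wildcard address (0.0.0.0, [::] or *), then subtract the ports you deliberately expose so that only the listeners you did not plan for remain. The sample ss output is constructed to look like the situation described earlier in the thread: Docker's docker-proxy publishing redis on 0.0.0.0:6379 next to the listeners you actually want (sshd, a reverse proxy) and ones correctly bound to loopback. Function names, the allowlist argument and the sample lines are my own assumptions; the column layout is the standard ss -tulpn layout.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `ss -tulpn` output for sockets
# bound to wildcard addresses, i.e. reachable on every interface, which on a
# VPS with a dedicated IP means reachable from the whole internet.
#
# Real use:   ss -tulpn | unexpected_listeners "22 443"
# The sample below is CONSTRUCTED to resemble a host where Docker published
# redis on all interfaces (`-p 6379:6379`), so it runs offline.

SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*         users:(("grafana",pid=1801,fd=9))
tcp   LISTEN 0      4096   0.0.0.0:6379        0.0.0.0:*         users:(("docker-proxy",pid=2210,fd=4))
tcp   LISTEN 0      4096   [::]:6379           [::]:*            users:(("docker-proxy",pid=2216,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=4))
tcp   LISTEN 0      4096   *:443               *:*               users:(("nginx",pid=1500,fd=6))'

# Reads ss output on stdin, prints "proto local_address process" for every
# socket whose local address is a wildcard. Loopback and link-local binds
# (127.0.0.1, 127.0.0.53%lo, ...) are left out because they are not reachable
# from outside the host.
flag_wildcard_listeners() {
    awk 'NR > 1 {
        addr = $5
        # Port is everything after the last ":"; the host part is the rest.
        # This keeps "[::]" intact even though it contains colons itself.
        n = split(addr, parts, ":")
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host == "0.0.0.0" || host == "[::]" || host == "*") {
            # Process column is empty when ss is run without privileges.
            proc = ($7 == "") ? "-" : $7
            print $1, addr, proc
        }
    }'
}

# Same as above, minus the ports you intentionally expose to the internet.
# $1 is a space-separated allowlist of public ports, e.g. "22 443".
# Anything printed is a listener you did not plan for and should explain
# (or bind to loopback / a VPN interface).
unexpected_listeners() {
    allow=" $1 "
    flag_wildcard_listeners | while read -r proto addr proc; do
        port=${addr##*:}
        case "$allow" in
            *" $port "*) ;;   # expected public service, skip
            *) printf '%s %s %s\n' "$proto" "$addr" "$proc" ;;
        esac
    done
}

# Demo on the constructed sample. Expected: only the two docker-proxy lines
# on port 6379 are printed, which is exactly the redis-on-a-VPS pitfall.
#
# Fix for that case (real docker flags): publish on loopback only,
#   docker run -p 127.0.0.1:6379:6379 redis
# or, better, skip -p entirely and put redis and its consumers on a
# user-defined network (docker network create ...; docker run --network ...),
# so the port is never published on the host at all.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners "22 443"
```

Run it against real output with sudo so the Process column is filled in; without it you still get the addresses and ports, just not which daemon owns them. The allowlist is deliberately per port rather than per process name, because the question the tip raises is "what is reachable from outside", not "which binary is listening".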
◧◩◪◨
5. jsrcou+9a[view] [source] [discussion] 2026-01-12 00:55:47
>>drnick+67
Thanks, didn't know about this one.
6. Jach+aj[view] [source] 2026-01-12 01:55:55
>>Schema+(OP)
I have a VPS with OVH, I put Tailscale on it and it's pretty cool to be able to install and access local (to the server) services like Prometheus and Grafana without having to expose them through the public net firewall or mess with more apache/nginx reverse proxies. (Same for individual services' /metrics endpoints that are served with a different port.)
◧◩
7. vladva+T91[view] [source] [discussion] 2026-01-12 09:43:23
>>sva_+c1
Isn't GP's point inadvertently exposing stuff? Just mention docker networking on HN and you'll get threadfuls of comments on how it helpfully messes with your networking without telling you. Maybe redis does the same?

I mitigate this by having a dedicated machine on the border that only does routing and firewalling, with no random services installed. So anything that helpfully opens ports on internal vms won't automatically be reachable from the outside.
