
I hear a lot of stories like this. I've been self-hosting for a few years out of my home. I have a symmetrical gigabit fiber connection. My IP changes very frequently (DDNS and a low TTL solves that problem for my use cases).

_anyway_

I haven't been hacked.. yet. /me knocks on wood

The precautions I take are basic:

  - Use unique and secure credentials on each service I expose.
  - I only expose ports 80 and 443 to the public. 80 HTTP redirects to HTTPS/443
  - I keep my software updated (docker-compose pull)
  - Nightly backups to cloud storage and local disk
  - I "airgap" my home network from my hosting network. There is no shared hardware between them including firewalls/routers, switches, etc.

I figure cloud services and SaaS get hacked anyway. I can't enumerate the breaches my data has been a part of. If my self-hosted stuff gets hacked at least I can do the forensics and actually see what happened and what was accessed. With a 3rd party all I can hope for is what their PR department lets out.



The first hack I noticed was that someone had set a password on my redis server because the default was no password and I had accidentally exposed it to the wider internet. This was exposed for 6 months before this happened. Who knows what else was accessed without me knowing.


It's pretty silly how many services are public by default when ideally they should only listen on a unix domain socket (or nothing) until you configure something else.
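An added example, not part of any comment in this thread: a small audit of a `redis.conf` for the exposure described in the two comments above (a TCP listener reachable off-host with no password) against a unix-socket-only setup. The directive names are Redis's own; the function names and both sample configs are constructed for illustration, a missing `bind` line is treated as "all interfaces" by assumption, and ACL users are not considered.

```python
import ipaddress

# Constructed sample: TCP listener on every interface and no password.
EXPOSED_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed sample: TCP disabled, unix domain socket only.
SOCKET_ONLY_CONF = """\
port 0
unixsocket /run/redis/redis.sock
"""

def parse_conf(text):
    """Map each directive to its argument list (last occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = [p.strip("\"'") for p in parts[1:]]
    return conf

def first(conf, key, default):
    """First argument of a directive, or the default if absent or empty."""
    return (conf.get(key) or [default])[0]

def is_loopback(addr):
    try:  # a leading '-' marks an optional address in newer redis.conf files
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False  # '*' or a hostname: assume it is reachable off-host

def audit(text):
    """Return a list of finding names for one redis.conf text."""
    conf = parse_conf(text)
    if first(conf, "port", "6379") == "0":
        return []  # no TCP listener at all; only the unix socket remains
    findings = []
    binds = conf.get("bind")  # assumption: missing bind means all interfaces
    public = not binds or any(not is_loopback(b) for b in binds)
    if public:
        findings.append("tcp-listener-not-loopback-only")
    if not first(conf, "requirepass", ""):
        findings.append("no-requirepass")
    if public and first(conf, "protected-mode", "yes").lower() == "no":
        findings.append("protected-mode-off")
    return findings
```
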


I'm interested in how you set up your home and hosting networks without any shared hardware. I've been running my own websites from home for a while on their own machines, but never considered they could be on a completely separate network all the way up to the modem.


My ISP provides me with PPPoE into my house. I have that Ethernet going into a small switch which both networks connect to via a firewall. Each network establishes its own PPPoE session and receives its own (dynamic) IP address.


IMO separate hardware for your self-hosted network puts you into a whole new class of hosting at "home."


Not necessarily. For my use case it’s one extra 4 port gigabit switch and a single PC that runs everything containerized including the NAS, firewall, and apps.



