Remix.run Logo
bayindirh 19 hours ago

However, it'll also bring all the bots and "wild west" of the internet to your house when you run your web server from home, and for anyone who has a couple of spare dollars, it's a much wiser choice to run a small VPS elsewhere to weather the storm.

bblb 15 hours ago | parent | next [-]

[Internet facing router with up to date firmware] --> HTTPS --> [separate VLAN DMZ] --> [my hardcore IndieWeb VM/k8s/bare-metal whatever] --> [x No outbound access / paranoid local firewall inside the VM x]

[My home computer] --> SSH --> [my hardcore IndieWeb local cloud]

That's about it. Safe enough.

neogodless 19 hours ago | parent | prev [-]

shrug

In 25 years of hosting a dozen domain names on a server on my home connection, this problem has not surfaced for me.

bayindirh 19 hours ago | parent | next [-]

In 20 years of managing server fleets, I always had the pleasure of watching bots taking a dig at my server(s) the moment I give their public IPs and enable their interfaces.

For someone who knows what they are doing, it's more like mosquito noise, a mere nuisance, but even then, using a rock solid system with all updates installed carries the risk of having a zero-day.

If your server is networked to the rest of the house, and if somebody manages to get in, then it's all fun(!).

wolvoleo 18 hours ago | parent | prev | next [-]

One time has to be the first and when you get hacked they're instantly inside your network unless you were smart enough to set up a DMZ or something.

Especially if you host something like wordpress with plugins you really have to be on the ball with updates.

superkuh 15 hours ago | parent [-]

For 20 years this was not really an issue. From 2010 to 2020 there wasn't a single nginx cve that applied to my simple static setup. There were literally only a handful of remote CVE at all. With the advent of LLM AI exploit finding there have been 2 CVE this year that I had to look in to. Neither actually applied to me, but it is a different world out there.

That said, the practice of running a modern corporate web browser that auto-executes all programs sent to it from arbitrary unknown third parties is a way, way, way bigger and more common and likely attack surface than a simple static webserver serving files in directories.

wolvoleo 15 hours ago | parent [-]

Ok fair enough yes a static site is really low risk. Usually it's more involved than that though.

zikduruqe 17 hours ago | parent | prev [-]

Yep, same here. fail2ban and some http 444 helps out.