Greenhouse Update 4 - September
@forestjohnson hey, I think this is really cool and all, but I've got a question for you!
What are the inherent risks in self-hosting from a security perspective? I'm redoing my home server currently to act as a wiki, and some federated stuff, got instance and maybe some build automation as a service for a small solarpunk community, but what are the risks of say having my IP address floating around out there? I'm curious and you may have thought about this a bit more than me 😅
Good question. It may depend. I have been self-hosting for many years, and I have always used my home IP address to do so. I've never run into any problems with it.
I would summarize it with different risk categories.
1. ingress vulnerability risk
The risk that the server you put onto the public network is vulnerable to an ez-to-execute attack which would allow a remote attacker to run code on your server and take it over.
2. accidental exposure
The risk that you accidentally publish something you didn't mean to publish, like your private documents.
3. privacy/self-doxxing risks
If you operate your public site via your home IP address like I do, obviously anyone who knows about the existence of your site also knows your home IP address and may be able to execute a DOS attack against you (pay a small-time criminal to have 1000s of compromised computers attempt to connect to your house, thus clogging/disabling your home internet connection).
Also, typically in order to host a web site, you have to have a domain name. The contracts for domain name registration require you to put your personally identifying information on file with the registrar in association with the domain name. This personally identifiable information may or may not be published (it's almost always not published) but it is definitely on file.
If you wish to address #1, all you have to do is use common configurations of well known and up-to-date open source software and you should be fine.
If you wish to address #2, just be sure to understand what the software you install is doing, be careful what you publish, if you implement any sort of security in front of your private content, then try to attack your own site a bit to make sure it's not trivially vulnerable.
If you wish to address #3, you may either host your website via TOR or another anonymity network, or you may use a hosting-oriented VPN/reverse tunnel provider like Greenhouse. You may also set up your own VPN with a cloud provider of your choice to act as a lightning rod.
There are probably privacy-focused DNS providers as well. Or you can use Namecoin, but that won't work with anyone else's computer yet.
It's also possible that by getting your IP address, someone could use it to leapfrog to more personal information about you like your name or home address.
However, unless you are an absolute privacy freak, using TOR and 100% opsec everywhere you go, using cash all the time, no credit cards, no car, etc etc, I really don't think that hosting a web site is any more dangerous than simply using the internet in the first place 👍
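One way to run the "attack your own site a bit" check from #2, as an added example that is not part of the original reply: request the paths you believe are private with no credentials and list any that are served anyway. The demo site, its paths and the function names are constructed for illustration.

```python
import threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report a 3xx (e.g. bounce to a login page) instead of following it

def audit_private_paths(base_url, private_paths, timeout=5):
    """Fetch each path with no credentials; return (path, status) for any that are served."""
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    exposed = []
    for path in private_paths:
        try:
            with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # 401/403/404 and unfollowed redirects land here
        if 200 <= status < 300:  # content came back without any login
            exposed.append((path, status))
    return exposed

class DemoSite(BaseHTTPRequestHandler):
    """Constructed site: /private/ asks for a login, but a copy under /backup/ does not."""
    def do_GET(self):
        if self.path.startswith("/private/") and "Authorization" not in self.headers:
            code, body = 401, b"login required"
        elif self.path in ("/", "/private/notes.txt", "/backup/notes.txt"):
            code, body = 200, b"content"
        else:
            code, body = 404, b"not found"
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoSite)  # port 0: pick any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        return audit_private_paths(base, ["/private/notes.txt", "/backup/notes.txt", "/drafts/"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Against a real site, call `audit_private_paths` with your own base URL and the list of paths you expect to be protected, from a machine that is not logged in.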