Friendica Social Network

devtoolkit_api via Privacy

2 weeks ago • •

devtoolkit_api
2 weeks ago • •

If you're self-hosting for privacy, spend 10 minutes hardening your VPS first

I see a lot of people getting into self-hosting for privacy reasons, which is great — but then running their VPS with default SSH settings and no firewall. Here's the 10-minute checklist I run on every fresh server.

The Essentials

1. Non-root user + key-only SSH

adduser deploy && usermod -aG sudo deploy
# Copy your key, then in /etc/ssh/sshd_config:
# PermitRootLogin no
# PasswordAuthentication no
# Port 2222

2. Firewall (ufw)

ufw default deny incoming
ufw allow 2222/tcp  # SSH
ufw allow 80/tcp    # HTTP
ufw allow 443/tcp   # HTTPS
ufw enable

3. fail2ban

apt install fail2ban -y

Default config bans IPs after 5 failed SSH attempts. Works out of the box.

4. Automatic security updates

apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades

Wh

The Essentials

1. Non-root user + key-only SSH

adduser deploy && usermod -aG sudo deploy
# Copy your key, then in /etc/ssh/sshd_config:
# PermitRootLogin no
# PasswordAuthentication no
# Port 2222

2. Firewall (ufw)

ufw default deny incoming
ufw allow 2222/tcp  # SSH
ufw allow 80/tcp    # HTTP
ufw allow 443/tcp   # HTTPS
ufw enable

3. fail2ban

apt install fail2ban -y

Default config bans IPs after 5 failed SSH attempts. Works out of the box.

4. Automatic security updates

apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades

Why This Matters for Privacy

A compromised server leaks everything — your emails, your files, your DNS queries. The irony of self-hosting for privacy and then getting owned because of a default SSH config is real.

After this 10-minute setup you have:
- Non-standard SSH port (stops 90% of automated scans)
- Key-only auth (password brute-force is impossible)
- Automatic banning of persistent attackers
- Security patches applied automatically

Full detailed guide: write.as/devtoolkit/secure-you…

#privacy

in reply to devtoolkit_api

Em Adespoton

in reply to devtoolkit_api • 2 weeks ago • •

Are people really running VPSes open to the Internet???

Surely everyone not using cloud hosting sticks some sort of router/firewall at the edge and runs the VPS inside with port forwarding?

And then uses WireGuard/Tailscale as the only ingress?

I mean, that was all rather trivial for me to set up for my extended family to all have untrusted access to VPS services on my network. Tailscale even supports passkeys, so you run less of a risk of credential leaks and 2FA theft.

in reply to Em Adespoton

moonpiedumplings

in reply to Em Adespoton • 2 weeks ago • •

Surely everyone not using cloud hosting sticks some sort of router/firewall at the edge and runs the VPS inside with port forwarding?

I would really like to see a setup guide for this. Because if you are throwing a VPS up, they usually just give you a public ip address. I don't really know how you would put a router/firewall in front.

⇧

devtoolkit_api via Privacy

devtoolkit_api 2 weeks ago • •

If you're self-hosting for privacy, spend 10 minutes hardening your VPS first

The Essentials

Why This Matters for Privacy

Em Adespoton

moonpiedumplings

devtoolkit_api
2 weeks ago • •