this post was submitted on 12 Dec 2024
18 points (84.6% liked)

Selfhosted

40734 readers
354 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Considering a lot of people here are self-hosting both private stuff, like a NAS and also some other is public like websites and whatnot, how do you approach segmentation in the context of virtual machines versus dedicated machines?

This is generally how I see the community action on this:

Scenario 1: Air-gapped, fully Isolated Machine for Public Stuff

Two servers one for the internal stuff (NAS) and another for the public stuff totally isolated from your LAN (websites, email etc). Preferably with a public IP that is not the same as your LAN and the traffic to that machines doesn't go through your main router. Eg. a switch between the ISP ONT and your router that also has a cable connected for the isolated machine. This way the machine is completely isolated from your network and not dependent on it.

Scenario 2: Single server with VM exposed

A single server hosting two VMs, one to host a NAS along with a few internal services running in containers, and another to host publicly exposed websites. Each website could have its own container inside the VM for added isolation, with a reverse proxy container managing traffic.

For networking, I typically see two main options:

  • Option A: Completely isolate the "public-facing" VM from the internal network by using a dedicated NIC in passthrough mode for the VM;
  • Option B: Use a switch to deliver two VLANs to the host—one for the internal network and one for public internet access. In this scenario, the host would have two VLAN-tagged interfaces (e.g., eth0.X) and bridge one of them with the "public" VM’s network interface. Here’s a diagram for reference: https://ibb.co/PTkQVBF

In the second option, a firewall would run inside the "public" VM to drop all inbound except for http traffic. The host would simply act as a bridge and would not participate in the network in any way.

Scenario 3: Exposed VM on a Windows/Linux Desktop Host

Windows/Linux desktop machine that runs KVM/VirtualBox/VMware to host a VM that is directly exposed to the internet with its own public IP assigned by the ISP. In this setup, a dedicated NIC would be passed through to the VM for isolation.

The host OS would be used as a personal desktop and contain sensitive information.

Scenario 4: Dual-Boot Between Desktop and Server

A dual-boot setup where the user switches between a OS for daily usage and another for hosting stuff when needed (with a public IP assigned by the ISP). The machine would have a single Ethernet interface and the user would manually switch network cables between: a) the router (NAT/internal network) when running the "personal" OS and b) a direct connection to the switch (and ISP) when running the "public/hosting" OS.

For increased security, each OS would be installed on a separate NVMe drive, and the "personal" one would use TPM with full disk encryption to protect sensitive data. If the "public/hosting" system were compromised.

The theory here is that, if properly done, the TPM doesn't release the keys to decrypt the "personal" disk OS when the user is booted into the "public/hosting" OS.

People also seem to combine both scenarios with Cloudflare tunnels or reverse proxies on cheap VPS.


What's your approach / paranoia level :D

Do you think using separate physical machines is really the only sensible way to go? How likely do you think VM escape attacks and VLAN hopping or other networking-based attacks are?

Let's discuss how secure these setups are, what pitfalls one should watch out for on each one, and what considerations need to be addressed.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] -2 points 2 weeks ago (2 children)

are we talking what’s good enough security for hosting an anime waifu tier list blog or good enough security for a billion dollar corporation?

You tell me. :)

What would you do/trust in both situations?

[–] [email protected] 12 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Well from personal experience with a small website the biggest things you have to deal with are web crawlers trying to vacuum up every last ounce of data they can find and web crawlers trying to find obvious backdoors like trying default WordPress logins (even if you're not running WordPress). Make sure your software is properly configured and up to date and you're safe. Some isolation is still a good idea but don't lose sleep on which one because they're all still overkill in this case.

On the other hand if you're running a service that would be actively targeted by a large government enforcement agency or some other very wealthy and highly motivated entity, then complete physical isolation would be the only acceptable answer but with even more protocols to prevent contamination or identification as there have been attacks demonstrated that could infiltrate even air-gapped environments and that's assuming you could hide it well enough for them not to just come physically compromise it (without you even knowing).

Keep in mind if you want to use any of these technologies because you want to learn them or just think they're neat, then please do! I suspect a lot of people with these types of home setups are doing it mostly for that reason and not because it is absolutely necessary for security purposes.

[–] [email protected] 2 points 1 week ago

because you want to learn them or just think they’re neat, then please do! I suspect a lot of people with these types of home setups are doing it mostly for that reason

That's an interesting take.

[–] [email protected] 1 points 1 week ago (1 children)

Your billion dollar corporations aren't running dedicated hardware. That would be very expensive and impossible to manage.

[–] [email protected] 1 points 1 week ago (1 children)

Are you sure? A big bank usually does... It's very common to see groups of physical machines + public cloud services that are more strictly controlled than others and serve different purposes. One group might be public apps, another internal apps and another HVDs (virtual desktops) for the employees.

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (1 children)

Are you setting up a big bank?

[–] [email protected] 1 points 1 week ago (1 children)

Your billion dollar corporations aren’t running dedicated hardware

You said it, some banks are billion dollar corporations :)

[–] [email protected] 1 points 1 week ago

Ok, I meant thinks like AWS and Azure