This is an automated archive made by the Lemmit Bot.
The original was posted on /r/selfhosted by /u/Fran314 on 2024-06-22 12:07:07+00:00.
Currently my homeserver has only one port that is open, for wireguard, while every other service is local network only. I am considering opening ports 80 and 443 for (a reverse proxy for) some services, just for quality of life (definitely vaultwarden, possibly jellyfin, qbittorrent and immich).
Every post that explains how to harden the server when opening to the public gives the following suggestions:
- only open services that you actually need and nothing more
- keep your services updated
- use 2FA wherever possible and disable any new account creation for every service. Additionally use public/private keys instead of passwords, restrict access only to some IPs where it makes sense
- MONITOR THE LOGS
Now I understand the importance of monitoring the logs, but what I don't understand is what it means in practice. In an ideal world, services would log "MALICIOUS USAGE" at every malicious attempt, and one could just search for this. Clearly, this is ridiculous.
What I'm trying to say is: I have to monitor the logs for malicious usage, but what does malicious usage LOOK like?
For example, let's say I'm monitoring the sshd daemon (just an example, not planning to forward it). In this case, one could just monitor when a connection happens and send a notification. If I get a notification when I didn't connect, that is malicious usage.
But what about jellyfin? I can send a notification every time I log in, sure, it's a bit annoying but it works. But what if someone finds an exploit that doesn't require login? How would one detect that? I can't send a notification every time ANYTHING happens, so how could I detect that? What would it look like?
So what I'm asking is: how do YOU monitor your logs in your homeserver? What's your routine? Do you automate it somehow, or is it a manual job, and how often do you do it?
For a practical example, I would like to know how you monitor the services mentioned above (wireguard, vaultwarden, jellyfin, qbittorrent), also if there is any meaningful way to monitor the reverse proxy (I use caddy), or any other service that you use.
Thank you all!
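One way to turn "what does malicious usage look like?" into something a script can check, as an added example that is not from the original post or any reply: read the reverse proxy's access log and summarise per client IP instead of alerting per request. It assumes the JSON shape of Caddy's access log as I understand it (`logger` is `http.log.access`, the client is under `request.remote_ip`, plus `request.host`, `request.uri` and a top-level `status`), so check those field names against your own log file. `KNOWN_HOSTS`, `PROBE_PATHS` and the threshold are hypothetical values for the example, and the log lines are constructed, not captured. The heuristics are: a request for a hostname you don't serve (scanners hit the bare IP), paths that belong to nothing you host, a burst of 404s from one address, and, the one that addresses the "exploit without login" worry, a client that already looked like a scanner getting a 2xx response, which is the thing worth a human looking at.

```python
import json
from collections import defaultdict

# Assumptions for the example: the virtual hosts this Caddy instance really serves,
# paths that belong to nothing hosted here, and how many 404s from one IP count as a scan.
KNOWN_HOSTS = {"vault.example.org", "media.example.org"}
PROBE_PATHS = ("/.env", "/.git/", "/wp-login.php", "/wp-admin", "/phpmyadmin", "/cgi-bin/")
NOT_FOUND_THRESHOLD = 5


def caddy_line(ip, host, uri, status):
    """Build a constructed log line in the (simplified) shape of Caddy's JSON access log."""
    return json.dumps({
        "level": "info", "ts": 1719058027.0, "logger": "http.log.access",
        "msg": "handled request",
        "request": {"remote_ip": ip, "proto": "HTTP/1.1", "method": "GET",
                    "host": host, "uri": uri},
        "status": status,
    })


# Constructed sample: one legitimate visit, one scanner, plus two lines the parser must skip.
SAMPLE_LOG = [
    caddy_line("203.0.113.7", "vault.example.org", "/", 200),        # you, opening the web vault
    caddy_line("198.51.100.23", "198.51.100.1", "/", 404),           # scanner hitting the bare IP
    caddy_line("198.51.100.23", "vault.example.org", "/.env", 404),
    caddy_line("198.51.100.23", "vault.example.org", "/wp-login.php", 404),
    caddy_line("198.51.100.23", "vault.example.org", "/phpmyadmin/", 404),
    caddy_line("198.51.100.23", "vault.example.org", "/.git/config", 404),
    caddy_line("198.51.100.23", "vault.example.org", "/cgi-bin/test", 404),
    caddy_line("198.51.100.23", "vault.example.org", "/", 200),      # same scanner reached a real page
    '{"level":"info","ts":1719058030.0,"logger":"tls","msg":"not an access log line"}',
    "this line is not JSON at all",
]


def parse_caddy_line(line):
    """Return (ip, host, uri, status) for an access-log line, or None for anything else."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("logger") != "http.log.access":
        return None
    req = rec.get("request", {})
    return req.get("remote_ip"), req.get("host"), req.get("uri", ""), rec.get("status")


def analyse(lines):
    """Run the heuristics over log lines; returns {client_ip: [finding, ...]} for flagged clients only."""
    findings = defaultdict(list)
    not_found = defaultdict(int)
    suspicious = set()
    for line in lines:
        parsed = parse_caddy_line(line)
        if parsed is None:
            continue
        ip, host, uri, status = parsed
        if host not in KNOWN_HOSTS:
            findings[ip].append(f"request for unknown host {host!r}")
            suspicious.add(ip)
        if uri.startswith(PROBE_PATHS):
            findings[ip].append(f"probe path {uri}")
            suspicious.add(ip)
        if status == 404:
            not_found[ip] += 1
            if not_found[ip] == NOT_FOUND_THRESHOLD:
                findings[ip].append(f"{NOT_FOUND_THRESHOLD}+ 404s: looks like a scan")
                suspicious.add(ip)
        # The signal that matters most: a client already behaving like a scanner got a success.
        if ip in suspicious and status is not None and 200 <= status < 300:
            findings[ip].append(f"scanner got HTTP {status} on {host}{uri}: review by hand")
    return dict(findings)


if __name__ == "__main__":
    for ip, items in analyse(SAMPLE_LOG).items():
        print(ip)
        for item in items:
            print("  -", item)
```

Pointed at a real file (for example replacing `SAMPLE_LOG` with the lines of Caddy's configured log file), this produces one summary per scanning address rather than one alert per request, which is the difference between a notification you will actually read and one you will mute. The same per-client grouping carries over to application logs: a vaultwarden or jellyfin login line is a per-event notification, while repeated failed logins or requests from an address that was just seen probing are the per-client summary.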
And this is exactly why I only expose public services, through two layers of reverse proxies and docker. Everything else is over VPN only.