I recently figured out reverse proxies and I have several apps that I want to expose for ease of use for family members. I have found Authelia and thought I could set that up as extra protection against suspicious activity, but after thinking about it a bit more I realized that the apps I want to expose already have user accounts and passwords, so it would make things a bit more annoying when logging in. Plus, would Authelia even work if the user is using a phone app instead of the web browser?
What are your ways of keeping your servers safe from suspicious activity, or even monitoring them for suspicious activity?
Before this post gets blasted with “just use a VPN”: yes, I already have WireGuard up and running, but trying to get family members who are technology illiterate set up with a VPN is a nightmare.
Teleport is a good alternative
I used to use Nginx Proxy Manager for exposing services, but generally you end up exposing the login page for that particular app, and you have a different login per app, which is a pretty shitty solution for non-IT folk. I’ve tried to set up Authelia and other similar things and found them to be very annoying to set up / configure. Maybe I’m just an idiot though!
I would suggest having a think about what you want to expose and whether there’s a better way (e.g. Overseerr instead of exposing Radarr/Sonarr).
CloudFlare tunnels are also great - they obfuscate your public IP and can have a login form in front of them. You provide a list of email addresses that can log in to Cloudflare and only those users can access the website. I have mine set up to auth through Google accounts for example but you can use GitHub, office and I believe Discord. Not managing user accounts has been a life saver for me… You can also block access from outside of your country.
Authelia is an additional security option for your reverse proxy, but it may not be needed if the apps you are exposing already have user accounts and passwords. It can be used with phone apps, but the app must support OAuth2 authentication. Make sure to install and maintain a firewall to prevent unauthorized access to your servers.
Hmmm, if the phone apps can be used with Authelia, that might be a game changer.
People are not getting the risks of exposing services correctly. Think about it again. Even if you lock everything behind password protection, if the password is weak, it is still not anything better than no protection. The chain is only as strong as the weakest link. Your tech-illiterate family members may very likely set up something like 88888888, and then they are effectively making the entire server naked. It is best to use device-specific authentication apps like WireGuard. If they can’t even use such an app, then only expose apps that support WebAuthn (or OIDC, and set up an OIDC provider that supports WebAuthn or nopass), where they can use fingerprint readers on their phone to log in.
Before this post gets blasted with “just use a VPN”: yes, I already have WireGuard up and running, but trying to get family members who are technology illiterate set up with a VPN is a nightmare.
I mean, the reasons to do this cannot be understated. A VPN literally accomplishes the security and exposure issues.
It’s your network though. You can feel free to expose your ports and services to the entire internet and take the risk of zero-day attacks, brute force, and credential leaks. Knowing that your family is illiterate, it sounds like they may not use best cyber security practices with your services…
So, that leaves it on you. You can either support it on the front end with a proper VPN like Wireguard, or support it on the back end with IDS, honeypots, advanced threat management, constant monitoring, mitigation, patch management, backup and restores, isolation, etc.
There are no shortcuts to proper security and exposure management. You can also pay someone, or a company, to do this for you.
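The OP asked how people monitor their servers for suspicious activity, and the reply above lists IDS and constant monitoring as the back-end alternative to a VPN. The script below is an added example (written for this page, not code posted by anyone in the thread) of the simplest form of that monitoring: it parses reverse-proxy access logs and flags two patterns, repeated failed logins from one IP inside a sliding window (password guessing, including against phone-app API endpoints) and one IP probing many non-existent paths (a scanner). It assumes nginx's default "combined" log format; the login endpoints, the status codes they return on a bad password, and the log lines themselves are constructed for the example and should be adjusted to the apps actually being exposed.

```python
"""Flag brute-force logins and path scanners in nginx "combined" access logs.

Added example for this thread, not code from the original posts. Sample log
lines, endpoint list and status codes are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed login endpoints and the status each returns on a wrong password.
# Check your own apps: some return 200 with an error body, which this misses.
LOGIN_ENDPOINTS = {
    "/login": {401, 403},       # assumed browser login form
    "/api/v1/login": {401},     # assumed JSON endpoint used by a phone app
}

# Constructed sample log: one password-guessing client, one legitimate phone
# app user with a single typo, one scanner, one normal browser.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:55:20 +0000] "POST /api/v1/login HTTP/1.1" 401 98 "-" "MyPhoneApp/2.1"
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:56:10 +0000] "POST /api/v1/login HTTP/1.1" 200 240 "-" "MyPhoneApp/2.1"
203.0.113.7 - - [10/Oct/2023:13:56:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:57:15 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:14:01:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:14:01:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:14:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:14:01:03 +0000] "GET /admin/config.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.1 - - [10/Oct/2023:14:05:00 +0000] "GET /movies HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """A POST to a known login endpoint that returned that endpoint's failure status."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and rec["status"] in LOGIN_ENDPOINTS.get(path, set())


def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for IPs with >= threshold failed logins in any window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def find_scanners(lines, min_paths=10):
    """Return {ip: distinct_404_paths} for IPs that probed at least min_paths missing paths."""
    missing = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            missing[rec["ip"]].add(rec["path"])
    return {ip: len(paths) for ip, paths in missing.items() if len(paths) >= min_paths}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", find_brute_force(lines))
    print("scanners:   ", find_scanners(lines, min_paths=3))
```

Feeding the flagged IPs to a firewall rule (or simply alerting on them) is the part fail2ban and CrowdSec automate; the point of the example is that the signal is already in the proxy log, so whatever is put in front of the apps, the proxy's access log is worth keeping and reading. Note that the legitimate phone-app user with one typo is not flagged, and that apps which answer a bad password with a 200 and an error body need their own rule.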
Yes, the reason why I said that is because I know what a VPN is and I know why it's secure, but I am asking for a different solution to the same problem. I am looking for different options, and I know one option is a VPN, so it doesn't help me to find a solution when the only answers are “just use a VPN”.
Thank you for the couple of keywords. I will start my research there.
You can either support it on the front end with a proper VPN like Wireguard, or support it on the back end with IDS, honeypots, advanced threat management, constant monitoring, mitigation, patch management, backup and restores, isolation, etc.
Isn’t there a middle ground with something like Cloudflare Tunnels or Tailscale Funnel? Those still expose your services to the internet outside of a VPN, but they require a lot less maintenance than you described.