Login
You're viewing the phpc.social public feed.
  • Neil Brownneil@mastodon.neilzone.co.uk
    Dec 13, 2025, 8:18 PM

    Self-hosting does not make your data safe.

    If you don't put in place, review, *and test* backup and recovery plans,,and security measures appropriate to the risk, your data are not "safe".

    Your data might be less affected by the whims of third parties, which can be valuable for sure, but don't confuse that with your data being "safe".

    And I say this as someone who loves self-hosting.

    Any "beginners' guide to self-hosting" which doesn't lead with, or at least focus on, security and resiliency, is getting it wrong, IMHO.

    #SelfHosting

    💬 23🔄 179⭐ 230

Replies

  • Neil Brownneil@mastodon.neilzone.co.uk
    Dec 13, 2025, 8:27 PM

    I don't want to discourage anyone from looking at self-hosting. As I say, I do it, and *whispers* I enjoy it.

    It may - depending on knowledge, learning appetite, and other privileges - be a great choice.

    But, beyond some fun tinkering - the moment you start to rely on something that you are self-hosting - something that *matters*, or where a compromise could impact your network more broadly - then it is *really* worth thinking through security and resiliency.

    It is *also* worth thinking through backups of stuff on third party services, for sure. But "self-host it" is not necessarily the answer.

    💬 9🔄 11⭐ 39
  • Roger BW 😷RogerBW@discordian.social
    Dec 13, 2025, 8:25 PM

    @neil The flip side of course is that if your third-party hoster claims to have safe backups they may simply be lying. (As OVH customers found out when their stack of containers burned down, and the backup servers proved to be just in the next container over.)

    💬 0🔄 0⭐ 5
  • Philippa Cowderoyflippac@types.pl
    Dec 13, 2025, 8:32 PM

    @neil also, when in doubt, RCE on anything in your network affects the entire network because 0 days happen and so does being too ill to update stuff

    💬 1🔄 1⭐ 5
  • James Wellsnikatjef@mastodon.acm.org
    Dec 13, 2025, 9:58 PM

    @flippac
    In a sense that was what my home lab was for. I would randomly go chaos monkey on my home lab and then try to RCA what had happened based on the symptoms. Makes for a great learning experience

    But as others have said, test your backup / recovery system early and often. I learned that lesson the hard way back in the '90s... Took me three long days to "recover"
    @neil

    💬 1🔄 0⭐ 2
  • Philippa Cowderoyflippac@types.pl
    Dec 13, 2025, 10:08 PM

    @nikatjef @neil A home lab on a biz line makes sense for those who can afford it! But yeah, still risk assess (including risks to others: having an irc bouncer with logs cracked was awkward enough when you found out because it crashed and shat its rootfs, if you ever have evidence of exfiltration you'd better have a boring life...)

    💬 1🔄 0⭐ 2
  • James Wellsnikatjef@mastodon.acm.org
    Dec 13, 2025, 10:45 PM

    @flippac
    I always did it on my personal internet access point. The idea of going chaos monkey on a business connected line is the very definition of insanity IMNSHO. For example, one of the times I did it, I "accidentally" enabled ARP spoofing, which could have brought down our online store. Another time I "accidentally" blacklisted an entire ASN... It just happened to be the ASN for one of my company's BGP peers.
    @neil

    💬 2🔄 0⭐ 0
  • James Wellsnikatjef@mastodon.acm.org
    Dec 13, 2025, 10:49 PM

    @flippac
    Please note that when I say "accidentally" in this context, I intentionally made a mistake to practice troubleshooting the resulting issue(s) that it caused. I would intensionally avoid using my knowledge of what I changed and focus, instead, on the state of the home lab.

    @neil

    💬 0🔄 0⭐ 1
  • Philippa Cowderoyflippac@types.pl
    Dec 13, 2025, 11:06 PM

    @nikatjef @neil "biz" in this case is more the class of service you'd ask your telco and/or isp for, with the real emphasis on "second line, can be airgapped from other stuff"

    💬 0🔄 0⭐ 1
  • woe2youwoe2you@toot.wales
    Dec 13, 2025, 8:34 PM

    @neil There may be a touch of XKCD 2501 in play.

    ...goddamn it, I'm going to have to write a post on backups, aren't I.

    💬 1🔄 0⭐ 3
  • 💬 0🔄 0⭐ 1
  • HighlandLawyerHighlandLawyer@mastodon.social
    Dec 13, 2025, 8:53 PM

    @neil
    Self hosting is like growing your own food, or doing your own construction work. Some people rely exclusively on the professionals; others enjoy doing a little as a hobby, but rely on professionals for the rest; some people want to do all they need without anyone else being involved. But everyone needs to know a little about it.

    💬 0🔄 1⭐ 6
  • Haelwenn /элвэн/ :triskell:lanodan@queer.hacktivis.me
    Dec 13, 2025, 8:54 PM
    @neil Third-party service bit reminds me that I have local copies of data I think is important to keep beyond a service/account/… shutdown.

    In a way I'm doing the other side of the Linus Torvalds "internet does backups for me when it's important enough" method.
    💬 0🔄 0⭐ 0
  • Manc AvGeekmancavgeek@social.teamb.space
    Dec 13, 2025, 10:04 PM

    @neil Yeah, I often say that, if you have the money, the time, the spoons, and the know-how, then self-hosting is the way to go.
    As an example, I self-host my own node of my fave Social Media network (ie, this instance) - I've had occasional moments where I've done something comnpletely bone-headed and had to start again, or have come close to losing everything, but for me, that is half of the fun of it.
    For other people - they might enjoy doing this, but more likely, they wont.
    As another example, I do a lot of backups with NextCloud, but my wife pays for Microsoft 365 because that is much easier for her to use, being pretty much automatic, once I set it up for her.
    I resent paying all that money to MS, but I also appreciate the way that both my wife and my daughter can back stuff up easily, meaning that recovering from a hard drive crash will be easier that the last time it happened!

    💬 0🔄 0⭐ 1
  • Whatevswhatevs@mastodon.scot
    Dec 13, 2025, 10:05 PM

    @neil i do need to get better at that. I self host loads of stuff, but my backup are within the same device (different hard disk though).

    But it is such a burden to create a secure backup in a different location..

    💬 0🔄 0⭐ 1
  • Mason Loring Blissmason@partychickens.net
    Dec 14, 2025, 2:53 AM

    @neil The only issue with self-hosting is that we haven't taught people how to go about it. It's abundantly clear that we need to remedy this.

    I agree that resiliency and flexibility, backups, security, and visibility are all critical and all interwoven. Let's teach people how to do it and break them free from the shackles of surveillance capitalism as much as we can.

    💬 2🔄 0⭐ 0
  • FediThing :progress_pride:FediThing@chinwag.org
    Dec 14, 2025, 4:07 AM

    @mason @neil You don't need everyone doing this, you just need small indie hosting providers doing this plus the ability for owners to switch their instance to another provider if one provider goes bad.

    💬 1🔄 0⭐ 0
  • Mason Loring Blissmason@partychickens.net
    Dec 14, 2025, 4:43 AM

    @FediThing @neil We had that in the nineties, and it was eaten by surveillance capitalism.

    I don't see how we roll back partway and prevent a repeat of the last thirty years. Even in the Fediverse, look at the rise of mastodon.social. Look at Threads and Bluesky embracing the outward form of distributed networking but not the actual distribution.

    What we need is for people to be educated, empowered, and independent, choosing to organize as they wish because it makes sense, not because they don't have an option for lack of knowledge.

    💬 0🔄 0⭐ 0
  • Neil Brownneil@mastodon.neilzone.co.uk
    Dec 14, 2025, 5:54 AM

    @mason

    > The only issue with self-hosting is that we haven't taught people how to go about it.

    This is *one* issue, but far from the only one.

    Being able to self-host stuff is a significant privilege.

    💬 0🔄 0⭐ 0
  • WanWizard 🏴󠁧󠁢󠁳󠁣󠁴󠁿 🇳🇱wanwizard@mastodon.scot
    Dec 14, 2025, 11:28 AM

    @neil It is a battle I fight on a daily basis.

    We provide secure managed hosting for small businesses, and the number of times I get to explain "what's wrong with the $5 VPS my nephew runs our business on?"...

    ( more often then not, these nephews don't fall in the experienced self-hoster category, and don't even understand the risks of directly internet connected servers )

    💬 0🔄 0⭐ 0
  • Nömenlōonynomenloony@nomenloony.com
    Dec 15, 2025, 7:23 AM

    @neil I pay a hosting company to "self host". It's expensive, but I get resilience and I can run a cron to automatically request a backup be sent to my Google Drive every evening. I've checked the backups and they are good.

    💬 0🔄 0⭐ 0
  • William LeechWilliamLeech@mastodon.world
    Dec 13, 2025, 8:29 PM

    @neil Funny, I was thinking yesterday that data back up and restore should be taught in school; along the lines that it doesn't matter if it's a big cloud provider or a self host, or a physical piece of paper.

    First you have to think about what you have and then think about how much it matters if you lose it, then how you will protect it.

    💬 2🔄 10⭐ 18
  • Haelwenn /элвэн/ :triskell:lanodan@queer.hacktivis.me
    Dec 13, 2025, 8:49 PM
    @WilliamLeech @neil Also job training given that backups aren't just useful for personal data.

    Specially as given 100% security isn't a thing, you need backups to resist ransomware and other forms of data corruption/loss from malware (and of course broken software too).
    💬 0🔄 0⭐ 0
  • 💬 1🔄 0⭐ 0
  • SamuelJohnsonsamueljohnson@mstdn.social
    Dec 13, 2025, 11:14 PM

    @penguin42 @WilliamLeech @neil I got one on the first day at new job* when an email server (HP mini) RAID array collapsed and needed to be rebuilt. The only place the configuration was recorded was in an email on the server. 🙄

    *before I even finished first coffee.

    💬 1🔄 0⭐ 1
  • mathewmathew@universeodon.com
    Dec 14, 2025, 4:23 PM

    @samueljohnson @penguin42 @WilliamLeech @neil One time at my last job we had three drives in a RAID-5 array fail simultaneously because they were all from the same bad batch.

    We had a backup of everything (because we’re professionals and RAID is not backup), but just restoring it all took days.

    💬 1🔄 0⭐ 0
  • 💬 0🔄 0⭐ 0
  • Dave Robinsondave@europhiles.uk
    Dec 13, 2025, 8:31 PM

    @neil
    I've been self-hosting at home for about twenty years. I remember in the good old days taking a hard disk into the office, containing my off-site backups (I rotated the disks every week). Security was locking it in my desk drawer. These days I have a non-raided micro-server running Proxmox backup server, which backs up a main raided Proxmox server, with a couple of TB of cloud-storage to rclone the (encrypted) backups to.

    All of this costs time and money and requires enthusiasm. Self-hosting is not just about running your own WordPress and Postfix.

    💬 0🔄 0⭐ 0
  • David Craddockwordswords@defcon.social
    Dec 13, 2025, 8:40 PM

    @neil It really does offer no more than a false sense of security sometimes. Professional hosting services are much more likely to have proper security defaults. I remember getting hacked in minutes when I first put my uninformed foot in the 'self hosting sea'. It is a process of trial and error for sure, but it's definitely not painless!

    💬 1🔄 0⭐ 2
  • David Craddockwordswords@defcon.social
    Dec 13, 2025, 9:37 PM

    @neil The worst part is that self-hosted amateur servers are some of the most 'low hanging' fruit for automated hacking scanners on the internet.. not only are they admined by non-professionals who are trying to learn, but they often have fast internet connections/nice internal hardware that can be pwned and used as DDOS relays or worse.

    💬 0🔄 0⭐ 1
  • 💬 0🔄 0⭐ 0
  • lynnlynn@raru.re
    Dec 13, 2025, 8:56 PM

    do you have any suggestions for guides specifically on self-hosting security?

    💬 0🔄 0⭐ 0
  • Andrew :hokkaido: :chikified:piepants@famichiki.jp
    Dec 13, 2025, 8:57 PM

    @neil This is one of the reasons my first rule with self hosting is "don't expose it to the fucking internet". Use a VPN, Tailscale, whatever to access it remotely. That massively reduces the attack surface, but every day I keep seeing people asking how to port forward to their Immich or Jellyfin instance, and deep down I'm screaming to myself. If a zero day is found for one of these popular open source apps, there's going to be bots crawling within hours trying to exploit.

    💬 1🔄 0⭐ 1
  • Jonathan Dechkojdechko@mastodon.social
    Dec 13, 2025, 11:19 PM

    @piepants @neil I’m new to this, so I wanted to ask. I followed a guide. I set up a free cloudflare account, registered a domain, and set up a tunnel with zero trust, authentication and application routing. It was pretty easy, but I’m thinking this is fairly safe in theory. Cloudflare on the front end should keep malicious actors from trying to get at my local machine, right?

    💬 1🔄 0⭐ 0
  • Andrew :hokkaido: :chikified:piepants@famichiki.jp
    Dec 13, 2025, 11:24 PM

    @jdechko @neil Cloudflare will protect against things like DDoS attacks, bot scraping, and potentially you can add things like country and IP restrictions, but it likely won’t protect against, say, a security flaw in a PHP application running on the server.

    I use Tailscale, which creates a direct Wireguard tunnel between my devices. None of my services are accessible from the internet in general, apart from Linkstack and some static webpages.

    💬 0🔄 0⭐ 1
  • Jayne :wales_flag:🇪🇺🏳️‍🌈TCMuffin@toot.wales
    Dec 13, 2025, 9:27 PM

    @neil

    Back in the antediluvian days of IT in the mid-1980s, I was one of a group of 3 “internal consultants” for BT.

    We visited everyone of BT’s computer centres from Aberdeen to Portsmouth and Belfast to Ipswich and regularly tested the centre’s backup processes, media, and documentation.

    We also tested its disaster recovery procedures which usually involved a type of “table top war game”, but occasionally (and unannounced) we’d replicate some form of disaster which took out its hardware.

    💬 0🔄 0⭐ 1
  • 💬 0🔄 0⭐ 0
  • 💬 1🔄 0⭐ 1
  • 💬 0🔄 0⭐ 0
  • Heddershedders@mas.to
    Dec 13, 2025, 9:48 PM

    @neil Yup, it's not a backup unless you can prove you can recover from it.

    💬 1🔄 2⭐ 14
  • 💬 0🔄 0⭐ 0
  • noodlenoodle@aus.social
    Dec 13, 2025, 9:48 PM

    @neil
    Oh god security. It is too hard to allow specific access on Linux. A good tool would allow graphical review of ACLs and setting narrow permissions from a log file (e.g like pfsense firewall logs, if something is unintentionally denied is it easy to create an allow rule). The current status quo encourages people to set broad unintended permissions.

    💬 0🔄 0⭐ 1
  • AndresAndres4NY@social.ridetrans.it
    Dec 13, 2025, 8:53 PM

    @neil Before we had "the cloud", everyone was "self-hosting"; or rather, you'd run your programs locally, with your data saved locally, and you either had backups or you lost everything when your hard drive died.

    The cloud is an improvement in that respect, but I still feel like 3rd party backups are something that should either be basic computer literacy, or even better part of any package (computer, OS, SaaS) you buy.

    💬 2🔄 0⭐ 2
  • AndresAndres4NY@social.ridetrans.it
    Dec 13, 2025, 8:56 PM

    @neil And the "3rd party" bit is important. I buy a thousand dollar home appliance from a store, I'm offered 3rd party extended warranties. I buy google services, I should be offered 3rd party backups (importantly, a company Google does not own) that are accessible should Google disable my account.

    💬 0🔄 0⭐ 2
  • TomAokiTomAoki@bsd.cafe
    Dec 14, 2025, 12:11 AM

    @Andres4NY @neil
    Using cloud as backups would be good, until master data are held locally, self-hosted.

    If anyone want to depend on cloud as master data, which are critical, the person / organization should contract with different (this is important!) cloud provider(s) and making backup to it (them). Backing up to self-hosted in-premise environment is also OK.

    Don't forget, human make mistakes. If user A terminates the contract (regardless notified by user A to the cloud provider or banned by the cloud provider as of abuse etc.) but the operator at the cloud provider missingly terminated unrelated user B and shread ALL data / programs including backup, can the cloud provider 100% undo the mis-operation?
    If possible, it's dangerous because complete deletion on termination is the key point if there were any NDA'ed and/or privacy data.

    Example:
    theguardian.com/australia-news

    💬 0🔄 0⭐ 0
  • Himmelssohnhimmelssohn@social.adlerhorst.net
    Dec 13, 2025, 11:03 PM

    @neil
    Which is totally correct on one hand. On the other hand, this doesn't necessarily enable folks into independancy.

    💬 0🔄 0⭐ 0
  • 💬 0🔄 0⭐ 0
  • FediThing :progress_pride:FediThing@chinwag.org
    Dec 14, 2025, 3:51 AM

    @neil That's why beginners and non-technical people would do best on managed hosting services, not running their own hardware.

    My site at growyourown.services is entirely dedicated to managed hosting options for beginners.

    It's not a binary choice of selfhosting or not, there's a spectrum of options between these where you get more control but also it gets trickier technically. Easiest is managed hosting, midway is something like Yunohost, hardest (but most directly controllable) is manual installation etc.

    💬 0🔄 0⭐ 0
  • Demiandgodon@mastodon.online
    Dec 14, 2025, 6:20 AM

    @neil yep! While I may be capable of self hosting it’s not what I want to spend my time on, for years on end. I am trying to move off of big tech and also to have some redundancy. But even this is time consuming

    💬 0🔄 0⭐ 0
  • 💬 0🔄 0⭐ 0
  • Christian Tietzectietze@mastodon.social
    Dec 14, 2025, 10:08 AM

    @neil do you have any such guide, or guides, in your bookmarks? I find it's hard to enter that whole space if you don't know what the previous 20y of tech change were, and witnessed them all first hand.

    I can absolutely understand why newbies reach for ChatGPT summaries there.

    💬 0🔄 0⭐ 0
  • Carstencblte@nrw.social
    Dec 14, 2025, 10:33 AM

    @neil I like proxmox a lot. Once the host is setup you have a really stable system that should last forever until hardware breaks. proxmox includes automatic backups via cron and easy restore of containers and other backups. Snapshots function before you do something.

    I have attached a NAS for backups and that is working fine for years now. So. Yes. Test your backups is an important step!

    💬 0🔄 0⭐ 0
  • samueljsbsamueljsb@mastodon.me.uk
    Dec 14, 2025, 12:06 PM

    @neil I hear this advice all the time and I want to follow it but... *how* does one test backups? Is it enough to visually check the files are where you expect them to be, or should I be wiping by laptop and restoring from my backup drives every few months? (I assume there's some middle ground?)

    💬 2🔄 0⭐ 0
  • Neil Brownneil@mastodon.neilzone.co.uk
    Dec 14, 2025, 1:29 PM

    @samueljsb I guess that it depends on the data, and the risk appetite.

    I have reporting as to whether backups have completed successfully or not.

    I routinely mount each of the restic archives, and check that I can at least browse / access them.

    For key systems, I do a test restoration.

    So a bit of a mixed bag, really.

    💬 0🔄 0⭐ 0
  • mathewmathew@universeodon.com
    Dec 14, 2025, 4:28 PM

    @samueljsb @neil At a minimum, pick some random files and try restoring them. Check that they are bit-for-bit identical to the originals.

    (If you don’t have a way to restore just a few files then your backup software is no good.)

    💬 0🔄 0⭐ 0
  • CM Thiedecmthiede@vivaldi.net
    Dec 14, 2025, 12:26 PM

    @neil all depends on the data that resides. For your eyes only? Air gap it and don't connect it to the internet.

    💬 0🔄 0⭐ 0
  • InsertUserInsertUser@en.osm.town
    Dec 14, 2025, 4:50 PM

    @neil I do wish there were more utilities with a GUI that were just reasonably secure out of the box.

    I used to have a bit of software that let you do an encrypted backup to an external hard drive then take that hard drive to a friend's house and have the software keep it updated over the internet. Then that company went all in on their own cloud service and I don't think you can use your own hardware anymore.

    💬 0🔄 0⭐ 0
  • Nömenlōonynomenloony@nomenloony.com
    Dec 15, 2025, 7:20 AM

    @neil regular backups to three different cloud services for me. I've lost so many things before that I learnt the hard way.

    💬 0🔄 0⭐ 0