this post was submitted on 27 Jan 2025
452 points (98.3% liked)
Selfhosted
60253 readers
598 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Thanks for the insight! Does running this in a docker container help limit the damage at all? Seems like they'd only be able to access the few folders I have the container access to?
Maybe a bit, but if you're not running rootless docker if they get out of that container they'll have the run of your docker host. It is a lot of layers to crack, but sometimes they've got nothing but time, or it's been so long since the containers been updated that its trivial. That's why rootless docker or podman, and Watchtower are your friends.
Also, vlan off your exposed surface and build firewall rules for the VPN and LAN inbound to it, and specific outbound rules if you need those servers to reach into those networks themselves.