Self-Hosting

From Wired Wiki
Jump to navigation Jump to search

Hosting from Home

Making Internet Facing Services without Port-forwarding

- Buy a cheap VPS for use as a gateway to services that are hosted at home

- https://github.com/anderspitman/awesome-tunneling

- https://freedombox.org/

- https://sandstorm.io/

- ngrok

- yggdrasil

- zerotier

- netbird

Hypervisors

Whenever possible you should use a Type 1 hypervisor for virtualization needs. Bare metal hypervisors are purposely security hardened. Finding exploitable vulnerabilities that grant some type of system-level or root access is extremely difficult by design. [1] <- This citation SUCKS If you must use a Type 2 hypervisor, a Fedora derivative with the libvirt sVirt driver [2] is suitable, by default it has SELinux, firewall, openscap policies, and user / system vm splits. [3] OpenBSD with VMD is also a good choice if security is much more significant than performance. [4]

For Type 1 hypervisors, generally, Hyper-V is the most secure, but can be difficult to manage. ESXi is easier to manage and seen most often in Enterprise but is not as hardened as Hyper-V. Xen is the least hardened but is the only one that is Opensource.

KVM

Nested virtualization can pose vulnerabilities. [5] [6]

Xen

Xen is the only type-1 hypervisor that is available as open source. [7] The libvirt sVirt driver provides security and isolation features via SELinux / AppArmor that ensures that in the event of a VM breakout exploit, the attacker can only access resources allocated to that VM. With sVirt, VMs are isolated from the host and from each other. Xen doesn't support UEFI secure boot on the host, does not support SEV support, and does not support TPM 2 for guests. Reasonably secure Xen hypervisor hosts can still be made with some extra configuration. [8] If you don't want to do a manual hypervisor set-up Proxmox has reasonable defaults but prioritizes user convenience. Those with supporting hardware can run Qubes OS which has additional security features but still has no resistance against Xen breakouts. [9] [10]

Further Reading: https://xenbits.xen.org/docs/unstable/misc/xen-command-line.html https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASKhttps://junjizhi.com/all/technical/2019/11/07/vm-isolation/

ESXi

ESXi hosts have many many built-in security features such as CPU isolation, memory isolation, and device isolation. [11] vSphere provides fault tolerance, which allows for running of a shadow copy of your VM and in case a node fails, it is not restarted (as it would do with vSphere HA or Hyper-V) but will continue running from a shadow copy. [12]

Hyper-V

Hypervisors are generally not supposed to be treated as a sandbox. Hyper-V breaks this generality, Hyper-V falls under formally verified design [13] and is built with the assumption that guests can be actively malicious and thus has many defenses to prevent compromised hosts and guests from infecting each other [14]. Hyper-V has ACG and CIG enabled for most of its processes and cannot allocate and run new dynamic code. Hyper-V is aware of SMT vulnerabilities and will protect guests against those attacks, hyper-v also understands that some cores on a processor may be vulnerable and some may not and can mitigate those attacks too. [15] [16] [17]

Guest OS

OpenBSD

OpenBSD has no containerization. No bubblewrap or docker equivalents.[18] You can achieve similar isolation though with Chroots [19] or VMD [20]. Programs that make use of OpenBSD's pledge and unveil are effectively sandboxed. [21]

Hosting from VPS

Stay anonymous. Pay for VPS with XMR.

  • IncogHost - http://incoghostm2dytlqdiaj3lmtn7x2l5gb76jhabb6ywbqhjfzcoqq6aad.onion  - $5 /month
    • Does not operate an .onion for their customer portals
  • FlokiNet  - https://vf7vsrexwb7e4j65idp4hq4eqlvjiwrnvi3jnb4st7oteer5tzgvhaqd.onion - $9 /month
  • Njaala    - https://njallalafimoej5i4eg7vlnqjvmb6zhdh27qxcatdn647jtwwwui3nad.onion - $15/month
    • Is known to shut down customer VPS or revoke domains without warning. Depends on the kind of content you're hosting though. [22] [23]
  • NiceVPS   - https://nicevpsb7u3vqpo5zhyahmvfi5tihon4gnh676ucmzpcyxwodeztr4yd.onion - $16/month

Domain Privacy

Domain privacy has always been registrant information proxy, it was never designed nor meant to be anonymous. There is no anonymous domain registration, period. The only way to hold a domain anonymously is to use a proxy registration service that registers and owns the domain, and in turn lets you use it, and you must only engage with that service anonymously. Tedious to do but possible. Domain names were designed to be public first. [24]

Sources

  1. https://web.archive.org/web/20221128051822/https://forums.tomshardware.com/threads/how-is-type-1-hypervisor-more-secure-than-type-2.3779878
  2. https://web.archive.org/web/20230820013414/https://libvirt.org/drvqemu.html
  3. https://web.archive.org/web/20210210200023/https://old.reddit.com/r/linuxquestions/comments/lh23m4/best_linux_distro_for_kvm_virtualization/gmus31o/
  4. https://www.openbsd.org/faq/faq16.html
  5. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2596
  6. https://seclists.org/oss-sec/2016/q4/684
  7. https://wiki.archlinux.org/title/Xen?useskin=vector
  8. https://joshrosso.com/docs/2020/2020-05-06-linux-hypervisor-setup/
  9. https://www.qubes-os.org/news/2023/07/27/qsb-091/
  10. https://news.ycombinator.com/item?id=15734641
  11. https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-B39474AF-6778-499A-B8AB-E973BE6D4899.html
  12. https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.avail.doc/GUID-623812E6-D253-4FBC-B3E1-6FBFDF82ED21.html
  13. https://link.springer.com/chapter/10.1007/978-3-642-05089-3_51
  14. https://www.red-gate.com/simple-talk/sysadmin/powershell/hyper-v-and-powershell-shielded-virtual-machines/
  15. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
  16. https://www.youtube.com/watch?v=025r8_TrV8I
  17. https://madaidans-insecurities.github.io/linux.html#vbs
  18. https://web.archive.org/web/20221027210949/https://old.reddit.com/r/openbsd/comments/ybcqm7/docker_on_openbsd/
  19. https://web.archive.org/web/20230824235123/https://news.ycombinator.com/item?id=18250567
  20. https://web.archive.org/web/20230728132005/https://www.tumfatig.net/2022/running-docker-host-openbsd-vmd/
  21. https://www.openbsd.org/papers/BeckPledgeUnveilBSDCan2018.pdf
  22. https://news.ycombinator.com/item?id=38986880
  23. https://github.com/zedeus/nitter/issues/1150#issuecomment-1890851760
  24. https://old.reddit.com/r/privacy/comments/16h1xp4/psa_have_you_registered_a_domain_did_you_add/