I find the idea of self-hosting to be really appealing, but at the same time I find it to be incredibly scary. This is not because I lack the technical expertise, but because I have gotten the impression that everyone on the Internet would immediately try to hack into it to make it join their bot net. As a result, I would have to be constantly vigilant against this, yet one of the numerous assailants would only have to succeed once. Dealing with this constant threat seems like it would be frightening enough as a full-time job, but this would only be a hobby project for me.
How do the self-hosters on Lemmy avoid becoming one with the botnet?
Only expose services internally then use a secure VPN to access your services, this makes your network no more vulnerable in practice than not self hosting. If you need/want to expose something to the internet, make sure you setup your network right. Use a DMZ to separate that service and leverage something like CrowdSec along with good passwords, antivirus, and keep things patched.
Thanks for the CrowdSec tip, I’ve already got an nginx reverse proxy set up but wasn’t aware I could integrate this for extra protection.
How do I check this? I route everything on my internal network only. But how should I make sure its not accessible remotely? I cannot just have these on an air gapped network.
You can run a port scan against your public IP from another network to see what is open. But if you haven’t specifically set something up for external access through port forwarding you are probably fine.
Throw your IP into Shodan.io and see what it comes back with.
Should I do the same if I want to expose an OpenAI compatible API to access an LLM to chat remotely on local technical documents?
It doesn’t usually matter what the service is, the basic concepts are the same. If you want to access a service you host on your internal network from another external network you either need to use a VPN to securely connect into your network, or expose the service directly. If you are exposing it directly you should put it (or a proxy like NPM) in your DMZ. The specifics of how to do this though will vary from service to service and with your specific network config.