Back to posts

Self-Hosting on the Public Internet – How to Stay Secure Without Losing Convenience

Nitin Ahirwal / October 14, 2025

Self-HostingCybersecurityLinuxDevOpsNetworkingCloud Security

The Dilemma of Self-Hosting: VPN Safety vs. Internet Convenience

If you’ve been around the self-hosting community for a while, you’ve probably heard the advice on repeat:
👉 “Don’t expose your services to the internet. Always use Tailscale, WireGuard, or another VPN.”

This is good advice, no doubt. But here’s the catch: sometimes you need your services on the public internet.

  • Your family wants to watch Jellyfin without setting up a VPN.
  • You run a self-hosted Plausible analytics server, which requires global access.
  • Or maybe, like many of us, you already run a commercial VPN on your laptop/phone—leaving no room for another.

So, how do you balance security with usability? The answer is layered defense: multiple security measures stacked together to make your exposed services resilient against attacks.

🚨 The Real Threat: Bots, Not Hackers

Forget the Hollywood image of a genius hacker targeting your server. The reality? It’s mostly bots.

Automated scripts scan the internet 24/7, looking for:

  • Outdated software
  • Default passwords
  • Open ports with known vulnerabilities

They don’t care who you are. They just want resources for ransomware, crypto mining, or botnets.

The good news: if you stay updated and configure defenses, bots will usually fail and move on.

🔒 First Line of Defense: Keep Everything Updated

  • Update OS packages regularly
  • Don’t ignore router and server firmware updates
  • Use automation (like Watchtower for Docker) to keep containers patched

Bots thrive on known exploits. Updates shut those doors.

🖥️ Securing SSH Access

If SSH is exposed, it’s the first thing bots will attack. Harden it:

  • Fail2Ban → bans IPs after repeated failed logins
  • Disable root login → bots love trying root
  • Use SSH keys only → passwords are dead, keys are safer

This alone dramatically lowers your risk.

🌐 Hardening Web Services

Your reverse proxy is now the gatekeeper.

1. CrowdSec: Smarter Intrusion Prevention

  • Detects suspicious HTTP traffic (scans, brute force logins)
  • Auto-blocks IPs from a crowdsourced malicious database
  • Integrates with Traefik, Nginx, Caddy

Think of it as “Fail2Ban for the web, with global intelligence.”

2. GeoBlocking: Block What You Don’t Need

If your family only needs Jellyfin in your home country, why allow traffic from 200+ others?

  • Traefik’s Geoblock plugin makes it simple.
  • Fewer entry points = fewer risks.

🔑 Centralizing Authentication

Most self-hosted apps aren’t great at security. Relying on their built-in login systems is risky.

Instead, use Single Sign-On (SSO):

  • Tools: Authelia or Authentik
  • Adds 2FA, role-based access, alerts
  • One login for all apps = stronger and simpler

🛡️ Going Extreme: Mutual TLS (mTLS)

For highly sensitive apps, enable mTLS:

  • Normal HTTPS: server proves identity
  • mTLS: server + client both prove identity
  • Requires installing certs on your devices

It’s not convenient, but it’s rock-solid.

📊 Monitoring & Alerts: Don’t Stay Blind

Prevention isn’t enough—you must detect intrusions too.

  • Uptime Kuma → alerts if services go down
  • Ntfy → push notifications for suspicious logins or bans
  • Grafana + Prometheus → track traffic and server health
  • OpenCanary honeypot → fake services to catch intruders

Think of this as your “burglar alarm system.”

🧩 Principle of Least Privilege: Your Hidden Superpower

The rule: give the minimum access necessary.

Examples:

  • Mount only /media/movies in Jellyfin, not /media/*
  • Don’t expose unnecessary ports (e.g., keep MQTT local-only)
  • Run containers with restricted permissions

Every privilege trimmed = one less potential exploit.

✅ Pulling It All Together

A layered approach = safety without sacrificing convenience:

  • Keep everything patched
  • Harden SSH with Fail2Ban + keys
  • Use CrowdSec + GeoBlocking for web traffic
  • Centralize logins with SSO
  • Add mTLS for sensitive apps
  • Monitor everything with Ntfy, Grafana, and honeypots
  • Apply least privilege everywhere

No setup is invincible. But these layers make you bot-resistant and secure enough for most real-world scenarios.

🔮 Final Thoughts

Self-hosting is about freedom and control. Hiding everything behind a VPN is safe but inconvenient. Exposing services is convenient but risky.

The solution isn’t choosing one over the other—it’s building layered defenses that make exposed services resilient.

Your Jellyfin stays accessible to family. Your Plausible analytics run smoothly. And you sleep better knowing you’ve built more than a server—you’ve built a fortress.

Key Takeaways

  • Bots are the main threat—not targeted hackers
  • Updates are your strongest defense
  • Fail2Ban + CrowdSec are must-haves
  • SSO and mTLS add strong authentication layers
  • Monitoring is as critical as prevention
  • Least privilege mindset keeps your setup lean and secure