team@tinypod.app

Network Security Fundamentals for Self-Hosters

Self-hosting means your server is on the internet. Network security basics protect against the constant barrage of automated attacks.

Tags: security, networking, firewall

Your Server Is Under Attack


Plug a server into the internet and within minutes, automated scanners start probing it. SSH brute force, port scans, vulnerability scanners — it's constant.


Layer 1: Firewall


Only Open What You Need

Default deny all incoming traffic. Explicitly allow:

  • Port 80 (HTTP → redirects to HTTPS)
  • Port 443 (HTTPS)
  • Port 22 (SSH — consider changing to non-standard)

That's it. Nothing else.


    UFW (Uncomplicated Firewall)

    The simplest Linux firewall:

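    ufw default deny incoming    # drop unsolicited inbound traffic
    ufw default allow outgoing   # let the server reach out (updates, DNS)
    ufw allow 80                 # HTTP (redirects to HTTPS)
    ufw allow 443                # HTTPS
    ufw allow 22                 # SSH
    ufw enable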


    Layer 2: SSH Hardening


    Disable Password Authentication

    Use SSH keys only. Password brute force is the #1 attack vector.

    PasswordAuthentication no


    Disable Root Login

    PermitRootLogin no

    Use a regular user and sudo.


    Change Default Port

    Port 2222 (or any non-standard port)

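    This doesn't stop determined attackers but eliminates 90% of automated scans. If you change the port, allow the new one in the firewall instead of 22 before restarting sshd.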
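
To check that the three settings above are actually in effect, the following added example (not part of the original post) audits an sshd_config file, typically /etc/ssh/sshd_config, and shows a common trap: sshd uses the first value it reads for a keyword, so a later "PasswordAuthentication no" does not override an earlier "yes". The function names and the sample config are constructed for illustration, and Include files are not followed.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the three settings above.
# Assumptions: one "Keyword value" pair per line; Include files are not followed.

# Print every global value of KEYWORD in file order (keywords are
# case-insensitive; settings inside Match blocks are conditional, so stop there).
sshd_values() {  # usage: sshd_values FILE KEYWORD
  awk -v key="$2" '
    $1 ~ /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2) }
  ' "$1"
}

# sshd keeps the FIRST value it reads for a keyword and falls back to its
# built-in default when the keyword is absent.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
  first=$(sshd_values "$1" "$2" | head -n 1)
  echo "${first:-$3}"
}

# Print one line per finding; the return status is the number of findings.
audit_sshd() {  # usage: audit_sshd FILE
  findings=0
  v=$(sshd_value "$1" PasswordAuthentication yes)
  [ "$v" = no ] || { echo "FAIL PasswordAuthentication is '$v'"; findings=$((findings + 1)); }
  v=$(sshd_value "$1" PermitRootLogin prohibit-password)
  [ "$v" = no ] || { echo "FAIL PermitRootLogin is '$v'"; findings=$((findings + 1)); }
  # Port is the exception: every Port line adds a listener, so check them all.
  ports=$(sshd_values "$1" Port)
  case " $(echo ${ports:-22}) " in
    *" 22 "*) echo "WARN sshd still listens on port 22"; findings=$((findings + 1)) ;;
  esac
  return "$findings"
}

# Constructed sample (not from a real host): the later "no" never takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration after Include files and defaults are applied, which is the authoritative check.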


    Rate Limit SSH

    Use fail2ban to ban IPs after failed attempts.


    Layer 3: Fail2ban


    Automatically bans IP addresses that show malicious patterns.


  • SSH: Ban after 3 failed login attempts
  • Caddy/Nginx: Ban after repeated 4xx errors
  • Custom filters for your applications

    Layer 4: Reverse Proxy Security


    Security Headers

    Add via Caddy or Nginx:

  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin

    Rate Limiting

    Limit requests per IP per second. Prevents brute force and simple DDoS.


    Hide Server Information

    Remove Server headers that reveal software versions.


    Layer 5: Keep Everything Updated


    Enable automatic security updates:

    apt-get install unattended-upgrades


    Update container images regularly. Old images have known vulnerabilities.


    Layer 6: Monitoring


  • Monitor SSH login attempts
  • Monitor failed authentication across all services
  • Set up alerts for unusual traffic patterns
  • Review logs weekly

    The Minimum Security Checklist


    1. Firewall with default deny

    2. SSH keys only, no root login

    3. fail2ban active

    4. All services behind HTTPS reverse proxy

    5. Automatic security updates enabled

    6. Regular backups (tested!)


    TinyPod servers come pre-configured with firewall rules, SSH hardening, and Caddy's automatic HTTPS. Security defaults that don't require configuration.