team@tinypod.app

Securing Your Self-Hosted Services: A Complete Guide

Self-hosting means you're responsible for security. Firewalls, HTTPS, authentication, updates — here's everything you need to do.

Tags: security, hardening, self-hosting, guide

Layer 1: Network


Firewall

  • Block all inbound by default, then open only the ports you need (typically 22, 80 and 443)
  • Use UFW or nftables
  • Add the SSH rule before you enable the firewall, or you lock yourself out of the box
  • Rate limit SSH (UFW's "limit" rule blocks a source that opens six connections in 30 seconds)

SSH Hardening

  • Use SSH keys only: disable password authentication, but confirm a key login works in a second session before you reload sshd
  • Disable direct root login
  • Change the default port (optional; it cuts log noise from scanners but is not a security control)
  • Use fail2ban to block brute force
  • Consider SSH certificates signed by your own CA instead of managing per-host authorized_keys files
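The firewall and SSH steps above as one script. This is an added example, not code from the original post: it writes a hardened sshd drop-in, audits an sshd config the way sshd reads it (the first value of a keyword wins, which is why the drop-in is named 00-hardening.conf so it sorts before anything else in sshd_config.d), and prints the UFW rule set. The paths, the --apply flag and the Debian/Ubuntu service name "ssh" are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): harden SSH with a drop-in config and
# put a default-deny firewall in front of it with UFW. File names, the SSH port and
# the "--apply" flag are this example's own choices.
set -eu

# Write the hardening settings as a drop-in. Debian/Ubuntu sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", and sshd uses the FIRST value it sees for
# each keyword, so a drop-in that sorts early (00-...) wins over later files that
# may re-enable password login. $1 = destination file, $2 = SSH port.
write_sshd_dropin() {
  dest="${1:-/etc/ssh/sshd_config.d/00-hardening.conf}"
  port="${2:-22}"
  cat > "$dest" <<EOF
Port $port
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
EOF
}

# First uncommented value of keyword $1 in file $2 (first value wins in sshd).
sshd_value() {
  awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# Audit a config file: print each weak or defaulted setting, return 1 if any.
# Missing keywords are judged by OpenSSH's defaults (password auth is ON by default).
audit_sshd_config() {
  bad=0
  v=$(sshd_value PasswordAuthentication "$1")
  if [ "${v:-yes}" != "no" ]; then
    echo "weak: PasswordAuthentication=${v:-yes (default)}"; bad=1
  fi
  v=$(sshd_value PubkeyAuthentication "$1")
  if [ "${v:-yes}" != "yes" ]; then
    echo "weak: PubkeyAuthentication=$v"; bad=1
  fi
  v=$(sshd_value PermitRootLogin "$1")
  case "${v:-prohibit-password}" in
    no|prohibit-password) ;;                 # root only with a key, or not at all
    *) echo "weak: PermitRootLogin=$v"; bad=1 ;;
  esac
  return $bad
}

# Default-deny inbound, allow the web ports, and rate-limit SSH (ufw "limit" denies a
# source after 6 connection attempts in 30 seconds). SSH is allowed BEFORE "enable".
ufw_rules() {
  port="${1:-22}"
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit $port/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
EOF
}

# Apply for real only when asked: keep your current SSH session open and confirm a
# key-based login works in a second session before you run this.
if [ "${1:-}" = "--apply" ]; then
  port="${2:-22}"
  write_sshd_dropin /etc/ssh/sshd_config.d/00-hardening.conf "$port"
  sshd -t                              # refuse to reload a config sshd rejects
  systemctl reload ssh                 # the unit is named sshd on RHEL-family systems
  ufw_rules "$port" | sh
fi
```

Run it with no arguments to get the functions only (for example, audit_sshd_config /etc/ssh/sshd_config after sourcing it), and with --apply and an optional port to write the drop-in, validate it with sshd -t and load the firewall rules.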

Layer 2: HTTPS

  • Every service must be behind HTTPS
  • Use Let's Encrypt with auto-renewal
  • Use a reverse proxy (Caddy, Traefik, Nginx); Caddy issues and renews certificates and redirects HTTP to HTTPS on its own
  • Send an HSTS header (Strict-Transport-Security) so browsers refuse to fall back to plain HTTP after the first visit
  • Redirect HTTP to HTTPS

Layer 3: Authentication

SSO

Use Authentik or Keycloak for single sign-on across all services.

2FA

Enable two-factor authentication everywhere possible.

Strong Passwords

Use a password manager (Vaultwarden is a self-hostable, Bitwarden-compatible server) to generate and store a unique password for every service.

Layer 4: Updates


  • Keep your OS updated (unattended-upgrades on Debian/Ubuntu)
  • Keep containers updated (Watchtower for automatic pulls, or manual pulls if you want to read release notes before each upgrade)
  • Subscribe to security mailing lists for the software you run

Layer 5: Backups


  • Automate backups (see our backup guide)
  • Test restores regularly
  • Store backups off-site
  • Encrypt backups

Layer 6: Monitoring


  • Monitor for unauthorized access (fail2ban logs)
  • Monitor resource usage (Grafana/Prometheus)
  • Monitor uptime (Uptime Kuma)
  • Set up alerts for anomalies
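Monitoring fail2ban's own log, as an added example that is not part of the original post. A jail's temporary ban is only a nuisance to an address that keeps coming back, so the first function lists repeat offenders per jail, the second turns that list into firewall rules (printed, not executed), and the third counts bans per hour so an alert fires on a spike rather than on the steady background noise. The log lines in the usage comments and test are constructed but follow fail2ban's "NOTICE [jail] Ban <ip>" format; the thresholds are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): turn fail2ban's log into an alert and
# a permanent block list. Log format assumed:
#   2024-05-02 03:14:07,512 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.45
# "Unban" lines and the "Restore Ban" lines fail2ban writes on restart are ignored.
set -eu

# Print "count jail ip" for every (jail, ip) banned at least $2 times in file $1,
# most-banned first.
repeat_offenders() {
  awk -v min="$2" '
    / Ban / && !/Restore Ban/ && $(NF-1) == "Ban" {
      jail = "?"
      for (i = 1; i <= NF; i++)                      # the "[sshd]" field, not "[812]:"
        if ($i ~ /^\[[^]]+\]$/) jail = substr($i, 2, length($i) - 2)
      bans[jail " " $NF]++
    }
    END { for (k in bans) if (bans[k] >= min) print bans[k], k }
  ' "$1" | sort -rn
}

# Turn repeat_offenders output into UFW commands (printed for review, not run).
# Inserted at position 1 so they are evaluated before the allow rules.
block_commands() {
  awk '{ print $3 }' | sort -u | while read -r ip; do
    printf 'ufw insert 1 deny from %s to any\n' "$ip"
  done
}

# Print "YYYY-MM-DD HH count" for every hour with at least $2 bans across all jails:
# a sudden jump is what an alert should fire on, not the steady background noise.
ban_spikes() {
  awk -v min="$2" '
    / Ban / && !/Restore Ban/ { h = $1 " " substr($2, 1, 2); c[h]++ }
    END { for (h in c) if (c[h] >= min) print h, c[h] }
  ' "$1" | sort
}

# Usage: repeat_offenders /var/log/fail2ban.log 3 | block_commands
#        ban_spikes /var/log/fail2ban.log 20
```

Wire ban_spikes into whatever already alerts you (a cron job that mails non-empty output is enough), and review the block_commands output before pasting it into a root shell: a repeat offender that turns out to be your own office address or a monitoring probe is the classic way to lock yourself out.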

Layer 7: Container Security

  • Run containers rootless (Podman, or Docker in rootless mode)
  • Use read-only root filesystems where possible, with tmpfs mounts for the few paths that must be writable
  • Drop all capabilities and add back only the ones a service actually needs
  • Don't run as root inside containers: set a non-root user
  • Pin specific image tags or digests, not :latest
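A check for the container points above, as an added example that is not part of the original post: a line-oriented audit of a compose file that reports every service using :latest or an untagged image, running as root (no user, or user root/0), keeping a writable root filesystem, dropping no capabilities, or running privileged. It handles the common flat compose layout (services: at top level, two-space indentation) and is not a full YAML parser; the compose file in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a docker-compose/podman-compose
# file for the hardening points above. Line-oriented, for the common flat layout;
# it is not a YAML parser.
set -eu

# Print one finding per line for file $1 and return 1 if there are any.
audit_compose() {
  awk '
    function flag(msg) { print svc ": " msg; found = 1 }
    function flush() {
      if (svc == "") return
      n = split(image, p, "/"); last = p[n]      # look past registry:port prefixes
      if (image == "")            flag("no image: line found")
      else if (last !~ /[:@]/)    flag("image \"" image "\" has no tag; pin a version or digest")
      else if (last ~ /:latest$/) flag("image \"" image "\" uses :latest; pin a version or digest")
      if (!user)       flag("no non-root user: set; the process runs as root in the container")
      if (!ro)         flag("root filesystem is writable; add read_only: true and tmpfs where needed")
      if (!capdrop)    flag("no cap_drop:; use cap_drop: [ALL] and cap_add only what is needed")
      if (privileged)  flag("privileged: true hands the container every capability and all devices")
      svc = ""; image = ""; user = 0; ro = 0; capdrop = 0; privileged = 0
    }
    BEGIN { found = 0 }
    /^services:/                        { in_svc = 1; next }
    in_svc && /^[^ #]/                  { flush(); in_svc = 0; next }   # next top-level key
    in_svc && /^  [^ ].*:[ \t]*$/       { flush(); svc = $1; sub(/:$/, "", svc); next }
    in_svc && /^    image:/             { image = $2; gsub(/"/, "", image) }
    in_svc && /^    user:/              { u = $2; gsub(/"/, "", u)
                                          user = (u != "root" && u !~ /^0(:|$)/) }
    in_svc && /^    read_only:[ \t]*true/   { ro = 1 }
    in_svc && /^    cap_drop:/          { capdrop = 1 }
    in_svc && /^    privileged:[ \t]*true/  { privileged = 1 }
    END { flush(); exit found }
  ' "$1"
}

# Usage: audit_compose docker-compose.yml && echo "no findings"
```

Run it in CI or before each deploy; a service that genuinely needs a capability (NET_BIND_SERVICE for a proxy on port 443, for example) still passes once it has cap_drop: [ALL] plus a cap_add: for that one capability.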

Security is layers. No single measure is sufficient, but together they make your self-hosted infrastructure robust.