Why I Self Host
I am going to try to explain why I self host. Why I have servers up and op on the Internet from my house when I could host elsewhere for fairly cheap and probably a lot less work. I’ll start by telling you what I’m not doing.
I am not doing a traditional “homelab”. Okay, if you consider having a NAS, Home Assistant, and a bunch of home networking as “homelab”, then yes I am. However that is secondary. Primarily the home network serves two purposes - secure Internet for myself and a select few others where privacy is top of mind, and a research lab where I can do experiments with various parts of modern technology without impacting the rest of my network.
My Requirements
In my early hacker days, I was quite paranoid, as many older blog posts talk about. My mail and web presence involved my ISP, and whenever there was a new bug in some service that my ISP used, I would test their systems for that bug, and if I found it I’d let them know. I even began testing for bugs that I discovered on my own - I was so paranoid because I wanted to make sure my online data was safe from various governments, blackhats, and the curious. While finding bugs was already fun, there were other practical reasons.
Was I overacting? I didn’t think so. Per the Electronic Communications Privacy Act (ECPA) in 1986 any email sitting on a server for more than 180 days was considered “abandoned” and subject to warrantless confiscation by the government. ISPs in 1986 would hold the data until your email client connected up via POP3 or IMAP and downloaded it, but along came web-based email, cloud services and so on. In the 90s it made sense to self host for this reason alone (the ECPA problem was somewhat rectified in 2010 with US vs Warshak). For this and many other related reasons, local control of email simply made sense, and with having the nmrc.org domain starting in 1997 I could fully control things for myself, my family, and NMRC.
Earlier days of the web the NMRC web server was quite popular mainly due to the (now quite dated) Hack FAQ. Originally hosted on my old ISP’s website as more or less a favor for me reporting bugs on their infrastructure for them to patch, I was told by one of the admins there that the NMRC web presence was one quarter of their entire network traffic. This was surprising to me that they even allowed it, as that ISP that had thousands of users including a decent chunk of local businesses. After the ISP eventually was bought out and my free ride was over, I moved to both control the DNS completely, and web services were moved to a hosting service with more bandwidth. Slowly, as the Hack FAQ faded as important and bandwidth at home increased, I stopped the remote hosting and moved it into the home infrastructure. As it stands now, the only services not hosted here are DNS (hosted at Gandi, my registrar since 1997) and some tunneling being used for limited remote access via Cloudflare (temporarily until a decent solution is arrived at).
Privacy And Security
Unlike other parents, my wife and I did not impose limits on what our four kids could access when they lived here, although as the network evolved and their usage increased I would show the kids how I could monitor things, and they very quickly realized that if I wanted I could monitor them specifically. But truthfully I never felt I had to. I was the household ISP, and while everyone was online a mere fraction of time compared to the people of today, I really didn’t want to spend a lot of time monitoring them. Privacy and security was expected and emphasized. Neither my wife or I really knew exactly what the other was looking at nor did we care, and that applied to our kids as well. Everyone was told of dangers online and how security was important.
Since all of the kids have moved out and my wife has passed away, the count of users living here at the house is one. While there are still a handful of NMRC users that access the public resources remotely via their own accounts, there is less daily ISP-ish/tech support work. But at its peak with a family of six and a over a dozen remote users with questionable online habits, privacy as well as security was taken quite seriously.
Since the beginning, every new bit of tech - be it local, remote, hardware, software, whatever - as it entered into the sphere of any usage that touched the internal or NMRC networks, it was looked at for potential privacy and security elements. This is still true to this day. As I was doing this stuff as an entertaining hobby and as a full-time job, it helped my peace of mind and well as my career.
This emphasis on control - local control - is still underneath it all. As the first wireless devices came into existence, the tech was explored and analyzed. When cell phones got WiFi capability this was looked at as well. Bluetooth, NFC, even GPS was looked at. Cloud-based data? It must be examined when a new device is introduced or an old existing one is updated to see how it is using and potentially abusing this. Outside access coming in? It must be heavily examined so that every security measure is in place.
Nightmares
It is amazing how shitty a lot of new tech is. When I was first looking at phone apps, they were okay, but as the popularity of these personal devices grew, their features became out of control. You know how you can configure a web browser to be more secure and tweak settings to help protect your privacy? The vast majority of phone apps are like that browser without any security or privacy controls at all. In fact the data gathering has only increased.
Unfortunately it seems that many modern browsers that are controlled by large tech companies and some of those operating systems themselves are becoming more like those shitty phone apps. The home edition of Microsoft operating systems includes ads - the kind of ads a browser’s ad blocker would try to block.
Granted when faced with some of this invasive garbage, tech that allows for local control gets special favor as this allows for broader mitigations, such as simply cutting it off from the Internet entirely (or at least heavily restricting it). This is why when presented with a choice of vendors with some type of smarts, the one that allows for local storage gets the edge. And as I’ve set things up where I can have separate VLANs for some of the more questionable devices that I want but don’t offer any local control options, I can contain some of the damage so to speak.
Using Pi-Hole in recursive mode for all of the systems - public-facing self-hosting servers and the internal network - is one of the best options for mitigation of major privacy and security concerns. It doesn’t eliminate it but it does allow for some measures to help contain it. A lot of basic “phoning home” with personal data destined for data brokers is simply blocked.
A lot of this new tech is often filled with security holes as the whole cut and paste model of data development is quite awful - having local control allows for blocking of obvious problem areas such as open ports to the Internet, hard-wired accounts with simple passwords that allow admin access, and so on. Usually just allowing DNS (via Pi-Hole), NTP so it has the proper time, and (if it can be isolated) the ability to check for things like updates is enough. Everything else gets blocked.
Conclusion
If it sounds like it is a lot of work, I guess it is. I’ve automated a lot of it, and using things like Ansible allows me to speed up a number of repetitive administrative tasks as well. This isn’t perfect, but it is both a great learning and teaching platform for me as well as an odd sort of nerd entertainment. I’ll take it. No regrets. And yes, in a future blog post I’ll go over in detail the server hardening I do.