Hello guys, I’m have little to no experience when i have to deal with networking or cybersecurity.

I recently created a backend RESTful API on my Ubuntu VM on my personal desktop and dockerized the app, connecting it to a bridge network named ‘tunnel.’ I also have the Cloudflare Docker hosted in the same ‘tunnel’ network, which allows my local RESTful API Docker to be accessible via my domain and exposed to the internet.

Can anyone help me understand if this setup poses any security risks to my home network?

If so, what should I do to help reduce the risk? I have read that firewall helps, but does a restful api container developed with golang requires it?

  • pentesticals@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Stick your services in a DMZ. It’s easy to setup with PFSense. Don’t allow traffic from your service to anywhere that it shouldn’t go. If your API contains any vulnerabilities, they could be abused to pivot into the internal network. Now, it’s not likely, but it’s certainly possible. Especially if those APIs are from someone open source project or something, if a vuln gets discovered it’s likely to be targeted en-mass.

    • Sheeesssshhhhhh@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Ahhh, got it. I think implementing DMZs and having additional hardware to run my services seems to be the safest option. But yea, thanks alot!

  • ghoarder@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I see no one has mentioned Kong, it’s an api gateway that can reverse proxy your api requests but it’s so much more than that. It can do all sorts of pipelining to do stuff like add JWT, OAuth or Key authentication, rate limiting plus more. You can run it in a docker container too.

  • omfgitsasalmon@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You can use the Cloudflare’s Application Access to secure it down.

    Under the ZeroTrust page > Access > Application.

    Add it there and only allow certain IP and use it via VPN.

  • kon_dev@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    As always, it depends. If you don’t require public access, just remote access, I typically recommend VPN like tailscale. If you expose it publicly, you might want to authenticate users somehow and might enforce TLS. If you feel not confident about exposing out from your network, you could consider running it on a VPS or even a PaaS like fly.io, which help a lot with security concerns, they expose tls via their load balancers, you just own the HTTP server which you package into docker.

  • adamshand@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    There’s nothing inherently insecure about exposing a service to the internet. But it does create an attack surface.

    A firewall or proxy (Cloudflare, Nginx etc) allows you to restrict access via ip address or authentication, but if there’s a bug in your service it can still be exploited.

    The good news about a service you write is that there are no ready built tools to exploit it. The bad news is that there are almost certainly more bugs.

    So it really comes down to what your ap has access to (is it jailed or restricted in someway), is it read only or does it allow modifying file in the system? How confident are you with your code? If someone starts bashing in it, will you be alerted? Is it did get a coloured how serious would that be? There is no “right” answer, is a risk assessment you have to make based on your situation.

    • Sheeesssshhhhhh@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      My APIs require just a simple api key to be placed in a json header to make a request.

      It is just some personal android apps connected to these APIs to interact with certain databases. While there’s no sensitive data involved, I am more concerned about specifically, if there’s a possibility that an attacker could use this to gain access to my personal computer or other devices connected to my home network.

      Should I create a sub network and get a raspberry pi to host these apps?

      • Simon-RedditAccount@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        A DMZ is always recommended in such cases.

        > Should I create a sub network and get a raspberry pi to host these apps?

        Yes, it’s always better. However, Pi may be overpriced now. Take a look at NUC-sized miniPCs, for roughly the same price you’ll get much more computing power.

          • weeklygamingrecap@alien.topB
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            This new wave of “buy a core i7 4th gen USFF PC instead of a Pi” is wild. It’s really case by case of what you are doing but lots of people seem to push “proxmox and tons of VMs! or GTFO” on everyone.

        • Sheeesssshhhhhh@alien.topOPB
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          But ya, i mentioned in the other comment that I placed an order this morning.

          After a light research on the comparison, I guess I will cancel the order for it. Is there any particular model that you recommend for several dockerized golang apps?

    • TheGr8CodeWarrior@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      > There’s nothing inherently insecure about exposing a service to the internet. But it does create an attack surface.
      Way too many people I know work in security don’t understand this. I’ve tried explaining to people that exposing a hardened SSH endpoint is almost the same thing as exposing a VPN endpoint.
      Most people think that anything public facing with authentication is by design bad. (The VPN endpoint still handles authentication btw) but fail to acknowledge the thousands and thousands of secure systems running in that fashion today that they use on a daily basis (social media, web host control panels, etc.)

      Making a service publicfacing is not by itself insecure. Generally if you can avoid doing it, you should, but hardening an endpoint to make the risk satisfactory is your goal when you need to.

      Public SSH is not a bad thing. Password auth, root login allowed, and no ip ban mechanism (fail2ban) is a bad security configuration.

      TL;DR

      Public endpoints should be hardened to what you think is an acceptable risk.
      With your API, your should fuzz it and consider the attack surface inside your API.
      What inputs are you accepting? Are they sanitized? Can you lock down the endpoint with authentication?

  • CameronDev@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Realistically, if its an API you created yourself, then no hacker is going to waste their time targetting your bespoke api. Its just too much effort for a single target.

    However, if you happen to be on a 3 letter agency’s shit list, then they may spend some time investigating your API for weaknesses. But they will get in either way, so it really doesnt matter.

    You mentioned that the API controls a VM, does it let you run scripts or commands on a target? Is it authenticated?

  • zfa@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Not sure why no one has pointed you to the actual product Cloudflare have for API security - Cloudflare API Gateway (and API Shield).

    You can kinda-sorta-not-really fudge control with a combination of Access Policy (or exclusion rules for that) and Firewall Rules, or even tack on Access control via JWT etc if you want though.

    Withuot any of those just consider it having been made ‘public’ to the internet at large and secure accordingly.