One thing I realized early on was that in computer security, things are only 100% secure in theory, but practically security is proportional to the sense of trust we put into these systems. Security is more a matter of organizational risk.
Nothing is completely secure in practice
Even the most well-thought-out ways of securing data at rest have had flaws lurking in the shadows unnoticed for 12+ years (LUKS cryptsetup vulnerability, CVE-2021-4122), and mechanisms meant to restrict access have had flaws that fatally granted root access (Polkit vulnerability, CVE-2021-4034). All the news we have heard about Pegasus and similar software is just the tip of the iceberg when it comes to the ocean of zero-day attacks out there in the wild.
SSH & VPN tunnels
At least today in 2022, it’s impossible to be 100% secure if you want to interface with a computer. That being said, these concerns are only valid when we are talking about extremely well-funded attackers. When you suspect that to be the case, which is a very rare possibility unless you are a high-profile target, it is better not to interface with devices connected to the internet in the first place. With this in mind, one of the most (relatively) secure practical ways of accessing remote applications is SSH local/remote port forwarding, protected by some form of 2FA, to machines that sit inside a VPN environment.
Port Forwarding
The SSH access itself should be hardened using the standard practices for securing SSH, to minimize the attack surface. The remote services that you intend to use should not be running on publicly open ports and should be reached through SSH tunnels via port forwarding.
Don’t run your own production servers
If the services in question are production services, it’s better to not self host them because of the overhead that comes with the job of maintaining and keeping the system secure. There are a lot of complex decisions for one single person:
- make sure there are no vulnerabilities in the code written
- make sure to keep an eye out for publicly disclosed security flaws
- make sure to upgrade the system appropriately when needed
- make sure to set up a proper firewall and a mechanism to address DDoS attacks
- make sure to set up proper Identity and Access Management
- And more…
The likelihood of errors is high when one person does everything. In large organizations, there are multiple people hired for these exact things. So if you are planning to run a well-known self-hosted app in production, don’t. It’s not worth the effort and time when you could use the existing cloud platforms to host it. Sometimes it’s better to delegate than to do everything ourselves, and this would be one such case.