I mean, that’s true regardless of how it is running. If the service is externally available, it will be probed for vulnerabilities. At least with a container, you can ward off what files it has access to, so an attacker can’t just ransomware your entire NAS with a single vulnerable service.
And thaaaat’s why it’s head/tailscale or nothing for me. I’m smart enough to know I don’t know enough to be absolutely confident I won’t get SHODAN’d and end up crying over a home network catastrophe, never feeling truly secure ever again.
Every now and then it’s tempting to get those fun features in containers like Nextcloud, like public links and federation, but it’s not worth the risk IMHO. Not when there’s state-class adversarial bots written by stupidly smart people roaming the landscape. <_<
I mean, that’s true regardless of how it is running. If the service is externally available, it will be probed for vulnerabilities. At least with a container, you can ward off what files it has access to, so an attacker can’t just ransomware your entire NAS with a single vulnerable service.
And thaaaat’s why it’s head/tailscale or nothing for me. I’m smart enough to know I don’t know enough to be absolutely confident I won’t get SHODAN’d and end up crying over a home network catastrophe, never feeling truly secure ever again.
Every now and then it’s tempting to get those fun features in containers like Nextcloud, like public links and federation, but it’s not worth the risk IMHO. Not when there’s state-class adversarial bots written by stupidly smart people roaming the landscape. <_<