Security has been a hot topic for Lemmy recently and privacy is something that we all care about. Here’s how we’re set up to handle both.

Security

As a self-hosted Lemmy instance, we’re actually in a slightly better position than many:

  • The server is not remotely accessible from outside the local network (it doesn’t need to be).
  • The Lemmy admin interface is not remotely accessible from outside the local network (even if my Lemmy account ends up compromised through some exploit, the potential harm from that is greatly reduced).

We also have more generic network security measures in place:

  • The server sits behind a hardware firewall.
  • The Lemmy instance sits behind a reverse proxy.
  • Internal networks are segregated from each other.
  • IP whitelisting is used for all internal remote access.

Nothing on the Internet is unhackable and we’re no exception. However, we’re too small to be an attractive target and we’re sufficiently hardened to avoid being a target of opportunity.

Privacy

Being self-hosted has a number of advantages here too. Lemdit does not use any third-party web services whatsoever:

  • No cloud hosting of any kind
  • No external e-mail service
  • No CDN
  • No DoS protection
  • No analytics
  • No ads
  • You name it, we don’t have it.

Privacy is important to me personally and all the trade-offs I have made have been in favour of privacy.

Lemdit runs an unmodified version of Lemmy available from its official GitHub repository.

What Lemdit knows about you:

  • Standard NGINX access logs are kept for 2 weeks (IP address, time stamps, etc.).
  • The Lemmy database contains the e-mail address that you signed up with.
  • The mail server has a record of e-mails that were sent to you by Lemdit.

This data is not available to anyone else and only legal/law enforcement action could compel us to share it.

Legal

Due to the nature of federated services, all of your engagement (your profile; posts; comments; messages; votes) on this platform should be considered public. We highly recommend that you do not share any information on Lemdit, or the Lemmy platform, that could in any way personally identify you.

Internet regulations are increasingly complex and country-specific. To navigate this complexity, we rely on TermsFeed to define our Terms and Conditions, as well as our Privacy Policy. This post tries to describe some of the key points in plain English, but does not act as a substitute for these documents.

I’m not a lawyer nor do I have the time to try and pretend I’m one, so while I dislike long documents written in Legalese, that’s what we have in place for now.

Version history

15 July 2023

  • Initial release

19 July 2023

  • Added Version history for transparency