Inspired by this comment to try to learn what I’m missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?
Disable password authentication on SSH
Enable firewall and block all ports you’re not using(most firewalls do this by default)
Switch to a LTS kernel(not security related, but it keeps things going smooth… Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)
Use Caddy to proxy to services instead of directly exposing them out
HTTPS for web stuff(Caddy does it automatically)
This and fail2ban