Inspired by this comment to try to learn what I’m missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is: does it need to be on a separate machine on a VLAN from the rest of the network, or is that too much?

  • MangoPenguin@lemmy.blahaj.zone
    25 days ago

    They aren’t on the internet mainly.

    My router (OPNsense) has a WireGuard server, which is how I access things when out of the house.

    I do have a Minecraft server for my friends and me, but that VM is on its own network isolated from everything else.

  • Akatsuki Levi@lemmy.world
    27 days ago

    Disable password authentication on SSH

    Enable firewall and block all ports you’re not using (most firewalls do this by default)

    Switch to an LTS kernel (not security related, but it keeps things going smoothly… Technically it is safer since it gets updated less often, so it is a bit more battle tested? Never investigated whether an LTS kernel is safer than a standard one)

    Use Caddy to proxy to services instead of directly exposing them out

    HTTPS for web stuff (Caddy does it automatically)
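The SSH items in the comment above ("disable password authentication", and the no-root-login / keys-only advice elsewhere in the thread) are the kind of thing that is easy to think you have done and still have undone by a stray directive. The following is an added example, not code from the thread: a small Python check that reads an sshd_config, applies sshd's "first value wins" rule, and reports password logins, root logins, the default port, and Match blocks that re-enable passwords. It only understands the `Keyword value` / `Keyword=value` forms and the four directives listed in DEFAULTS; both sample configs are constructed.

```python
"""Check an sshd_config for the SSH items in the comment above.

Added example, not code from the thread. It handles the 'Keyword value' and
'Keyword=value' directive forms and the handful of directives named in DEFAULTS;
both sample configs are constructed.
"""
import re

# Constructed sample resembling a stock distribution sshd_config: password
# logins on, root login left at its default, plus a Match block.
STOCK_CONFIG = """\
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes

Match User backup
    PasswordAuthentication yes
"""

# Constructed sample after applying the advice: keys only, no root, no passwords.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

# Values sshd uses when a directive is absent (see sshd_config(5)).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*[=\s]\s*(.*?)\s*$")


def parse(text):
    """Return (global directives, [(match criteria, directives), ...]).

    sshd keeps the *first* value it sees for a directive, so later duplicates
    are ignored; everything after a 'Match' line only applies when that
    criteria matches, so those directives are kept separately.
    """
    global_cfg, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            matches.append((value, current))
        elif current is not None:
            current.setdefault(key, value)
        else:
            global_cfg.setdefault(key, value)
    return global_cfg, matches


def audit(text):
    """Return finding identifiers for the given sshd_config text ([] is good)."""
    global_cfg, matches = parse(text)
    cfg = {**DEFAULTS, **global_cfg}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("password-auth-enabled")
    # With UsePAM, keyboard-interactive still lets PAM prompt for a password.
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings.append("keyboard-interactive-enabled")
    # The default 'prohibit-password' still allows root to log in with a key.
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("root-login-not-disabled")
    if cfg["port"] == "22":
        findings.append("default-port")
    # A Match block can quietly re-enable passwords for some users or hosts.
    for criteria, block in matches:
        if block.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"match-reenables-password:{criteria}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

On a real host, feed it the output of `sshd -T` rather than the file: that prints the effective configuration in lowercase `keyword value` form (which `parse` accepts) after `Include` files and defaults have been resolved, so a directive hidden in `/etc/ssh/sshd_config.d/` cannot slip past the check.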

  • Chewy@discuss.tchncs.de
    26 days ago

    Some I haven’t yet found in this thread:

    • rootless podman
    • container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
    • systemd services with many of its sandboxing features (PrivateTmp, …)
      • Chewy@discuss.tchncs.de
        24 days ago

        Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn’t allow any connection except from the host. If it’s set to 0.0.0.0 it means it’ll allow connections from any IP (which might not be an issue depending on your setup).

        The reverse proxy runs on localhost anyway, so any other IPs have no reason to ever have access.

        • ocean@lemmy.selfhostcat.com (OP)
          20 days ago

          > Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn’t allow any connection except from the host. If it’s set to 0.0.0.0 it means it’ll allow connections from any IP (which might not be an issue depending on your setup).

          Thanks for explaining this!
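The `127.0.0.1:8080:8080` mapping and the 127.0.0.1-versus-0.0.0.0 explanation in the exchange above are worth turning into a check, because the difference lives in one easily forgotten prefix. The following is an added example, not code from the thread: a Python script that parses Docker/Podman short-syntax `ports:` entries, classifies each by the host address it binds to (binding to 127.0.0.1, the loopback address, keeps the port reachable only from the host; no address or 0.0.0.0 binds every interface), lists the ones exposed on every interface, and rewrites them to loopback. The mapping list is constructed.

```python
"""Classify Docker/Podman published ports by the host address they bind to.

Added example, not code from the thread. It covers the short 'ports:' syntax
[host_ip:][host_port:]container_port[/protocol] (IPv6 addresses in brackets);
the sample mappings below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: 'ports:' entries as they might appear in a compose file.
SAMPLE_PORTS = [
    "127.0.0.1:8080:8080",     # loopback only: reachable just from the host
    "8443:443",                # no host address given: binds every interface
    "0.0.0.0:5432:5432",       # explicit all-interfaces bind
    "[::1]:9090:9090",         # IPv6 loopback
    "192.168.1.10:53:53/udp",  # one specific interface, UDP
    "3000",                    # random host port, every interface
]


@dataclass
class Mapping:
    host_ip: Optional[str]
    host_port: Optional[str]
    container_port: str
    proto: str


_BRACKETED_V6 = re.compile(r"^\[(?P<ip>[^\]]+)\]:(?P<rest>.*)$")


def parse_mapping(spec: str) -> Mapping:
    """Split one short-syntax port spec into its parts."""
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    m = _BRACKETED_V6.match(spec)
    if m:                       # "[::1]:9090:9090" -> ip "::1", rest "9090:9090"
        host_ip, spec = m.group("ip"), m.group("rest")
    parts = spec.split(":")
    if len(parts) == 3:         # host_ip:host_port:container_port
        host_ip, host_port, container = parts
    elif len(parts) == 2:       # host_port:container_port
        host_port, container = parts
    elif len(parts) == 1:       # container_port only
        host_port, container = None, parts[0]
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return Mapping(host_ip or None, host_port or None, container, proto)


def exposure(m: Mapping) -> str:
    """'loopback', 'all-interfaces' or 'specific', from the host bind address."""
    if m.host_ip is None:
        return "all-interfaces"          # Docker/Podman default is 0.0.0.0
    ip = ipaddress.ip_address(m.host_ip)
    if ip.is_loopback:                   # 127.0.0.0/8 or ::1
        return "loopback"
    if ip.is_unspecified:                # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific"


def audit(specs: List[str]) -> List[str]:
    """Return the specs that publish a container port on every host interface."""
    return [s for s in specs if exposure(parse_mapping(s)) == "all-interfaces"]


def bind_to_loopback(spec: str) -> str:
    """Rewrite an all-interfaces spec so the host side listens on 127.0.0.1 only."""
    m = parse_mapping(spec)
    if exposure(m) != "all-interfaces":
        return spec
    suffix = f"/{m.proto}" if "/" in spec else ""
    return f"127.0.0.1:{m.host_port or ''}:{m.container_port}{suffix}"


if __name__ == "__main__":
    for spec in SAMPLE_PORTS:
        print(f"{spec:28} {exposure(parse_mapping(spec)):15} -> {bind_to_loopback(spec)}")
```

The loopback binding matters more than it looks, and for a reason beyond the "even without a firewall" point above: with Docker, published ports are implemented by iptables rules in Docker's own chains that are consulted before a host firewall's INPUT rules, so a ufw deny does not cover a `0.0.0.0` mapping, while a `127.0.0.1:` mapping never reaches the network in the first place. Rootless Podman does not write host iptables rules, but the bind address still decides who can connect.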

  • xcutie@linux.community
    25 days ago

    To add some points that I do:

    • Proper logging: so I could realize something unusual is going on
    • rootless Podman container: harder to escalate privileges and gain root
    • AppArmor: same, plus it could trigger suspicious log entries
  • irmadlad@lemmy.world
    26 days ago

    • Fail2ban
    • UFW
    • Reverse Proxy
    • IPTraf (monitor)
    • Lynis (Audit)
    • OpenVAS (Audit)
    • Nessus (Audit)
    • Non-standard SSH port
    • CrowdSec + Appsec
    • No root logins
    • SSH keys
    • Tailscale
    • rkhunter