What steps do you take to secure your server and your selfhosted services?
-
I agree - I don’t expose anything to the internet other than the WireGuard endpoint.
I’m only hosting services that my immediate family need to access, so I just set up WireGuard on their devices, and only expose the services on the LAN.
I used to expose services to the internet, until one of my #saltstack clients was exploited through a very recent vulnerability I hadn’t yet patched (only a week or so since it was announced). I was fortunate that the exploit failed due to the server running FreeBSD, so the crontab entry to download the next mailicious payload failed because wget wasn’t available on the server.
That’s when I realised - minimise the attack surface - if you’re not hosting services for anyone in the world to access, don’t expose them to everyone in the world to exploit.
TBF if you want, you can have a bastion server which is solely whitelisted by IP to stream your content from your local server. It's obviously a pivot point for hackers, but it's the level of effort that 99% of hackers would ignore unless they really wanted to target
you. And if you're that high value of a target, you probably shouldn't be opening any ports on your network, which brings us back to your original solution.I, too, don't expose things to the public because I cannot afford the more safe/obfuscated solutions. But I do think there are reasonable measures that can be taken to expose your content to a wider audience if you wanted.
-
This and fail2ban
Anything else?
-
Anything else?
There are ip lists that let you iptables drop all traffic from China and Russia.
Strongly recommend.
-
There are ip lists that let you iptables drop all traffic from China and Russia.
Strongly recommend.
I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…
Good advice outside of this use case!
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
I expose some stuff through IPv6 only with my Synology NAS (I am CGNATED) and I have always wondered if I still need to use fail2ban in that environment...
My Synology has an auto block feature that from my understanding is essentially fail2ban, what I don't know is if such a feature works for all my exposed services but Synology's.
-
My new strategy is to block EVERY port except WireGuard. This doesn't work for things you want to host publicly ofc, like a website, but for most self host stuff I don't see anything better than that.
I do this too. Took me a little effort to set things up, but now its so easy.
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Default block for incoming traffic is always a good starting point.
I'm personally using crowdsec to good results, but still need to add some more to it as I keep seeing failed attacks that should be blocked much quicker. -
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Just tailscale really.
My services are only exposed to the tailscale network, so I don't have to worry about otger devices on my LAN.
A good VPN with MFA is all you really need if you are the only user.
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
use a cheap vlan switch to make an actual vlan DMZ with the services' router
use non-root containers everywhere. segment services in different containers
-
I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…
Good advice outside of this use case!
Yeah, there were other countries to ban, but those 2 cut my attacks down 90%.
Also consider a honeypot that triggers when anyone tries to ssh it at all.
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
in the context of the comment you referenced:
Definitely have the server on its own VLAN. It shouldn't have any access to other devices that are not related to the services and I would also add some sort of security software.
If you have a public service that you expect to have multiple users on you definitely should have some level of monitoring whether it is just the application logs from the forum that you want to host or further have some sort of EDR on the server.
Things I would do if I was hosting a public forum:
- Reverse proxy
- fail2ban
- dedicated server that does not have any personal data or other services that are sensitive
- complete network isolation with VLAN
- send application logs to ELK
- clamAV
And if the user base grows I would also add:
- EDR such as velociraptor
- an external firewall / ips
- possibly move from docker to VM for further isolation (not likely)
-
Disable password authentication on SSH
Enable firewall and block all ports you're not using(most firewalls do this by default)
Switch to a LTS kernel(not security related, but it keeps things going smooth... Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)
Use Caddy to proxy to services instead of directly exposing them out
HTTPS for web stuff(Caddy does it automatically)
Enable firewall and block all ports you're not using(most firewalls do this by default)
this one haven't failed me....yet.
PS: please don't pentest me
-
I expose some stuff through IPv6 only with my Synology NAS (I am CGNATED) and I have always wondered if I still need to use fail2ban in that environment...
My Synology has an auto block feature that from my understanding is essentially fail2ban, what I don't know is if such a feature works for all my exposed services but Synology's.
My Synology has an auto block feature that from my understanding is essentially fail2ban, what I don’t know is if such a feature works for all my exposed services but Synology’s
I'd be surprised if it works for custom services. Fail2ban has to know what's running and haw to have access to its log file to know what is a failed authentication request. The best you can do without log access is to rate limit new tcp connections. But still you should know what's the service behind because 5 new SSH sessions per minute and IP can be reasonable 5 new http1.0 connections likely cannot load a single html page.
-
Disable password authentication on SSH
Enable firewall and block all ports you're not using(most firewalls do this by default)
Switch to a LTS kernel(not security related, but it keeps things going smooth... Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)
Use Caddy to proxy to services instead of directly exposing them out
HTTPS for web stuff(Caddy does it automatically)
Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as "it doesn't exist" rather than an obsticle to try exploits on. Not sure if that is true though.
For me:
-
ssh server only with keys
-
absolutely no ssh forwarding, only available to local network via firewall rules
-
docker socket proxy for everything that needs socket access
-
drop non-used ports, limit IPs for local-only services (e.g. paperless)
-
crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)
-
Authelia over everything that doesn't break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)
-
proper umask rules on all docker directories (or as much as possible)
-
main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical
-
full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren't in memory (makes a startup script with a password needed, so no automated startups for me)
For more info, I followed a lot of stuff on: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
-
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
- Fail2ban
- UFW
- Reverse Proxy
- IPtraf (monitor)
- Lynis (Audit)
- OpenVas (Audit)
- Nessus (Audit)
- Non standard SSH port
- CrowdSec + Appsec
- No root logins
- SSH keys
- Tailscale
- RKHunter
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Tailscale and being at my house is the only two ways in so I feel those are pretty good for me.
-
My new strategy is to block EVERY port except WireGuard. This doesn't work for things you want to host publicly ofc, like a website, but for most self host stuff I don't see anything better than that.
My new strategy is to block EVERY port
Wow! All 65535 +/-, in and out? That's one way to skin a cat.
-
My new strategy is to block EVERY port
Wow! All 65535 +/-, in and out? That's one way to skin a cat.
ez pz:
#!/usr/sbin/nft -f table inet filter { chain input { type filter hook input priority raw; policy accept; iif "lo" accept ct state established,related accept iif "enp1s0" udp dport 51820 accept iif "enp1s0" drop } chain forward { type filter hook forward priority raw; policy accept; iif "lo" accept ct state established,related accept iif "enp1s0" udp dport 51820 accept iif "enp1s0" drop } chain output { type filter hook output priority raw; policy accept; } } -
ez pz:
#!/usr/sbin/nft -f table inet filter { chain input { type filter hook input priority raw; policy accept; iif "lo" accept ct state established,related accept iif "enp1s0" udp dport 51820 accept iif "enp1s0" drop } chain forward { type filter hook forward priority raw; policy accept; iif "lo" accept ct state established,related accept iif "enp1s0" udp dport 51820 accept iif "enp1s0" drop } chain output { type filter hook output priority raw; policy accept; } }I've seen it done as such:
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
One thing I do is instead of having an open SSH port, I have an OpenVPN server that I’ll connect to, then SSH to the host from within the network. Then, if someone hacks into the network, they still won’t have SSH access.
