What steps do you take to secure your server and your selfhosted services?

irmadlad@lemmy.world

• Fail2ban
• UFW
• Reverse Proxy
• IPtraf (monitor)
• Lynis (Audit)
• OpenVas (Audit)
• Nessus (Audit)
• Non standard SSH port
• CrowdSec + Appsec
• No root logins
• SSH keys
• Tailscale
• RKHunter

dannyboy@sh.itjust.works

Tailscale and being at my house is the only two ways in so I feel those are pretty good for me.

irmadlad@lemmy.world

My new strategy is to block EVERY port

Wow! All 65535 +/-, in and out? That's one way to skin a cat.

gamer@lemm.ee

ez pz:

#!/usr/sbin/nft -f
table inet filter {
    chain input {
        type filter hook input priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }

    chain forward {
        type filter hook forward priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }

    chain output {
        type filter hook output priority raw; policy accept;
    }
}

irmadlad@lemmy.world

I've seen it done as such:

hperrin@lemmy.ca

One thing I do is instead of having an open SSH port, I have an OpenVPN server that I’ll connect to, then SSH to the host from within the network. Then, if someone hacks into the network, they still won’t have SSH access.

splashjackson@lemmy.ca

I put up a sign that says, "No hackers allowed plz"

chewy7324@discuss.tchncs.de

I do the same, but with Wireguard instead of OpenVPN. The performance is much better in my experience and it sucks less battery life.

chewy7324@discuss.tchncs.de

Some I haven't yet found in this thread:

• rootless podman
• container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
• systemd services with many of its sandboxing features (PrivateTmp, ...)

qjkxbmwvz@startrek.website

Fail2ban config can get fairly involved in my experience. I'm probably not doing it the right way, as I wrote a bunch of web server ban rules --- anyone trying to access wpadmin gets banned, for instance (I don't use WordPress, and if I did, it wouldn't be accessible from my public facing reverse proxy).

I just skimmed my nginx logs and looked for anything funky and put that in a ban rule, basically.

ocean@lemmy.selfhostcat.com

How has that been going?

ikidd@lemmy.world

"All your containers are belong to us."

ikidd@lemmy.world

I assume #2 is just to keep containers/stacks able to talk to each other without piercing the firewall for ports that aren't to be exposed to the outside? It wouldn't prevent anything if one of the containers on that host were compromised, afaik.

Guest

Caddy or any other (reputable) reverse proxy. I think Nginx Proxy Manager would be best for beginner thanks to GUI.

Guest

This is a valid solution but honestly how is using VPS not depending on third party?

mangopenguin@lemmy.blahaj.zone

They aren't on the internet mainly.

mangopenguin@lemmy.blahaj.zone

Containers can talk to each other without any ports exposed at all, they just need to be added to the same docker network.

oderus@lemmy.world

NPM, Nginx

If I need remote access, I just log into NPM and I have certain URL's created for Plex, or Sonarr, Radarr etc. No issues so far.

chewy7324@discuss.tchncs.de

It's mostly to allow the reverse proxy on localhost to connect to the container/service, while blocking all other hosts/IPs.

This is especially important when using docker as it messes with iptables and can circumvent firewall like e.g. ufw.

You're right that it doesn't increase security on case of a compromised container. It's just about outside connections.

shimitar@downonthestreet.eu

It is, but you are free to switch at any time provider, there is no technological lock in like with cloudflare or tailscale (i know there is a free self hostable version, not talking about that).

So just rent a new one and switch your wireguard there.