What steps do you take to secure your server and your selfhosted services?
-
I was getting more at stacks on a host talking, i.e. you have a postgres stack with PG and pgAdmin, but want to use it with other stacks or k8s swarm, without exposing the pg port outside the machine.
You can do that by joining the containers to the same docker network; you don't need to expose ports even to localhost.
-
You can do that by joining the containers to the same docker network; you don't need to expose ports even to localhost.
I mustn't be communicating well, but that's fine.
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
As many others have said, not allowing inbound WAN connections into my LAN is an important step. I also run k3s on my server with Calico as the CNI and make heavy use of network policies to keep anything I'm running from misbehaving. That, along with easy ingress, makes k3s worth it for me over Docker Compose. I use OpenWRT on my router and force certain devices to run through a VPN and block other devices from the internet entirely.
-
There are IP lists that let you iptables drop all traffic from China and Russia.
Strongly recommend.
My UDM has this capability. I've blocked quite a few countries that it logged as trying to get into my network. Great little internet cylinder.
-
Some I haven't yet found in this thread:
- rootless podman
- container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
- systemd services with many of its sandboxing features (PrivateTmp, ...)
Does adding 127.0.0.1 make it so only that server can access it or what? I've seen that but don't understand.
-
My UDM has this capability. I've blocked quite a few countries that it logged as trying to get into my network. Great little internet cylinder.
Have the rack mounted one, I usually roll my own router but I'm glad to have someone else making sure I don't do anything stupid for security.
It's not perfect, but it's peace of mind.
-
One thing I do is instead of having an open SSH port, I have an OpenVPN server that I’ll connect to, then SSH to the host from within the network. Then, if someone hacks into the network, they still won’t have SSH access.
Thanks
-
I do the same, but with WireGuard instead of OpenVPN. The performance is much better in my experience and it sucks less battery life.
I’ve been meaning to learn how to make my own
-
Does adding 127.0.0.1 make it so only that server can access it or what? I've seen that but don't understand.
127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn't allow any connection except from the host. If it's set to 0.0.0.0 it means it'll allow connections from any IP (which might not be an issue depending on your setup).
The reverse proxy runs on localhost anyway, so any other IPs have no reason to ever have access.
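The two points made in this thread (a service with no published ports is reachable only by containers on a shared Docker network, and a port published as 127.0.0.1:8080:8080 is reachable only from the host) can be checked mechanically. The script below is an added example, not code from anyone in the thread: it parses Docker Compose `ports:` entries in both the short syntax (`[[host_ip:]host_port:]container_port[/protocol]`) and the long dict syntax, and reports which services are reachable from off-host. The `SAMPLE_SERVICES` dict is a constructed compose `services:` section, not a real deployment. One caveat worth knowing: Docker inserts its published-port rules into its own iptables chain, ahead of the host's INPUT rules, so a host firewall such as ufw does not protect a port published on 0.0.0.0; binding to 127.0.0.1 (or not publishing at all) is the reliable control.

```python
"""Audit Docker Compose port mappings for unintended network exposure.

Added example (not code from the original thread).  Docker's short
port syntax is  [[host_ip:]host_port:]container_port[/protocol].
A mapping with no host_ip (or 0.0.0.0 / ::) is published on every host
interface; 127.0.0.1 keeps it reachable only from the host itself, and a
service with no `ports` at all is reachable only by containers that share
a Docker network with it.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Any

ALL_INTERFACES = ("0.0.0.0", "::")


@dataclass(frozen=True)
class PortMapping:
    host_ip: str | None        # None: Docker default, i.e. all interfaces
    host_port: str | None      # None: Docker picks a random host port
    container_port: str
    protocol: str = "tcp"

    def scope(self) -> str:
        """Who can reach the published port: 'host-only', 'all', or one address."""
        if self.host_ip is None or self.host_ip in ALL_INTERFACES:
            return "all"
        if ipaddress.ip_address(self.host_ip).is_loopback:
            return "host-only"
        return self.host_ip     # bound to one specific (e.g. LAN) address

    @property
    def is_public(self) -> bool:
        return self.scope() != "host-only"


def parse_port(spec: str | dict[str, Any]) -> PortMapping:
    """Parse one entry of a compose `ports:` list (short or long syntax)."""
    if isinstance(spec, dict):   # long syntax: target / published / host_ip / protocol
        published = spec.get("published")
        return PortMapping(
            host_ip=spec.get("host_ip"),
            host_port=str(published) if published is not None else None,
            container_port=str(spec["target"]),
            protocol=str(spec.get("protocol", "tcp")),
        )
    body, _, proto = spec.partition("/")
    protocol = proto or "tcp"
    host_ip: str | None = None
    if body.startswith("["):                 # bracketed IPv6, e.g. [::1]:8080:80
        end = body.index("]")
        host_ip, body = body[1:end], body[end + 2:]   # skip the "]:"
    parts = body.split(":")
    if host_ip is None and len(parts) > 2:   # IPv4 (or bare IPv6) address plus two ports
        host_ip, parts = ":".join(parts[:-2]), parts[-2:]
    if len(parts) == 1:                      # "3000": random host port on all interfaces
        return PortMapping(host_ip, None, parts[0], protocol)
    return PortMapping(host_ip, parts[0], parts[1], protocol)


def audit_services(services: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Return, per service, a verdict line for each published port."""
    report: dict[str, list[str]] = {}
    for name, svc in services.items():
        mappings = [parse_port(p) for p in svc.get("ports", [])]
        if not mappings:
            report[name] = ["no published ports: reachable only over a shared Docker network"]
            continue
        lines = []
        for m in mappings:
            shown = f"{m.host_port or '<random>'}->{m.container_port}/{m.protocol}"
            scope = m.scope()
            if scope == "host-only":
                lines.append(f"ok: {shown} bound to loopback ({m.host_ip})")
            elif scope == "all":
                lines.append(f"EXPOSED: {shown} on every interface")
            else:
                lines.append(f"EXPOSED: {shown} on {scope}")
        report[name] = lines
    return report


# Constructed sample compose `services:` section (hypothetical, not from the thread).
SAMPLE_SERVICES: dict[str, dict[str, Any]] = {
    "db": {"image": "postgres:16"},                     # reached via shared network only
    "pgadmin": {"ports": ["127.0.0.1:5050:80"]},        # host-only, behind the reverse proxy
    "web": {"ports": ["8080:80", "3000"]},              # published on every interface
    "dns": {"ports": [{"target": 53, "published": 53,
                       "host_ip": "192.168.1.10", "protocol": "udp"}]},
}


def public_services(services: dict[str, dict[str, Any]] = SAMPLE_SERVICES) -> list[str]:
    """Names of services with at least one port reachable from off-host."""
    return sorted(
        name for name, svc in services.items()
        if any(parse_port(p).is_public for p in svc.get("ports", []))
    )


if __name__ == "__main__":
    for name, lines in audit_services(SAMPLE_SERVICES).items():
        print(name)
        for line in lines:
            print("  ", line)
```

Point `audit_services` at the `services` mapping of a parsed compose file and anything reported as EXPOSED is what a LAN or WAN scanner would see; the intended end state for a stack behind a reverse proxy is that only the proxy itself publishes ports, and everything else either binds to 127.0.0.1 or publishes nothing.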
-
I’ve been meaning to learn how to make my own
I found the guide/examples on their website a bit irritating at first (that's on me) but it works well once understood and configured.
-
I found the guide/examples on their website a bit irritating at first (that's on me) but it works well once understood and configured.
Thanks! I’ll do that