What steps do you take to secure your server and your self-hosted services?
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
As many others have said, not allowing inbound WAN connections into my LAN is an important step. I also run k3s on my server with Calico as the CNI and make heavy use of network policies to keep anything I’m running from misbehaving. That, along with easy ingress makes k3s worth it for me over Docker Compose. I use OpenWRT on my router and force certain devices to run through a VPN and block other devices from the internet entirely.
-
There are ip lists that let you iptables drop all traffic from China and Russia.
Strongly recommend.
My UDM has this capability. I've blocked quite a few countries that it logged as trying to get into my network. Great little internet cylinder.
-
Inspired by this comment to try to learn what I'm missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
-
Some I haven't yet found in this thread:
- rootless podman
- container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
- systemd services with many of its sandboxing features (PrivateTmp, ...)
Does adding 127.0.0.1 make it so only that server can access it, or what? I've seen that but don't understand it.
-
My UDM has this capability. I've blocked quite a few countries that it logged as trying to get into my network. Great little internet cylinder.
Have the rack mounted one, I usually roll my own router but I'm glad to have someone else making sure I don't do anything stupid for security.
It's not perfect, but it's peace of mind.
-
One thing I do is instead of having an open SSH port, I have an OpenVPN server that I’ll connect to, then SSH to the host from within the network. Then, if someone hacks into the network, they still won’t have SSH access.
Thanks
-
I do the same, but with WireGuard instead of OpenVPN. The performance is much better in my experience and it uses less battery.
I’ve been meaning to learn how to make my own
-
Does adding 127.0.0.1 make it so only that server can access it, or what? I've seen that but don't understand it.
127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there were no firewall, it wouldn't allow any connection except from the host. If it's set to 0.0.0.0 it means it'll allow connections from any IP (which might not be an issue depending on your setup).
The reverse proxy runs on localhost anyway, so any other IPs have no reason to ever have access.
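To make the difference between `127.0.0.1:8080:8080` and a bare `8080:8080` mapping concrete, here is an added example (not from any commenter in this thread) that parses Docker Compose short-syntax `ports` entries and flags which ones would be reachable from outside the host. The sample entries are constructed for illustration; the rule applied is Docker's own default of binding to all interfaces when no host IP is given.

```python
import ipaddress
import re

# Constructed sample of docker-compose "ports" entries (short syntax).
SAMPLE_PORTS = [
    "127.0.0.1:8080:8080",     # loopback only: reachable just from the host (and a local reverse proxy)
    "8080:8080",               # no host IP given -> Docker binds 0.0.0.0, i.e. every interface
    "8080",                    # container port only -> random host port, still on all interfaces
    "0.0.0.0:5432:5432",       # explicitly all interfaces
    "[::1]:9090:9090/tcp",     # IPv6 loopback, also host-only
    "192.168.1.10:3000:3000",  # a specific LAN address: narrower, but not loopback
]

# [ip:][host_port:]container_port[/proto]; ip may be dotted IPv4 or a bracketed IPv6 address.
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d+(?:-\d+)?)?:)?"
    r"(?P<cont>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp))?$"
)


def parse_port(entry):
    """Split one short-syntax port mapping into its parts, applying Docker's defaults."""
    m = _PORT_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {entry!r}")
    host_ip = (m.group("ip") or "0.0.0.0").strip("[]")  # missing host IP means all interfaces
    return {
        "host_ip": host_ip,
        "host_port": m.group("host") or None,  # None: Docker picks an ephemeral host port
        "container_port": m.group("cont"),
        "proto": m.group("proto") or "tcp",
    }


def is_loopback_only(entry):
    """True when the published port is bound to a loopback address (127.0.0.0/8 or ::1)."""
    return ipaddress.ip_address(parse_port(entry)["host_ip"]).is_loopback


def audit(entries):
    """Classify each mapping so exposed ports stand out when reviewing a compose file."""
    return [(e, "loopback-only" if is_loopback_only(e) else "exposed") for e in entries]


if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_PORTS):
        print(f"{entry:28} {verdict}")
```

Only the loopback-bound entries are unreachable from the LAN without a firewall; a reverse proxy on the same host can still reach them over 127.0.0.1.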
-
I’ve been meaning to learn how to make my own
I found the guide/examples on their website a bit irritating at first (that's on me) but it works well once understood and configured.
-
I found the guide/examples on their website a bit irritating at first (that's on me) but it works well once understood and configured.
Thanks! I’ll do that