This, but I prefer nginx.
And no real need for tailscale or cloudflare. If you do not like to depend on a third party service, either port forward and ddns or an external vps+wire guard if you have gcnat
Comment on What steps do you take to secure your server and your selfhosted services?
AkatsukiLevi@lemmy.world 4 days ago
Disable password authentication on SSH
Enable firewall and block all ports you’re not using(most firewalls do this by default)
Switch to a LTS kernel(not security related, but it keeps things going smooth… Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)
Use Caddy to proxy to services instead of directly exposing them out
HTTPS for web stuff(Caddy does it automatically)
Shimitar@downonthestreet.eu 4 days ago
szszl@sh.itjust.works 2 days ago
This is a valid solution but honestly how is using VPS not depending on third party?
Shimitar@downonthestreet.eu 2 days ago
It is, but you are free to switch at any time provider, there is no technological lock in like with cloudflare or tailscale (i know there is a free self hostable version, not talking about that).
So just rent a new one and switch your wireguard there.
JustEnoughDucks@feddit.nl 4 days ago
Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as “it doesn’t exist” rather than an obsticle to try exploits on. Not sure if that is true though.
For me:
-
ssh server only with keys
-
absolutely no ssh forwarding, only available to local network via firewall rules
-
docker socket proxy for everything that needs socket access
-
drop non-used ports, limit IPs for local-only services (e.g. paperless)
-
crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)
-
Authelia over everything that doesn’t break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)
-
proper umask rules on all docker directories (or as much as possible)
-
main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical
-
full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren’t in memory (makes a startup script with a password needed, so no automated startups for me)
For more info, I followed a lot of stuff on: github.com/…/How-To-Secure-A-Linux-Server
-
szszl@sh.itjust.works 2 days ago
Caddy or any other (reputable) reverse proxy. I think Nginx Proxy Manager would be best for beginner thanks to GUI.
ZonenRanslite@feddit.org 4 days ago
This and fail2ban
ocean@lemmy.selfhostcat.com 4 days ago
Anything else?
InvertedParallax@lemm.ee 4 days ago
There are ip lists that let you iptables drop all traffic from China and Russia.
Strongly recommend.
ocean@lemmy.selfhostcat.com 4 days ago
I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…
Good advice outside of this use case! :)
lka1988@lemmy.dbzer0.com 2 days ago
My UDM has this capability. I’ve blocked quite a few countries that it logged as trying to get into my network.