Comment on What steps do you take to secure your server and your selfhosted services?
JustEnoughDucks@feddit.nl 2 months ago

Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as “it doesn’t exist” rather than an obstacle to try exploits on. Not sure if that is true though.
For me:
- ssh server only with keys
- absolutely no ssh forwarding, only available to local network via firewall rules
- docker socket proxy for everything that needs socket access
- drop non-used ports, limit IPs for local-only services (e.g. paperless)
- crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)
- Authelia over everything that doesn’t break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)
- proper umask rules on all docker directories (or as much as possible)
- main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical
- full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren’t in memory (makes a startup script with a password needed, so no automated startups for me)
For more info, I followed a lot of stuff on: github.com/…/How-To-Secure-A-Linux-Server
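As an added example (not the commenter's own setup), the first two list items and the "drop non-used ports" item can be turned into something checkable: a function that audits an sshd_config for key-only login with forwarding disabled, and a function that emits an nftables ruleset with a default drop policy (rather than reject) where SSH and a local-only service are reachable from the LAN range only. The LAN CIDR, the interface, the paperless port (8000) and the sample config contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: audit sshd_config for key-only/no-forwarding settings and
# emit a default-drop nftables ruleset. Paths, ports and CIDRs are assumptions.

# check_sshd_config FILE
# Prints "ok" when PasswordAuthentication=no, PubkeyAuthentication=yes and
# AllowTcpForwarding=no are set; otherwise prints each failing key=value.
# Like sshd itself, the first uncommented occurrence of a keyword wins
# (Match blocks are not evaluated here).
check_sshd_config() {
    file="$1"
    fails=""
    for pair in "PasswordAuthentication no" "PubkeyAuthentication yes" "AllowTcpForwarding no"; do
        key="${pair%% *}"
        want="${pair#* }"
        got=$(grep -iE "^[[:space:]]*${key}[[:space:]]+" "$file" | head -n 1 | awk '{print tolower($2)}')
        if [ "$got" != "$want" ]; then
            fails="${fails} ${key}=${got:-unset}"
        fi
    done
    if [ -z "$fails" ]; then
        echo ok
    else
        echo "${fails# }"
    fi
}

# lan_only_ruleset LAN_CIDR
# Prints an nftables ruleset: policy drop on input (no RST/ICMP unreachable
# sent back, so closed ports look like nothing is there), loopback and
# established traffic allowed, SSH (22) and a local-only service (8000, the
# assumed paperless port) only from LAN_CIDR, and 80/443 open for the proxy.
lan_only_ruleset() {
    lan="$1"
    cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto ipv6-icmp accept
    ip saddr $lan tcp dport { 22, 8000 } accept
    tcp dport { 80, 443 } accept
  }
}
EOF
}

# Demo on a constructed sshd_config (not a real host's file).
demo_cfg=$(mktemp)
printf '# constructed sample\nPasswordAuthentication no\nPubkeyAuthentication yes\nAllowTcpForwarding no\n' > "$demo_cfg"
echo "sshd_config audit: $(check_sshd_config "$demo_cfg")"
rm -f "$demo_cfg"
lan_only_ruleset 192.168.1.0/24
```

Run the audit against the real file with `check_sshd_config /etc/ssh/sshd_config`, and review the ruleset output before loading it with `nft -f`; if you administer the box over the same SSH port, keep a console session open while the new policy is applied.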