ocean@lemmy.selfhostcat.com to Selfhosted@lemmy.world · 3 days ago
What steps do you take to secure your server and your selfhosted services?
Inspired by this comment to try to learn what I’m missing.

- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
gamer@lemm.ee · 3 days ago
My new strategy is to block EVERY port except WireGuard. This doesn’t work for things you want to host publicly ofc, like a website, but for most self host stuff I don’t see anything better than that.
irmadlad@lemmy.world · 2 days ago
> My new strategy is to block EVERY port

Wow! All 65535 +/-, in and out? That’s one way to skin a cat.
gamer@lemm.ee · 2 days ago
ez pz:

```nft
#!/usr/sbin/nft -f
table inet filter {
    chain input {
        # hooked at priority filter (0) rather than raw (-300): conntrack runs at
        # priority -200, so a "ct state" match in a raw-priority chain never sees
        # established/related and reply traffic on enp1s0 would hit the drop below
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```
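An added check (my own code, not from anyone in the thread) that audits a ruleset written in the nft syntax above: it flags `ct state` rules sitting in a chain hooked before conntrack runs (priority below -200, which `raw` is), and lists what each chain accepts on the WAN interface so the "only 51820/udp" intent can be verified rather than assumed. The interface name and port come from the posted config; the embedded ruleset is a constructed sample.

```python
"""Audit an nftables ruleset in the text form `nft list ruleset` prints (or the
.nft file itself): find "ct state" rules in chains hooked before conntrack has
run, and list the accepts granted on the WAN interface."""
import re

PRIORITY_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0, "security": 50, "srcnat": 100}
CONNTRACK_PRIORITY = -200  # NF_IP_PRI_CONNTRACK: ct state is only meaningful after this hook

CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"hook\s+\S+\s+priority\s+(-?\w+)\s*;")
ACCEPT_RE = re.compile(r'^iif(?:name)?\s+"?(\w+)"?\s+(?:(udp|tcp)\s+dport\s+(\d+)\s+)?accept$')

def audit_ruleset(text, wan_if):
    """Return (misplaced_ct_rules, wan_accepts) as lists of tuples."""
    misplaced, wan_accepts = [], []
    chain = priority = None
    for line in (l.strip() for l in text.splitlines()):
        if m := CHAIN_RE.match(line):                       # new chain: reset hook priority
            chain, priority = m.group(1), None
        elif m := HOOK_RE.search(line):                     # named or numeric priority
            p = m.group(1)
            priority = int(p) if re.fullmatch(r"-?\d+", p) else PRIORITY_NAMES.get(p)
        elif chain and line.startswith("ct state") and priority is not None and priority < CONNTRACK_PRIORITY:
            misplaced.append((chain, line))                 # conntrack has not run here
        elif chain and (m := ACCEPT_RE.match(line)) and m.group(1) == wan_if:
            wan_accepts.append((chain, m.group(2), int(m.group(3)) if m.group(3) else None))
    return misplaced, wan_accepts

# Constructed sample: the posted ruleset shape, keeping the original "priority raw".
SAMPLE_RAW = """
table inet filter {
    chain input {
        type filter hook input priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }
    chain forward {
        type filter hook forward priority raw; policy accept;
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }
}
"""

if __name__ == "__main__":
    print(audit_ruleset(SAMPLE_RAW, "enp1s0"))
```

On the sample this reports both `ct state` rules as unreachable at raw priority and `udp/51820` as the only WAN accept in each chain; switching the hooks to `priority filter` clears the first finding.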
robador51@lemmy.ml · 2 days ago
I do this too. Took me a little effort to set things up, but now it’s so easy.