Inspired by this comment, I'm trying to learn what I'm missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is whether it needs to be on a separate machine on its own VLAN, isolated from the rest of the network, or whether that is too much.

  • xcutie@linux.community · 2 months ago

    To add some points, that I do:

    • Proper logging, so I can notice when something unusual is going on
    • Rootless Podman containers: harder to escalate privileges and gain root
    • AppArmor: same, plus it could trigger suspicious log entries
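Two items in this thread, fail2ban in the original list and xcutie's "proper logging", come down to the same thing: reading sshd's log and noticing repeated failures from one address. The script below is an added example, not code from anyone in the thread. It does the counting a fail2ban sshd jail does with `maxretry` (failed logins per source IP, report the ones at or over a threshold) against a handful of constructed log lines; the hostnames, addresses and PIDs in the sample are made up.

```shell
#!/bin/sh
# Added example: fail2ban-style brute-force detection over sshd log lines.
# Reads auth.log / journalctl text on stdin, counts failed logins per source IP
# and prints "count ip" for every address at or over the threshold, most
# failures first. This is the counting a fail2ban sshd jail does with maxretry;
# fail2ban additionally windows it with findtime and bans for bantime.
find_bruteforcers() {
    threshold="$1"
    awk -v max="$threshold" '
        # one line per failed authentication attempt; the source address is the
        # word after "from". sshd also logs "Invalid user X from ..." just before
        # the Failed line, so only "Failed" lines are counted to avoid doubling.
        /sshd\[[0-9]+\]: Failed (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= max) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log: 5 failures from 198.51.100.23, one mistyped password
# (followed by a successful login) from 192.0.2.10.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar  1 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  1 10:00:05 host sshd[1205]: Invalid user admin from 198.51.100.23 port 51244
Mar  1 10:00:05 host sshd[1205]: Failed password for invalid user admin from 198.51.100.23 port 51244 ssh2
Mar  1 10:00:06 host sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 51249 ssh2
Mar  1 10:00:09 host sshd[1209]: Failed password for invalid user test from 198.51.100.23 port 51251 ssh2
Mar  1 10:01:30 host sshd[1220]: Accepted publickey for alice from 192.0.2.10 port 41022 ssh2: ED25519 SHA256:constructed
Mar  1 10:02:11 host sshd[1222]: Failed password for alice from 192.0.2.10 port 41030 ssh2
Mar  1 10:02:20 host sshd[1224]: Accepted password for alice from 192.0.2.10 port 41031 ssh2'

# Just the addresses over the threshold, as a jail would hand them to the firewall.
banned_ips() {
    printf '%s\n' "$SAMPLE_LOG" | find_bruteforcers "$1" | awk '{ print $2 }'
}

echo "threshold 5:"; banned_ips 5   # prints 198.51.100.23
echo "threshold 1:"; banned_ips 1   # prints both addresses
```

On a live host, replace the sample with `grep sshd /var/log/auth.log | find_bruteforcers 5` or `journalctl -u ssh --no-pager | find_bruteforcers 5` (`-u sshd` on Fedora and Arch). Once password authentication is off, these failures can no longer succeed, but the per-address counts remain the cheapest signal that something is hammering the box, which is the "proper logging" point above.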
  • Chewy@discuss.tchncs.de · 2 months ago

    Some I haven’t yet found in this thread:

    • rootless Podman
    • container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
    • systemd services with many of its sandboxing features (PrivateTmp, …)
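Chewy's second point is the one that goes wrong silently: `-p 8080:8080` publishes on every interface, so a service you meant to reach only through the reverse proxy is also reachable directly. The audit below is an added example, not code from the thread. It parses the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` (`podman ps` accepts the same format) and lists every published port bound to a wildcard address; the container names and port strings in the sample are constructed.

```shell
#!/bin/sh
# Added example: list published container ports that listen on every interface.
# Input (stdin) is one "name<TAB>ports" line per container, i.e. the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'    (podman ps takes the same flag)
# Docker prints a wildcard publish as 0.0.0.0:PORT->PORT/tcp (plus :::PORT for
# IPv6) and a loopback-only one as 127.0.0.1:PORT->PORT/tcp; a bare "5432/tcp"
# is an EXPOSE with no host binding at all.
wide_open_ports() {
    awk -F "$(printf '\t')" '
        {
            n = split($2, maps, /, */)            # "a->b/tcp, c->d/tcp" -> entries
            for (i = 1; i <= n; i++) {
                m = maps[i]
                if (m !~ /->/) continue           # exposed but never published
                split(m, side, "->")
                host = side[1]                    # "127.0.0.1:8080" or "0.0.0.0:8080"
                if (host ~ /^(0\.0\.0\.0|\[::\]|::):[0-9]+$/) print $1, host
            }
        }'
}

# Constructed sample in the same shape as the docker ps output above.
SAMPLE_PS=$(printf '%s\t%s\n' \
    nextcloud   '127.0.0.1:8080->80/tcp' \
    grafana     '0.0.0.0:3000->3000/tcp, :::3000->3000/tcp' \
    postgres    '5432/tcp' \
    vaultwarden '127.0.0.1:8000->80/tcp' \
    minecraft   '0.0.0.0:25565->25565/tcp')

# Names of containers with at least one wildcard binding, space separated.
exposed_containers() {
    printf '%s\n' "$SAMPLE_PS" | wide_open_ports | awk '{ print $1 }' | sort -u | xargs
}

printf '%s\n' "$SAMPLE_PS" | wide_open_ports   # grafana (v4 and v6) and minecraft
exposed_containers                              # grafana minecraft
```

Run `docker ps --format '{{.Names}}\t{{.Ports}}' | wide_open_ports` on the host. Two caveats worth knowing: with Docker, a published port stays reachable even when ufw or firewalld blocks it, because Docker inserts its own iptables rules in the FORWARD and nat chains that the host's INPUT rules never see, so binding to 127.0.0.1 (or not publishing at all and letting the proxy reach the service over a shared container network) is the real fix, not the firewall. Rootless Podman does not touch the host firewall, but it still binds to all interfaces unless you give it an address. For the systemd item in the same comment, `systemd-analyze security <unit>` scores a unit's sandboxing and lists which directives (PrivateTmp=, ProtectSystem=, NoNewPrivileges= and the rest) are set.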
  • MangoPenguin@lemmy.blahaj.zone · 2 months ago

    Mainly, they aren’t on the internet.

    My router (OPNsense) runs a WireGuard server, which is how I access things when I’m out of the house.

    I do have a Minecraft server for my friends and me, but that VM is on its own network, isolated from everything else.

  • Akatsuki Levi@lemmy.world · 2 months ago

    Disable password authentication on SSH.

    Enable a firewall and block all ports you’re not using (most firewalls do this by default).

    Switch to an LTS kernel (not security related, but it keeps things running smoothly… Technically it is safer since it gets updated less often, so it is a bit more battle tested? I never investigated whether an LTS kernel is safer than a standard one).

    Use Caddy to proxy to services instead of exposing them directly.

    HTTPS for web stuff (Caddy does it automatically).
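Disabling password authentication is the item here where it pays to verify the effective setting rather than the file you edited: sshd takes the first value it sees for a keyword, and the stock Debian/Ubuntu config opens with `Include /etc/ssh/sshd_config.d/*.conf`, so a line appended at the bottom of sshd_config loses to a drop-in or to an earlier line (Ubuntu cloud images ship `50-cloud-init.conf` with `PasswordAuthentication yes` for exactly this reason). The script below is an added example, not code from the thread. It reproduces that first-match rule over a constructed config, audits the keywords behind the advice in this comment, and shows a drop-in that fixes them; the file name `10-hardening.conf` is an assumption. `sshd -T` is the authoritative form of the same check.

```shell
#!/bin/sh
# Added example: audit the settings sshd will actually use.
# sshd keeps the FIRST value it sees for a keyword; keywords are case-insensitive,
# "#" starts a comment, and anything after a "Match" line only applies to
# matching connections, so the global value is whatever comes before the first Match.
# Usage: effective_value <keyword> < sshd_config   (prints nothing if unset)
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                         # drop comments
        tolower($1) == "match" { exit }                            # end of global section
        NF >= 2 && tolower($1) == key { print tolower($2); exit }  # first match wins
    '
}

# Check a config (on stdin) against the values this thread recommends.
# Prints "Keyword effective wanted" per failing check; no output means pass.
# KbdInteractiveAuthentication is the OpenSSH 8.7+ name (older releases:
# ChallengeResponseAuthentication); left on, PAM can still prompt for a password
# after PasswordAuthentication is off.
audit_sshd() {
    conf=$(cat)
    printf '%s\n' \
        "PasswordAuthentication no" \
        "KbdInteractiveAuthentication no" \
        "PermitRootLogin no|prohibit-password" \
        "PubkeyAuthentication yes" |
    while read -r key want; do
        got=$(printf '%s\n' "$conf" | effective_value "$key")
        printf '%s\n' "$got" | grep -Eqx "$want" || echo "$key ${got:-unset} $want"
    done
}

# Constructed /etc/ssh/sshd_config: the admin appended "PasswordAuthentication no"
# at the end, but the earlier "yes" is the one sshd uses.
SAMPLE_CONF='Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no'

# Drop-in for /etc/ssh/sshd_config.d/10-hardening.conf (assumed name). The Include
# sits at the top of the main file and globs sort lexically, so "10-" is read
# before "50-cloud-init.conf" and before anything in sshd_config itself.
HARDENED_DROPIN='PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes'

audit_sample() { printf '%s\n' "$SAMPLE_CONF" | audit_sshd; }
# Simulate the Include by feeding the drop-in ahead of the main file.
audit_fixed()  { printf '%s\n%s\n' "$HARDENED_DROPIN" "$SAMPLE_CONF" | audit_sshd; }

echo "before:"; audit_sample   # three findings
echo "after:";  audit_fixed    # no output
```

After writing the drop-in, run `sshd -t` to syntax-check and `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin|kbdinteractive'` to see the values the daemon resolved, then restart ssh from a session you keep open and test a fresh login before closing it. Sshd's `Match` handling is the part this script only approximates; `sshd -T -C user=alice,host=x,addr=203.0.113.5` evaluates it properly.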