@ocean@lemmy.selfhostcat.com to Selfhosted@lemmy.world • 15 days ago
What steps do you take to secure your server and your selfhosted services?
Inspired by this comment to try to learn what I’m missing.
- Cloudflare proxy
- Reverse proxy
- Fail2ban
- Docker containers on their own networks
@gamer@lemm.ee • 15 days ago
My new strategy is to block EVERY port except WireGuard. This doesn’t work for things you want to host publicly ofc, like a website, but for most self host stuff I don’t see anything better than that.
@robador51@lemmy.ml • 15 days ago
I do this too. Took me a little effort to set things up, but now it’s so easy.
irmadlad • 14 days ago
> My new strategy is to block EVERY port

Wow! All 65535 +/-, in and out? That’s one way to skin a cat.
@gamer@lemm.ee • 14 days ago
ez pz:

    #!/usr/sbin/nft -f
    table inet filter {
        chain input {
            type filter hook input priority raw; policy accept;
            iif "lo" accept                        # loopback is always allowed
            ct state established,related accept    # replies to connections this host started
            iif "enp1s0" udp dport 51820 accept    # WireGuard on the public interface
            iif "enp1s0" drop                      # everything else arriving on it
        }
        chain forward {
            type filter hook forward priority raw; policy accept;
            iif "lo" accept
            ct state established,related accept
            iif "enp1s0" udp dport 51820 accept    # same rules for forwarded traffic
            iif "enp1s0" drop
        }
        chain output {
            type filter hook output priority raw; policy accept;   # outbound is unrestricted
        }
    }
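An added check for the posture in this comment, not code from the thread: a small Python audit that parses an nftables ruleset in text form (as `nft list ruleset` prints it) and flags any accept on the public interface other than the WireGuard port, or an input/forward chain with `policy accept` that does not end in a catch-all drop. It assumes the interface is `enp1s0` and WireGuard listens on UDP 51820, as in the ruleset above; the embedded sample is that ruleset minus the empty output chain.

```python
import re

# Input and forward chains from the ruleset above, embedded as constructed sample input.
RULESET = """
table inet filter {
  chain input {
    type filter hook input priority raw; policy accept;
    iif "lo" accept
    ct state established,related accept
    iif "enp1s0" udp dport 51820 accept
    iif "enp1s0" drop
  }
  chain forward {
    type filter hook forward priority raw; policy accept;
    iif "lo" accept
    ct state established,related accept
    iif "enp1s0" udp dport 51820 accept
    iif "enp1s0" drop
  }
}
"""

def parse_chains(text):
    # Map chain name -> its lines (nft text form, one rule per line).
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"chain (\w+) \{", line):
            chains[(current := m.group(1))] = []
        elif line == "}":
            current = None
        elif current is not None and line:
            chains[current].append(line)
    return chains

def audit(text, wan="enp1s0", allowed=("udp", 51820)):
    # Empty result: only `allowed` on `wan` can reach the host or be forwarded.
    findings = []
    for name, rules in parse_chains(text).items():
        if not re.search(r"hook (input|forward)", rules[0]):
            continue  # output chain never sees traffic arriving on the WAN
        body = rules[1:]  # rules after the 'type ... hook ... policy ...' line
        for r in body:
            if r.startswith(f'iif "{wan}"') and r.endswith("accept"):
                m = re.search(r"(udp|tcp) dport (\d+)", r)
                if not m or (m.group(1), int(m.group(2))) != allowed:
                    findings.append(f"{name}: unexpected WAN accept: {r}")
        if "policy accept" in rules[0] and body[-1] != f'iif "{wan}" drop':
            findings.append(f"{name}: policy accept without terminal drop for {wan}")
    return findings
```

Feed it `nft list ruleset` output after every change; two findings (one per chain) mean the drop or the port rule drifted on both input and forward.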