Inspired by this comment to try to learn what I’m missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?
Some I haven’t yet found in this thread:
- rootless podman
- container port mapping to localhost (e.g.
127.0.0.1:8080:8080
) - systemd services with many of its sandboxing features (PrivateTmp, …)
They aren’t on the internet mainly.
My router (opnsense) has a wireguard server which is how I access things when out of the house.
I do have a minecraft server for my friends and I, but that VM is on its own network isolated from everything else.
To add some points, that I do:
- Proper logging: So I could realize something unusual is going on
- rootless podman container: harder to escalate privileges and gain root
- Apparmor: same, plus it could trigger suspicious log entries
Disable password authentication on SSH
Enable firewall and block all ports you’re not using(most firewalls do this by default)
Switch to a LTS kernel(not security related, but it keeps things going smooth… Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)
Use Caddy to proxy to services instead of directly exposing them out
HTTPS for web stuff(Caddy does it automatically)
This and fail2ban