Using Fail2ban to protect exposed services | arvind.io
arvind.io
Fail2ban is a software application that protects you from brute-force attacks. The most common use-case is to protect your server's publicly exposed SSH service from being an easy target. If that is your only goal, you might find it quicker to follow the steps from this article by Linode for...

I’m wondering if I’m starting to outgrow Tailscale… my wife keeps having networking issues on Android due to Tailscale, the Nvidia Shield kills the Tailscale app randomly, and my parents’ TV doesn’t have a Tailscale app…

I feel like the time is approaching to publicly expose some of my services to the internet…

Any other tips?

  • paequ2@lemmy.todayOPEnglish
    5·
    14 hours ago

    Harden your server first

    Do you have any tutorials or guides on this handy?

    Use your router/server to block some counties using geoip

    Yeah, definitely all my users are in the same town/region/country as me. So this could be doable.

    Configure rate limits in Nginx

    Hm, currently using Caddy as my reverse proxy. I guess there’s some module for this.

    only open ports in your firewall you really want to open

    The only port I need open is 443 for accessing Jellyfin and Immich. I can definitely block 22 from the public internet. And fuck it no automatic redirects from 80 to 443. TLS or bust.

    • irmadlad@lemmy.worldEnglish
      3·
      13 hours ago

      Do you have any tutorials or guides on this handy?

      Now that’s a deeeeep rabbit hole. I tend to go overboard on hardening and security, however, one good place to start is installing Lynis and run a scan. Lynis will spit out a rather extensive list of areas you need to harden or adjust and a score for your server. It will also give links where you can go and read up on the specific item in question. Now, not every one of the bullets in the list will apply, but you should give each careful consideration. Lynis is Free and Open Source Software (FOSS).

      I ran a scan just for demonstration purposes so you can see what the end results are. This is just a snippet:

      spoiler 
        * Configure minimum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
      https://cisofy.com/lynis/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

      Be mindful of where you get your hardening tutorials. There are hundreds of thousands out there. I would stick with authoritative sources.

      ETA: I would also recommend reading up on Cloudflare Tunnels/ZeroTrust. I know some people are iffy about Cloudflare and I see their points. It’s worth a read in my opinion.