Inspired by this comment, I'm trying to learn what I'm missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have: does it need to be on a separate machine on a VLAN from the rest of the network, or is that too much?

  • Akatsuki Levi@lemmy.world · 24 up, 3 down · 19 days ago

    Disable password authentication on SSH

    Enable firewall and block all ports you're not using (most firewalls do this by default)

    Switch to an LTS kernel (not security related, but it keeps things going smoothly… Technically it is safer since it gets updated less often, so it is a bit more battle-tested? Never investigated whether an LTS kernel is safer than a standard one)

    Use Caddy to proxy to services instead of directly exposing them out

    HTTPS for web stuff (Caddy does it automatically)

    • Shimitar@downonthestreet.eu · 4 up · 19 days ago

      This, but I prefer nginx.

      And no real need for Tailscale or Cloudflare. If you do not like to depend on a third-party service, either port forward and DDNS, or an external VPS + WireGuard if you have CGNAT.

    • RelativeArea1@sh.itjust.works · 1 up · 19 days ago

      Enable firewall and block all ports you're not using (most firewalls do this by default)

      This one hasn't failed me… yet.

      PS: please don’t pentest me
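The first item in Akatsuki Levi's reply (disable password authentication on SSH) is easy to get wrong in a way that is invisible at a glance: sshd takes the first value it finds for a keyword, so a `PasswordAuthentication no` added at the bottom of a file that already says `yes` higher up changes nothing. The script below is an added example written for this thread, not code from the thread or from OpenSSH, Caddy or any other project mentioned here. It assumes a file in sshd_config syntax (keyword and value separated by whitespace or `=`), stops at the first `Match` block because everything after it is conditional, and does not follow `Include` directives; on a live host, `sshd -T` prints the fully resolved configuration, and recent Debian/Ubuntu releases include `sshd_config.d/*.conf` drop-ins before the main settings, so those have to be checked as well.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an sshd_config really
# disables password authentication. sshd_config(5): "For each keyword, the
# first obtained value will be used", so ordering matters.

# sshd_effective FILE KEYWORD
#   Prints the effective global value of KEYWORD (case-insensitive), or
#   nothing if it is not set before the first Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        # normalise: strip leading blanks, turn "Keyword=Value" into "Keyword Value"
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/            { next }   # comments and blank lines
        tolower($1) == "match"  { exit }   # everything after Match is conditional
        tolower($1) == key      { print $2; exit }   # first occurrence wins
    ' "$1"
}

# audit_sshd FILE
#   Returns 0 when password authentication is effectively off, 1 otherwise.
audit_sshd() {
    pw=$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ -z "$pw" ] && pw=yes      # keyword absent: sshd's built-in default is "yes"
    [ "$pw" = no ]
}

# Constructed sample config for the demo: it "ends" with no, but the earlier
# yes is what sshd will actually use.
demo_cfg=$(mktemp)
printf '# sshd_config (constructed sample)\nPort 22\nPasswordAuthentication yes\nPasswordAuthentication no\n' > "$demo_cfg"
if audit_sshd "$demo_cfg"; then
    echo "OK: password authentication is off"
else
    echo "WARN: effective PasswordAuthentication is '$(sshd_effective "$demo_cfg" PasswordAuthentication)'"
fi
rm -f "$demo_cfg"
```

Run it against a copy of your own `/etc/ssh/sshd_config` with `audit_sshd /path/to/sshd_config`, and compare the result with `sshd -T | grep -i passwordauthentication` on the host itself, which also accounts for included drop-in files.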