Ask HN: What should I do before exposing a home server to the internet?
5 comments
heres an experiment for you, setup a honeypot router that is open to the web, keep in mind that it is possible for threat actor to reconfigure the router, among other nastiness, but what you want to see is the activity log, so you can see what or who is going for your honey pot and hammering on a locked door to nowhere.
this will give a partial threat profile but will also show you just how sketchy the net is outside of a secure space.
this will give a partial threat profile but will also show you just how sketchy the net is outside of a secure space.
Don’t expose SSH, OMV, Docker, Portainer etc. Use cloudflare DNS. Enable fail2ban, tunnel everything over VPN.
Really I'd like to have SSH available for my own use. Can it be secured well-enough? Keys only, perhaps? Putting it on an unusual port?
you can set up a trigger port, that will open an SSH port when triggered properly. some routers come with this functionality, a third party opensource firmware usually does this or allows for a script to implement it.
so you "knock" on port 666 lets say with a majic packet of some sort this opens a secured SSH port, then drops it on command or idle time to live expires
so you "knock" on port 666 lets say with a majic packet of some sort this opens a secured SSH port, then drops it on command or idle time to live expires
What's wrong with exposing SSH? It has got to be one of the most well tested pieces of network software out there.
Re. fail2ban - nearly all ssh scanning attempts in the wild seem to be from unsophicated attackers using some pieces of obsolete software. I disabled all but a couple of modern ciphers/mac/kex algorithms and hardly ever see any password bruteforce attempts in my logs (not that they have any chance of working - I disable password authentication as well). Mostly a bunch of "no matching key exchange method found" which I regard a minor nuisance.
Re. fail2ban - nearly all ssh scanning attempts in the wild seem to be from unsophicated attackers using some pieces of obsolete software. I disabled all but a couple of modern ciphers/mac/kex algorithms and hardly ever see any password bruteforce attempts in my logs (not that they have any chance of working - I disable password authentication as well). Mostly a bunch of "no matching key exchange method found" which I regard a minor nuisance.
I know very little about system security, but I know that opening up a vanilla distro with all the default daemons and open ports could be inadvisable
So what's a good strategy for a hobbyist to secure their server? Is there a fire-and-forget firewall I could set up? A minimal distribution that has nothing outside of what you need for this type of hosting? Is there a step-by-step guide out there for locking things down?