Inspired by this comment to try to learn what I’m missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?
This and fail2ban
Anything else?
There are ip lists that let you iptables drop all traffic from China and Russia.
Strongly recommend.
My UDM has this capability. I’ve blocked quite a few countries that it logged as trying to get into my network. Great little internet cylinder.
Have the rack mounted one, I usually roll my own router but I’m glad to have someone else making sure I don’t do anything stupid for security.
It’s not perfect, but it’s peace of mind.
I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…
Good advice outside of this use case! :)
Yeah, there were other countries to ban, but those 2 cut my attacks down 90%.
Also consider a honeypot that triggers when anyone tries to ssh it at all.