
How do you secure your server from the internet?

WindirBear

Hey guys, so I just bought a tiny Qotom PC to run pfSense on, since I've been running my web server for a year now with just the Wordfence plugin protecting it. I wasn't able to afford to get a firewall, and since I want to operate a Nextcloud server, now is a great time to learn some basic network security 😄

 

I don't know much about network security, as there are many ways to attack a network, but I've been watching NetworkChuck and other videos and pfSense seems promising. That being said, I don't have remote SSH set up because I'm afraid of brute-force attacks. Also, my website is an online store with practically no traction other than bots attacking my network, so security is important. I also have IP cameras set up for remote access and the firmware SUCKS: I can't change the username, so it's stuck at admin, which is such a security risk. So....

 

Is this a good way to secure my web server, local network, and Nextcloud?

Do I need pfSense to secure my servers?

How do you guys secure your network?

Is it best to just run these services through a cloud service like linode?


I just use it on LAN and use a pi-vpn when I am outside the LAN

I have an ASUS G14 2021 with Manjaro KDE and I am a professional Linux NoOB and also pretty bad at General Computing.

 

ALSO I DON'T EDIT MY POSTS* NOWADAYS SO NO NEED TO REFRESH BEFORE REPLYING *unless I edit my post


Running everything behind a VPN is the only solution I would consider relatively safe. If you HAVE to expose ports to the internet, at least set a rate limit for the ports you exposed.

Don't expose the usual suspects like 3389, 139 and 443 to the internet, ever.

10 minutes ago, WindirBear said:

Do I need pfSense to secure my servers?

Nope, all you need is proper configuration in any half-decent consumer router and also in your server. If you need features that are slightly above what a consumer might need, consider getting a router that is able to run OpenWrt.

 

I always run most of my network behind a VPN. I only expose one port for VPN and one port for port triggering, for when I am on a heavily filtered network and need to run an SSH tunnel.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18


5 minutes ago, Levent said:

Running everything behind a VPN is the only solution I would consider relatively safe. If you HAVE to expose ports to the internet, at least set a rate limit for the ports you exposed.

Don't expose the usual suspects like 3389, 139 and 443 to the internet, ever.

Nope, all you need is proper configuration in any half-decent consumer router and also in your server. If you need features that are slightly above what a consumer might need, consider getting a router that is able to run OpenWrt.

 

I always run most of my network behind a VPN. I only expose one port for VPN and one port for port triggering, for when I am on a heavily filtered network and need to run an SSH tunnel.

I have port 443 open for HTTPS and port 80 open as certbot needs it.


15 minutes ago, WindirBear said:

I have port 443 open for HTTPS and port 80 open as certbot needs it.

What server OS are you running for the web server?

 

I have fail2ban running with 3 jails on my web server atm (as an example).

One for nginx, one for bots and one for sshd.

 

Edit: also, maybe look into proxying your IPs behind Cloudflare, so that you're not directly exposing your IPs to the internet.

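The two pieces of advice above, "set a rate limit for the ports you exposed" and "fail2ban with a jail for sshd and one for nginx", share one mechanism: count failures per source address inside a time window and stop answering that source once it crosses a threshold. The following is an added example, not code from this thread or from fail2ban itself, that replays constructed sshd and nginx log lines through that logic. The jail names, regexes, maxretry/findtime/bantime values, the 2024 year assumed for syslog timestamps, and every address are assumptions made up for the example.

```python
"""Fail2ban-style jails replayed over constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Jail definitions (constructed; the real fail2ban filters are more thorough).
# Each pattern must capture the offending source address as the "ip" group.
JAILS = {
    "sshd": {
        "pattern": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\S+)"),
        "maxretry": 3, "findtime": timedelta(minutes=10), "bantime": timedelta(hours=1),
    },
    "nginx-bots": {
        # Probes for WordPress login/XML-RPC endpoints on a site that serves neither.
        "pattern": re.compile(r'^(?P<ip>\S+) .*"(?:GET|POST) (?:/wp-login\.php|/xmlrpc\.php)'),
        "maxretry": 5, "findtime": timedelta(minutes=1), "bantime": timedelta(hours=24),
    },
}

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
NGINX_TS = re.compile(r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_timestamp(line):
    """Return an aware datetime for a syslog or nginx access-log line, else None."""
    m = NGINX_TS.search(line)
    if m:
        return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    m = SYSLOG_TS.match(line)
    if m:
        # syslog timestamps carry no year; the constructed sample is from 2024 (assumption)
        naive = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=timezone.utc)
    return None


def run_jails(lines, jails=JAILS):
    """Replay lines in order; return {jail: {ip: banned_until}} for active bans."""
    recent = {name: defaultdict(deque) for name in jails}   # jail -> ip -> failure times
    bans = {name: {} for name in jails}                      # jail -> ip -> ban expiry
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue
        for name, jail in jails.items():
            m = jail["pattern"].search(line)
            if not m:
                continue
            ip = m["ip"]
            until = bans[name].get(ip)
            if until is not None:
                if ts < until:
                    continue             # still banned: the firewall would have dropped this
                del bans[name][ip]       # bantime elapsed: source is unbanned
            window = recent[name][ip]
            window.append(ts)
            while ts - window[0] > jail["findtime"]:
                window.popleft()         # only failures inside findtime count
            if len(window) >= jail["maxretry"]:
                bans[name][ip] = ts + jail["bantime"]
                window.clear()
    return bans


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    # sshd: three failures in seconds from one source, then a fourth after the ban
    "Jan 12 10:00:01 web sshd[2101]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "Jan 12 10:00:04 web sshd[2101]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Jan 12 10:00:07 web sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51004 ssh2",
    "Jan 12 10:00:09 web sshd[2103]: Failed password for root from 203.0.113.5 port 51006 ssh2",
    # a legitimate user: one typo, then a key-based login (no match)
    "Jan 12 10:05:00 web sshd[2110]: Failed password for deploy from 198.51.100.7 port 40002 ssh2",
    "Jan 12 10:05:10 web sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2",
    # nginx: WordPress login probes against a site that is not WordPress
    '203.0.113.77 - - [12/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Jan/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Jan/2024:10:01:10 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Jan/2024:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Jan/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2024:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # sshd: a slow guesser spacing attempts wider than findtime never trips maxretry
    "Jan 12 10:30:00 web sshd[2201]: Failed password for root from 192.0.2.44 port 6000 ssh2",
    "Jan 12 10:45:00 web sshd[2202]: Failed password for root from 192.0.2.44 port 6001 ssh2",
    "Jan 12 11:00:00 web sshd[2203]: Failed password for root from 192.0.2.44 port 6002 ssh2",
]

if __name__ == "__main__":
    for jail, banned in run_jails(SAMPLE_LOG).items():
        for ip, until in banned.items():
            print(f"[{jail}] ban {ip} until {until:%Y-%m-%d %H:%M:%S %z}")
```

The slow guesser at the end is the case worth noticing: its attempts are 15 minutes apart, so the 10-minute findtime window never holds three of them and it is never banned. That is the trade-off fail2ban makes, and it is why the posters above still prefer keeping SSH off the internet entirely (VPN only) rather than relying on a ban threshold alone.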

3 hours ago, fuzz0r said:

What server OS are you running for the web server?

 

I have fail2ban running with 3 jails on my web server atm (as an example).

One for nginx, one for bots and one for sshd.

 

Edit: also, maybe look into proxying your IPs behind Cloudflare, so that you're not directly exposing your IPs to the internet.

Ubuntu server.

 

I thought Cloudflare was a paid service. I looked it up again and see it's free. I will be implementing it soon. Thanks!

 

Also, I will be installing fail2ban. I just don't like the idea of opening my SSH to the Internet.


Internet security has two basic modes.

 

Keeping bad guys from connecting in, and keeping stuff that's insecure from connecting out.

 

Unless you have no router at all and are connecting your machines directly to your modem, there should be a router at play. Even the most basic ISP-supplied router typically has a firewall of sorts to stop basic incoming port connections. Often ports 25 and 80 are blocked by default unless you have a business account. You really need to be living in the Wild West to have a fully open network with a commercial ISP and a residential account. Just run a free port scan from a security site to check.

 

Keeping junk like China's finest security cams from phoning home to their overlords is a bit trickier. I typically put this stuff in its own policy group and block the entire group on my firewall. My rule being: if it doesn't need to see the internet, then it won't. You would think power plants and oil refineries would get this, but oh no.

 

Stupid trick if you don't have a firewall: use static IPs and set a bogus gateway. If IP can't get out, then layer 7 can't. A bad entity would have to compromise another device internally to get around this.


21 minutes ago, wseaton said:

Internet security has two basic modes.

 

Keeping bad guys from connecting in, and keeping stuff that's insecure from connecting out.

 

Unless you have no router at all and are connecting your machines directly to your modem, there should be a router at play. Even the most basic ISP-supplied router typically has a firewall of sorts to stop basic incoming port connections. Often ports 25 and 80 are blocked by default unless you have a business account. You really need to be living in the Wild West to have a fully open network with a commercial ISP and a residential account. Just run a free port scan from a security site to check.

 

Keeping junk like China's finest security cams from phoning home to their overlords is a bit trickier. I typically put this stuff in its own policy group and block the entire group on my firewall. My rule being: if it doesn't need to see the internet, then it won't. You would think power plants and oil refineries would get this, but oh no.

 

Stupid trick if you don't have a firewall: use static IPs and set a bogus gateway. If IP can't get out, then layer 7 can't. A bad entity would have to compromise another device internally to get around this.

The server itself is in a commercial location; however, the internet is still being used like it's the internet. How can I have a website without it being on port 80 or 443? How can I protect it? Can't I use pfSense to block server access to the local network?

Also, the ISP it's under doesn't even seem to block port 80 or 443.

