Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

How do you secure your server from the internet?

WindirBear
 Share

Hey guys so I just bought a tiny qotom pc to run pfsense on since I've been running my webserver for  a year now with just Wordfence plugin protecting it. I wasn't able to afford to get a firewall and since I want to operate a nextcloud server now is a great time to learn some basic network security 😄

 

I don't know much about network security as there are many ways to attack a network but I've been watching network chuck and other videos and pfsense seems promising. That being said  I don't have remote ssh set up because I'm afraid of brute force attacks. Also my website is online store with practically no traction other than bots attacking my network, so security is important. I also have ip cameras set up for remote access and the firmware SUCKS, I can't change the username so it's stuck at admin, which is such a security risk. So....

 

Is this the a good way to secure my web server, local network, and nextcloud?

Do I need pfsense to secure my servers?

How do you guys secure your network?

Is it best to just run these services through a cloud service like linode?

Link to comment
Share on other sites

Link to post
Share on other sites

I just use it on LAN and use a pi-vpn when I am outside the LAN

I have an ASUS G14 2021 with Manjaro KDE and I am a professional Linux NoOB and also pretty bad at General Computing.

 

ALSO I DON'T EDIT MY POSTS* NOWADAYS SO NO NEED TO REFRESH BEFORE REPLYING *unless I edit my post

Link to comment
Share on other sites

Link to post
Share on other sites

Running everything behind a VPN is the only solution I would consider relatively safe. If you HAVE to expose ports to internet, at least set a rate limit for the ports you exposed.

Dont expose usual suspects like 3389, 139 and 443 to internet, ever.

10 minutes ago, WindirBear said:

Do I need pfsense to secure my servers?

Nope, all you need is proper configuration in any half decent consumer router and also in your server. If you need features that are slight above what a consumer might need, consider getting a router that is able to run openwrt.

 

I always run most of my network behind a VPN, I only expose one port for VPN and one port for port triggering when I am on a heavily filtered network to run SSH tunnel.

mY s YsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??
 HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it?
 MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

 

Link to comment
Share on other sites

Link to post
Share on other sites

5 minutes ago, Levent said:

Running everything behind a VPN is the only solution I would consider relatively safe. If you HAVE to expose ports to internet, at least set a rate limit for the ports you exposed.

Dont expose usual suspects like 3389, 139 and 443 to internet, ever.

Nope, all you need is proper configuration in any half decent consumer router and also in your server. If you need features that are slight above what a consumer might need, consider getting a router that is able to run openwrt.

 

I always run most of my network behind a VPN, I only expose one port for VPN and one port for port triggering when I am on a heavily filtered network to run SSH tunnel.

I have port 443 open for https and port 80 as certbot needs it open.

Link to comment
Share on other sites

Link to post
Share on other sites

15 minutes ago, WindirBear said:

I have port 443 open for https and port 80 as certbot needs it open.

What server OS you running for the webserver?

 

I have fail2ban running with 3 jails on my webserver atm. (as an example)

One for nginx, one for bots and one for sshd.

 

Edit: also maybe look into proxying your IPs behind cloudflare? So that you're not directly exposing your IPs to the internet.

Link to comment
Share on other sites

Link to post
Share on other sites

3 hours ago, fuzz0r said:

What server OS you running for the webserver?

 

I have fail2ban running with 3 jails on my webserver atm. (as an example)

One for nginx, one for bots and one for sshd.

 

Edit: also maybe look into proxying your IPs behind cloudflare? So that you're not directly exposing your IPs to the internet.

Ubuntu server.

 

I thought cloudflare was a paid service. I looked it up again and see it's free. I will be implementing it soon. Thanks!

 

Also also will be installing fail2ban. I just don't like the idea of opening my ssh to the Internet.

Link to comment
Share on other sites

Link to post
Share on other sites

Internet security has two basic modes.

 

Keeping bad guys from connecting in, and keeping stuff thats insecure from connecting out. 

 

Unless you have no router at all and connecting your machines directly to your modem there should be a router at play. Even the most basic ISP supplied router typically has a Firewall of sort to stop basic incoming port connections. Often Port 25 and 80 are blocked by default unless you have a business account. You really need to be living in the Wild West to have a fully open network with a commercial ISP and a residential account. Just run a free port scan from a security site to check.

 

Keeping junk like china's finest security cams from phoning home to their over lords is a bit trickier. I typically put this stuff in its own policy group and block the entire group on my firewall. My rule being if it doesn't need to see the internet then it wont. You would think power plants and oil refineries would get this, but oh no 

 

Stupid trick if you don't have a firewall: use static IPs and set a bogus gateway. If IP can't get out then layer 7 can't. A bad entity would have to compromise another device internally to get around this.

Link to comment
Share on other sites

Link to post
Share on other sites

21 minutes ago, wseaton said:

Internet security has two basic modes.

 

Keeping bad guys from connecting in, and keeping stuff thats insecure from connecting out. 

 

Unless you have no router at all and connecting your machines directly to your modem there should be a router at play. Even the most basic ISP supplied router typically has a Firewall of sort to stop basic incoming port connections. Often Port 25 and 80 are blocked by default unless you have a business account. You really need to be living in the Wild West to have a fully open network with a commercial ISP and a residential account. Just run a free port scan from a security site to check.

 

Keeping junk like china's finest security cams from phoning home to their over lords is a bit trickier. I typically put this stuff in its own policy group and block the entire group on my firewall. My rule being if it doesn't need to see the internet then it wont. You would think power plants and oil refineries would get this, but oh no 

 

Stupid trick if you don't have a firewall: use static IPs and set a bogus gateway. If IP can't get out then layer 7 can't. A bad entity would have to compromise another device internally to get around this.

The server itself is in a commercial location however the internet is still being used like its the internet. How can i have have a website without it being on port 80 or 443? How can i protect it? Cant I use pfsense to block server access to the local network?

Also the ISP its under doesn't even seem to block port 80 or 443.

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×