Setting up a personal site on local hardware has been on my bucket list for a long time. I finally bit the bullet and got a basic website running with Apache on an Ubuntu-based Linux distro. I bought a domain name, linked it up to my IP, got SSL via Let's Encrypt for HTTPS, and added some header rules until Security Headers and Mozilla Observatory gave it a perfect score.

Am I basically in the clear? What more do I need to do to protect my site and local network? I’m so scared of hackers and shit; I do not want to be an easy target.

I would like to make a page about the hardware it’s running on, since I intend to have it run entirely off solar power like solar.lowtechmagazine, and wanted to share technical specifics. But I heard somewhere that revealing the internal state of your server is a bad idea, since it can make exploits easier to find. Am I being stupid for wanting to share details like the computer model and the software running it?

  • Coleslaw4145@lemmy.world · 1 upvote · 2 months ago

    Use a reverse proxy in a DMZ. You can use something like BunkerWeb + CrowdSec to give you a WAF and a dynamic IP blocklist in front of your web service.

  • monogram@feddit.nl · 0 upvotes · edited · 2 months ago

    Fail2ban, ufw, nftables.

    Port forward only the bare minimum (80, 443).

    Expose Docker ports with 127.0.0.1:8000:8000, then port forward with Caddy server on the host.

    Edit: add nftables

    • dgdft@lemmy.world · 0 upvotes · edited · 2 months ago

      This is dangerous advice because Docker is well known for undoing UFW’s iptables rules. It’s mitigated by binding to localhost, but it’s still way too easy for people to shoot themselves in the foot by using the two together.

      • monogram@feddit.nl · 0 upvotes · 2 months ago

        Docker is going to undo your port iptables rules with or without UFW.

        Running rm -rf ~ isn’t that hard to do either; just don’t do it.

        Your router’s NAT should save you if that happens on the wrong port anyway.

        • dgdft@lemmy.world · 0 upvotes · edited · 2 months ago

          You shouldn’t suggest UFW at all, then. There are other firewall options that can be used just fine with Docker.

          It does have real potential to cause issues, e.g. if OP were to put their server in DMZ mode on their router and later copy some Docker setup instructions that don’t explicitly bind to localhost.

          • monogram@feddit.nl · 0 upvotes · 2 months ago

            Please tell me more: which firewall would you recommend that plays nice with Docker?

            No NAT? Hahaha, that’s a big if, and why would you copy-paste a Docker Compose file without reading it?
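The exchange above turns on one mechanism: Docker installs its own iptables/nftables rules for every published port, so a Compose mapping like 8000:8000 is reachable from outside the host regardless of what UFW says, while 127.0.0.1:8000:8000 keeps the port on loopback where only a reverse proxy on the host (Caddy, Apache, ...) can reach it. The script below is an added example, not code posted by anyone in the thread: it lints the `ports` entries of a Compose file for mappings that will be published on all interfaces, which is the check to run on any compose file copied from setup instructions before bringing it up. It assumes the documented Compose short syntax `[[host_ip:]host_port[-range]:]container_port[-range][/protocol]` and the long syntax mapping with `target`/`published`/`host_ip`; the sample services are constructed for illustration, standing in for what `yaml.safe_load()` would return for a real compose file.

```python
"""Lint Docker Compose ``ports`` entries for bindings that Docker will publish
on every interface.

Docker writes its own iptables/nftables rules for published ports, so a
mapping such as ``8000:8000`` is reachable from outside the host even when
UFW is configured to block it.  Binding the host side to 127.0.0.1 keeps the
port off the external interfaces so that only a reverse proxy on the host
can reach it.

Added example, not code from the thread.  Assumes the Compose ``ports``
short syntax ``[[host_ip:]host_port[-range]:]container_port[-range][/proto]``
and the long syntax mapping with ``target``/``published``/``host_ip``.
"""
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple, Union

PortSpec = Union[str, int, Dict[str, Any]]
Finding = Tuple[str, str, str]  # (original spec, verdict, explanation)

# host_ip is an optional dotted IPv4 literal or a bracketed IPv6 literal.
_SHORT_SYNTAX = re.compile(
    r"^(?:(?P<ip>\[[0-9A-Fa-f:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d*(?:-\d+)?):)?"
    r"(?P<target>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp|sctp))?$"
)


def _classify_host_ip(host_ip: Optional[str]) -> Tuple[str, str]:
    """Decide how reachable a published port is from its host-side bind address."""
    if not host_ip:
        # No address: Docker binds to its daemon default, which is 0.0.0.0
        # unless the daemon was started with --ip (or "ip" in daemon.json).
        return ("exposed", "no host address; published on all interfaces")
    addr = ipaddress.ip_address(host_ip.strip("[]"))  # raises ValueError if bogus
    if addr.is_unspecified:
        return ("exposed", "explicitly published on all interfaces")
    if addr.is_loopback:
        return ("ok", "bound to loopback; reachable only through a proxy on the host")
    return ("interface",
            f"bound to {addr}; reachable from that network, and Docker's own "
            f"rules still bypass UFW for traffic arriving there")


def check_port(spec: PortSpec) -> Finding:
    """Classify one ``ports`` entry (short-syntax string, bare int, or long-syntax dict)."""
    if isinstance(spec, dict):  # long syntax
        text = f"{spec.get('published', '')}:{spec.get('target', '')}"
        host_ip = spec.get("host_ip")
    else:
        text = str(spec)  # an unquoted YAML ``- 8000`` loads as int
        match = _SHORT_SYNTAX.match(text)
        if not match:
            return (text, "unparseable", "does not match the Compose short syntax")
        host_ip = match.group("ip")
    try:
        verdict, why = _classify_host_ip(host_ip)
    except ValueError:
        return (text, "unparseable", f"bad host address {host_ip!r}")
    return (text, verdict, why)


def audit_services(services: Dict[str, Dict[str, Any]]) -> Dict[str, List[Finding]]:
    """Return the non-OK findings per service; an empty dict means the file is clean."""
    report: Dict[str, List[Finding]] = {}
    for name, svc in services.items():
        bad = [f for f in (check_port(p) for p in svc.get("ports", [])) if f[1] != "ok"]
        if bad:
            report[name] = bad
    return report


# Constructed sample: what yaml.safe_load() would return for a compose file that
# mixes the loopback pattern from the thread with two copy-pasted services.
SAMPLE_SERVICES: Dict[str, Dict[str, Any]] = {
    "app": {"image": "example/app", "ports": ["127.0.0.1:8000:8000"]},
    "db-admin": {"image": "example/admin", "ports": ["8080:80", "[::1]:8443:443"]},
    "metrics": {"image": "example/metrics",
                "ports": [{"target": 9100, "published": 9100, "protocol": "tcp"}]},
}

if __name__ == "__main__":
    for svc, findings in audit_services(SAMPLE_SERVICES).items():
        for spec, verdict, why in findings:
            print(f"{svc}: {spec} -> {verdict}: {why}")
```

Anything reported as `exposed` is a port Docker will open to the internet on a host sitting in the router's DMZ, UFW or not; `interface` bindings (a LAN address) are better but still reachable by every device on that network. To run this against a real file, load it with `yaml.safe_load()` and pass the `services` mapping to `audit_services`.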