Protecting/Hardening Web Servers

You are currently reading a thread in /g/ - Technology

Thread replies: 11
Thread images: 2
So I made my own home web server on a RPi that I had lying around just to gain a little experience. I'm not doing anything much with it yet, and I'm wanting to get it secured before doing too much with it. I'm pretty new to this, so besides picking a good root passphrase to ssh into it and setting up fail2ban, I haven't done anything else to harden it. Just today (the server has been up for about two weeks) I've had one ban of an IP address from Denmark then something like 50+ login attempts from 2 different IP addresses in China.

To get to my point, this has gotten me thinking more about security. What more can I do to protect my little RPi server and any future web connected servers and/or devices?
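
Added example, not part of the original post: a small sketch of the kind of check fail2ban applies to sshd logs, counting failed-password lines per source IP inside a time window. The log lines are constructed, and the `maxretry`/`findtime` values and the assumed year are illustrative choices, not settings from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual sshd syslog format (documentation IPs).
SAMPLE_LOG = """\
Jun  5 14:00:01 rpi sshd[801]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jun  5 14:00:03 rpi sshd[802]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2
Jun  5 14:00:04 rpi sshd[803]: Failed password for root from 198.51.100.7 port 40100 ssh2
Jun  5 14:00:06 rpi sshd[804]: Failed password for root from 203.0.113.5 port 50003 ssh2
Jun  5 14:05:00 rpi sshd[805]: Accepted password for root from 192.0.2.10 port 33000 ssh2
Jun  5 14:30:00 rpi sshd[806]: Failed password for root from 198.51.100.7 port 40101 ssh2
Jun  5 15:10:00 rpi sshd[807]: Failed password for root from 198.51.100.7 port 40102 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2016):
    """Yield (timestamp, ip, user) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so one is assumed here
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_offenders(text, maxretry=3, findtime=600):
    """Return {ip: time of the failure that reached maxretry within findtime seconds}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-IP failure times still inside the window
    offenders = {}
    for ts, ip, _user in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders
```

With the sample data, the rapid burst from one address trips the threshold while the slow, spread-out attempts from the other do not, which is why a longer window or a lower retry count changes who gets flagged.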
>>
>RPi
You can suck my dick you fucking homosex
>>
>>54881219
So edgy, consider suicide.
>>
>>54881113
Do you really need ssh accessible over the big scary internet? Just restrict it to your local network.
>>
>>54881243
To be fair, my little homosexual petal, if I wanted to commit suicide a claymore to the face is my most favourite method so far. So thanks for that.
>>
>>54881277
Considering that I'm often not in the same physical location (it's about two hours away from where I am now), it would definitely be preferable. Even if it's not absolutely necessary, I'd rather learn some good security techniques rather than shying away from the scary outside world.
>>
If there are too many ssh attempts from unknown sources, you can try:
- remap to another port
- port knocking
- install sslh (ssh/https/vpn multiplexer)

All of the above don't improve security, but they do reduce bot login attempts.
>>
>>54881113
Keep your rpi in a DMZ. Even some cheap consumer routers can be set up to provide a DMZ.

Don't put anything critical or confidential on the rpi. Don't allow the rpi access to anything in your internal network (that's the whole point of the DMZ).

If you need SSH, don't expose the rpi SSH port to the internet. Instead, access the rpi exclusively from your internal network. If you absolutely need access from outside, use VPN (or SSH, the poor man's VPN) to connect to your workstation first, and from there connect to your rpi. In theory, this reduces the number of attack vectors to your workstation and your workstation only.
>>
Have you considered installing DD-WRT and OpenVPN?

https://advancedhomeserver.com/dd-wrt-and-openvpn-part-1/
>>
>>54881652
This was meant for OP...>>54881113
>>
>>54881506
I didn't even know port knocking existed. That looks very interesting and I'll definitely look into implementing it! Thanks

>>54881620
My router actually does have a DMZ and I meant to set that up but was too lazy and forgot about it. Thanks for bringing that up! I probably need to look into using a VPN as well

>>54881652
I haven't..yet. I will definitely look into it. I appreciate the link and am reading it now

This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.