Run a VPS safely

Mirage

Which resource do you refer to keep and run a VPS safely ?

Ben Cousins

I stick everything behind a firewall with :80, :443 and :1194 open to the world -- HTTP, HTTPS and OpenVPN.

HTTP and HTTPS proxy through an NGinX instance, which then points to all the other servers, and manages LE Certificates.

OpenVPN requires an 8096 bit key which - you know - would take a while to brute force.

Everything is being migrated to Alpine Linux presently which a lot of people don't know how to use anyway. apt-get? What that? haha.

Katos

Ben Cousins Similar here, I basically sit it behind a firewall and restrict access.
All traffic runs through the firewall, before being allowed or blocked.

With regards to accessing the server through SSH, this is then protected through Fail2Ban, and this hooks back into the firewall.

Ben Cousins

Katos With regards to accessing the server through SSH

All our SSH is behind OPNSense and NAT to a 172.16.0.0/12 IP.

Katos

Ben Cousins Good idea, makes perfect sense too.
Do you lock your internal servers to a specific jump-server, or...?

Ben Cousins

Katos Behind the VPN? No. As long as you have access to the VPN, you can access the servers. Given the access requirements, it would be because of human failure someone was able to get in.

Katos

Ben Cousins Makes sense, thanks for the insight! 🙂