Started off by

  1. Enabling unattended updates
  2. Enable only ssh login with key
  3. Create user with sudo privileges
  4. Disable root login
  5. Enable ufw with necessary ports
  6. Disable ping
  7. Change ssh default port 21 to something else.

Got the ideas from networkchuck

Did this on the proxmox host as well as all VMs.

Any suggestions?

  • zR0B3ry2VAiH@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Replace Fortinet with Pfsense (+Suricatta/Snort) for non-propriety. (I have a Fortinet firewall and I can’t bring myself to pay for their packages). One thing I’d recommend for you, as I host a lot of stuff is DNS Proxy though cloudflare, so the services I’m hosting are not pointing to my origin IP.

    • wallacebrf@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      None of my services are available outside my house without first logging into the fortigate SSL VPN. That is the only open port I have.

      The SSL VPN uses a loopback interface so only IPs from the US can access it, and I have strong auto block enabled and I add IPs of systems that try brute forcing into the box so they get blocked

      I did forget to mention that I use cloud flair already for the exact reason you mentioned so my home IP is not used.

      I also have a domain name with valid wildcard certificate. The domain is used to access the SSL VPN and I also then use the cert within my entire homelab so I have everything encrypted

      I was not a fan of PF sense, the fortigate has more security features that I wanted