this post was submitted on 18 Jul 2023

Selfhosted


Hello!

I am starting to self host a number of small services on a commercial VPS. I'm looking for guidance on how to lock it down, and in general best security practices. I've found some resources online, but any advice from others would go a long way. For reference, I have almost no web management or web services background, but am very comfortable with *nix/CLI etc.

My current structure is this:

  • stock Debian, fully updated
  • nginx for webserving and reverse proxy (not the reverse proxy standalone tool, just regular nginx installed as a service)
  • various services built and deployed through docker-compose
  • services are proxied to subdomains
  • SSL certs for everything with LetsEncrypt

I've done things like disabling root ssh, disabling ssh passwords (only key pairs allowed), setting ufw to only allow http, https, and ssh, and setting https for everything to the best of my ability.

What best practices should I be following? How often should I restart/update services? Is using 'latest' through docker-compose sufficient?

What else should I do to harden nginx? Any admin tools to use for monitoring, white or blacklisting?

Lots of newbie questions here - I appreciate any help or guidance the community has. Thank you!
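An added example, not part of the original post: a small audit for the setup described above, where Docker publishes container ports through its own iptables rules, so a `ports:` entry without a loopback address is reachable from outside even though ufw only allows http, https and ssh. It also flags images with no tag or the `latest` tag, which the post asks about. The compose file, its service names and the `audit_compose` function are constructed for illustration, and the parser assumes two-space indentation and short-syntax `ports:` entries.

```python
# Constructed sample compose file (hypothetical services, not from the post).
SAMPLE_COMPOSE = """\
services:
  wiki:
    image: example/wiki:latest
    ports:
      - "8080:80"
  notes:
    image: example/notes:2.4.1
    ports:
      - "127.0.0.1:8081:3000"
  feeds:
    image: example/feeds
    ports:
      - "0.0.0.0:8082:8080/tcp"
"""

def audit_compose(text):
    """Return (service, issue) pairs for exposed ports and floating image tags."""
    findings, service, in_ports = [], None, False
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        item = line.strip()
        if not item or item.startswith("#"):
            continue
        if in_ports and item.startswith("- "):
            # Short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]
            spec = item[2:].strip().strip("'\"").split("/")[0]
            parts = spec.rsplit(":", 2)
            host_ip = parts[0] if len(parts) == 3 else ""
            if not (host_ip.startswith("127.") or host_ip == "[::1]"):
                findings.append((service, "port %s is not bound to loopback" % spec))
            continue
        in_ports = item == "ports:"
        if line.startswith("  ") and not line.startswith("   ") and item.endswith(":"):
            service = item[:-1]                      # key at two-space indent
        elif item.startswith("image:"):
            image = item.split(":", 1)[1].strip().strip("'\"")
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if "@" not in image and tag in ("", "latest"):   # digest pins pass
                findings.append((service, "image %s has a floating tag" % image))
    return findings

if __name__ == "__main__":
    for svc, issue in audit_compose(SAMPLE_COMPOSE):
        print("%s: %s" % (svc, issue))
```

Services that nginx proxies to on the same host only need a `127.0.0.1:` binding, or no `ports:` entry at all when nginx reaches them over a Docker network.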
