Securing the fences
Like moths to a flame, bots and automated vulnerability scanners cannot resist publicly accessible servers. However, there are certain precautions we can take to be a bit safer from these unwanted guests (and also to keep our sanity).
A few things to keep your servers safe
- Use SSH Private keys/Certificates.
- Use a firewall to restrict ports, e.g. ufw works well.
- Use a VPN (tailscale, nebula, wireguard or anything similar) and don’t expose unnecessary ports on the public internet.
- Run regular OS updates.
- Run regular port scans to ensure that no unexpected ports are open. `nmap` can be used to run scans on the local subnet - `nmap -Pn 192.168.0.0/24`
- Schedule periodic nmap runs (as cron jobs?) and potentially alert on unexpected conditions.
- Periodically monitor important logs (as cron jobs?) and alert on odd conditions (like an unexpected entry in the /var/log/auth.log)
- Ensure SSL and authentication exist in local networks as well.
- Prefer static websites - Might not always be possible but a lot lower risk.
- If you need to use dynamic applications (WordPress, other CRMs) and expose them publicly, ensure that you are monitoring the CVEs associated with that application.
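One way to turn the "schedule periodic nmap runs and alert on unexpected conditions" items above into a cron job. This is an added example, not part of the original post: it parses nmap's grepable output (`-oG -`) and compares the open ports against a baseline file of `host:port/proto` lines; the subnet, file paths and sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an nmap grepable-format scan against a baseline of
# expected open ports and print anything unexpected. cron mails any output of a
# job to its owner, so printing the surprises is the alert.

# open_ports: read "nmap -oG -" output on stdin, print host:port/proto for each
# open port. A -oG host line looks like:
#   Host: 192.168.0.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
open_ports() {
  awk '/Ports:/ {
    host = $2
    s = $0
    sub(/.*Ports: /, "", s)                 # keep only the port list
    sub(/[ \t]*Ignored State.*/, "", s)     # drop the trailing summary
    n = split(s, p, ", ")
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")                   # port/state/proto/owner/service/...
      if (f[2] == "open") print host ":" f[1] "/" f[3]
    }
  }' | sort -u
}

# unexpected_ports BASELINE: print open ports that are missing from BASELINE.
# Returns 0 when the scan matches the baseline, 1 when something unexpected is open.
unexpected_ports() {
  found=$(open_ports | grep -vxF -f "$1" || true)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# scan_and_check SUBNET BASELINE: the real run, e.g. from cron (paths are assumed):
#   0 3 * * * /usr/local/bin/portcheck.sh 192.168.0.0/24 /etc/portcheck/baseline.txt
scan_and_check() {
  nmap -Pn -oG - "$1" | unexpected_ports "$2"
}

# Constructed sample data (not a real scan): a baseline and a scan with one surprise.
BASELINE=$(mktemp)
trap 'rm -f "$BASELINE"' EXIT
printf '%s\n' 192.168.0.10:22/tcp 192.168.0.10:80/tcp 192.168.0.20:22/tcp > "$BASELINE"
SAMPLE_SCAN='Host: 192.168.0.10 ()  Status: Up
Host: 192.168.0.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
Host: 192.168.0.20 ()  Ports: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///  Ignored State: closed (998)'

# Run a live scan only when invoked with a subnet and a baseline file.
if [ $# -eq 2 ]; then scan_and_check "$1" "$2"; fi
```

Against the sample data the script reports `192.168.0.20:8080/tcp` and exits 1; a scan matching the baseline prints nothing and exits 0.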
Some other commands useful to highlight
- `who` - lets you see who else is currently logged in.
- `journalctl -u service` - Interface with the systemd journals / logs.
- `ufw` - A simpler Linux firewall (works on top of iptables/netfilter). If running tailscale, you can lock down all communications to only go through it. See here on how you could do it.
  - Or block an IP address - `sudo ufw insert 1 deny proto tcp from <IP> to any port 80,443`
  - Be sure to check ufw-docker if using docker networking, or your firewall might not actually be protecting you as you intend.
- `ss` (or `netstat`) - gives you info about ports and associated processes.
  - `sudo ss -tnpe` - lets you see what processes are listening on a port.
  - A lot of other features, so don't forget to `man ss`.
- `tcpdump` - If you suspect any intrusion, allows you to monitor the wire.
  - Or use wireshark-tui for a more interactive experience.
- `fail2ban` - Can be useful to ban IPs that continuously act in bad faith.