Securing the fences

Like moths to a flame, bots and automated vulnerability scanners cannot resist publicly accessible servers. However, there are certain precautions we can take to be a bit safer from these unwanted guests (and also to keep our sanity).

A few things to keep your servers safe

  • Use SSH private keys/certificates instead of passwords.
  • Use a firewall to restrict ports, e.g. ufw works well.
  • Use a VPN (tailscale, nebula, wireguard or anything similar) and don’t expose unnecessary ports on the public internet.
  • Run regular OS updates.
  • Run regular port scans to ensure that no unexpected ports are open.
    • nmap can be used to run scans on the local subnet - nmap -Pn 192.168.0.0/24
    • Schedule periodic nmap runs (as cron jobs?) and potentially alert on unexpected conditions.
  • Periodically monitor important logs (as cron jobs?) and alert on odd conditions (like an unexpected entry in /var/log/auth.log).
  • Ensure SSL and authentication exist on local networks as well.
  • Prefer static websites - Might not always be possible, but they carry a lot less risk.
    • If you need to use dynamic applications (WordPress, other CMSs) and expose them publicly, ensure that you are monitoring the CVEs associated with that application.
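One way to turn the "periodic nmap runs, alert on unexpected conditions" idea into a cron-friendly check: parse nmap's grepable output (-oG) and diff it against a baseline of ports that are supposed to be open. This is an added example, not code from the original post; the baseline and the sample scan output are constructed for illustration, and in practice the script would read the file written by nmap -Pn -oG <file> 192.168.0.0/24.

```python
# Added example: diff nmap -oG output against a baseline of expected open ports.
import re
from typing import Dict, List, Set, Tuple

Ports = Dict[str, Set[Tuple[int, str]]]

# Hypothetical baseline for this example: the only ports that should be open per host.
BASELINE: Ports = {
    "192.168.0.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.168.0.20": {(22, "tcp")},
}

# Constructed sample of nmap -oG output (fields are tab-separated in the real file).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -Pn -oG - 192.168.0.0/24\n"
    "Host: 192.168.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.168.0.20 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///"
    "\tIgnored State: filtered (998)\n"
    "Host: 192.168.0.30 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)\n"
    "# Nmap done -- 256 IP addresses (256 hosts up) scanned in 42.00 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")  # port/state/proto/owner/service/rpc/version/


def parse_open_ports(gnmap: str) -> Ports:
    """Return {host: {(port, proto), ...}} for every port nmap reports as open."""
    found: Ports = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        host = HOST_RE.match(line).group(1)
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                found.setdefault(host, set()).add((int(port), proto))
    return found


def unexpected_ports(scan: Ports, baseline: Ports) -> List[Tuple[str, int, str]]:
    """Open ports not allowed by the baseline; hosts missing from it allow nothing."""
    return [(host, port, proto)
            for host, ports in sorted(scan.items())
            for port, proto in sorted(ports - baseline.get(host, set()))]


if __name__ == "__main__":  # cron would pipe this to whatever does the alerting
    for host, port, proto in unexpected_ports(parse_open_ports(SAMPLE_GNMAP), BASELINE):
        print(f"ALERT: unexpected open port {port}/{proto} on {host}")
```

Hosts that appear in the scan but not in the baseline are reported in full, so a new machine showing up on the subnet is flagged as well as a new port on a known one.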

Some other useful commands worth highlighting

  • who - lets you see who else is currently logged in
  • journalctl -u <service> - Query the systemd journal (logs) for a given service.
  • ufw - A simpler Linux firewall (works on top of iptables/netfilter). If running tailscale, you can lock down all communications to go only through it. See here for how you could do it.
    • Or block an IP address - sudo ufw insert 1 deny proto tcp from <IP> to any port 80,443
    • Be sure to check ufw-docker if using docker networking or your firewall might not actually be protecting you as you intend.
  • ss (or netstat) - gives you info about ports and associated processes.
    • sudo ss -tlnpe - lets you see what processes are listening on a TCP port (-l selects listening sockets; without it ss shows established connections instead).
    • A lot of other features so don’t forget to man ss
  • tcpdump - If you suspect an intrusion, lets you monitor traffic on the wire.
    • or use wireshark-tui for a more interactive experience.
  • fail2ban - Can be useful to ban IPs that continuously act in bad faith.