Inspired by this comment to try to learn what I’m missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?

  • InvertedParallax@lemm.ee
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    2 days ago

    There are ip lists that let you iptables drop all traffic from China and Russia.

    Strongly recommend.

    • Lka1988@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 hours ago

      My UDM has this capability. I’ve blocked quite a few countries that it logged as trying to get into my network. Great little internet cylinder.

    • ocean@lemmy.selfhostcat.comOP
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      2 days ago

      I was auto banning all countries but my own but now I’m hosting one resource that has an audience including Chinese…

      Good advice outside of this use case! :)

      • InvertedParallax@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        2 days ago

        Yeah, there were other countries to ban, but those 2 cut my attacks down 90%.

        Also consider a honeypot that triggers when anyone tries to ssh it at all.