by arunnanda 1558 days ago
It might be slightly easier to use sshguard instead of fail2ban for protecting against ssh attacks.

Using passwordless (key only) login is a given.

As soon as your server is provisioned, log in with the password, first set up ssh, and disable password login.

You can use fail2ban jails for different services (like nginx). You need to decide how strict you need to be.

On FreeBSD, using blacklistd might also be a better idea than using fail2ban.

To quote from the internet - "fail2ban and sshguard are both log scrapers. Log scrapers are gross hacks. blacklistd as an integrated solution is what should have happened many years ago."

FreeBSD jails also provide excellent protection. It can be a good idea to run each service in its own jail. E.g. a separate jail for nginx, one for your webserver, another for your db servers. This way you can also limit the resources that are allocated/dedicated to each jail.

Also, while running pf (or whatever firewall you have), you can limit the number of requests (rate limiting) to somewhat protect yourself.

Using Cloudflare or something else on the front can help against ddos. Also, some providers like OVH and Hetzner have ddos protection built in for free. Some like Vultr have it as a paid service, iirc.
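The "set up ssh, then disable password login" step above, as an added example that is not part of the comment or any of the tools it names: a small POSIX sh script that rewrites a copy of `sshd_config` to key-only authentication and checks the result. Directive names and values are the ones OpenSSH documents; the sample config, the temp-directory demo and the `PermitRootLogin prohibit-password` choice are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the HN thread): turn an sshd_config into a
# key-only configuration and verify it. Works on any file you point it at,
# so it can be tried on a copy without root.

# harden_sshd_config FILE
# Removes every existing occurrence (commented or not) of the directives we
# care about and prepends the desired values. sshd uses the first matching
# directive, and prepending also keeps the lines out of any trailing Match
# block, so the result is unambiguous.
harden_sshd_config() {
    cfg="$1"
    tmp="${cfg}.tmp"
    # Desired end state. PermitRootLogin value is an assumption; drop the
    # line if root over ssh is not wanted at all ("no").
    want="PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password"
    cp "$cfg" "$tmp"
    printf '%s\n' "$want" | while IFS=' ' read -r key val; do
        # grep -v exits 1 when nothing is left; that is fine here.
        grep -iv "^[[:space:]]*#*[[:space:]]*$key[[:space:]]" "$tmp" > "$tmp.2" || true
        mv "$tmp.2" "$tmp"
    done
    { printf '%s\n' "$want"; cat "$tmp"; } > "$cfg"
    rm -f "$tmp"
}

# check_key_only FILE
# Exit 0 only if password auth is off and pubkey auth is on as effective
# (uncommented) directives.
check_key_only() {
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" &&
    grep -Eiq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$1"
}

# demo: run the two functions on a constructed sample config (not a real
# server's file) and return check_key_only's status.
demo() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
EOF
    harden_sshd_config "$d/sshd_config"
    check_key_only "$d/sshd_config"; rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "sample sshd_config is now key-only"
```

On a real host, run it against the live `/etc/ssh/sshd_config` only after your public key is in `~/.ssh/authorized_keys` and a second session has confirmed key login works; validate with `sshd -t` before reloading, and keep the current session open until the new one succeeds.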

SSHGuard looks cool, wasn't aware that existed. Haven't messed with FreeBSD jails, but I use unprivileged lxc containers on Linux, iirc that's the closest Linux equivalent? Those help me sleep better at night.

lxc was rather new when I started looking into this stuff. Since jails were much older, I just went with FreeBSD. Also because I was a little biased against Linux because on my personal computers Ubuntu and Fedora had crashed occasionally.

Now I think lxd is supposed to be a better user experience than lxc. Same backend, better frontend. Like ezjail or iocage for FreeBSD makes the management easier than doing it all directly.