Hacker News new | ask | show | jobs
by doublerabbit 441 days ago
A VPS with a software firewall is more than enough.

Block port 22, secure SSH with certificates only. Allow port 443 and configure your web server as a reverse proxy with a private backend.

You don't need an IDS, you don't need a WAF and you don't need Cloudflare.

Unless you become the next Facebook that's when you start to become concerned about security.
3 comments
XorNot 441 days ago
I'm less worried about SSH access then I am abotya vulnerability in some front-end web service though.

I've contented myself using TLS client certs on my family's Android phones (which do not work at all on iOS for something like Home Assistant).

link
palata 441 days ago
> A VPS with a software firewall is more than enough.

So you don't self-host at home, right?

I have been considering setting up a physical DMZ at home, with two routers (each with its own firewall), such that my LAN stays unmodified and my server can run between both routers. Then it feels like it would be similar to having a VPS in terms of security, maybe?

link
doublerabbit 441 days ago
I colocate four servers in two DCs all running FreeBSD with PF. My main host is running a jail that hosts a bHyve VM

With four jails, each running their own bHyve VMs they run another FreeBSD OS allowing me to host jails for different services. Email, web and game servers.

I'm not a fan of DMZ as they get messy as you then have to ensure your host is protected correctly. So I use bridges, I have two bridges an outer and inner.

Services requiring outbound internet access are tapped to the outer bridge which are throttled and if required can then load balance between and the inner bridge which is under control of deny all, allow some. To my own set of home IPs.

The outer bridge cannot contact services in the inner but the inner can contact the outer but can only host internally.

This all done with PF within each jail as each jail provides you with its own vnet adapter which can be applied to a bridge.

If you wish to learn further that is what you work up too But for the personal user who wishes self-host and to have internet presence a firewall is just fine.

link
palata 441 days ago
This is very interesting! Have you considered writing a blog post explaining that kind of setup? I would love that! In the meantime, thanks a lot for the insights, that's a good starting point!

> I'm not a fan of DMZ as they get messy as you then have to ensure your host is protected correctly.

Could you elaborate on that? Specifically in my case I would have a perimeter router to which I would connect both my server and the inner router. My LAN would stay behind the inner router, so my understanding is that it still strictly has the same security as when my inner router was connected to the ISP; I just add a layer with the perimeter router.

Then the perimeter router opens the server (probably just chosen ports) to the public Internet, so that the server is reachable.

Wouldn't that mean that my host is protected correctly?

link
doublerabbit 441 days ago
That sounds pretty reasonable.

While home routers tend to set their rules as outbound allow and inbound denied. My DC just provides me with a network cable to the big pond of data.

How I secure that for my home network is using my personal rig with multiple network ports.

One port acts as a public bridge. And the 3rd and 4th network ports then are then assigned to the private bridges

The 2nd port then sits in a middle bridge where it communicates to both the public and private bridge.

link
mhitza 441 days ago
> A VPS with a software firewall is more than enough.

You want VPS-provider firewall. Docker's going to punch holes through your software firewall.

link