Started off by
- Enabling unattended updates
- Enable only ssh login with key
- Create user with sudo privileges
- Disable root login
- Enable ufw with necessary ports
- Disable ping
- Change ssh default port 21 to something else.
Got the ideas from networkchuck
Did this on the proxmox host as well as all VMs.
Any suggestions?
this is not even all of it.
the big take away is i try to layer things. the endpoint devices are most important to protect and monitor as those are the foot hold something needs to then move through the network.
i then use network level protections to secure the remaining portions of the network from other portions of the network.
Replace Fortinet with Pfsense (+Suricatta/Snort) for non-propriety. (I have a Fortinet firewall and I can't bring myself to pay for their packages). One thing I'd recommend for you, as I host a lot of stuff is DNS Proxy though cloudflare, so the services I'm hosting are not pointing to my origin IP.
None of my services are available outside my house without first logging into the fortigate SSL VPN. That is the only open port I have.
The SSL VPN uses a loopback interface so only IPs from the US can access it, and I have strong auto block enabled and I add IPs of systems that try brute forcing into the box so they get blocked
I did forget to mention that I use cloud flair already for the exact reason you mentioned so my home IP is not used.
I also have a domain name with valid wildcard certificate. The domain is used to access the SSL VPN and I also then use the cert within my entire homelab so I have everything encrypted
I was not a fan of PF sense, the fortigate has more security features that I wanted
Pretty cool man, thanks for sharing.