24
Reverse Proxy with WAF and network monitoring
(lm.madiator.cloud)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 19 May 2025
24 points (96.2% liked)
Selfhosted
50093 readers
37 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
If you are looking to harden your server, might I suggest installing Lynis. Lynis will extensively scan your server, and at the end of the scan it will print the output of the test including a score of 1-100 and recommendations on how to fix, secure and harden the server. Not all of the recommendations will be applicable to you.
I use Crowdsec. While Crowdsec is not a trad WAf, it is more than capable when set up correctly. I use Crowdsec in conjunction with UFW, Fail2ban, Tailscale, rkhunter, and chkrootkit. I have fail2ban in aggressive mode, since I am the only user, or legit user that is. ;) I have been accused of going overboard on security.
You mentioned these, and I have never used them. I'm assuming you are going for a reverse proxy as part of your hardening methods. I use Caddy, and it's real simple to set up. It also takes care of your cert renewals automatically.
Most of the logging apps like Syslog, Graylog, or similar I've found to be quite heavy as they need a lot of additional modules to run like databases, elastic, et al. I recently discovered lnav, with the help of the kind folks here. It is not a pretty, graphical, dialed out dashboard. You view the logs in the terminal. Very light on resources, and does exactly what it says on the tin. Check it out.
Do it! It's easy to set up and works very well. You can pipe all manner of things through Tailscale like ssh, sftp, etc.
Also, don't forget about using ssh keys. I know there is a lot of discussion about changing the ssh port number and how effective it really is. For about 5 minutes of your time, you can have it all set up, and it will at the very least, cut down a lot of noisy bots. If you want to go even further, you can set up host allow/host deny:
sudo host.allowandsudo hosts.deny. Make sure you edit host allow first. LOLYou may want to look into Debsums, AIDE, iptraf-ng, Apparmor Deborphan, unattended updates, Maldet, etc, which will probably recommended by Lynis when you initiate a scan.