I’m currently self-hosting several services and looking to harden my setup. I already use Nginx Proxy Manager (NPM) with wildcard Let’s Encrypt certs, but I’m thinking of moving to something more robust with:
A proper WAF (Web Application Firewall)
Deep network monitoring (ideally per-container or per-service)
Possibly some bot protection and anomaly detection (ai scrapping is annoying)
I’ve looked into Traefik, BunkerWeb, and Pangolin. Each has pros and cons, BunkerWeb seems WAF-ready, but has some limitations (SSL setup is nightmare). Traefik is very flexible, but I’d need to add middleware myself (also runing non docker services). Pangolin looks great but werent able to get it work in my setup.
Main goals:
Secure exposure of HTTP(S) services (wildcard certs with Cloudlfare)
Easy rules for blocking bad IPs or patterns
Optional: rate-limiting, automatic fail2ban-style bans
Bonus: nice dashboard or at least logs that make sense
I also have a mix of Docker and bare metal services, so proxying non-container stuff cleanly is important.
My final goal is setup like this: OVH (Reverse Proxy - Firewall) - Tailscale - Hetzner Server)
If you are looking to harden your server, might I suggest installing Lynis. Lynis will extensively scan your server, and at the end of the scan it will print the output of the test including a score of 1-100 and recommendations on how to fix, secure and harden the server. Not all of the recommendations will be applicable to you.
I use Crowdsec. While Crowdsec is not a trad WAf, it is more than capable when set up correctly. I use Crowdsec in conjunction with UFW, Fail2ban, Tailscale, rkhunter, and chkrootkit. I have fail2ban in aggressive mode, since I am the only user, or legit user that is. ;) I have been accused of going overboard on security.
You mentioned these, and I have never used them. I’m assuming you are going for a reverse proxy as part of your hardening methods. I use Caddy, and it’s real simple to set up. It also takes care of your cert renewals automatically.
Most of the logging apps like Syslog, Graylog, or similar I’ve found to be quite heavy as they need a lot of additional modules to run like databases, elastic, et al. I recently discovered lnav, with the help of the kind folks here. It is not a pretty, graphical, dialed out dashboard. You view the logs in the terminal. Very light on resources, and does exactly what it says on the tin. Check it out.
Do it! It’s easy to set up and works very well. You can pipe all manner of things through Tailscale like ssh, sftp, etc.
Also, don’t forget about using ssh keys. I know there is a lot of discussion about changing the ssh port number and how effective it really is. For about 5 minutes of your time, you can have it all set up, and it will at the very least, cut down a lot of noisy bots. If you want to go even further, you can set up host allow/host deny:
sudo host.allowandsudo hosts.deny. Make sure you edit host allow first. LOLYou may want to look into Debsums, AIDE, iptraf-ng, Apparmor Deborphan, unattended updates, Maldet, etc, which will probably recommended by Lynis when you initiate a scan.