Started off by
- Enabling unattended updates
- Enable only ssh login with key
- Create user with sudo privileges
- Disable root login
- Enable ufw with necessary ports
- Disable ping
- Change ssh default port 21 to something else.
Got the ideas from networkchuck
Did this on the proxmox host as well as all VMs.
Any suggestions?
Don’t bother with disabling icmp. You’ll use it way more then it’s worth disabling, and something like
nmap -Pn -p- X.X.X.0/24
will find all your servers anyways (same can be said for ssh and port 22. But moving that does stop some bots)As long as i go out not exposing anything the the global internet, you really don’t need a lot. The fire wall should already deny all inbound traffic.
The next step is monitoring. It’s one thing to think your stuff is safe and locked down. It’s another thing to know your stuff is safe. Something like Observium, Nagios, Zabbix, or otherwise is a great way to make sure everything stays up, as well as having insights into what everything it doing. Even Uptime Kuma is a good test. Then something like Wazuh to watch for security events and OpenVAS or Nessus, to look holes. I’d even though in CrowdSec for host based virus detection. (Warning, this will quickly send you down the rabbit hole of being a SOC analyst for your own home)
Block outbound traffic too.
Open up just what you need.
Segment internally and restrict access. You don’t need more than SSH to a Linux Server, or perhaps to it’s web interface for an application running on it.
I just set up Wazuh at work and pointed it at a non-domain, vanilla Windows 11 machine to test and it came back with over 300 events immediately. Not trying to scare anyone off as I think it’s a great tool, more just a heads up that the rabbit hole runs very deep.