- Do not directly open ports; use something like Cloudflare Tunnel (or any other service). If your network isn’t directly reachable from the outside, it is hard to get access to it.
- Activate full disk encryption and also encrypt the Nextcloud storage with the built-in encryption module.
- Do NOT allow any non-encrypted ports (like 80).
- Use a strong password with MFA.
- For SSH, try to avoid password auth and go with SSH keys AND MFA (YubiKey auth or Google Authenticator).
- Use CrowdSec, and if you do not want to use this, use at least fail2ban.
- Do not install any software directly on the server (tmux, screen, htop, docker, fail2ban etc. don’t count here). Instead, install the software in a container/KVM.
- If you have the knowledge and the resources, use something like pfSense or OPNsense to filter the incoming traffic (normal firewall rules for internal and external communication, DNS filtering, maybe also DPI).
- Use RAID 1, and please do not use software RAID.
- Also try not to allow internal administrative (SSH, Portainer, Proxmox etc.) communication to the server. I would, even for internal communication, use a VPN to reach the system. If someone in your home gets infected with malware, it would be easier to infect the server if the ports are open.
- Make frequent off-site backups.
- If multiple users are working (not using it, but administrating it) on the server, disable root login and create different groups as well as different accounts for each one.
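A small audit script added here as an example (it is not part of the post above) for the SSH items in the list: it reads an sshd_config and checks that root login and password authentication are off and that a public key plus a keyboard-interactive (PAM OTP) second factor is required. It assumes a stock OpenSSH config layout, ignores Match blocks, and the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the checklist above
# (no root login, no password auth, key AND second factor required).
# Directive lookup mirrors sshd: the FIRST matching line wins;
# Match blocks are not handled (simplification).

sshd_val() {  # sshd_val FILE DIRECTIVE -> lowercased value, or empty if unset
  grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 |
    awk '{ $1=""; sub(/^ +/, ""); print tolower($0) }'
}

check_sshd_config() {  # returns 0 if every check passes, 1 otherwise
  f="$1"; rc=0
  if [ "$(sshd_val "$f" PermitRootLogin)" != "no" ]; then
    echo "FAIL: PermitRootLogin should be 'no' (default is prohibit-password)"; rc=1
  fi
  if [ "$(sshd_val "$f" PasswordAuthentication)" != "no" ]; then
    echo "FAIL: PasswordAuthentication should be 'no' (default is yes)"; rc=1
  fi
  if [ "$(sshd_val "$f" KbdInteractiveAuthentication)" != "yes" ]; then
    echo "FAIL: KbdInteractiveAuthentication should be 'yes' so PAM can prompt for the OTP"; rc=1
  fi
  case "$(sshd_val "$f" AuthenticationMethods)" in
    publickey,keyboard-interactive|publickey,keyboard-interactive:pam) ;;
    *) echo "FAIL: AuthenticationMethods should be 'publickey,keyboard-interactive'"; rc=1 ;;
  esac
  [ $rc -eq 0 ] && echo "OK: $f passes the checklist"
  return $rc
}

# Constructed sample configs for a stand-alone run (not real server files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
for c in weak hardened; do check_sshd_config "$demo_dir/$c.conf" || :; done  # report only
rm -rf "$demo_dir"
```

Run it as `sh audit.sh` for the demo, or source it and call `check_sshd_config /etc/ssh/sshd_config` on a real file.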