Definitely install fail2ban and use certificates for ssh authentication.
Also, use cloudflare and consider using an email delivery service like jetmail instead of sending mail directly from the instance.
You could then block any incoming traffic that doesn’t come for port the ssh port or from cloud flare for port 443.
In my opinion, folks should avoid Cloudflare at all costs. They’re free speech maximalists with a history of defending NAZI’s and other terrible people. They only discontinue service to white nationalists when the media attention gets too hot. Then they turn around and let them back in once things have died down.
Also, speaking as a screen reader user, if they think your IP address is suspicious (maybe because you’re using Tor or a VPN), they present an inaccessible captcha and don’t offer work-arounds. Then because the entire website is blocked behind the captcha, screen reader users can’t even get in contact with you to let you know what’s happening.
Cloudflare is a major player in the infrastructure of the internet. The should remain neutral and provide their service to anyone operating within the law.
I was using CF initially for proxying, but noticed some weirdness with federation***. I would only get updates from Beehaw, but lemmy.world and other servers’ updates wouldn’t come through. As soon as I dropped the proxy and restarted the server, my instance got flooded by updates. I’m really not sure where to start debugging, so I’ve kept it off for now
Checked it out. I ended up having a WAF rule blocking non-US traffic… Given Beehaw is US based, the fact that I was mostly getting posts from this instance makes a lot of sense now. Thanks again
Better delivery and avoids exposing your IP via emails, although it’s best to setup a some sort of tunnel to avoid having that problem altogether.
Is it possible to have a public-facing instance without exposing your IP? I am not sure I understand that part, and I am very interested in understanding how to achieve that.
Yes, you tunnel all your traffic through cloudflare.
Google “Cloudflare tunnel”.
Whatever people say about cloudflare, right now it’s a necessity if you manage a public facing server and don’t have the resources to avoid DDoS attacks.
Definitely install fail2ban and use certificates for ssh authentication. Also, use cloudflare and consider using an email delivery service like jetmail instead of sending mail directly from the instance.
You could then block any incoming traffic that doesn’t come for port the ssh port or from cloud flare for port 443.
In my opinion, folks should avoid Cloudflare at all costs. They’re free speech maximalists with a history of defending NAZI’s and other terrible people. They only discontinue service to white nationalists when the media attention gets too hot. Then they turn around and let them back in once things have died down.
Also, speaking as a screen reader user, if they think your IP address is suspicious (maybe because you’re using Tor or a VPN), they present an inaccessible captcha and don’t offer work-arounds. Then because the entire website is blocked behind the captcha, screen reader users can’t even get in contact with you to let you know what’s happening.
Cloudflare is a major player in the infrastructure of the internet. The should remain neutral and provide their service to anyone operating within the law.
I was using CF initially for proxying, but noticed some weirdness with federation***. I would only get updates from Beehaw, but lemmy.world and other servers’ updates wouldn’t come through. As soon as I dropped the proxy and restarted the server, my instance got flooded by updates. I’m really not sure where to start debugging, so I’ve kept it off for now
*** see comments under chris below. Fixed
CF has some firewall feature active by default. You have to turn them off.
Checked it out. I ended up having a WAF rule blocking non-US traffic… Given Beehaw is US based, the fact that I was mostly getting posts from this instance makes a lot of sense now. Thanks again
Glad I could help
Why is this better? To overcome spam filters, or is there some security risk associated with e-mails?
Better delivery and avoids exposing your IP via emails, although it’s best to setup a some sort of tunnel to avoid having that problem altogether.
Is it possible to have a public-facing instance without exposing your IP? I am not sure I understand that part, and I am very interested in understanding how to achieve that.
Yes, you tunnel all your traffic through cloudflare. Google “Cloudflare tunnel”.
Whatever people say about cloudflare, right now it’s a necessity if you manage a public facing server and don’t have the resources to avoid DDoS attacks.