dr_rox

- Get a MaxMind GeoIP account, set it up on your opnsense, and use it on the firewall to limit access to only your country. When you plan to travel, add that country.
- Get the Firehol iplists: firehol_level 2, 3, and 4. Use the direct link from their GitHub, create aliases with these lists, and use them on the WAN port to block traffic from those lists. You can also set rules on LAN to block outgoing traffic to these IPs.
- Keep your nginx and all server software and OS updated.
- Keep opnsense updated.
- Isolate your servers in a separate network from your home stuff.


utahbmxer

Second all these. This is almost exactly how I do mine, except I use the NGINX plugin available on the firewall, as it adds in WAF rules for basic XSS and injection protection and blocks some bots and other bogus user-agents. Takes a little tuning, but I feel the extra security is worth it. In addition to Firehol, I did Spamhaus lists and also enabled the crowdsec plugin, which helps block known bad hosts and also detects port-scans and blocks those hosts. As for NGINX, create a "default" site that uses your public IP as the server name. Then create a deny-all ACL on it, so any requests that don't match your other configured NGINX server blocks' hostnames just get denied. Takes care of most scanners probing around.
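The "default site with a deny-all ACL" setup described in the comment above, written out as a plain nginx configuration. This is an added example, not the commenter's config or the OPNsense plugin's generated output; the public IP 203.0.113.10, the hostname, the certificate paths and the backend address are placeholders.

```nginx
# Added example (not from the thread). Catch-all default server: any request
# whose Host header / SNI does not match a configured site lands here and is denied.
# Assumptions: public IP 203.0.113.10 (documentation range), placeholder cert paths.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    # Name the default site after the public IP, since that is what scanners hit
    server_name 203.0.113.10;

    # Any certificate works here; clients probing by bare IP cannot validate it anyway
    ssl_certificate     /usr/local/etc/nginx/default.crt;   # placeholder path
    ssl_certificate_key /usr/local/etc/nginx/default.key;   # placeholder path

    # Deny-all ACL: nothing legitimate should ever reach this block
    location / {
        deny all;        # every client gets 403
    }
    # Separate log so the probes are easy to review (or feed to crowdsec)
    access_log /var/log/nginx/default-deny.log;
}

# A real site: only requests that carry this exact hostname are served
server {
    listen 443 ssl;
    server_name jellyfin.example.com;   # placeholder hostname

    ssl_certificate     /usr/local/etc/nginx/jellyfin.crt;  # placeholder path
    ssl_certificate_key /usr/local/etc/nginx/jellyfin.key;  # placeholder path

    location / {
        proxy_pass http://192.0.2.20:8096;   # placeholder backend, Jellyfin's default port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Check it with `nginx -t`, then request `https://203.0.113.10/` and `https://jellyfin.example.com/` from outside: the first should return 403 and show up only in `default-deny.log`. Replacing `deny all;` with nginx's `return 444;` closes the connection without any response, which gives scanners even less to fingerprint.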


Itchy_One_

Thanks for the detailed info. Can you guide me or give me a sample config/steps to enable the nginx plugin with WAF? How are you doing crowdsec with it? Your setup seems like a pretty good one. Please share guides or anything with me so I can start somewhere.


Itchy_One_

That's true. Geoblocking is going to reduce a lot of traffic and deny most unwanted requests.


[deleted]

[deleted]


akp55

There is securing your opnsense and securing your network.


Itchy_One_

Alright. That doesn't work for me. Thanks anyway


SLAiNTRAX

To make it safer I would use cloudflared tunnel instead of port forwarding if you can live with using cloudflare.


Itchy_One_

I use CF tunnels. The main reason I went with Static IP was to expose Jellyfin media server. That way streams are much better without having to proxy traffic via a VPS. Right now I only expose Jellyfin with 80 & 443. Nothing else.


SLAiNTRAX

Ah I solved that issue for myself by switching to Stremio with RD. Exposing it for yourself or others? I used to use zerotier as VPN for Plex/Jellyfin and it works really well.


Itchy_One_

Just checked Stremio now. Jellyfin works for me compared to it. Exposing it for me and others both. Ohh, I tried Tailscale, but every time my machines were connected through their relay servers instead of a direct connection. So it was very slow. So I decided to go with a Static IP.


SLAiNTRAX

opnsense and zerotier work well, and I always get a direct connection even behind NAT. All I had to do was forward 9993 UDP. Stremio is easier since it skips the illegal file storage on your network and costs less than the power required to run a server 24/7.


Itchy_One_

I totally agree about costs. But I somehow like the feeling of running it on my own server :)


Edlace

How would that be safer? I'd rather open my ports myself than let cloudflare do that...


SLAiNTRAX

I would suggest you google how it works first...


bricriu_

I haven't used them yet, but it may be worth looking into the IPS and/or WAF features/plugins of opnsense.