I have changed the default users and passwords and installed fail2ban. What other security measures or configuration changes should I make when running my Pi as a webserver? I will be running a wordpress site for only a few people, but want to do my best in securing my Pi and also my home network which it will be hosted on.
First of all, if it’s about SSH security, best is to not allow SSH connections from outside your local network at all, by just forwarding ports 80+443 for webserver access. Then fail2ban is not needed at all. If you really need SSH from outside your local network, consider VPN connections; otherwise switch the SSH server to listen on a non-default port instead of the default port 22.
I used SSH on port 22 with fail2ban for a while and regularly found access attempts from around the world. After switching to another random port, I haven’t had a single attempt for about a year. Just note that non-default ports are often blocked on public networks, e.g. at work or on university WLAN.
Then you should use key authentication for SSH instead of password login. This even makes login more comfortable, as you don’t need to enter a password if your SSH client has your private key. But you can as well secure the key again with a password that then needs to be entered, especially good if others besides yourself have access to the client system.
But that’s only about securing SSH/system access.
Next is the webserver itself. It should use HTTPS only. Install certbot (via dietpi-software) and use dietpi-letsencrypt with HTTPS redirection to enforce that for your server. There are further possibilities to make SSL/HTTPS most secure, but let’s talk about that later, as I am on the road currently.
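As an added example (not from the thread or from DietPi's own scripts), the following POSIX shell script audits an sshd_config against the three points made above: a non-default port, key-only login with password authentication disabled, and no root login. It reads the config the same way sshd does (first uncommented occurrence of a keyword wins, built-in default when the keyword is absent); the file paths and the sample config are assumptions.

```shell
#!/bin/sh
# Added example, not the forum's or DietPi's code. Audits an sshd_config for
# the SSH hardening discussed above. sshd honours the FIRST uncommented
# occurrence of a keyword and falls back to a built-in default when it is
# absent, so the audit mirrors that. Include/Match blocks are not resolved;
# on a live system feed it the effective config from `sshd -T` instead.

# sshd_value FILE KEYWORD DEFAULT : print the effective value of KEYWORD
sshd_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# sshd_audit_failures FILE : findings go to stderr, the number of failed
# checks goes to stdout (always exits 0 so it composes with `set -e`)
sshd_audit_failures() {
    f="$1"; fails=0
    port=$(sshd_value "$f" Port 22)
    pw=$(sshd_value "$f" PasswordAuthentication yes)
    root=$(sshd_value "$f" PermitRootLogin prohibit-password)
    pubkey=$(sshd_value "$f" PubkeyAuthentication yes)

    if [ "$port" = "22" ]; then
        echo "FAIL: sshd listens on the default port 22" >&2; fails=$((fails + 1))
    fi
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pw', expected 'no'" >&2; fails=$((fails + 1))
    fi
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$root', expected 'no'" >&2; fails=$((fails + 1))
    fi
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is '$pubkey', expected 'yes'" >&2; fails=$((fails + 1))
    fi
    echo "$fails"
}

# Stand-alone use: `sudo sshd -T > /tmp/effective.conf; sh audit.sh /tmp/effective.conf`
# (hypothetical script name). Exit status is the number of failed checks.
if [ -n "${1:-}" ]; then
    n=$(sshd_audit_failures "$1")
    exit "$n"
fi
```

Auditing the output of `sshd -T` rather than the raw file matters on Debian-based images, where a drop-in under /etc/ssh/sshd_config.d/ can silently re-enable password login; `sshd -T` prints the values the daemon will actually use.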
I never worked with HAProxy (just have a single home server environment here, thus no need for a load balancer), so can’t say for sure, but your guide shows that HAProxy indeed can be used to allow/force external HTTPS access to web servers which internally do not have SSL enabled. So the load balancer does all the SSL handshake, encryption and decryption stuff, while the web servers in the back don’t have to bother with this and can concentrate on serving their content. Quite interesting and makes sense:
- The SSL settings are the same for all local servers; one doesn’t need to configure/update these on all web servers separately.
- But on the other hand, from within the local network, access to the web servers directly is not encrypted. But it should be no problem to configure them to listen to the load balancer only.
But for a wordpress site for only a few people I don’t see any need or use of a load balancer.
@adyus, tell me a bit more about your server setup: which device and webserver are you using? Usually, using CertBot + DietPi-Letsencrypt gives good default SSL settings with a reasonable balance between security and performance. But I have a similar, mostly two-user Nextcloud instance here and love to have it at a 100% score on SSLLabs: https://www.ssllabs.com/ssltest/
This leads to quite some delay when accessing your web page; especially accessing from my mobile phone takes some seconds before the page opens the first time. This is due to the larger than usual keys and checksums needed. But if you want to try it, I can give you some instructions based on the webserver used.
I’m currently running the latest version of DietPi on a Pi 3 B+. My wordpress installation is set up with Lighttpd right now, but I’ve read Nginx can perform or load multiple tasks at once and may be faster. Which do you prefer or suggest for a wordpress site?
For me I just want to ensure my home network is as safe as can be after opening ports for my Pi, and that my Pi isn’t opening up my home network or computers to attack.
I was thinking about doing a fresh installation of DietPi and doing the following.
- Add a new default user and delete root/dietpi (or is it safe to continue using dietpi but with a strong password?)
- Change default passwords and disable password authentication in favor of local network SSH (outside SSH attempts or login attempts would hopefully be blocked or ignored.)
- Install wordpress, change default pass for that and the SQL server.
- Enable some sort of logging for unwanted login and connection attempts
- Install CertBot + DietPi-Letsencrypt
- Open ports 80/443
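The plan above forwards only 80/443 at the router, but every service on the Pi that binds to a wildcard address is still reachable from the rest of the home LAN (the SQL server behind wordpress, SSH, anything installed later). As an added example that is not part of the thread, this POSIX shell script reads the output of `ss -tlnH` (TCP, listening, numeric, no header) and lists the ports bound to non-loopback addresses that are not on an allow list; the sample `ss` output is constructed and the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Given `ss -tlnH` output, report every
# listening TCP port bound to a non-loopback address (0.0.0.0, [::], or a
# specific LAN IP) that is not in the allowed list. Loopback-only sockets
# are ignored: 127.0.0.1:3306 is where MariaDB should sit for a WordPress
# install, unreachable from the LAN even before any further hardening.

# exposed_ports SS_OUTPUT_FILE "80 443" : unexpected ports, one per line, sorted
# (pass "-" as the file to read standard input)
exposed_ports() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            # columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
            addr = $4
            if (!match(addr, /:[0-9]+$/)) next       # skip odd rows (e.g. unix sockets)
            port = substr(addr, RSTART + 1)
            host = substr(addr, 1, RSTART - 1)
            if (host == "127.0.0.1" || host == "[::1]") next   # loopback only
            if (port in ok) next                                # expected exposure
            if (!(port in seen)) { seen[port] = 1; print port } # dedupe v4/v6
        }
    ' "$1" | sort -un
}

# Stand-alone use on the Pi (hypothetical script name):
#   ss -tlnH | sh listeners.sh - "80 443"
# Prints nothing when only the forwarded web ports face the network.
if [ -n "${1:-}" ]; then
    exposed_ports "$1" "${2:-80 443}"
fi
```

Anything this prints is either a service to bind to 127.0.0.1 (database, admin panels), to restrict with a host firewall to LAN addresses (SSH, as discussed earlier in the thread), or to remove.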
Safest bet would be to create a separate network such as a DMZ (orange zone from the image below) and put that service there, with an appropriately locked-down firewall of course. This way, if that is compromised (red zone, aka internet), they don’t get access to your home/internal LAN network (green zone from the image below). Then perhaps pinhole from your internal LAN (green) into that DMZ (orange) so you can see the ports of your server and safely view/control it without exposing your entire LAN to the internet, but not in from the DMZ.
I used to develop a similar firewall application/appliance called smoothwall under the handle AwPhuch