Also at k3can@mastodon.hams.social

  • 0 Posts
  • 6 Comments
Joined 2 years ago
cake
Cake day: June 21st, 2023

help-circle


  • You’re not a “target” as much as you are “a thing that exists.” These aren’t targeted attacks.

    That said, you can look into adding some additional measures to your webserver if you haven’t already, like dropping connections if a client requests a location they shouldn’t, like trying to access /admin, /…/…, /.env, and so on.

    On nginx, it could be something like:

    location ^/\.|)/admin|/login {
        return 444;
    }
    

    Of course, that should be modified to match whatever application you’re actually using.




  • A lot of how you set up your system is just going to depend on how you want to set it up.

    I run podman (like an improved version of docker) in a single LXC container for applications that are primarily packaged as docker apps. I think I have 4 or 5 applications running on that LXC.

    For things that are distributed via apt, git repo, etc, I’ll either create a new LXC or use an existing LXC if it’s related to other services I’m running. For example, crowdsec is run in the same machine as nginx since those two work together and I’ll always want them both running at the same time, so there’s no reason to separate them.

    I have mariadb running in its own LXC so that it can follow a different (more frequent) backup schedule than the mostly static applications that interact with it.

    Anything that needs to interact directly with hardware, like Home Assistant, or I want kernel separation for, will get a full fledge VM instead of a container.

    It’s all about how you want to use it.