Specifically from the standpoint of protecting against common and not-so-common exploits.

I understand the concept of a reverse proxy and how works on the surface level, but do any of the common recommendations (npm, caddy, traefik) actually do anything worthwhile to protect against exploit probes and/or active attacks?

Npm has a “block common exploits” option but I can’t find anything about what that actually does, caddy has a module to add crowdsec support which looks like it could be promising but I haven’t wrapped my head around it yet, and traefik looks like a massive pain to get going in the first place!

Meanwhile Bunkerweb actually looks like it’s been built with robust protections out of the box, but seems like it’s just as complicated as traefik to setup, and DNS based Let’s Encrypt requires a pro subscription so that’s a no-go for me anyway.

Would love to hear people’s thoughts on the matter and what you’re doing to adequately secure your setup.

Edit: Thanks for all of your informative replies, everyone. I read them all and replied to as many as I could! In the end I’ve managed to get npm working with crowdsec, and once I get cloudflare to include the source IP with the requests I think I’ll be happy enough with that solution.

  • bastion
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    6 months ago

    What you probably want is a dmz or red/green localnets. A reverse proxy (as others have mentioned) like haproxy or nginx) are extremely unlikely to, themselves, be hacked. But they don’t really add security, either.

    What does add security is to have a router with a firewall, with one or more red networks, and a green network.

    The red network has all of your public-facing servers. They have virtually no external access, and no internal access except to respond. It’s even good to have a rule on the router that you can turn on/off that blocks all outbound connections from the red network to the external world. To upgrade a server, turn off the rule, upgrade, and then turn the rule on again. The router only forwards inbound connections from the internet on a specific port, and routes them to the server/servers on the red network(s) on a (possibly different) specific port.

    Most ownage-style hacks involve (once compromised) either calling home (can’t if the server is not allowed outbound connections) or opening an additional port (who cares, the router will never forward anything to that port).

    Then, back up your important info, and keep multiple copies of that info - daily for a week, monthly for a few months, and yearly.