I self-host all of my websites (including this one) and some other services. I won’t get super detailed here, but I wanted to give a general idea as to what I do to secure my self-hosted sites and services.
Basics
- The domain is registered separately from the server where the content is hosted (which is physically under my control), and DNS is handled separately from both of those.
- All default passwords have been changed, and a strong password policy with password rotation is enforced.
Server
- Built from scratch and runs limited sites and services.
- OS and software are regularly checked and updated.
- SELinux policy in enforcing mode.
- SSH access via local network only. All insecure protocols disabled (FTP, telnet, rlogin, etc.).
- The root account is disabled for login, including SSH access as root.
- SSH login via SSH keys (no password login).
- Full-disk encryption at rest (protects the data if the server is seized or stolen).
- Locked bootloader.
- Password-protected UEFI.
- USB access disabled by default.
- Hardened kernel config and kernel boot parameters.
- Unneeded services and kernel modules disabled.
- Hardened filesystem.
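As an added example (not part of the original post), here is a small POSIX sh audit that checks an sshd_config against the SSH items above (no root login, key-only login, no password login). The sample config it runs on is constructed, and the compiled-in defaults it assumes for unset keywords are OpenSSH's documented ones.

```sh
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# SSH controls listed above (root login off, key-only login, no passwords).
# Limitations: Include drop-ins and Match blocks are not followed.

# effective_value FILE KEY: print the value sshd would use for KEY, i.e. the
# first non-comment occurrence (sshd keeps the first match), or "unset".
effective_value() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# check_setting FILE KEY DEFAULT WANT DESC: print PASS/FAIL for one control.
# An unset keyword is judged by sshd's compiled-in DEFAULT, not treated as safe.
check_setting() {
    got=$(effective_value "$1" "$2")
    [ "$got" = unset ] && got="$3 (default)"
    if [ "${got%% *}" = "$4" ]; then
        printf 'PASS  %-30s %s=%s\n' "$5" "$2" "$got"
        return 0
    fi
    printf 'FAIL  %-30s %s=%s, want %s\n' "$5" "$2" "$got" "$4"
    return 1
}

# audit_sshd FILE: run every check; the return code is the number of failures.
audit_sshd() {
    fails=0
    check_setting "$1" PermitRootLogin prohibit-password no \
        "root SSH login disabled" || fails=$((fails + 1))
    check_setting "$1" PasswordAuthentication yes no \
        "password login disabled" || fails=$((fails + 1))
    check_setting "$1" KbdInteractiveAuthentication yes no \
        "keyboard-interactive disabled" || fails=$((fails + 1))
    check_setting "$1" PubkeyAuthentication yes yes \
        "key-based login enabled" || fails=$((fails + 1))
    return "$fails"
}

# Demo on a constructed sample config (not a real host's file). For a real
# audit, run: audit_sshd /etc/ssh/sshd_config
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin no
#PasswordAuthentication no   (commented out, so the default "yes" applies)
PubkeyAuthentication yes
EOF
audit_sshd "$sample" || echo "$? control(s) need attention"   # -> 2
rm -f "$sample"
```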
Network
- Firewall that allows only the necessary ingress/egress ports to and from the server.
- Network-based IPS/IDS.
- Isolated VLAN (not inherently a security feature, but there’s no access to other VLANs on the network and no other devices on this VLAN except this server).
Site
- HSTS enforced; TLS limited to 1.2 and 1.3 with modern cipher suites only.
- Site and site components are regularly checked and updated.
- Bruteforce protection.
- 2-factor authentication.
- (D)DoS protection.
- Certain IP ranges are blocked (I won’t go into detail about which, but the reason is the attack frequency observed from them).
There are more nuts and bolts to this, but this gives a general idea of my setup.