Harden core.georgsen.dk firewall
- Whitelist home IP (83.89.248.247) for all traffic
- Block DNS (53), spiceproxy (3128), Proxmox UI (8006, 8008) from internet
- Add Fail2ban for SSH on PVE host
- Home IP whitelisted in Fail2ban

Access Proxmox from home IP directly or via Tailscale when remote.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
parent b335488823
commit 15c9d80952
1 changed file with 16 additions and 2 deletions
@ -95,10 +95,16 @@ NAT masquerade enabled for 10.5.0.0/24 → vmbr0
### Firewall Rules (INPUT on vmbr0)
**Home IP (83.89.248.247) is whitelisted - always allowed.**
| Protocol | Port | Action | Purpose |
|----------|------|--------|---------|
| TCP | 111 | DROP | Block portmapper from internet |
| UDP | 111 | DROP | Block portmapper from internet |
| ALL | * | ACCEPT | Allow home IP (83.89.248.247) |
| TCP/UDP | 111 | DROP | Block portmapper from internet |
| TCP/UDP | 53 | DROP | Block DNS (prevent amplification attacks) |
| TCP | 3128 | DROP | Block spiceproxy |
| TCP | 8006 | DROP | Block Proxmox UI (use home IP or Tailscale) |
| TCP | 8008 | DROP | Block Proxmox console |
Saved with: `netfilter-persistent save`
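Review bot: the rule table in this hunk is order-sensitive but the text never says so. Since the rules are persisted with `netfilter-persistent save`, this is an iptables INPUT chain evaluated top to bottom, and the `| ALL | * | ACCEPT | Allow home IP (83.89.248.247) |` row only works because it precedes the DROP rows; add a sentence above the table stating that the home-IP ACCEPT must stay first, otherwise a later `iptables -I INPUT` of any DROP rule silently locks the home IP out of 8006 and leaves Tailscale as the only way in. Two smaller points: the row `| TCP | 8008 | DROP | Block Proxmox console |` needs a note on which service actually listens on 8008, because the Proxmox noVNC console is tunnelled through pveproxy on 8006 and SPICE through spiceproxy on 3128 (the rows above it), so a reader cannot tell whether 8008 is a local daemon or a leftover; and the hunk documents IPv4 only, so if vmbr0 carries a public IPv6 address, state whether matching ip6tables rules exist, since `netfilter-persistent save` writes rules.v4 and rules.v6 separately and an IPv4-only whitelist and DROP set leaves 8006 reachable over v6.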
@ -503,8 +509,16 @@ Personal company website
### Fail2ban
**core.georgsen.dk (PVE host):**
- Config: `/etc/fail2ban/jail.local`
- Jail: sshd
- Max retries: 5
- Ban time: 24 hours
- Whitelisted: 127.0.0.1, 10.5.0.0/24, 83.89.248.247
**Forgejo (VMID 114):**
- Config: `/etc/fail2ban/jail.local`
- Jail: forgejo
- Max retries: 5
- Ban time: 24 hours
- Log: `/var/lib/forgejo/log/forgejo.log`
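Review bot: both jail entries in this hunk give max retries and ban time but no findtime, and `- Max retries: 5` says nothing without the window the retries are counted over; add the `findtime` each jail.local actually sets (fail2ban's default is 10 minutes if unset), and consider naming the keys as they appear in the file (`maxretry`, `bantime`, `findtime`, `ignoreip`) so the doc can be checked against it with grep. The Forgejo entry is also missing two things the sshd entry has or implies: the filter, since fail2ban does not ship a `forgejo` filter by default, so the `/etc/fail2ban/filter.d/forgejo.conf` failregex this jail depends on should be referenced next to the log path; and a whitelist, which the PVE entry documents as `- Whitelisted: 127.0.0.1, 10.5.0.0/24, 83.89.248.247` but the Forgejo (VMID 114) entry omits, so a handful of mistyped passwords from the home IP would ban it on that VM for 24 hours. If Forgejo is reached through a reverse proxy rather than a port forward, note as well that `/var/lib/forgejo/log/forgejo.log` must record the real client address, or the jail bans the proxy instead of the attacker.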