Hey guys,
I finally come around and started the journey of self-hosting and decided to get a VPS. After securing it, by making login via public-key default, I installed CasaOS and instantly regretted it since it now can be reached freely from the internet. A while ago, I read that you can limit the incoming connection to only VPN and ssh. And configured a Wireguard-VPN on the server via pivpn. But the server can still be reached from the internet. So what do I have to do now? Is it even the right choice, or am I missing something? How do you guys secure your VPS?
Also before diving too deep into firewalls, which is a good idea none the less, just go to SSHd config and set
ListenAddress
to only listen on the VPN network address instead of public IP, and no one can connect via the public IP.Keep it simple, and add complexity only as needed.
I personally prefer using public key encryption over passwords for ssh authentication. There's no need to rely on third-party VPN providers (like ZeroTier or Tailscale) or hosting your own "vpn server" for that purpose as ssh trafic is already encrypted.
The drawback of following the route you suggested is that you have to operate yet another service that could be misconfigured, potentially causing you to lose access to your server. If you're keen on further restricting access, consider whitelisting your static(!) IP address, the IP address ranges associated with your provider or the ranges assigned to your country for an additional layer of security.
I agree. I have all my servers “in the open”, and only use VPN when I need to route my egress through a different geographical location. The reason I’m saying to use
ListenAddress
instead is because OP is already got the VPN setup, and seems like not going to change from it. No point introducing yet another piece of complexity such as firewall to the mix when their objective can be achieved with what they’re already using.