Apart from a really nice firewall, firehol also supplies a good set of IP blacklists.
For public exposure of email ports, I am using the combination of firehol firewall, firehol blacklist, fail2ban and a whitelist based on geo-IP. The mail-client ports exposed are 993 and 465, because STARTTLS is considered flawed nowadays (https://nostarttls.secvuln.info/).
Full access from any IP (except firehol blacklist and fail2ban) is possible over VPN (OpenVPN) with MFA (privacyidea). Privacyidea also supplies a mobile app compatible with, among others, TOTP and HOTP, but it provides a more secure way of enrollment (2-step).
Thanks for pointing at crowdsec.net, will see if it can tighten security further in cooperation with the above.
- Kees
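As an added illustration of the fail2ban part of the setup described above (this is example code written for this page, not fail2ban's shipped dovecot filter and not anything posted in the thread): a small fail2ban-style brute-force detector run over constructed Dovecot `imap-login` log lines. It applies the usual `maxretry`/`findtime` sliding window per source IP and skips networks on an allow-list, which stands in for the geo-IP whitelist. The log lines, IP addresses, and the `ALLOWED_NETS` list are all made up for the example.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style Dovecot lines for the example (not real traffic).
# 203.0.113.5  : three failures within 14 s          -> should be banned
# 198.51.100.7 : three failures, but on an allowed net -> must NOT be banned
# 203.0.113.77 : three failures spaced 11 min apart   -> never 3 inside findtime
SAMPLE_LOG = """\
Nov 14 10:12:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s1>
Nov 14 10:12:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s2>
Nov 14 10:12:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s3>
Nov 14 10:12:20 mail dovecot: imap-login: Login: user=<kees>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s4>
Nov 14 10:12:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<kees>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s5>
Nov 14 10:12:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<kees>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s6>
Nov 14 10:12:32 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<kees>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s7>
Nov 14 10:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<x>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, TLS, session=<s8>
Nov 14 10:41:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<x>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, TLS, session=<s9>
Nov 14 10:52:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<x>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, TLS, session=<s10>
"""

# Hypothetical "geo-IP allowed" networks; in the real setup this list would be
# generated from a geo-IP database, here it is hard-coded for the example.
ALLOWED_NETS = ["198.51.100.0/24"]

# Simplified filter for Dovecot's imap-login/pop3-login failure summary line.
# Successful "Login:" lines do not contain "Disconnected ... (auth failed" and
# therefore never count as failures.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected.*\(auth failed, \d+ attempts in \d+ secs\).*?rip=(?P<ip>[0-9A-Fa-f.:]+),"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for an auth-failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; that is fine for measuring intervals
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip")


def find_bans(log_text, maxretry=3, findtime=600, ignore=()):
    """fail2ban-style sliding window: ban an IP once it has >= maxretry
    failures within findtime seconds, unless it is inside an ignored network.
    Returns {ip: timestamp_of_ban}."""
    ignored = [ipaddress.ip_network(n) for n in ignore]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue                  # already banned, nothing more to count
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue                  # allow-listed (e.g. geo-IP whitelist)
        window = recent[ip]
        window.append(ts)
        # drop failures that fell out of the findtime window
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG, ignore=ALLOWED_NETS).items():
        print(f"ban {ip} at {when.strftime('%b %d %H:%M:%S')}")
```

The third source in the sample shows the usual caveat with fail2ban's defaults: a slow attacker who stays under `maxretry` per `findtime` is never banned by the rate window alone, which is exactly where an external blacklist such as firehol's adds value.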
On 14-11-2021 11:33, infoomatic wrote:
I will throw in a few interesting projects which have kept my small servers safe:
*) firehol.org
*) crowdsec.net
*) www.fail2ban.org
Have a look at those interesting projects!
On 13.11.21 22:16, Tyler Montney wrote:
With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. From there, Thunderbird supports OAuth so that should work.
Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?