Fail2ban is only useful to reduce the amount of logs being recorded, it has a huge disadvantage that the more IP's that are jailed, the slower your server becomes.
Most rogue attempts to access your server are very basic and nothing to worry about (most of them looking for historic weaknesses in wordpress etc), any serious attempt would be difficult to block, your Pi doesn't have the WAN or CPU bandwidth and you would have to be finding and updating your rules on a very regular basis.
The biggest problem I had were the lesser known search engines that would hammer the server for a number of hours and either bring it to a snail's pace or crash it, they often use a number of large banks of IP's.
On your LAN, make sure the server can only access other devices on the LAN with passwords, no keys, or more preferably not at all. All the devices I can configure block incoming traffic from the servers.
If your server uses wireless then you can use AP isolation to keep it away from your LAN, if you want to access it plug in a Ethernet cable.
Check the files in the server have the correct ownership and permissions, the files should NOT be owned by the server's user (which is normally www-data), the server's user should have read-only access to the files. It is quite common to have the files owned by root which is hopefully the most secure user.
There is plenty of very cheap cloud hosting around, it is far easier and more secure to use one of them instead of a home server and you don't have the risk of your internet getting slowed down by the plethora of trash..
Most rogue attempts to access your server are very basic and nothing to worry about (most of them looking for historic weaknesses in wordpress etc), any serious attempt would be difficult to block, your Pi doesn't have the WAN or CPU bandwidth and you would have to be finding and updating your rules on a very regular basis.
The biggest problem I had were the lesser known search engines that would hammer the server for a number of hours and either bring it to a snail's pace or crash it, they often use a number of large banks of IP's.
On your LAN, make sure the server can only access other devices on the LAN with passwords, no keys, or more preferably not at all. All the devices I can configure block incoming traffic from the servers.
If your server uses wireless then you can use AP isolation to keep it away from your LAN, if you want to access it plug in a Ethernet cable.
Check the files in the server have the correct ownership and permissions, the files should NOT be owned by the server's user (which is normally www-data), the server's user should have read-only access to the files. It is quite common to have the files owned by root which is hopefully the most secure user.
There is plenty of very cheap cloud hosting around, it is far easier and more secure to use one of them instead of a home server and you don't have the risk of your internet getting slowed down by the plethora of trash..
Statistics: Posted by pidd — Fri May 09, 2025 4:36 am