Apart from a really nice firewall, firehol also supplies a good set of IP blacklists.

For public exposure of email ports, I am using the combination of firehol-firewall, firehol-blacklist, fail2ban and a whitelist based on geo-ip. The mail-client ports exposed are 993 and 465, because STARTTLS is considered flawed nowadays (https://nostarttls.secvuln.info/).

Full access from any IP (except firehol-blacklist and fail2ban) is possible over VPN (openvpn) with MFA (privacyidea). Privacyidea also supplies a mobile app compatible with, among others, TOTP and HOTP, but it provides a more secure way of enrollment (2-step).

Thanks for pointing at crowdsec.net, I will see if it can tighten security further in cooperation with the above.

- Kees
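The layering Kees describes (firehol blocklist first, then a geo-IP whitelist, only for ports 993 and 465) as an added example that is not part of the thread. The netset contents, the geo-IP table and the country list are constructed for the example; a real deployment would load the firehol netset files and a real GeoIP database instead.

```python
"""Added example (not from the thread): policy check combining a
firehol-style netset blocklist with a country allowlist for the
exposed mail-client ports 993 and 465, in the order Kees describes."""
import ipaddress

EXPOSED_PORTS = {993, 465}  # IMAPS and SMTPS only; no STARTTLS ports

# Constructed sample in firehol netset format: '#' comments, one IP or CIDR per line.
SAMPLE_NETSET = """\
# constructed blocklist for this example, not a real firehol list
203.0.113.0/24
198.51.100.7
"""

# Constructed stand-in for a GeoIP lookup (hypothetical data, documentation ranges).
SAMPLE_GEOIP = {
    ipaddress.ip_network("192.0.2.0/24"): "NL",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}
ALLOWED_COUNTRIES = {"NL"}  # constructed whitelist for the example


def parse_netset(text):
    """Parse firehol netset text into networks, skipping comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def country_of(ip, geoip=SAMPLE_GEOIP):
    """Return the country code for ip, or None when it is not in the table."""
    for net, cc in geoip.items():
        if ip in net:
            return cc
    return None


def decide(src, port, blocklist, allowed=ALLOWED_COUNTRIES):
    """Classify a connection: 'not-exposed', 'drop' (blocklist hit),
    'reject-geo' (country not whitelisted) or 'accept'.
    The blocklist is checked before the geo whitelist, so a blocked
    address in a whitelisted country is still dropped."""
    ip = ipaddress.ip_address(src)
    if port not in EXPOSED_PORTS:
        return "not-exposed"
    if any(ip in net for net in blocklist):
        return "drop"
    if country_of(ip) not in allowed:
        return "reject-geo"
    return "accept"
```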


On 14-11-2021 11:33, infoomatic wrote:
I will throw in a few interesting projects which have kept my small
servers safe:

*) firehol.org

*) crowdsec.net

*) www.fail2ban.org

Have a look at those interesting projects!


On 13.11.21 22:16, Tyler Montney wrote:
With the world of ransomware as it is today (aka attacks seem more
vicious and commonplace), anything I expose to WAN must have
additional protection. I've seen a few posts to this list on it. The
only thing that helped was that Dovecot supports OAuth. Through OAuth
I figure I could implement MFA. However, I'd have to host my own
identity server. From there, Thunderbird supports OAuth so that should
work.

Since this is getting increasingly complicated, I wanted to ask before
going further. What do you all do? Any recommendations?

