I put up a vps with nginx and the logs show dodgy requests within minutes, how do you guys deal with these?

Edit: Thanks for the tips everyone!

  • InEnduringGrowStrong@lemm.ee
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    I do client ssl verification.
    Nobody but me or my household is supposed to access those anyway.
    Any failure is a ban (I don’t remember how long for).
    I also ban every IP not from my country, adjusting that sometimes if I travel internationally.
    It’s much easier when you host stuff only for your devices (my case) and not for the larger public (like this lemmy instance).

    • karlthemailman@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      How do you have this set up? Is it possible to have a single verification process in front of several exposed services? Like as part of a reverse proxy?

      • dinosaurdynasty@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yup, there are many ways of doing that. Most reverse proxies should support basic auth (easy, but browser UX is terrible and it breaks websockets) or TLS client auth (even worse browser UX, phones are awful).

        The best thing is do something like Caddy + Authelia (which is what I currently do with most things, with exceptions for specific user agents and IPs for apps that require it, aka non-browser stuff like Jellyfin),

      • InEnduringGrowStrong@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yes it’s running in my reverse proxy.
        Nginx is doing my “client ssl verify” in front of my web services.
        You can even do this on a per uri/location.
        For example, my nextcloud is open without client certs so I can share files with people, but the admin settings path is protected by client ssl.

    • ComptitiveSubset@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      That sounds like an excellent solution for web based apps, but what about services like Plex or Nextcloud that use their own client side apps?

      • InEnduringGrowStrong@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Some apps now have support for client certs (home-assistant ❤).
        Nextcloud is one of the only apps that’s open without client ssl because it’d be highly inconvenient to share a file link with someone if I had to install a cert on their devices. Plex app never works right for me so I just use the browser. My TV is too old to have old built-in so I have a VM in which I use a browser to watch plex.