After I fiddle with the firewall rules (or a system install or major upgrade) I usually only do a quick portscan with nmap from another box. (TCP and UDP; only IPv4 only because I disabled IPv6 completely.) There are online port-scan services too, but you never know if they also invite the bots.
I agree with others here that vulnerability-scanning your own applications seems overkill. Like with external virus scanners, I always feel they are just as likely the attack vector themselves. The more complexity, the more risk.
What I do is:
Enable unattended system updates (on Debian stable) and automated reboots. And sometimes check if it actually still works.
Firewall configuration with a whitelist for public ports, and as a second layer:
configure internal services to listen only on localhost, or to filter access by ip/netmask, and
put something in front of services that don’t need general public access. (A wireguard tunnel, or HTTP basic auth in your reverse-proxy.)
if you expose ssh to the public, make there is some extra step that prevents you from exposing a test user you just created. I’m using the AllowUsers user whitelist, but KbdInteractiveAuthentication no should be good enough too. If the failed login attempts by the bots bother you, you could run sshd on a non-standard port.
stop services you no longer use, or at least remove public access.
If you have a complex service that needs to be fully public (say a video conference solution, I wouldn’t worry much about a simple static web server) then isolate it from everything else somehow. Ideally on a separate box, make sure it cannot access the internal network, make sure it cannot access any files it doesn’t need. And install those security patches.
Something else I always wanted to do (but never got around doing) is to create a simple canary intrusion detection. Like, putting some important-looking “prod” host into ~/.ssh/config and a private ssh key, and configure the target host to send me a SMS instead when this key tries to log in. (Or even shut everything down automatically.) This should prevent me from becoming part of a botnet for months unnoticed, maybe.
After I fiddle with the firewall rules (or a system install or major upgrade) I usually only do a quick portscan with
nmapfrom another box. (TCP and UDP; only IPv4 only because I disabled IPv6 completely.) There are online port-scan services too, but you never know if they also invite the bots.I agree with others here that vulnerability-scanning your own applications seems overkill. Like with external virus scanners, I always feel they are just as likely the attack vector themselves. The more complexity, the more risk.
What I do is:
AllowUsersuser whitelist, butKbdInteractiveAuthentication noshould be good enough too. If the failed login attempts by the bots bother you, you could run sshd on a non-standard port.Something else I always wanted to do (but never got around doing) is to create a simple canary intrusion detection. Like, putting some important-looking “prod” host into
~/.ssh/configand a private ssh key, and configure the target host to send me a SMS instead when this key tries to log in. (Or even shut everything down automatically.) This should prevent me from becoming part of a botnet for months unnoticed, maybe.