Could you please suggest if I need to do anything else to ensure that my server is secure against the most common attacks? Currently it seems fine to me, but I would highly appreciate it if someone with penetration testing / hacking experience could verify that.
Here's the brief architecture description:
- VPS with Ubuntu 22.04.4 LTS, packages are up-to-date;
- Static IPv4 address is attached to the VM, + I have a domain name with two A-records: `mysite.com` / `*.mysite.com` -> my_IP
- Portainer is installed, configuration UI is publicly accessible by subdomain `portainer.mysite.com` (authentication form is shown)
- There's an Nginx Proxy Manager installed as a Docker container, ports `80` and `443` are forwarded to the host VM, admin panel is publicly accessible by subdomain `proxy.mysite.com` (authentication form is shown). This reverse proxy does traffic forwarding between other Docker containers, forcing HTTPS usage, etc.
- There are two Let's Encrypt SSL certificates: one for `mysite.com`, one for `*.mysite.com` (both obtained automatically via Certbot), HTTPS works fine everywhere, browser doesn't complain about security issues
- Cockpit panel is installed, admin panel is publicly accessible by subdomain `admin.mysite.com` (authentication form is shown), port 9090 is open for public access
- Port 22 is also open to the public, password authentication is allowed.
All passwords are long (20+ chars), they are different for each service and contain special characters.
Does it look good from the security perspective? Do I need to take care of anything else here? Firewall, Cloudflare Zero Trust tunnel for Cockpit, etc.? I don't really like that my service apps like Portainer are publicly accessible...
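An added example, not part of the question above: a bash audit script that checks the two exposure points the post lists (sshd password authentication on port 22, and Cockpit's port 9090 listening on all interfaces) against captured `sshd -T` and `ss -Hltn` output. The sample command output and the loopback-only port 9000 entry are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original question. Both functions take
# captured command output as a string argument so they can be run offline;
# on the real host you would pass "$(sudo sshd -T)" and "$(ss -Hltn)".

# Print one finding per line for risky sshd settings. Input is `sshd -T`
# output, which lists effective values as lowercase "key value" lines.
audit_sshd() {
    local cfg=$1
    if grep -qiE '^passwordauthentication[[:space:]]+yes' <<<"$cfg"; then
        echo "FINDING: sshd allows password authentication on port 22; switch to key-only"
    fi
    if grep -qiE '^permitrootlogin[[:space:]]+yes' <<<"$cfg"; then
        echo "FINDING: sshd permits root login with a password"
    fi
    return 0
}

# Print one finding per line for management ports bound to all interfaces.
# Input is `ss -Hltn` output (column 4 is Local Address:Port), then the ports
# to check. Loopback-only listeners (127.0.0.1:port) are not reported.
audit_ports() {
    local listeners=$1; shift
    local port line local_addr
    for port in "$@"; do
        while read -r line; do
            [ -z "$line" ] && continue
            local_addr=$(awk '{print $4}' <<<"$line")
            case "$local_addr" in
                "0.0.0.0:$port"|"*:$port"|"[::]:$port")
                    echo "FINDING: port $port listens on all interfaces ($local_addr); firewall it or bind to 127.0.0.1"
                    ;;
            esac
        done <<<"$listeners"
    done
    return 0
}

# Constructed sample output mirroring the setup in the question.
SAMPLE_SSHD='port 22
passwordauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes'
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9090 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*'

audit_sshd "$SAMPLE_SSHD"
audit_ports "$SAMPLE_SS" 22 9090 9000   # 9000: constructed loopback-only service
```

On the described host the script reports two findings: password authentication enabled, and port 9090 (Cockpit) reachable on all interfaces; the sshd port 22 listener is also reported because the post says it is open to the public.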