
Could you please suggest whether I need to do anything else to ensure that my server is secure against the most common attacks? Currently it seems fine to me, but I would highly appreciate it if someone with penetration testing / hacking experience could verify that.

Architecture schema

Here's the brief architecture description:

  • VPS with Ubuntu 22.04.4 LTS, packages are up-to-date;
  • Static IPv4 address is attached to the VM, + I have a domain name with two A-records: mysite.com / *.mysite.com -> my_IP
  • Portainer is installed, configuration UI is publicly accessible by subdomain portainer.mysite.com (authentication form is shown)
  • There's a Nginx Proxy Manager installed as Docker container, 80 and 443 ports are forwarded to the host VM, admin panel is publicly accessible by subdomain proxy.mysite.com (authentication form is shown). This reverse-proxy does traffic forwarding between other Docker containers, forcing HTTPS usage, etc.
  • There are two Let's Encrypt SSL certificates: one for mysite.com, one for *.mysite.com (both obtained automatically via Certbot), HTTPS works fine everywhere, browser doesn't complain about security issues
  • Cockpit panel is installed, admin panel is publicly accessible by subdomain admin.mysite.com (authentication form is shown), port 9090 is open for public access
  • Port 22 is also open to the public, and password authentication is allowed.

All passwords are long (20+ chars), they are different for each service and contain special characters.

Does it look good from the security perspective? Do I need to take care of anything else here? Firewall, Cloudflare Zero Trust tunnel for Cockpit, etc.? I don't really like that my service apps like Portainer are publicly accessible...

1 Answer


You're not describing any security measures, except that you have long passwords and use HTTPS. This is a good starting point, but it's far from comprehensive protection against common attacks.

Server and web security are very broad topics which have been covered in countless books, articles and papers, so we obviously cannot explain this all in a short answer. If you're not familiar with server administration, then I strongly recommend you find somebody who is and can actually look at the setup. The best we can do here is point out a few obvious problems:

  • Containers should be isolated with sVirt/SELinux or AppArmor to prevent attacks against the containers from affecting the host. The Docker documentation also lists several other security measures like using Linux capabilities.
  • The nginx webserver should also be locked down with SELinux or AppArmor.
  • Each individual web application running inside a container, and other services like database systems should be hardened. How exactly depends on the exact application.
  • You should avoid password-based authentication and use public-key authentication instead, or at least implement 2FA. This is particularly true for SSH: Enable PubkeyAuthentication and disable PasswordAuthentication (make sure the former is working before you do the latter, or you'll lock yourself out). For the management interfaces of Portainer etc., you can enable TLS client certificate authentication in nginx, so that it's not even possible to access the log-in form without prior public-key authentication.
  • Consider disabling public access to the management interfaces entirely. Bind the corresponding webserver to a local IP and access the interfaces through a VPN, a proxy or an SSH tunnel.
  • Check the TLS configuration with tools like the Qualys SSL Server Test. If the browser succeeds in establishing a TLS connection, this only means the server fulfills the minimum requirements (valid certificate, use of browser-supported cipher suites etc.). It doesn't prove that TLS is configured securely.
  • Check the OWASP Top 10 for general advice on web security.
  • Thank you so much for taking the time to provide such a thorough and clear answer!
    – dooshnila
    Commented May 27 at 6:20
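The two concrete checks from the answer (key-only SSH, and management interfaces not listening on every interface) as an added POSIX sh audit helper; this is example code, not from the question, the answer or any of the tools named. It parses the effective sshd configuration (`sshd -T`) and the listening-socket table (`ss -Hltn`); the sample outputs embedded below are constructed so it runs offline, and the management ports 22, 9090 and 9000 are taken from the question.

```shell
#!/bin/sh
# Added audit helper, not code from the question or the answer. It checks the
# two sshd settings the answer names against the effective configuration
# (`sshd -T`, which resolves Match/Include blocks) and flags management ports
# that listen on a wildcard address instead of localhost. The sample outputs
# below are constructed; the port numbers (22, 9090, 9000) follow the question.

# audit_sshd TEXT: TEXT is `sshd -T` output. Prints one line per finding,
# returns 1 if anything needs fixing.
audit_sshd() {
    _bad=0
    for _kv in "passwordauthentication no" "pubkeyauthentication yes"; do
        _key=${_kv% *}; _want=${_kv#* }
        _have=$(printf '%s\n' "$1" | awk -v k="$_key" '$1 == k { print $2 }')
        if [ "$_have" != "$_want" ]; then
            echo "sshd: $_key is '${_have:-unset}', expected '$_want'"
            _bad=1
        fi
    done
    return $_bad
}

# audit_listeners TEXT PORTS: TEXT is `ss -Hltn` output (one listening TCP
# socket per line, column 4 = local address:port); PORTS is a space-separated
# list of management ports that must not be reachable from the internet.
audit_listeners() {
    _found=$(printf '%s\n' "$1" | awk -v ports="$2" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[^:]*$/, "", host)
            if ((port in want) && (host == "0.0.0.0" || host == "*" || host == "[::]"))
                print "port " port " listens on " host " (bind it to 127.0.0.1 or a VPN address)"
        }')
    if [ -n "$_found" ]; then printf '%s\n' "$_found"; return 1; fi
    return 0
}

# Constructed sample data (assumption) so the script runs offline; on the real
# host use: audit_sshd "$(sshd -T)" and audit_listeners "$(ss -Hltn)" "9090 9000"
SAMPLE_SSHD='passwordauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:9090 *:*
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*'

audit_sshd "$SAMPLE_SSHD" || echo "-> edit /etc/ssh/sshd_config, test a key login, then restart sshd"
audit_listeners "$SAMPLE_SS" "9090 9000" || echo "-> re-bind the service and reach it over a VPN or SSH tunnel"
```

Run it as root on the host so `sshd -T` can read the configuration; the sample data reproduces the question's state (password SSH login allowed, Cockpit on 9090 open to the world) and the script returns non-zero on both findings.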
