Inspired by this comment to try to learn what I’m missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?
Default block for incoming traffic is always a good starting point.
I’m personally using crowdsec to good results, but still need to add some more to it as I keep seeing failed attacks that should be blocked much quicker.