Hi, I’m setting up a public wiki using mediawiki and I’d like some help ensuring the server and mediawiki is safely setup before I start sharing it publicly. I installed it on Vultr using the mediawiki app from the Vultr Marketplace. Are there any things I should ensure before publicly sharing the link?
Some things I’ve done so far:
-
I disabled password login to the server so its only possible to login via ssh
-
I made it so I have to approve of any edits to the wiki
-
I still haven’t enabled uploads of files because I want to ensure I only allow jpeg\png uploads.
I’m relatively new to running servers so any tips are highly appreciated.
Get some WAF for the public facing app, maybe at least https://github.com/nbs-system/naxsi .
ELI5? 😅
The install section of naxsi is a whole lotta stuff I’ve never touched before
sorry, this is kinda like a firewall, but protecting websites, so many vulnerabilities are filtered out. it does not protect you 100% percent (nothing does). it might be hard to setup, in that case there is an option to use waf as a service, i.e. - cloudflare has such offering, maybe there are others as well. i have looked into vultr - they seem to offer only a “usual” type of firewall, not http/application based.
Ah ok thanks for the info! Do you know if vultrs firewall would make installing fail2ban redundant?
if you configure ssh access only from your home ip - then fail2ban is not needed.
Oh perfect thanks
But if your home ip ever changes, you‘re fucked. I would never do that. Pubkey is the way.
Method of authentication doesn’t matter if there’s a pre-authentication vulnerability: https://thehackernews.com/2023/02/openssh-releases-patch-for-new-pre-auth.html
Instead of exposing multiple services, I would recommend just one VPN for remote access. Less attack surface.
Thats how I do it. But I also have physical access so if the vpn fails I don’t get locked out.
usually i add more than 1 ip and also vultr firewall can be managed to change ip. tailscale can be used as well. there are options!
That’s good! Had me worried there.