Harden dnsc-vps-sm #2

Closed
opened 2026-03-13 11:32:25 +01:00 by dennis · 0 comments
Owner

Step 1

Create access log files through caddy config (per-host). Pay attention to roll: https://caddyserver.com/docs/caddyfile/directives/log#examples

Step 2

Install and configure goaccess for Caddy

Step 3

Identify IP ranges to ban

Step 4

Switch to nftables with networking.firewall.nftables.enable = true and then set rules with:

networking.firewall.extraInputRules = ''
  ip saddr 192.0.2.0/24 tcp dport { 80, 443 } drop
  ip6 saddr 2001:db8::/32 tcp dport { 80, 443 } drop
'';

Step 5

Maybe follow-up by using CrowdSec. Avoid Cloudflare, but might be needed at some point.

## Step 1 Create access log files through caddy config (per-host). Pay attention to roll: https://caddyserver.com/docs/caddyfile/directives/log#examples ## Step 2 Install and configure `goaccess` for Caddy ## Step 3 Identify IP ranges to ban ## Step 4 Switch to nftables with `networking.firewall.nftables.enable = true` and then set rules with: ```nix networking.firewall.extraInputRules = '' ip saddr 192.0.2.0/24 tcp dport { 80, 443 } drop ip6 saddr 2001:db8::/32 tcp dport { 80, 443 } drop ''; ``` ## Step 5 Maybe follow-up by using CrowdSec. Avoid Cloudflare, but might be needed at some point.
dennis added reference feat/caddy-hardening 2026-03-13 14:51:01 +01:00
Sign in to join this conversation.
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
dennis/nix-config#2
No description provided.