Network Sec

Common Ringed Plover posted this in #questions
102 messages
Common Ringed Plover (OP)
Current network sec for my server setup is this.

CFT -> [ DMZ, docker(lxc)-> Reverse Proxy] -> infa ( Pterodactyl/Ctrl panel [LXC] ) <-> ( Wings VM )
All traffic goes through my reverse proxy and through a CFT, with the only open port being on the Wings VM.
Should I be locking it down further?

All HTTPS traffic flows through my RP, keeping my other stuff isolated from the CFT.
Common Ringed Plover (OP)
The downside of my sec, though, is latency (not too bad tbh).

As everything is running on my clustered Proxmox, I am emulating, then for Pterodactyl I am emulating again with its Docker containers.
@Blstmo Can you go further? Short answer: yes.
Longer answer: no, because it's just not worth it, especially since it looks like a home lab setup.
Common Ringed Plover (OP)
While it is partly my homelab, I am setting up a small business for MC server hosting in my local community, as I have the extra compute.
On top of that, as I am doing cyber sec courses, I want to make sure my network sec is actually up to snuff.
Your biggest risk will be DDoS attacks on the actual servers. If you want to go further, you can set up vnets inside of Proxmox to allow inter-communication between services as needed, if you really wanted to fully reduce any outside communication, so you would have
like
panel and WHMCS on a vnet
DB server on the same vnet
and then you would have another vnet that has your proxy, WHMCS and Ptero panel on it, and then you could create rules that block any traffic apart from 443 and 80 for those. This is way overkill though, and just a quick explanation, as I have a lot of stuff I am doing right now.
On the cyber sec note, I assume you're doing it through a school. Do they get you guys to do any like super rare issues like bit-flipping vulns and stuff, or is it just the sort of more basic stuff?
For cyber sec, I am applying for a comp science degree with a major in cyber, plus an internship with my government's cyber stuff.
I have done the TCM ethical hacking cyber course, plus all the free Linux admin and cyber sec courses from the Linux Foundation. I have also been slowly chipping away at the HTB cyber sec courses.
Very nice, very nice.
Well, good luck.
Common Ringed Plover (OP)
You too.
I am out of gov cyber sec now; 5 years of hell (not to scare you or anything) was enough. Just hope you don't have to deal with the stuff I did when you have your gov job.
Sorry for my awful grammar, it's been a long day.
Common Ringed Plover (OP)
:shrug: I want to get to a red team (espionage). Also, it's fine man, my grammar is horrid as well.
OK, you should run into less of the horrid stuff on the internet then, you should be fine.
@AeonRemnant One thing to avoid if you can is using Docker on an LXC like you are. LXCs run on the hypervisor host so a priv escalation can cause you more problems. Better to run these things in a VM or dedicated metal, the overhead isn’t significant.
Common Ringed Plover (OP)
I already thought of that.

As per my chart, the only things in LXCs are the main panel for Pterodactyl and the storefront.

The main server node running Wings is on a VM and locked down.
Docker is only running the endpoints for CFT.
Honestly? Ptero is that poorly made that I wouldn't be risking it. It's had multiple pretty bad CVEs before; the storefront being in an LXC isn't... omega scuffed, but no LXC deployment is the best kind of deployment.
Moonlight is better.