43f25321d7
modified: core/crowdsec/docker-compose.yml
modified: core/error-pages/docker-compose.yml
modified: monitoring/docker-exporter/docker-compose.yml
modified: monitoring/docker-socket-proxy/docker-compose.yml
deleted: monitoring/influxdb-service/docker-compose.yml
modified: monitoring/node-exporter/docker-compose.yml
modified: monitoring/pihole-exporter/docker-compose.yml
modified: monitoring/telegraf/docker-compose.yml
new file: service-access-policy.md
3.8 KiB
Service Access Policy and External Exposure Hardening
1) Service classification
| Service/Host | Classification | Rationale |
|---|---|---|
| auth.lan.ddnsgeek.com | authenticated-public | Public identity/login entrypoint; internet-accessible but requires user authentication. |
| nextcloud.lan.ddnsgeek.com | authenticated-public | Internet-facing collaboration app that must remain reachable to authenticated users. |
| passbolt.lan.ddnsgeek.com | authenticated-public | Public password-management portal with strong authentication controls. |
| gitea.lan.ddnsgeek.com | authenticated-public | Public developer endpoint with account-based access. |
| searxng.lan.ddnsgeek.com | public | Intended anonymous/search access endpoint. |
| familytree.lan.ddnsgeek.com | authenticated-public | End-user app; externally reachable but login-protected. |
| shifts.lan.ddnsgeek.com | authenticated-public | End-user app; externally reachable but login-protected. |
| stockfill.lan.ddnsgeek.com | authenticated-public | End-user app; externally reachable but login-protected. |
| gotify.lan.ddnsgeek.com | private-admin | Admin/ops notification backend; should not be internet reachable. |
| grafana.lan.ddnsgeek.com | private-admin | Infrastructure admin/observability console. |
| prometheus.lan.ddnsgeek.com | private-admin | Monitoring datastore/query interface. |
| node-red.lan.ddnsgeek.com | private-admin | Automation runtime and flow editor. |
| traefik.lan.ddnsgeek.com | private-admin | Reverse-proxy admin/dashboard surface. |
| portainer.lan.ddnsgeek.com | private-admin | Container management plane. |
| influxdb.lan.ddnsgeek.com | private-admin | Metrics datastore admin/API surface. |
| kuma.lan.ddnsgeek.com | private-admin | Monitoring admin surface. |
| monitor-kuma.lan.ddnsgeek.com | private-admin | Monitoring admin surface. |
| edge.lan.ddnsgeek.com | private-admin | Edge/network administration plane. |
2) Required controls for private-admin
Apply at least one trusted-path control (preferably layered):
- Private network only (no public DNS / no internet route).
- WireGuard/Tailscale/OpenVPN access gate.
- mTLS client certificate requirement at reverse proxy.
- Source IP allowlist at firewall and reverse proxy.
Minimum target state for all private-admin hosts:
- Public internet: connection refused/timeout, or immediate `403` for untrusted source.
- Trusted path (VPN/mTLS/allowlisted IP): normal authenticated access.
3) Gateway auth hardening
For all public and authenticated-public services:
- Keep SSO and MFA enforcement at the identity gateway.
- Enforce lockout/backoff on `/login`, `/oauth/*`, `/auth/*`, `/api/auth/*`.
- Rate-limit by source IP + account identifier to deter credential stuffing.
Suggested baseline:
- Soft limit: `10 req/min` per IP for auth endpoints.
- Burst: `20`.
- Temporary block: `15 min` after repeated failures.
- Account lockout: `5-10` consecutive failed attempts (with secure unlock flow).
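The baseline above, as an added worked example (not code from this repository or its gateway): a per-IP token bucket for the auth paths listed in section 3, plus per-account lockout and a temporary per-IP block, using the policy's numbers (10 req/min soft limit, burst 20, 15-minute block, lockout at 5 failures, the low end of the 5-10 range). The threshold of 10 failed attempts before an IP block, the `AuthGuard` class and the scenario functions are assumptions made for the example; time is passed in explicitly so the behaviour is deterministic.

```python
"""Added example, not the repo's own gateway code: rate limit + lockout for
auth endpoints following the policy baseline.  Thresholds marked 'assumed'
are choices for this example, not values stated in the policy."""

SOFT_LIMIT_PER_MIN = 10          # policy: 10 req/min per IP on auth endpoints
BURST = 20                       # policy: burst 20
BLOCK_SECONDS = 15 * 60          # policy: temporary block 15 min
LOCKOUT_FAILURES = 5             # policy: 5-10 consecutive failures (low end chosen)
IP_BLOCK_FAILURES = 10           # assumed: failures from one IP before a temp block

AUTH_PREFIXES = ("/oauth/", "/auth/", "/api/auth/")


def is_auth_path(path):
    """Paths covered by the lockout/backoff rule in section 3."""
    return path == "/login" or path.startswith(AUTH_PREFIXES)


class TokenBucket:
    """Soft limit with burst: refills at SOFT_LIMIT_PER_MIN, holds at most BURST."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def take(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AuthGuard:
    """Assumed helper: decides whether an auth request may proceed."""

    def __init__(self):
        self.buckets = {}            # ip -> TokenBucket
        self.ip_failures = {}        # ip -> consecutive failed logins
        self.ip_blocked_until = {}   # ip -> unix time the temp block ends
        self.account_failures = {}   # account -> consecutive failed logins
        self.locked_accounts = set()

    def check(self, ip, account, path, now):
        """Returns 'allow', 'ip_blocked', 'account_locked' or 'rate_limited'."""
        if not is_auth_path(path):
            return "allow"                       # limits apply to auth endpoints only
        if self.ip_blocked_until.get(ip, 0.0) > now:
            return "ip_blocked"
        if account in self.locked_accounts:
            return "account_locked"
        bucket = self.buckets.setdefault(
            ip, TokenBucket(BURST, SOFT_LIMIT_PER_MIN / 60.0, now))
        return "allow" if bucket.take(now) else "rate_limited"

    def record_failure(self, ip, account, now):
        """Call after a failed credential check; applies lockout and temp block."""
        self.account_failures[account] = self.account_failures.get(account, 0) + 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.account_failures[account] >= LOCKOUT_FAILURES:
            self.locked_accounts.add(account)
        if self.ip_failures[ip] >= IP_BLOCK_FAILURES:
            self.ip_blocked_until[ip] = now + BLOCK_SECONDS
            self.ip_failures[ip] = 0

    def record_success(self, ip, account):
        """A successful login resets the consecutive-failure counters."""
        self.account_failures.pop(account, None)
        self.ip_failures.pop(ip, None)

    def unlock_account(self, account):
        """Entry point for the policy's 'secure unlock flow' (verification not shown)."""
        self.locked_accounts.discard(account)
        self.account_failures.pop(account, None)


# Constructed scenarios (addresses are documentation ranges, not real hosts).
def simulate_credential_stuffing():
    """25 requests in the same second from one IP: burst of 20 passes, rest limited."""
    guard = AuthGuard()
    return [guard.check("203.0.113.7", f"user{i}", "/login", now=0.0) for i in range(25)]


def simulate_lockout():
    """5 consecutive failures on one account lock it regardless of pace."""
    guard = AuthGuard()
    for i in range(LOCKOUT_FAILURES):
        guard.check("198.51.100.4", "alice", "/login", now=float(i))
        guard.record_failure("198.51.100.4", "alice", now=float(i))
    return guard.check("198.51.100.4", "alice", "/login", now=10.0)


def simulate_ip_block():
    """10 failures across many accounts from one IP: blocked, then clear after 15 min."""
    guard = AuthGuard()
    for i in range(IP_BLOCK_FAILURES):
        guard.check("203.0.113.9", f"user{i}", "/login", now=float(i))
        guard.record_failure("203.0.113.9", f"user{i}", now=float(i))
    during = guard.check("203.0.113.9", "user99", "/login", now=20.0)
    after = guard.check("203.0.113.9", "user99", "/login", now=20.0 + BLOCK_SECONDS)
    return during, after


if __name__ == "__main__":
    print(simulate_credential_stuffing().count("allow"), "of 25 allowed in one burst")
    print("after 5 failures:", simulate_lockout())
    print("during/after IP block:", simulate_ip_block())
```

The account counter and the IP counter are kept separately on purpose: a spray that touches each account once never reaches the account lockout, but still trips the per-IP block, which is why the policy keys the rate limit on source IP and account identifier together.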
4) WAF / reverse-proxy protections
Deploy one of:
- WAF managed rules for bot/credential-stuffing signatures.
- Reverse-proxy failed-auth throttling and tarpit/delay policy.
Implement logging + alerting thresholds:
- High failed-auth rate from one IP/CIDR.
- Password spray pattern across many usernames.
- Geo/ASN anomalies for sensitive apps.
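As an added example of the first two alerting thresholds (not detection code from this repository or from CrowdSec), the block below runs a sliding five-minute window over constructed reverse-proxy access-log lines and raises one alert for a high failed-auth rate from a single IP and another for a password-spray pattern (one IP, many distinct usernames). The log line layout, the window length and both thresholds (15 failures, 8 distinct usernames) are assumptions; geo/ASN anomaly detection needs an external enrichment source and is not shown.

```python
"""Added example, not the repo's own detection logic: failed-auth rate and
password-spray alerts over constructed access-log lines.  Log format and
thresholds are assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "<ISO time> <client ip> <method> <path> <status> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S*)$"
)
WINDOW = timedelta(minutes=5)       # assumed sliding window
FAILED_AUTH_PER_IP = 15             # assumed: failures in window from one IP
SPRAY_DISTINCT_USERS = 8            # assumed: distinct usernames failed from one IP
AUTH_PREFIXES = ("/oauth/", "/auth/", "/api/auth/")


def parse_line(line):
    """Returns a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def is_failed_auth(rec):
    """Only auth endpoints (section 3 list) with a 401/403 count as failures."""
    on_auth = rec["path"] == "/login" or rec["path"].startswith(AUTH_PREFIXES)
    return on_auth and rec["status"] in (401, 403)


def detect(lines):
    """Returns sorted (alert_type, ip) pairs for the two thresholds."""
    failures = defaultdict(list)                  # ip -> [(ts, user), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_auth(rec):
            failures[rec["ip"]].append((rec["ts"], rec["user"]))

    alerts = set()
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start so every event inside it is within WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            in_window = events[start:end + 1]
            if len(in_window) >= FAILED_AUTH_PER_IP:
                alerts.add(("failed-auth-rate", ip))
            if len({user for _, user in in_window}) >= SPRAY_DISTINCT_USERS:
                alerts.add(("password-spray", ip))
    return sorted(alerts)


def build_sample_log():
    """Constructed sample: one brute-force IP, one spraying IP, one benign user."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(20):                            # 20 failures on 'admin' in ~95 s
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 203.0.113.50 POST /login 401 user=admin")
    for i in range(9):                             # 9 usernames, one try each, ~200 s
        t = base + timedelta(seconds=25 * i)
        lines.append(f"{t.isoformat()} 198.51.100.23 POST /api/auth/login 401 user=user{i}")
    lines += [                                     # one typo then a success; a 404 on a static file
        f"{base.isoformat()} 192.0.2.10 POST /login 401 user=bob",
        f"{(base + timedelta(seconds=30)).isoformat()} 192.0.2.10 POST /login 200 user=bob",
        f"{base.isoformat()} 192.0.2.10 GET /static/app.js 404 user=",
    ]
    return lines


if __name__ == "__main__":
    for alert_type, ip in detect(build_sample_log()):
        print(f"ALERT {alert_type} from {ip}")
```

The brute-force IP trips only the rate threshold (one username), and the spraying IP trips only the distinct-username threshold (nine attempts, below the rate threshold), which is why the policy lists both patterns separately: a rate-only rule misses a slow spray.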
5) External re-test procedure
Re-test from a non-trusted external network and record outcomes.
Success criteria:
- Every `private-admin` host is inaccessible without VPN/mTLS/allowlisted source.
- `public` and `authenticated-public` hosts remain reachable.
- Auth endpoints trigger rate-limit/lockout controls under failed-attempt simulation.
Use `./scripts/retest-external-access.sh` for a repeatable external validation pass.
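An added evaluator for the first two success criteria, written for this page and not the repository's `scripts/retest-external-access.sh`: it takes the host classifications from the section 1 table, probes each host over HTTPS, and judges the result against the target state from section 2 (private-admin hosts must be unreachable, time out, or answer 403; public and authenticated-public hosts must answer). `run_retest()` accepts any probe function, so the pass/fail logic is exercised offline with constructed outcomes in `self_check_with_constructed_outcomes()`; the mapping of URL errors to "unreachable"/"timeout" and the treatment of any response below 500 as "reachable" are assumptions.

```python
"""Added example, not the repo's retest script: evaluates external re-test
outcomes against the policy's success criteria.  Run from a non-trusted
network; the self-check below uses constructed outcomes and no network."""
import socket
import urllib.error
import urllib.request

# Host classifications copied from the policy table (section 1).
CLASSIFICATION = {
    "auth.lan.ddnsgeek.com": "authenticated-public",
    "nextcloud.lan.ddnsgeek.com": "authenticated-public",
    "passbolt.lan.ddnsgeek.com": "authenticated-public",
    "gitea.lan.ddnsgeek.com": "authenticated-public",
    "searxng.lan.ddnsgeek.com": "public",
    "familytree.lan.ddnsgeek.com": "authenticated-public",
    "shifts.lan.ddnsgeek.com": "authenticated-public",
    "stockfill.lan.ddnsgeek.com": "authenticated-public",
    "gotify.lan.ddnsgeek.com": "private-admin",
    "grafana.lan.ddnsgeek.com": "private-admin",
    "prometheus.lan.ddnsgeek.com": "private-admin",
    "node-red.lan.ddnsgeek.com": "private-admin",
    "traefik.lan.ddnsgeek.com": "private-admin",
    "portainer.lan.ddnsgeek.com": "private-admin",
    "influxdb.lan.ddnsgeek.com": "private-admin",
    "kuma.lan.ddnsgeek.com": "private-admin",
    "monitor-kuma.lan.ddnsgeek.com": "private-admin",
    "edge.lan.ddnsgeek.com": "private-admin",
}


def probe(host, timeout=5.0):
    """Real HTTPS request. Returns an int status, 'timeout' or 'unreachable'."""
    try:
        with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code                      # 401/403/404: the host answered
    except urllib.error.URLError as err:
        if isinstance(err.reason, (socket.timeout, TimeoutError)):
            return "timeout"
        return "unreachable"                 # refused, no route, or no public DNS
    except (socket.timeout, TimeoutError):
        return "timeout"


def expected_outcome_ok(classification, outcome):
    """Section 2 target state for private-admin; 'remains reachable' for the rest."""
    if classification == "private-admin":
        return outcome in ("unreachable", "timeout", 403)
    return isinstance(outcome, int) and outcome < 500


def run_retest(probe_fn=probe, hosts=CLASSIFICATION):
    """Returns host -> (classification, outcome, passed)."""
    report = {}
    for host, cls in hosts.items():
        outcome = probe_fn(host)
        report[host] = (cls, outcome, expected_outcome_ok(cls, outcome))
    return report


def failures(report):
    """Hosts that did not meet their criterion, sorted for stable output."""
    return sorted(host for host, (_, _, ok) in report.items() if not ok)


def self_check_with_constructed_outcomes():
    """Constructed run: every host behaves as required except portainer,
    which answers 200 from the untrusted network.  Returns the failing hosts."""
    fake = {h: ("timeout" if c == "private-admin" else 200)
            for h, c in CLASSIFICATION.items()}
    fake["portainer.lan.ddnsgeek.com"] = 200
    return failures(run_retest(lambda host: fake[host]))


if __name__ == "__main__":
    report = run_retest()
    for host, (cls, outcome, ok) in sorted(report.items()):
        print(f"{'PASS' if ok else 'FAIL'} {host:32} {cls:21} {outcome}")
    raise SystemExit(1 if failures(report) else 0)
```

Record the printed report with the date and the external network used, since the policy asks for outcomes to be kept; a non-zero exit makes the check usable as a gate in a scheduled job.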