科技回声

Ask HN: How do you secure your home server?

2 points by dschuessler, almost 3 years ago
I am getting into self-hosting and it seems it takes an awful lot of work to secure your general-purpose Linux distribution.[0] I am surprised that the default seems to be to do all of this by hand.

How do you deploy a secure Linux home server? Are there distros that are pre-configured for this purpose? Do you use any Ansible playbooks (or other scripts)? Or do you indeed implement all security measures manually?

[0]: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

2 comments

serf, almost 3 years ago

I do it manually, and I triple-check it manually.

Once I realized that it's a few hours' work for a server that's going to be online for years then the work doesn't seem so bad.

If I was making a routine out of setting up these kinds of things all the time I'd consider some kind of scripted install, but that's not what I've found myself having to do.

simonblack, almost 3 years ago

90% of it is organising which ports you want to open on your router and which machine you will forward those ports to. Then you match those ports by allowing those same ports to be open on the server machine.

I have a Raspberry Pi which is dedicated to two jobs only: as a web server and as a UPS controller. My main machine covers ftp and ssh. The router forwards the relevant ports to the relevant server.

There are surprisingly few ports that need to be open between your network and the outside world: ssh, ftp, http, https is pretty much it. Every other port is blocked. This is mine:

<pre><code>
# ufw status
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere
21                         ALLOW       Anywhere
Anywhere                   ALLOW       202.14.146.0/24
3389                       ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
21 (v6)                    ALLOW       Anywhere (v6)
3389 (v6)                  ALLOW       Anywhere (v6)
</code></pre>

When you organise the ufw firewall on the server, don't forget to allow both IP version 4 addresses and IP version 6 addresses.

Make a note of what you've done, or bookmark the website URLs of the 'Howto Websites' if you use one of those.

You can use a site-checker to see what your firewall is doing: http://ports.my-addr.com/check-all-open-ports-online.php
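An added example, not part of the thread or written by any commenter: a small Python audit that parses `ufw status` output and reports world-open ports missing from an intended list, ports open on only one of IPv4/IPv6, and sources allowed to reach every port. The `intended` allowlist and the function names are hypothetical, the input is constructed from the rule table in the comment above, and the parser assumes columns are separated by two or more spaces.

```python
import re

# Constructed input: the rule table from the comment above, in `ufw status` layout.
SAMPLE = """\
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere
21                         ALLOW       Anywhere
Anywhere                   ALLOW       202.14.146.0/24
3389                       ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
21 (v6)                    ALLOW       Anywhere (v6)
3389 (v6)                  ALLOW       Anywhere (v6)
"""

def parse_rules(text):
    """Yield (port, action, source, family) for each rule row."""
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())  # columns are padded with 2+ spaces
        if len(cols) != 3 or cols[0] in ("To", "--"):
            continue  # status line, header, separator or blank line
        family = "v6" if "(v6)" in line else "v4"
        to, action, src = (c.replace(" (v6)", "") for c in cols)
        yield to.split("/")[0], action, src, family  # "22/tcp" -> "22"

def audit(text, intended):
    """Compare world-open ports with `intended` (hypothetical allowlist of port strings)."""
    open_ports = {"v4": set(), "v6": set()}
    all_ports_sources = []
    for port, action, src, family in parse_rules(text):
        if action.startswith("ALLOW") and port == "Anywhere":
            all_ports_sources.append(src)  # every port is open to this source
        elif action.startswith("ALLOW") and src == "Anywhere":
            open_ports[family].add(port)
    return {
        "unexpected": sorted((open_ports["v4"] | open_ports["v6"]) - set(intended)),
        "v4_only": sorted(open_ports["v4"] - open_ports["v6"]),
        "v6_only": sorted(open_ports["v6"] - open_ports["v4"]),
        "all_ports_sources": all_ports_sources,
    }

if __name__ == "__main__":
    print(audit(SAMPLE, {"21", "22", "80", "443"}))
```

On a live host, pass the captured output of `ufw status` as `text` and the ports you actually forward on the router as `intended`.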