
Port knocking through NAT for self-hosted server

Çağlar Arlı      -    21 Views

I decided to move to self-hosting because it is cheaper.

What I want to host:

  • My personal website
  • Some apps for fun
  • Maybe later a Honeypot

I have my old laptop acting as the main host. It has Ubuntu installed with VirtualBox.

What I plan to do is create a VM on the main host. For the OS I think it will be Alpine Linux or another Ubuntu (advice on which one is better?).

I plan to harden it as much as possible (fail2ban, AppArmor etc.).

I plan to have a Docker container for every app inside the VM. The access for different apps will be through host header forwarding and nginx.

Now for the big question, which is networking. I plan to use VirtualBox bridged mode for the VM (is it the best choice? Maybe switch to a NAT network?)

On my router admin page I can activate the NAT and create rules:

80, PUBLIC IP  ===> 80, VM IP
443, PUBLIC IP ===> 443, VM IP
22, PUBLIC IP  ===> 22, VM IP

Even though I allow authentication only through a public key and private key, I am still worried about port 22 being exposed.

I want to implement port knocking. Assume I choose 1000, 2000, 3000 as the sequence. My VM won't even know someone knocked, because everything (except 443 and 80) is blocked by my router NAT ...

I thought about creating more NAT rules in my router, but this is visible to attackers: they just need to try 3! = 6 permutations before finding the correct sequence ...

Any recommendation or critiques about hardening are very appreciated.
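As an added illustration (example code written for this page, not from the question or from any particular port-knocking tool): the server-side state machine a knock daemon on the VM would run, fed one event per inbound connection attempt, together with a model of the router's NAT rules that shows why, with only 80/443/22 forwarded, none of the knocks to 1000/2000/3000 ever reaches the VM. The 10-second window, the tracker's structure and the sample addresses are assumptions; the sequence and the forwarded ports are the ones from the post.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1000, 2000, 3000)  # the sequence chosen in the post
KNOCK_TIMEOUT = 10.0                 # seconds allowed for the full sequence (assumed value)
FORWARDED_PORTS = {80, 443, 22}      # the router NAT rules in the post

@dataclass
class KnockTracker:
    """Knock-daemon logic: feed one (ts, src_ip, dst_port) per inbound SYN."""
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = KNOCK_TIMEOUT
    # per-source progress: src_ip -> (index of next expected port, time of first knock)
    _progress: dict = field(default_factory=dict)
    opened: list = field(default_factory=list)  # sources that completed the sequence

    def observe(self, ts, src_ip, dst_port):
        """Returns True when src_ip has just completed the whole sequence."""
        index, started = self._progress.get(src_ip, (0, ts))
        if index and ts - started > self.timeout:
            index = 0                 # stale partial sequence: start over
        if dst_port != self.sequence[index]:
            index = 0                 # wrong port or wrong order: start over
        if dst_port == self.sequence[index]:
            if index == 0:
                started = ts          # first correct knock starts the timer
            index += 1
        if index == len(self.sequence):
            self._progress.pop(src_ip, None)
            self.opened.append(src_ip)
            return True
        self._progress[src_ip] = (index, started)
        return False

def forwarded_by_router(events):
    """Model of the router NAT: only traffic to forwarded ports reaches the VM."""
    return [e for e in events if e[2] in FORWARDED_PORTS]

def knockers(events):
    """Sources that complete the sequence among the events the VM actually sees."""
    tracker = KnockTracker()
    for event in events:
        tracker.observe(*event)
    return tracker.opened

# Constructed sample of inbound SYNs as (ts, src_ip, dst_port), RFC 5737 addresses.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", 1000), (1.0, "198.51.100.7", 2000), (2.0, "198.51.100.7", 3000),  # in order
    (0.5, "203.0.113.9", 3000), (1.5, "203.0.113.9", 2000), (2.5, "203.0.113.9", 1000),     # wrong order
    (5.0, "192.0.2.44", 1000), (30.0, "192.0.2.44", 2000), (31.0, "192.0.2.44", 3000),     # too slow
]
```

A real daemon would take its events from a packet capture or firewall log on the VM and, on a completed sequence, add a temporary firewall rule for that source; `knockers(forwarded_by_router(SAMPLE_EVENTS))` is empty, which is exactly the visibility problem the question describes.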