Skip to content

GrumpyKit10/CloudWatcher

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
docker/wireguard
docker/wireguard
 
 
docs
docs
 
 
fail2ban
fail2ban
 
 
nginx
nginx
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
TODO.txt
TODO.txt
 
 

Repository files navigation

CloudWatcher

Personal Ubuntu server hosted on Linode for web development and website hosting with secure remote access and enterprise-style hardening.

Overview

CloudWatcher is a manually configured Ubuntu 22.04 server hosted on Linode. It serves my personal website and development projects while prioritizing security, controlled access, and reliable backups. The server demonstrates hands-on experience with Linux server administration, networking, VPNs, and secure system configuration.

Features

  • Secure remote access via WireGuard VPN and SSH keys for a dedicated non-root user
  • Manual Ubuntu hardening: firewall rules, non-root SSH, restricted access
  • Nginx web server hosting for personal website and development projects
  • Automated backups:
    • Linode snapshots
    • Object storage backup (Linode bucket)
  • Persistent logging and monitoring for system, service, and network events
  • Infrastructure maintained entirely through manual configuration for full control
  • Domain and DNS managed via AWS Route53
  • HTTPS configured with AWS Certificate Manager
  • Custom domain email setup using Zoho Mail with catch-all support

Architecture Diagram

The following diagram shows the CloudWatcher server setup:

  • Secure remote access via WireGuard VPN and SSH keys
  • Nginx web server with HTTPS via AWS Certificate Manager
  • DNS managed via AWS Route53
  • Email handled via Zoho Mail with catch-all functionality
  • Persistent logging and backup flows illustrated
flowchart TD
    Internet((Internet))
    Route53[AWS Route53 DNS]
    ACM[AWS Certificate Manager HTTPS]
    CloudWatcher[CloudWatcher Server Ubuntu 22.04]
    Nginx[Nginx Web Server]
    VPN[WireGuard VPN]
    Users[Authorized Users SSH Keys]
    UFW[UFW Firewall + Fail2Ban]
    Logs[Persistent Logging journald Nginx UFW]
    Backups[Linode Snapshots & Object Storage]
    Email[Zoho Mail catch-all]

    Internet --> Route53
    Route53 --> ACM
    ACM --> CloudWatcher
    CloudWatcher --> Nginx
    CloudWatcher --> VPN
    VPN --> Users
    CloudWatcher --> UFW
    CloudWatcher --> Logs
    CloudWatcher --> Backups
    Route53 --> Email
Loading

Security & Hardening

Access & Authentication

  • SSH access restricted to a non-root user
  • Root login disabled
  • Password authentication disabled; SSH keys required
  • User logins limited via AllowUsers in SSH configuration

Firewall & Network

  • UFW configured to deny all incoming traffic except:
    • SSH (custom port)
    • WireGuard VPN
    • HTTPS (Nginx)
  • Fail2Ban installed to prevent brute-force login attempts
  • Unused services disabled to minimize attack surface

Logging & Monitoring

  • Persistent system logging enabled with journald for OS and service events
  • Nginx access and error logs maintained for web server monitoring
  • UFW firewall logs maintained for network activity auditing
  • SSH and sudo activity logged in /var/log/auth.log

Updates & Maintenance

  • Automatic security updates enabled for timely vulnerability patching
  • Regular Linode snapshots and object storage backups ensure data redundancy

VPN

Note: Sensitive keys and IPs are intentionally excluded. Replace placeholders in wg0.conf.example before deployment.

  • WireGuard VPN configured as the only remote access method to the server
  • VPN enforces strong encryption and restricted allowed IPs
  • WireGuard VPN deployed via Docker Compose for secure remote access
  • Containerized setup ensures reproducibility and simplified management
  • Configuration stored separately in docker/wireguard/ with example configs for security

Setup Summary (Reproducible Steps)

Note: Sensitive credentials, IPs, and keys are not included for security reasons.

  1. Install Ubuntu 22.04 LTS on a Linode VM
  2. Create dedicated non-root user for SSH access
  3. Configure WireGuard VPN for all remote connections
  4. Install and configure Nginx for web hosting
  5. Enable UFW firewall and configure rules for required services
  6. Install Fail2Ban to protect against brute-force attacks
  7. Enable persistent journald logging and verify system logs
  8. Configure Linode snapshot backups and object storage backups
  9. Enable automatic security updates
  10. Configured Route53 DNS and AWS Certificate Manager for secure HTTPS traffic
  11. Integrated custom email via Zoho Mail with catch-all functionality for personal domain

Notes

All services and hardening measures were configured manually to demonstrate a deep understanding of Linux server security, networking, and operational reliability.

License

This project is licensed under the MIT License.

About

Personal Ubuntu server for web hosting and project development with secure remote access.

infosecmatthew.com

Topics

dns nginx ssh ssl aws backup email firewall logging linux-server wireguard

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages