So I have two instances of AdGuard Home running on two providers (Vultr and DigitalOcean in case it’s relevant) and I want to know how to make it more secure. I have the following firewall rules in place already:

  1. Port 22 open for all
  2. Port 53 open for select CIDRs (my IP and relatives’ IP for router level config, and for a couple of VPN IPs)
  3. Port 443 open for all
  4. Port 853 open for all
  5. Everything else closed for all

Despite this config, my AdGuard Home instances sometimes slow down and stop working. I’m on their 1 CPU, 1 GB RAM and SSD storage plans. What can I do to make the VPS more secure?

  • Yo_2T@alien.top · 1 year ago

    Not sure what’s going on that’s making it slow down and unresponsive, cuz AGH isn’t all that resource hungry.

    Since you have 53 open to select CIDR ranges, do you get a lot of queries from IPs other than the ones from your own and your relatives?

    • randomname97531@alien.top (OP) · 1 year ago

      I’m not sure either. I use Google and Cloudflare DoH and DoT addresses as upstream DNS, and some 8 hours ago I noticed high response times, such as 20,000, mainly for the Google DoT address (and also Cloudflare DoT). I checked system resource usage of the instances and everything is normal. There is also no network usage spike. I made sure Ubuntu is up to date with no upgrades available, rebooted it as well, and even manually restarted the VPS.

      I actually used to use Oracle’s free tier for about 1 year and 4 months, with port 53 open for all (yeah, that was a bad choice in retrospect), and it was only last month that I got requests from a bunch of IP addresses in Brazil and Paraguay. I ended up spending some 1.5 hours looking for rogue IPs from these countries, created a CIDR list from two already-available lists, and then pasted all those CIDRs into Disallowed Domains in DNS Settings. That stopped the issue. But Oracle still cancelled and terminated my account a couple of weeks after that incident. So when I set up my current instances on Vultr and DO, one of the first things I did was enable the firewall and limit port 53 to select CIDRs, because we are assigned IPs dynamically and I can’t use exact IP addresses. So far, I’ve not got requests from any IP I don’t recognise.
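As an added example that is not part of the thread, a small Python check that answers Yo_2T’s question and the OP’s slow-upstream observation from the AdGuard Home query log: it counts queries from client IPs outside the allowed CIDRs and counts slow answers per upstream. The CIDRs and log lines are constructed; the querylog.json field names (IP, QH, Upstream, Elapsed in nanoseconds) are assumed from AdGuard Home’s one-JSON-object-per-line log format.

```python
import json
import ipaddress
from collections import Counter

# Client ranges the firewall is supposed to admit on port 53 (constructed sample CIDRs).
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.10/32")]

# Constructed sample lines in the shape of AdGuard Home's querylog.json
# (one JSON object per line; field names IP, QH, Upstream, Elapsed are assumed,
# with Elapsed in nanoseconds).
SAMPLE_LOG = """\
{"IP":"198.51.100.7","QH":"example.com.","Upstream":"tls://dns.google","Elapsed":18200000}
{"IP":"203.0.113.10","QH":"example.org.","Upstream":"tls://1.1.1.1","Elapsed":22900000}
{"IP":"192.0.2.44","QH":"example.net.","Upstream":"tls://dns.google","Elapsed":20000000000}
{"IP":"192.0.2.44","QH":"example.net.","Upstream":"tls://dns.google","Elapsed":19800000000}
{"IP":"198.51.100.7","QH":"example.com.","Upstream":"tls://1.1.1.1","Elapsed":15000000}
"""

def is_allowed(ip):
    """True if the client IP falls inside one of the firewall-allowed CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CIDRS)

def analyse(log_text, slow_ms=2000):
    """Return (queries per unexpected client IP, slow-answer count per upstream)."""
    unexpected = Counter()
    slow_by_upstream = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # Any query from outside the allowed ranges means port 53 is reachable
        # from somewhere the firewall should have blocked.
        if not is_allowed(entry["IP"]):
            unexpected[entry["IP"]] += 1
        # Convert nanoseconds to milliseconds and flag slow upstream answers.
        if entry.get("Elapsed", 0) / 1_000_000 >= slow_ms:
            slow_by_upstream[entry.get("Upstream", "?")] += 1
    return unexpected, slow_by_upstream

if __name__ == "__main__":
    unexpected, slow = analyse(SAMPLE_LOG)
    for ip, n in unexpected.most_common():
        print(f"unexpected client {ip}: {n} queries")
    for up, n in slow.most_common():
        print(f"slow answers via {up}: {n}")
```

Point it at a real querylog.json (and the real allowed CIDRs) to see whether the slowdowns line up with one upstream or with unexpected clients.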