>>1019090
>tinc/cjdns/VPN
Do you just spew buzzwords without thinking?
1) tinc is VPN software, with outdated crypto and 'easy to start' as its only benefit.
2) using cjdns is security through obscurity, an extra set of things to break and security holes, and no better than having a bastion host for solving the 'SSH listens on a well-known IP' problem
3) 99% of hosting services provide a non-internet-routable network for your hosts. No need to bring your own VPN.
So, textbook setup is:
- Web server host - has both a public IP and a connection to the internal net. SSH listens only on the local interface.
- Databases, whatever extra shit you need - connected only to the internal network.
- Bastion - both public and internal connections, SSH listens on public. Keep the IP confidential, and use a non-standard ssh port (yes, it's obscurity, but an extra layer for epsilon effort. It will also keep your logs clean of botnets' junk).
The internal network firewall should run on the router, to protect against local root on a compromised webserver. Allow web -> databases; bastion -> anywhere (ssh port only); block everything else.
The public firewall config is obvious, and it's ok to run it on the hosts themselves.
Once you are comfortable with basic networking, you can try setting up a proper DMZ and VPN (but both are not overkill for the basic website case).
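The router-side internal firewall policy described above, written as an nftables ruleset. This is an added example, not from the post; the addressing (web 10.0.1.10, database 10.0.2.20, bastion 10.0.0.2, internal range 10.0.0.0/16), the PostgreSQL port 5432 and the non-standard SSH port 2222 are assumed values, and it assumes the router actually routes between per-host segments (traffic between hosts on one shared L2 segment never reaches the forward hook).

```nft
#!/usr/sbin/nft -f
# Router forward policy for the internal net (assumed addressing, see lead-in).
flush ruleset

define internal_net = 10.0.0.0/16
define web          = 10.0.1.10
define db           = 10.0.2.20
define bastion      = 10.0.0.2
define ssh_port     = 2222   # non-standard SSH port, assumed value
define db_port      = 5432   # assumed PostgreSQL

table inet internal {
    chain forward {
        # default policy drop = "block everything else"
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # web -> databases (database port only)
        ip saddr $web ip daddr $db tcp dport $db_port ct state new accept

        # bastion -> anywhere on the internal net, ssh port only
        ip saddr $bastion ip daddr $internal_net tcp dport $ssh_port ct state new accept

        # anything else (e.g. a rooted web host probing its neighbours) falls
        # through to the drop policy; log a sample of it for detection
        limit rate 10/minute log prefix "internal-fwd-drop: "
    }
}
```

Because the web host may only talk to the database port, a compromised web server cannot reach the bastion or any other internal host, and the logged drops are the signal that something on the internal net is scanning.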