LAN security options for the server:
- Whole disk encryption (prevents bypassing security by reading the disk with another computer).
- Dedicated server (reduces exploitable surface area).
- Automated Linux updates
- Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
- ssh keys (prevents password guessing on ssh).
LAN security options on a network, listed from most to least secure:
- Network not (even indirectly) connected to the internet.
- Network with only auto upgraded devices only indirectly connected to the internet:
- Encrypted VPN or better yet a ssh tunnel (use with keys will prevent MITMA from a spoofed wifi or an untrusted ISP or government).
- Anonymity networks like tor can be used, optionally with ssl or ssh (in practice will prevent anyone, including governments, from knowing what server a user is talking to).
- Network only indirectly connected to the internet.
- Public network with a firewall or NAT port forwarding blocking all but one port.
- Public network.