LAN security options for the server
- Whole disk encryption (prevents bypassing security by reading the disk with another computer)
- Dedicated server (reduces exploitable surface area)
- Linux OS (protects from Windows malware)
- Firewall blocking all but ssh and the noodle http[s] ports. (reduces exploitable surface area)
- ssh keys (prevents password guessing on ssh)
- On a network not (even indirectly) connected to the internet. (most secure)
- On a network only indirectly connected to the internet with no Microsoft Windows devices on the network.
- Encrypted VPN or better yet an ssh tunnel (used with keys, this will prevent man-in-the-middle attacks from a spoofed wifi or an untrusted ISP or government)
- Anonymity networks like Tor can be used (optionally with ssl or ssh) (in practice will prevent anyone, including governments, from knowing what server a user is talking to)
- On a network only indirectly connected to the internet.
- On a public network with a firewall or NAT port forwarding blocking all but one port
- On a public network (least secure)
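
The firewall and ssh-key items above can be verified on the server itself. The script below is an added example, not part of the original page: it flags listening ports outside an allowed set and confirms that sshd rejects password logins, which is what makes keys stop password guessing. The port numbers (22, 80, 443), function names and sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. ALLOWED_PORTS is an assumption:
# 22 for ssh, 80 and 443 for the web application's http[s] ports.
ALLOWED_PORTS="22 80 443"

# Reads `ss -tln` output on stdin; prints each non-loopback listening port
# that is not in ALLOWED_PORTS (sorted, de-duplicated).
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                  # also skips the header line
        {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)  # text before the last colon
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            if (!(port in ok)) print port
        }' | sort -n -u
}

# Reads `sshd -T` output (effective settings, lowercase keywords) on stdin.
# Returns 0 only if key login is on and all password-style logins are off.
check_sshd() {
    awk '
        $1 == "pubkeyauthentication" { pubkey = $2 }
        $1 ~ /^(password|kbdinteractive|challengeresponse)authentication$/ && $2 != "no" {
            print "password guessing still possible: " $1 " " $2; bad = 1
        }
        END {
            if (pubkey != "yes") { print "pubkeyauthentication is not yes"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      151          0.0.0.0:3306       0.0.0.0:*
LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*'
SAMPLE_SSHD_WEAK='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'
SAMPLE_SSHD_OK='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_SS" | unexpected_ports            # prints 3306
printf '%s\n' "$SAMPLE_SSHD_WEAK" | check_sshd || echo "ssh: not key-only"
```

On a real host, pipe live data in instead of the samples: `ss -tln | unexpected_ports` and, as root, `sshd -T | check_sshd`.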