Secure Remote Access is the current field-guide cluster.Linux • Security • Self-hosting • Practical tools
Secure Remote Access

How to Decide What Should Be Public on a Linux Server

The safest way to run a Linux server is to decide what should be public before you configure ports, tunnels, DNS, or dashboards. Public services are for visitors, customers, webhooks, and external systems. Admin services should usually stay private.

If you are unsure, start private. It is easier to publish a service later than to clean up an accidental exposure after it has been indexed, scanned, or abused.

The short rule

Make the service public only if unknown Internet users or external systems need to reach it. Keep the service private if it is used for administration, maintenance, monitoring, or internal work.

Should it be public? Usually public Usually private
Website Yes No
Documentation Yes, if intended for users No, if internal
Webhook endpoint Yes, scoped carefully No, if only internal automation
SSH No Yes
Database admin tool No Yes
Metrics dashboard Rarely Yes
Staging app Not by default Usually protected/private

This split gives you a cleaner server before you install extra security tooling.

Public services need deliberate exposure

Public does not mean careless. A public service should have a reason to exist, a hostname, an owner, an authentication model if needed, and a review date.

Good public candidates include:

These services are meant to be reached from outside. They should still be patched, logged, monitored, and documented.

Admin services should usually stay private

Admin services are high-consequence targets. If someone reaches them, they are already closer to control of the system.

Keep these private unless you have a strong reason not to:

A password on an admin dashboard does not automatically make public exposure a good idea. Public exposure adds scanning, brute-force pressure, vulnerability pressure, and review burden.

Protected public is the middle category

Some browser-based tools need a reachable hostname but should not be open to everyone. Treat these as protected-public services.

Examples include:

For these, use a protection layer such as Cloudflare Access, SSO, VPN/mesh access, or strong application authentication. The key is to make an identity decision before sensitive functionality is usable.

The decision model

Use this sequence before exposing anything:

1. Who needs access?
2. Are they known people/devices or unknown public users?
3. Is the service administrative or customer-facing?
4. Does the service need HTTP/browser access?
5. Can it bind to localhost or a private interface instead?
6. What authentication protects it?
7. Who owns it?
8. When will it be reviewed again?

If the answer to “who needs access?” is “only me” or “only our team,” the service should probably not be public.

Match the tool to the decision

Once you know the access category, the tool choice gets simpler.

Decision Better default
Private SSH/admin access Tailscale, WireGuard, or SSH tunnel
Public HTTP service Normal HTTPS hosting or Cloudflare Tunnel
Sensitive browser app Cloudflare Access, app login, or private mesh
Temporary one-person dashboard access SSH local forwarding
Long-term team admin access Tailscale or WireGuard with documented access rules

Do not start with the tool. Start with the access decision.

Common mistakes

Publishing a dashboard because it is convenient

Convenience is not a security model. If only one person needs the dashboard, bind it to localhost or put it behind private access.

Treating DNS as privacy

A strange subdomain is not protection. If a hostname resolves publicly, assume it can be found.

Leaving test services online

Temporary services need expiry dates. If you publish a test app, write down why it exists and when it should be removed.

Forgetting direct origin exposure

If you use a tunnel or reverse proxy, confirm the service is not also reachable directly on the server IP. Otherwise the protective path may be bypassed.

A minimal public-service inventory

Keep a simple table for every server:

Service Public? Host/port Auth Owner Review date
Website Yes example.com public owner monthly
SSH No private network key/MFA path owner monthly
Dashboard No localhost/private private access owner monthly

The inventory does not need to be fancy. It needs to exist.

Bottom line

A safer Linux server starts with a simple distinction: public services are for users; private services are for operators.

Decide which category a service belongs to before opening ports, creating DNS records, or adding tunnels. That one decision prevents many avoidable security problems.