Public exposure cleanup checklist

Target end-state
No direct admin access ports exposed (SSH/RDP/VNC).
Admin access via:
  MeshCentral (MFA)
  VPN (site-to-site + client), where needed
DMZ hosting island (Fastpanel) on separate public IP for client sites/mail.

Checklist

Phase 1 — Stabilize & document
Complete port forward inventory
Document HAProxy + wiki platform
Create standard naming + IP conventions pages

Phase 2 — Remote access core
Deploy MeshCentral at remote.mackdesigner.com
Enforce MFA for admins
Move management flows behind MeshCentral

Phase 3 — Hosting island
Deploy Fastpanel in DMZ with its own public IP
Move public websites/mail to Fastpanel IP
Keep internal apps behind HAProxy

Phase 4 — Shut down risky stuff
Disable SSH port forward (2222)
Remove old forwards (RDP/VNC/etc.)
Tighten pfSense WAN rules
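Added example (not part of the original checklist): a Python script for the Phase 1 port forward inventory and the Phase 4 cleanup that lists the forwards in a pfSense config.xml export and flags any that reach SSH, RDP or VNC, including forwards hidden behind a non-standard external port. The <nat><rule> element layout and the range notation are assumptions based on typical exports; the sample config, its addresses and the MgmtPorts alias are constructed.

```python
import xml.etree.ElementTree as ET

# Services the checklist wants off the WAN; 2222 is the SSH forward named in Phase 4.
ADMIN_PORTS = {22: "SSH", 2222: "SSH", 3389: "RDP", 5900: "VNC"}

# Constructed sample; element layout assumed from typical pfSense config.xml exports.
SAMPLE_CONFIG = """<pfsense><nat>
 <rule><destination><port>2222</port></destination><target>10.0.10.5</target>
  <local-port>22</local-port><descr>ssh jump</descr></rule>
 <rule><destination><port>443</port></destination><target>10.0.10.20</target>
  <local-port>443</local-port><descr>haproxy</descr></rule>
 <rule><destination><port>13389</port></destination><target>10.0.10.30</target>
  <local-port>3389</local-port><descr>old rdp</descr></rule>
 <rule><destination><port>5900-5902</port></destination><target>10.0.10.40</target>
  <local-port>5900</local-port><descr>vnc pool</descr></rule>
 <rule><destination><port>MgmtPorts</port></destination><target>10.0.10.50</target>
  <local-port>MgmtPorts</local-port><descr>alias based</descr></rule>
 <rule><disabled/><destination><port>22</port></destination><target>10.0.10.5</target>
  <local-port>22</local-port><descr>disabled ssh</descr></rule>
</nat></pfsense>"""

def port_range(spec):
    """Expand '443', '5900-5902' or '5900:5902' into a range of port numbers."""
    lo, _, hi = spec.replace(":", "-").partition("-")
    return range(int(lo), int(hi or lo) + 1)

def inventory(config_xml):
    """Return one row per enabled port forward, flagged with admin services reached."""
    rows = []
    for rule in ET.fromstring(config_xml).iterfind("./nat/rule"):
        if rule.find("disabled") is not None:
            continue  # disabled forwards are not reachable; track them separately
        ext = (rule.findtext("destination/port") or "").strip()
        local = (rule.findtext("local-port") or ext).strip()
        try:
            ext_ports = port_range(ext)
            shift = int(local) - ext_ports.start  # a range forward maps start to start
            flags = sorted({ADMIN_PORTS[p] for e in ext_ports
                            for p in (e, e + shift) if p in ADMIN_PORTS})
        except ValueError:
            flags = ["REVIEW-MANUALLY"]  # port alias or no port: cannot resolve here
        rows.append({"descr": rule.findtext("descr", ""), "external": ext,
                     "target": rule.findtext("target", ""), "local": local, "flags": flags})
    return rows

if __name__ == "__main__":
    for row in inventory(SAMPLE_CONFIG):
        print(f'{row["external"]:>10} -> {row["target"]}:{row["local"]:<10} '
              f'{row["descr"]:<12} {",".join(row["flags"]) or "-"}')
```

Rows flagged REVIEW-MANUALLY use a port alias (or no port), so the alias definition has to be checked by hand before the forward can be cleared.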