
Network and Security

DNS, TLS certificates, VPN with WireGuard and Tailscale.

DNS — Domain Name System

The system that translates domain names into IP addresses.

1. Client: dig site.com
2. Resolver: ISP / 8.8.8.8
3. Root → TLD: . → .com
4. Authoritative: IP returned

DNS Records

Record   Use                            Example
A        domain → IPv4                  meu-site.com → 93.184.216.34
AAAA     domain → IPv6                  meu-site.com → 2606:2800:220:1:...
CNAME    alias to another domain        www.meu-site.com → meu-site.com
MX       mail server                    meu-site.com → mail.meu-site.com
TXT      text (SPF, DKIM, validation)   v=spf1 include:...
NS       nameservers                    meu-site.com → ns1.cloudflare.com

DNS Tools

dig meu-site.com           # A record
dig meu-site.com AAAA      # IPv6
dig meu-site.com MX        # email
dig meu-site.com NS        # nameservers
dig +short meu-site.com    # IP only
dig +trace meu-site.com    # full resolution chain from the root
dig @8.8.8.8 meu-site.com  # query Google DNS directly

nslookup meu-site.com
host meu-site.com
whois meu-site.com

TLS 1.3

1. ClientHello: versions + ciphers
2. ServerHello: cipher + cert
3. Key Exchange: symmetric key
4. Encrypted: protected data

# TLS 1.3 cipher suites
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

# nginx configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
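As an added example (not from the original guide), the nginx policy above expressed with Python's standard ssl module, followed by a check of the suites the resulting context actually offers; the function and variable names are mine.

```python
import ssl

# Values copied from the nginx snippet on this page.
NGINX_SSL_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def hardened_server_context():
    """Python equivalent of: ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers <list>; ssl_prefer_server_ciphers off;"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # set_ciphers() governs TLS 1.2 suites only; the TLS 1.3 suites listed
    # above are fixed by OpenSSL and stay enabled.
    ctx.set_ciphers(NGINX_SSL_CIPHERS)
    # Python enables server preference by default; nginx "off" means clear it.
    ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx

def audit_ciphers(ctx):
    """List what the context will offer and flag anything outside the policy."""
    offered = ctx.get_ciphers()  # OpenSSL's view: name, protocol, kea, aead, ...
    findings = []
    for c in offered:
        if c["protocol"] not in MODERN_PROTOCOLS:
            findings.append(f"{c['name']}: legacy protocol {c['protocol']}")
        if not c["aead"]:
            findings.append(f"{c['name']}: not AEAD (CBC / MAC-then-encrypt)")
        # TLS 1.2 needs (EC)DHE for forward secrecy; TLS 1.3 reports kx-any
        # because every 1.3 key exchange is ephemeral.
        if c["protocol"] == "TLSv1.2" and "dhe" not in c["kea"].lower():
            findings.append(f"{c['name']}: no forward secrecy ({c['kea']})")
    return {
        "suites": [c["name"] for c in offered],
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "findings": findings,
    }
```

Swap a CBC or RSA-key-exchange suite into NGINX_SSL_CIPHERS and the findings list shows why the page's list is restricted to ECDHE AEAD suites.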

Certificates — Types

Type         Validation               Use             Cost
DV           Domain Validation        Personal sites  Free (Let's Encrypt)
OV           Organization Validation  Companies       $50-200/year
EV           Extended Validation      Banks           $200+/year
Wildcard     All subdomains           *.site.com      $100+/year
Self-signed  None                     Dev             Free

Certbot / Let's Encrypt

sudo apt install certbot python3-certbot-nginx -y

# the nginx plugin edits the server blocks automatically
sudo certbot --nginx -d meu-site.com -d www.meu-site.com

# standalone (certbot binds port 80 itself)
sudo certbot certonly --standalone -d meu-site.com

# DNS challenge (required for wildcards)
sudo certbot certonly --manual --preferred-challenges dns \
  -d "*.meu-site.com" -d "meu-site.com"

# renewal test
sudo certbot renew --dry-run

# cron (files in /etc/cron.d need a user field after the schedule)
echo "0 3 * * * root certbot renew --quiet --post-hook 'systemctl reload nginx'" | \
  sudo tee /etc/cron.d/certbot-renew

Certificates live in /etc/letsencrypt/live/meu-site.com/

Cloudflare SSL

# Dashboard → SSL/TLS:
Mode: Full (Strict)      ← always use this
Always HTTPS: ON
Min TLS version: 1.2
HSTS: ON (max-age=63072000)

Universal SSL: free (managed domains)
Advanced Certificate Manager: $10/month (dedicated)

mTLS (Mutual TLS)

Mutual authentication — client and server both present certificates.

# nginx as mTLS server
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
    # CA that signed the client certificates
    ssl_client_certificate /etc/ssl/ca.crt;
    # clients without a certificate from that CA get HTTP 400
    ssl_verify_client on;
}

# generate a client certificate
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr   # prompts for the subject (CN identifies the client)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt -days 365

# test
curl --cert client.crt --key client.key https://api.meu-site.com

VPN — WireGuard

A modern VPN: fast, with simple configuration.

WireGuard: manual (keys, IPs, firewall), maximum performance, native in the kernel
Tailscale: automatic (tailscale up), automatic NAT traversal, MagicDNS

# install
sudo apt install wireguard -y

# generate keys
wg genkey | tee server.key | wg pubkey > server.pub
wg genkey | tee client.key | wg pubkey > client.pub
wg genpsk > psk.key   # optional pre-shared key: adds a symmetric layer on top of the handshake
chmod 600 *.key       # private keys must not be world-readable

WireGuard Configuration

Server

# /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

# eth0 = the server's public interface; adjust if yours differs
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client_public_key>
PresharedKey = <preshared_key>
# one /32 per peer: AllowedIPs is both the route and the source filter
AllowedIPs = 10.0.0.2/32

Client

# /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.2/24
PrivateKey = <client_private_key>
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <server_public_key>
PresharedKey = <preshared_key>
Endpoint = meu-server.com:51820
# 0.0.0.0/0 = full tunnel; use 10.0.0.0/24 to send only VPN traffic through wg0
AllowedIPs = 0.0.0.0/0
# keeps NAT mappings alive for clients behind NAT
PersistentKeepalive = 25
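Added example, not part of the original guide: a small validator for wg0.conf files that catches leftover <placeholders>, malformed keys, and overlapping AllowedIPs between peers (WireGuard's cryptokey routing requires them to be disjoint, otherwise the later peer silently takes over the route). The sample config and key are constructed; the function names are mine.

```python
import base64
import ipaddress
# Constructed sample key (32 arbitrary bytes, base64): not a real WireGuard key.
FAKE_KEY = base64.b64encode(bytes(range(32))).decode()
# Constructed server config: peer 2 keeps a placeholder key, and its AllowedIPs
# swallows peer 1's route (cryptokey routing needs disjoint ranges per peer).
SAMPLE_SERVER_CONF = f"""[Interface]
PrivateKey = {FAKE_KEY}
[Peer]
PublicKey = {FAKE_KEY}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <client2_public_key>
AllowedIPs = 10.0.0.0/24
"""

def parse_wg_conf(text):
    """[(section, {key: value}), ...]; repeated [Peer] sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick allows '#' comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def is_wg_key(value):
    """WireGuard keys are exactly 32 bytes, base64 encoded (44 characters)."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def audit_wg_conf(text):
    findings, routes = [], []  # routes: (network, label of the peer that owns it)
    for idx, (name, kv) in enumerate(parse_wg_conf(text)):
        label = f"{name}#{idx}"
        for key in ("PrivateKey", "PublicKey", "PresharedKey"):
            if key in kv and not is_wg_key(kv[key]):
                findings.append(f"{label}: {key} is a placeholder or malformed")
        if name == "Peer":
            for cidr in filter(None, (c.strip() for c in kv.get("AllowedIPs", "").split(","))):
                net = ipaddress.ip_network(cidr, strict=False)
                for other, owner in routes:
                    if net.version == other.version and net.overlaps(other):
                        findings.append(f"{label}: AllowedIPs {net} overlaps {other} ({owner})")
                routes.append((net, label))
    return findings
```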

Manage

sudo systemctl start wg-quick@wg0
sudo systemctl stop wg-quick@wg0
sudo systemctl enable wg-quick@wg0

sudo wg show
sudo wg show wg0

# add a peer dynamically (not persisted to wg0.conf)
sudo wg set wg0 peer <pub_key> endpoint host:51820 allowed-ips 10.0.0.3/32

# UFW
sudo ufw allow 51820/udp

VPN — Tailscale

# install
curl -fsSL https://tailscale.com/install.sh | sh

# authenticate
sudo tailscale up

# status
tailscale status
tailscale ip
tailscale ping outro-device

# SSH (no key management needed)
tailscale ssh peer-name

# exit node (route all traffic through another device)
tailscale up --exit-node=exit-server

# funnel (expose a port publicly)
tailscale funnel 3000

WireGuard vs Tailscale

Aspect          WireGuard               Tailscale
Setup           Manual (keys, IPs)      Automatic (tailscale up)
NAT traversal   Manual (port forward)   Automatic (DERP)
DNS             Manual                  MagicDNS, automatic
ACLs            iptables                JSON policy
Cost            Free                    Free (3 devices)
Self-hosted     ✅                      (Headscale)
Performance     Maximum (kernel)        Good (userspace)

SSH — Hardening

# /etc/ssh/sshd_config

PasswordAuthentication no
# alias of KbdInteractiveAuthentication since OpenSSH 8.7
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_ed25519_key
AllowUsers alfredo
Port 2222
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
# deprecated since OpenSSH 7.6 (only protocol 2 exists); sshd logs a warning
Protocol 2

sudo sshd -t                  # validate the config first: a typo here locks you out
sudo systemctl restart sshd
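Added example, not part of the original guide: an audit of an sshd_config against the baseline above, applying sshd's own reading rules (the first occurrence of a directive wins, and anything under a Match block is conditional rather than global). The weak sample config is constructed and the function names are mine.

```python
import re
# Expected values, taken from the sshd_config snippet on this page (sshd keywords
# are case-insensitive, so everything is compared lower-cased).
BASELINE = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "maxauthtries": "3",
    "clientaliveinterval": "300",
    "clientalivecountmax": "2",
}
# Directives current sshd only warns about: harmless, but they add no security.
DEPRECATED = {
    "protocol": "removed in OpenSSH 7.6, only protocol 2 exists",
    "challengeresponseauthentication": "alias of KbdInteractiveAuthentication since OpenSSH 8.7",
}
# Constructed weak config: root login on, and passwords disabled only inside a
# Match block, so the global default (yes) still applies to every other user.
WEAK_CONFIG = """PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Global directives, read the way sshd does: first value wins, stop at Match."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if key.lower() == "match":
            break  # everything below is conditional, not the global policy
        effective.setdefault(key.lower(), rest[0].strip() if rest else "")
    return effective

def audit_sshd_config(text):
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in BASELINE.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is {got!r}, baseline wants {want!r}")
    if cfg.get("passwordauthentication") == "no" and cfg.get("pubkeyauthentication") == "no":
        findings.append("lockout: both PasswordAuthentication and PubkeyAuthentication are off")
    for key, why in DEPRECATED.items():
        if key in cfg:
            findings.append(f"{key}: deprecated ({why})")
    return findings
```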

UFW — Quick Summary

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp      # SSH (custom port from sshd_config above)
sudo ufw allow 80/tcp        # HTTP
sudo ufw allow 443/tcp       # HTTPS
sudo ufw allow 51820/udp     # WireGuard
sudo ufw enable
sudo ufw status verbose

Security Checklist

☑ SSH: password authentication disabled, ed25519 only, custom port
☑ UFW: deny incoming, allow only the required ports
☑ fail2ban: brute-force protection
☑ TLS 1.2+ only, strong cipher suites
☑ HSTS enabled
☑ DNS: register at Cloudflare (proxy + DDoS protection)
☑ WireGuard/Tailscale for secure remote access
☑ Nginx: server_tokens off, security headers
☑ Dependabot + CodeQL for code
☑ Automated and tested backups
☑ 2FA on all accounts

Quick Reference

Situation                Command
Test DNS                 dig +short site.com
Check certificate        openssl s_client -connect site.com:443
Generate WireGuard key   wg genkey | tee key | wg pubkey
WireGuard status         sudo wg show
Tailscale up             sudo tailscale up
UFW status               sudo ufw status verbose
Fail2ban status          sudo fail2ban-client status
Renew certbot            sudo certbot renew --dry-run