this post was submitted on 22 Nov 2023
4 points (100.0% liked)

Homelab

371 readers
9 users here now

Rules

founded 1 year ago
MODERATORS
 

Started off by

  1. Enabling unattended updates
  2. Enable only ssh login with key
  3. Create user with sudo privileges
  4. Disable root login
  5. Enable ufw with necessary ports
  6. Disable ping
  7. Change ssh default port 21 to something else.

Got the ideas from networkchuck

Did this on the proxmox host as well as all VMs.

Any suggestions?

you are viewing a single comment's thread
view the rest of the comments
[–] zR0B3ry2VAiH@alien.top 1 points 1 year ago (1 children)

Replace Fortinet with Pfsense (+Suricatta/Snort) for non-propriety. (I have a Fortinet firewall and I can't bring myself to pay for their packages). One thing I'd recommend for you, as I host a lot of stuff is DNS Proxy though cloudflare, so the services I'm hosting are not pointing to my origin IP.

[–] wallacebrf@alien.top 1 points 1 year ago (1 children)

None of my services are available outside my house without first logging into the fortigate SSL VPN. That is the only open port I have.

The SSL VPN uses a loopback interface so only IPs from the US can access it, and I have strong auto block enabled and I add IPs of systems that try brute forcing into the box so they get blocked

I did forget to mention that I use cloud flair already for the exact reason you mentioned so my home IP is not used.

I also have a domain name with valid wildcard certificate. The domain is used to access the SSL VPN and I also then use the cert within my entire homelab so I have everything encrypted

I was not a fan of PF sense, the fortigate has more security features that I wanted

[–] zR0B3ry2VAiH@alien.top 1 points 1 year ago

Pretty cool man, thanks for sharing.