this post was submitted on 22 Nov 2023
4 points (100.0% liked)

Homelab

Started off by

  1. Enabling unattended updates
  2. Enable only ssh login with key
  3. Create user with sudo privileges
  4. Disable root login
  5. Enable ufw with necessary ports
  6. Disable ping
  7. Change ssh default port 21 to something else.

Got the ideas from networkchuck

Did this on the proxmox host as well as all VMs.

Any suggestions?
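A small checker for the sshd side of steps 2, 4 and 7, added here as an example rather than anything from the post: it reads an sshd_config the way sshd does (the first value for a keyword wins, and settings after a Match block are conditional) and lists what still differs from key-only login, no root login and a non-default port. Both sample configs are constructed.

```python
# Audit an sshd_config for key-only login, no root login and a non-default port
# (steps 2, 4 and 7 of the post). Added example; sample configs are constructed.
import re

EXPECTED = {                          # step 4: no root over SSH; step 2: keys only
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Global settings as {keyword.lower(): value}. OpenSSH keeps the FIRST value
    it sees per keyword; lines after the first 'Match' block are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key} not set, compiled-in default applies")
        elif got.lower() != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    if s.get("port", "22") == "22":  # sshd listens on 22 unless told otherwise
        findings.append("Port is the default 22")
    return findings

# Constructed samples: a stock-looking config and a hardened one.
WEAK_CONFIG = "#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a host to see what is left to change; the Match block in the hardened sample shows why per-user exceptions do not trip the global check.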

(page 2) 42 comments
[–] RedSquirrelFtw@alien.top 1 points 1 year ago

Anything that faces the internet I have on a separate vlan. Each system on that vlan is treated as if it was facing the internet directly, that way if one of them gets compromised the hacker will not get far trying to get into any other machines.

Rest of my network is a little more tame just for ease of access since it's only me on here.

Although at some point I do want to revisit my security protocol even locally, just in case. Hitting some kind of drive by trojan script or something within the browser is always a possibility, it could work in reverse where it connects to an external server and then accesses the rest of the network that way. I'm not aware of such trojans but I'm sure it's possible.

I do block all outbound ports except for base internet ports but a properly written malicious script would probably take that into account and use a common port like 443.

At some point I might setup a honeypot. Just need to name the VM "cryptowallet" or something like that and it would be a very fast target. If access to it is detected it would alert me and shut off the internet.

[–] AnomalyNexus@alien.top 1 points 1 year ago

Opnsense firewall at perimeter...and that's about it. Chances of anything getting in with no exposed ports is pretty slim so I don't really bother with anything more.

For SSH exposed servers/VPS I do change the port though. Cut down log noise & maybe dodge the odd portscanner or two

[–] Impressive-Cap1140@alien.top 1 points 1 year ago

Is there really any security benefit to not using default ports? Especially if the service is not open externally? I cannot find any official documentation that states you should be doing that.

[–] Snoo68775@alien.top 1 points 1 year ago

Disable ICMP? The network team sends their regards 🐴

[–] PreppyAndrew@alien.top 1 points 1 year ago

I know this is a feature in Unifi, but disabling access from countries with known bot farms (China, India) etc.
Unless you need access to them.

[–] electromage@alien.top 1 points 1 year ago

Well your host management interfaces shouldn't be exposed to the internet. Use a VPN if you need to access it remotely.

[–] Make1tSoNum1@alien.top 1 points 1 year ago

With a leash. She is very hyper.

[–] gctaylor@alien.top 1 points 1 year ago

Hopes and prayers

Only expose applications to the Internet if you have a good need to. Otherwise, use a VPN to access your home network and get to your applications that way.

If you are exposing them to the internet, take precautions. Use a reverse proxy. Use 2FA if the app supports it. Always use good, long passwords. Login as a limited user whenever possible, and disable admin users for services whenever possible. Consider an alternative solution for authentication, like Authentik. Consider using Fail2ban or Crowdsec to help mitigate the risks of brute force attacks or attacks by known bad actors. Consider the use of Cloudflare tunnels (there are plusses and minuses) to help mitigate the risk of DDOS attacks or to implement other security enhancements that can sit in front of the service.

What might be a good reason for exposing an application to the Internet? Perhaps you want to make it available to multiple people who you don't expect to all install VPN clients. Perhaps you want to use it from devices where you can't install one yourself, like a work desktop. This is why my Nextcloud and Calibre Web installs, plus an instance of Immich I'm test-driving, are reachable online.

But if the application only needs to be accessed by you, with devices you control, use a VPN. There are a number of ways to do this. I run a Wireguard server directly on my router, and it only took a few clicks to enable and configure in tandem with the router company's DDNS service. Tailscale makes VPN setup very easy with minimal setup as well. My NAS administration has no reason to be accessible over the internet. Neither does my Portainer instance. Or any device on my network I might want to SSH into. For all of that, I connect with the VPN first, and then connect to the service.

[–] gborato@alien.top 1 points 1 year ago

Cloudflare and whitelist CF IPs, they publish a file

This is ofc to redirect the traffic to the services that are on the cloud.

And those services reside on a separate VLAN and have their own reverse proxy on their own VM/docker whatever.
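One way to turn that published file into firewall rules, as an added example and not the commenter's own tooling: parse the one-CIDR-per-line list (the live ones are https://www.cloudflare.com/ips-v4 and /ips-v6; the text below is constructed so it runs offline) into ufw allow rules for 80/443, and check a source address against the same list.

```python
# Build ufw allow rules so a reverse proxy accepts 80/443 only from Cloudflare's
# published ranges (the "whitelist CF IPs" above). Added example, not the
# commenter's tooling; the CIDR text below is constructed in the same
# one-CIDR-per-line shape as https://www.cloudflare.com/ips-v4 and /ips-v6.
import ipaddress

SAMPLE_IPS_V4 = "203.0.113.0/24\n198.51.100.0/24\n"  # constructed, not real CF ranges
SAMPLE_IPS_V6 = "2001:db8:cf::/48\n"                 # constructed

def parse_cidr_list(text):
    """One network per non-empty line; a malformed line raises rather than
    silently producing a rule that allows the wrong thing."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

def ufw_rules(nets, ports=(80, 443)):
    """ufw allow lines for each source network and port. With ufw's default
    'deny incoming' (the post's step 5) anything not listed here is dropped."""
    return [f"ufw allow proto tcp from {net} to any port {port}"
            for net in nets for port in ports]

def is_cloudflare(src_ip, nets):
    """True if an access-log source address falls inside the allowlist;
    handy for spotting direct-to-origin hits that bypassed Cloudflare."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)  # v4 vs v6 mismatch is simply False

if __name__ == "__main__":
    nets = parse_cidr_list(SAMPLE_IPS_V4) + parse_cidr_list(SAMPLE_IPS_V6)
    print("\n".join(ufw_rules(nets)))
    print(is_cloudflare("203.0.113.7", nets), is_cloudflare("192.0.2.1", nets))
```

Regenerate the rules whenever the published list changes, and remember the allowlist only helps if the origin is not also reachable over some other path.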

[–] Daniel15@alien.top 1 points 1 year ago

If it's a Debian system, "Create user with sudo privileges" and "Disable root login" can be done during initial setup. Just leave the root password blank and it'll disable the root user and grant sudo permission to the regular user you create.

Create a separate management VLAN and use it for all your infra (web UIs of all your networking hardware, Proxmox, SSH for servers, etc).

For unattended upgrades, ensure the auto updaters are properly configured so they're used ONLY for bug and security fixes, not for minor or major releases! Debian unattended-upgrades has good settings out-of-the-box but you may want to add any custom repos you're using. Make sure you have an email relay server configured in the Exim config, as it uses apt-listchanges to email the changelogs to you.

But above all, press the power button to turn it off and then never turn it on again. 100% unhackable.

[–] neonsphinx@alien.top 1 points 1 year ago

I just host a bunch of worthless stuff that no one wants.

[–] CombJelliesAreCool@alien.top 1 points 1 year ago

Do not discount physical security, lock the doors to your house and get an enclosed rack that you can lock

[–] 1leggeddog@alien.top 1 points 1 year ago

It's not visible from the internet at all, that's about it

[–] null_rm-rf@alien.top 1 points 1 year ago

Not forwarding ports. I use Tailscale Funnel.

[–] darthrater78@alien.top 1 points 1 year ago

By only having it on when I need it.

People that have theirs on 24/7....why? I used Home Assistant to automate mine so I can bring it up remotely if needed.

From the internet side, I lock down SSH or administrative stuff to the local network and specific IPs, like work. Inside my network, everything has a password to access, no defaults. VLANs for specific-use servers, etc.

[–] gwicksted@alien.top 1 points 1 year ago

I have a camera outside, I’m a pretty big guy, and my rack was built inside my office so it can’t be moved quickly.

Oh, you mean digital security? Lol I have a lot of subnets and don’t forward in much traffic. The WiFi password I give out gets you on my kids network. Plus I run DPI and IDS. I use cloudflare DNS (sometimes operating an internal pihole too). And I don’t browse social media on PCs only on mobile. The only holes punched from WiFi to internal are for printing. And even the wired clients are segregated from my work network.

[–] reviewmynotes@alien.top 1 points 1 year ago

You have a good list to start with. Consider adding sshguard or fail2ban in the short term and crowdsec in the long term. Also use lynis on Unix systems and PingCastle on AD systems and see what suggestions those make. Just a few suggestions off the top of my head.

[–] AdderallBuyersClub2@alien.top 1 points 1 year ago

Rat traps… damn mice.

[–] AdderallBuyersClub2@alien.top 1 points 1 year ago

Change all root usernames and passwords to “toor”

Who is going to guess that? Not me.

[–] radiantxero@alien.top 1 points 1 year ago

  1. Snort on perimeter inbound and outbound.
  2. ntopng on perimeter.
  3. Heavy VLAN segmentation. Like with like.
  4. Inter-VLAN ACLs on core switch. This is a stateless firewall. Some VLANs with certain device types have inbound and outbound. Trusted devices only have inbound.
  5. SPAN to Security Onion for all internal traffic.
  6. SNMPv3 monitoring on all devices.
  7. MAC Sticky on all camera ports because the cabling extends outside of the physical structure of the house. I am going to implement Dot1X at some point.
  8. VRFs for sensitive infrastructure to prevent outbound routing completely.
  9. A VRF for devices to be forced through an external VPN (Mullvad). Used for devices that do not support a VPN agent.
  10. No antivirus. All antivirus is a botnet.
  11. All server infrastructure is Devuan using OpenRC instead of systemd.
  12. Gaming PC is Artix.
  13. DNS blackhole.
  14. Public DNS is a Swiss no-logging provider which I use DoT to send my queries to.
  15. LibreWolf or Brave Browser on everything.
  16. Only hole into the network is a 4096 bit encrypted Wireguard instance operating in a container using an uncommon port. I wrote a custom script that can reach into the container and pull from the API in order to show active sessions, GeoIP, browser fingerprints, length of time the socket has been open, etc.
  17. I use geofencing for inbound connections to the Wireguard instance. I only allow my immediate area cellular ISPs IANA address spaces to touch my network. Same goes for the geographic area surrounding my parents house.
  18. Unattended updates using custom scripting for my servers, including rebuilding the Wireguard container every single night, updating the server, and I also fire Nessus at it every night. If in the morning there is a CVE of note on that server, the NAT rule allowing traffic to the VPN is disabled at the perimeter until a sufficient patch is released.
  19. I run STIGs on everything, within reason and where infrastructure allows, in my suite.
  20. LibreSSL over OpenSSL.

[–] WildestPotato@alien.top 1 points 1 year ago

Why has no one mentioned CIS hardening.

[–] massimog1@alien.top 1 points 1 year ago

Originally I'd change the SSH port, obviously only allow pubkey based auth.

Now however, I do everything over Wireguard. Every device has Wireguard access and, depending on that, different rules for what it can access.

[–] PolicyArtistic8545@alien.top 1 points 1 year ago

Automatic updates and strong passwords. I know that automatic update can break a system but I’ve never had it break anything super critical in my home before that can’t be fixed with 10 minutes of effort. I can think of three things that have broken and required fixing in the last 5 years of auto updating software. I’d much rather have a broken piece of software than a security breach. To those that manually update, how fast after the patch notice are you patching? One day, two days, one week, monthly? What if you are sick or on vacation? I can guarantee mine updates within 24 hours every time.

[–] Fergus653@alien.top 1 points 1 year ago

I hid the server under my desk. They'll never find it there!

[–] avdept@alien.top 1 points 1 year ago

If your homelab is local only, well, all of these are unnecessary if you're the only one who uses it. If you want to expose your homelab to the internet, you can pretty much use a VPN to connect to your homelab without needing to expose the whole homelab. Just a port to connect to the VPN.

Do not over complicate things

[–] _DuranDuran_@alien.top 1 points 1 year ago

My homelab is in my garage - the storage array is the only thing I care about not losing so using ZFS encryption and Clevis + tang so it needs to be on the home network and able to contact the server to get the decryption keys.

[–] kY2iB3yH0mN8wI2h@alien.top 0 points 1 year ago

I see a lot of stuff but not a single item about securing your homelab.

[–] u35828@alien.top -1 points 1 year ago

Deny outside access to the core management interfaces. Ne'er-do-wells from the .cn domain trying to hack my router can fuck right off.
