Started off by
- Enabling unattended updates
- Enable only ssh login with key
- Create user with sudo privileges
- Disable root login
- Enable ufw with necessary ports
- Disable ping
- Change ssh default port 21 to something else.
Got the ideas from networkchuck
Did this on the proxmox host as well as all VMs.
Any suggestions?
My security is basically if they get past an updated opnsense firewall I could be highly inconvenienced, but everything irreplaceable is backed up in the cloud and offline in my basement.
My home lab and production network are separated by a firewall.
I have backups and plans to rebuild my lab, I actually do it regularly.
My labs do risky things, I get comfortable with those things before doing it in production.
Lock and key, shotgun by the door
Rat traps… damn mice.
Change all root usernames and passwords to “toor”
Who is going to guess that? Not me.
If your homelab local only - well all of these are unnecessary if you’re the only one who uses it. If you want to expose homelab to internet - you can pretty much use VPN to connect to your homelab without needing to expose whole homelab. Just a port to connect to VPN.
Do not over complicate things
on the hardware side of the story.
Dont Forget to update all your firmware’s and Bios for possible vital penetrations.
Not forwarding ports. I use Tailscale Funnel.
Non standard ports.
Ssh keys.
Web certificates.
Opnsense firewall at perimeter…and that’s about it. Chances of anything getting in with no exposed ports is pretty slim so I don’t really bother with anything more.
For SSH exposed servers/VPS I do change the port though. Cut down log noise & maybe dodge the odd portscanner or two
Only expose applications to the Internet if you have a good need to. Otherwise, use a VPN to access your home network and get to your applications that way.
If you are exposing them to the internet, take precautions. Use a reverse proxy. Use 2FA if the app supports it. Always use good, long passwords. Login as a limited user whenever possible, and disable admin users for services whenever possible. Consider an alternative solution for authentication, like Authentik. Consider using Fail2ban or Crowdsec to help mitigate the risks of brute force attacks or attacks by known bad actors. Consider the use of Cloudflare tunnels (there are plusses and minuses) to help mitigate the risk of DDOS attacks or to implement other security enhancements that can sit in front of the service.
What might be a good reason for exposing an application to the Internet? Perhaps you want to make it available to multiple people who you don’t expect to all install VPN clients. Perhaps you want to use it from devices where you can’t install one yourself, like a work desktop. This is why my Nextcloud and Calibre Web installs, plus an instance of Immich I’m test-driving, are reachable online.
But if the application only needs to be accessed by you, with devices you control, use a VPN. There are a number of ways to do this. I run a Wireguard server directly on my router, and it only took a few clicks to enable and configure in tandem with the router company’s DDNS service. Tailscale makes VPN setup very easy with minimal setup as well. My NAS administration has no reason to be accessible over the internet. Neither does my Portainer instance. Or any device on my network I might want to SSH into. For all of that, I connect with the VPN first, and then connect to the service.
i see a lot of stuff but not a single item about securing your homelab.