this post was submitted on 06 Feb 2024
173 points (99.4% liked)

Selfhosted

37811 readers
524 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
173
What are the most paranoid network/OS security measures you've implemented in your homelab? (lemmy.world)
submitted 5 months ago by MigratingtoLemmy@lemmy.world to c/selfhosted@lemmy.world
131 comments fedilink hide all child comments
 

As the title says, I want to know the most paranoid security measures you've implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I'm wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] Pika@sh.itjust.works 26 points 5 months ago* (last edited 5 months ago) (3 children)

My security is fairly simplistic but I'm happy with it

  • software protection

    • fail2ban with low warning hold
    • cert based login for ssh (no password Auth)
    • Honeypot on all common port numbers, which if pinged leads to a permanent IP ban
    • drop all firewall
    • PSAD for intrusion/scanning protection (so many Russian scanners... lol)
    • wireguard for VPN to access local virtual machines and resources
    • external VPN with nordVPN for secure containers (yes I know nord is questionable I plan to swap when my sub runs out)

  • physical protection

    • luksCrypt on the sensitive Data/program Drive ( I know there's some security concerns with luksCrypt bite me)
    • grub and bios locked with password
    • UPS set to auto notify on power outage
    • router with keep alive warning system that pings my phone if the lab goes offline and provides fallback dns

  • things I've thought about:

    • a mock recovery partition entry that will nuke the Luks headers on entry (to prevent potential exploit getting through grub)
    • removing super user access completely outside of local user access
[–] tofubl@discuss.tchncs.de 7 points 5 months ago (1 children)

Could you please elaborate how you do the honeypotting?

[–] Pika@sh.itjust.works 3 points 5 months ago* (last edited 5 months ago)

I just expanded the existing fail2ban config on the commonly used default ports such as 22, 21 Etc, any requests on those ports get sent into purgatory, so the ip gets blacklisted any connections from it hangs until it times out. It's a super basic setup iptables logs whenever a request is not in the current firewall (last rule in the chain) and then fail2ban reads the log and handles the block. I don't count it as part of the normal setup because they're isolated Because the actual ports the service is on still have the normal rule set but the default port numbers are just an instant if there's activity on it you're gone

[–] IlIllIIIllIlIlIIlI@lemmy.world 3 points 5 months ago

What honeypot are you using?