Selfhosted

Following for my own edification!

I have Nginx Proxy Manager set up to let me access services running HTTP on other ports on the machine with a local network only access list just so my traffic even in my own network will use TLS. The likelihood that anyone is sniffing traffic on my own network is extremely small, but I’m paranoid. (Can’t let anyone see that I’m running Ubuntu Server. How embarrassing.)

I used to have all VMs in my QEMU/KVM server on their own /30 routed network to prevent spoofing. It essentially guaranteed that a compromised VM couldn’t give itself the IP of say, my web server and start collecting login creds. Managing the IP space got painful quick.

I’m somewhat paranoid therefore running several isolated servers. And it’s still not bulletproof and will never be!

• only the isolated server, ie. no internet access, can fetch data from the other servers but not vice versa.
• SSH access key based only
• Firewall dropping all but non-standard ports on dedicated subnets
• Fail2ban drops after 2 attempts
• Password length min 24 characters, 2FA, password rotation every 6 months
• Guest network for friends, can’t access any internal subnet
• Reverse proxy (https;443 port only)
• Any service is accessed by a non-privileged user
• Isolated docker services/databases and dedicated docker networks
• every drive + system Luks-encrypted w/ passphrase only
• Dedicated server for home automation only
• Dedicated server for docker services and reverse proxy only
• Isolated data/backup server sharing data to a tv box and audio system without network access via nfs
• Offsite data/backup server via SSH tunnel hosted by a friend

For about a year I was running a full out of band IPS on my network. My core switch was set up with port mirroring to spit out a copy of all traffic on one port so that my Suricata server could analyze it. Then, this was fed into ElasticSearch and a bunch of big data crap looked for anomalies.

It was cool. Basically useless because all it did was complain about the same IP crawler bots as my nginx logs. But fun to setup and ultimately good for my career lol.

• full disk encryption on everything except the router (no point in encrypting the router)
  • the server doesn't have a display connected for obvious reasons, so I'm manually unlocking it via ssh on each boot
    • obviously, the SSH keys are different, so the server has a different IP in initrd. That said, I still don't have any protection against malicious modification of initrd or UEFI
• the server scans all new SSL certificates in realtime using certspotter and notifies me of any new certificates issued for my domains that it doesn't know about (I use Cloudflare so it triggers relatively often, but I still do checks on who the issuer is)
• firewall blocks outgoing 25 so nobody can impersonate my mailserver

I am clearly not paranoid enough. For a while I was running an open source router inline between the network AP and the fiber to Ethernet box and running nids but the goddamn thing kept crapping out every few days so i took it back out until I can find a more stable solution.

I have plans if I can ever get around to it. I want the smart TV, printer and other shitty things on a separate network from the more trusted devices. I don't know how yet but I would like to set up 802.1X for the trusted stuff.

npftables blocks all incoming except a particular set of ips. any connections from those ips hit pubkey authentication.

I've never had a problem

Mine's pretty simple, I have a "don't open ports until ABSOLUTELY NECESSARY" policy, wireguard works well enough for everything else I need to access remotely. I also keep SSH disabled on any machine that has direct access to the internet.