this post was submitted on 06 Feb 2024
182 points (99.5% liked)

Selfhosted

39964 readers
248 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

As the title says, I want to know the most paranoid security measures you've implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I'm wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 89 points 9 months ago (3 children)

Nice try, attacker trying to get me to do their reconnaissance work for them. I'm on to you.

[–] [email protected] 19 points 9 months ago (1 children)

It would be funny if that were the case. I was just hoping to be a little more paranoid from you lot and maybe improve on the things I've thought about

[–] [email protected] 21 points 9 months ago (1 children)

Yeah, just having a little fun in the role of a paranoid admin. My setup isn't worth mentioning since it fits my threat model (i.e. nobody gives a shit about my network, just don't be the low hanging fruit) but I'm interested in other replies. Hope you get some useful responses here.

[–] [email protected] 9 points 9 months ago

I'd love to play paranoid admin over my network. Thanks!

[–] [email protected] 14 points 9 months ago* (last edited 9 months ago)

No, honestly I'm not an attacker, but your local bank. We just need your help to update our systems. Please provide us the following credentials to continue using our phish- *ugh* services.

Credit card number: _____________
CVV: ___
Expiration date: ______

[–] [email protected] 9 points 9 months ago (3 children)

Spfff me, never Anyway please tell me more about your IP adress and your private keys.

[–] [email protected] 8 points 9 months ago (1 children)

My private key has a 3 in it

[–] [email protected] 12 points 9 months ago (1 children)
load more comments (1 replies)
[–] [email protected] 8 points 9 months ago (1 children)

Ok my ip address is 192.168.3.200.

load more comments (1 replies)
[–] [email protected] 7 points 9 months ago

Hey its me your friend Aaron how are you. Hey i was just wandering, what is your credit card details again? just wandering

[–] [email protected] 44 points 9 months ago (1 children)

Logcheck. It took ages to make sure innocent logs are ignored, but now I get an email as soon as anything non-routine happens on my servers. I get emails with logs from every update, every time I log in, etc. This has given me the most confidence that nothing unexpected is happening on my servers. Of course, one needs to make sure that the firewall is configured well, and that you use ssh keys etc., but logcheck is how I know I'm doing enough.

[–] [email protected] 7 points 9 months ago* (last edited 9 months ago)

Very nice idea, and it's quite simple too. Thanks

[–] [email protected] 42 points 9 months ago* (last edited 9 months ago) (7 children)

Never used it "in anger" but:

I have my firewall plugged into a metered outlet (plugged into a UPS). I have it set up to send me alerts if power draw increases beyond a certain threshold. I've tested it and wireguard is measurable (yay) but so are DDOS attacks. If I get that alert, I can choose to turn off that plug and take my whole network offline until I get home and can sort that out.

Gotten a few false positives over the years but mostly that is just texting my partner to ask what they are doing.

load more comments (7 replies)
[–] [email protected] 42 points 9 months ago (1 children)

My most paranoid config is disabling Ipv4

That's it. If someone wants to attack me, they will need to adopt IPv6!

[–] [email protected] 11 points 9 months ago

they will need to adopt IPv6!

And find your IP in a /56 or /64 range (depending on what your ISP gives you). Good luck.

[–] [email protected] 34 points 9 months ago* (last edited 9 months ago) (1 children)

I've replaced reconnaissance commands (a handful of them found here: https://www.cybrary.it/blog/linux-commands-used-attackers) -- whoami, uname, id, uptime, last, etc

With shell scripts which run the command but also send me a notification via pushover. I'm running several internet-facing services, and the moment those get run because someone is doing some sleuthing inside the machine, I get notified.

It doesn't stop people getting in, I've set up other things for that -- but on the off chance that there is some zero-day that I don't know about yet, or they've traversed the network laterally somehow, the moment they run one of those commands, I know to kill-switch the entire thing.

The thing is, security is an on-going process. Leave any computer attached to the internet long enough and it'll be gotten into. I don't trust being able to know every method that can be used, so I use this as a backup.

[–] [email protected] 7 points 9 months ago

That's a very good idea. Something to think about, especially if you have open ports and are paranoid enough (aren't we all? Hehe). Thanks

[–] [email protected] 27 points 9 months ago* (last edited 9 months ago) (3 children)

My security is fairly simplistic but I'm happy with it

  • software protection

    • fail2ban with low warning hold
    • cert based login for ssh (no password Auth)
    • Honeypot on all common port numbers, which if pinged leads to a permanent IP ban
    • drop all firewall
    • PSAD for intrusion/scanning protection (so many Russian scanners... lol)
    • wireguard for VPN to access local virtual machines and resources
    • external VPN with nordVPN for secure containers (yes I know nord is questionable I plan to swap when my sub runs out)
  • physical protection

    • luksCrypt on the sensitive Data/program Drive ( I know there's some security concerns with luksCrypt bite me)
    • grub and bios locked with password
    • UPS set to auto notify on power outage
    • router with keep alive warning system that pings my phone if the lab goes offline and provides fallback dns
  • things I've thought about:

    • a mock recovery partition entry that will nuke the Luks headers on entry (to prevent potential exploit getting through grub)
    • removing super user access completely outside of local user access
[–] [email protected] 7 points 9 months ago (1 children)

Could you please elaborate how you do the honeypotting?

load more comments (1 replies)
load more comments (2 replies)
[–] [email protected] 18 points 9 months ago (1 children)

Really all I do is setup fail2ban on my very few external services, and then put all other access behind wireguard.

Logs are clean, I'm happy.

load more comments (1 replies)
[–] [email protected] 16 points 9 months ago* (last edited 9 months ago) (6 children)

Only remote access by wireguard and ssh on non standard port with key based access.

Fail2ban bans after 1 attempt for a year. Tweaked the logs to ban on more strict patterns

Logs are encrypted and mailed off site daily

System updates over tor connecting to onion repos.

Nginx only has one exposed port 443 that is accessible by wireguard or lan. Certs are signed by letsencrypt. Paths are ip white listed to various lan or wireguard ips.

Only allow one program with sudo access requiring a password. Every other privelaged action requires switching to root user.

I dont allow devices I dont admin on the network so they go on their own subnet. This is guests phones and their windows laptops.

Linux only on the main network.

I also make sure to backup often.

[–] [email protected] 8 points 9 months ago (2 children)

Can you explain why you use onion repos? I've never heard of that, and I've heard of kind of a lot of things.

[–] [email protected] 10 points 9 months ago* (last edited 9 months ago) (2 children)

Onion repositories are package repositories hosted on tor hidden services. The connection goes through six hops and is end to end encrypted. In addition to further legitimizing the tor network with normal everyday usage it has the benefit of hiding what packages have been installed on a system.

Here are some notes about them if you want to read more.

https://blog.torproject.org/debian-and-tor-services-available-onion-services/

https://www.whonix.org/wiki/Onionizing_Repositories

load more comments (2 replies)
[–] [email protected] 7 points 9 months ago* (last edited 9 months ago)

With Debian it's just the apt-tor package, and the project maintains an official list at.. onion.debian.org iirc?
I don't know if serving onion traffic is more expensive for Debian/mirror maintainers so idk if this is something everybody should use

[–] [email protected] 5 points 9 months ago (3 children)

Linux only on the main network.

Is that a security benefit?

[–] [email protected] 8 points 9 months ago

If big corporations hoovering your data should be on everyone's threat list, then yea, i'd say its a huge benefit.

[–] [email protected] 5 points 9 months ago

I guess it cuts the attack surface profile down a bit?

load more comments (1 replies)
[–] [email protected] 5 points 9 months ago (2 children)

System updates over tor connecting to onion repos.

How does this help, assuming your DNS isn't being spoofed?

load more comments (2 replies)
load more comments (3 replies)
[–] [email protected] 15 points 9 months ago (1 children)

I understand some of these words.

load more comments (1 replies)
[–] [email protected] 14 points 9 months ago (1 children)

How do you all that have your services on your LAN accessing it over wireguard when external pass the wife/kids/family test? If I had to have my wife activate a VPN before she could access our nextcloud or bitwarden, she'd just never use it

[–] [email protected] 6 points 9 months ago (3 children)

Is always on not an option?

[–] [email protected] 8 points 9 months ago (2 children)

Always on wireguard kills battery life on mobile for me so I guess that's a no.

[–] [email protected] 6 points 9 months ago

that should not be the case because wireguard only 'runs' when it sends or receives packets. try setting the keepalive time a bit higher, 5 minutes maybe.

load more comments (1 replies)
load more comments (2 replies)
[–] [email protected] 13 points 9 months ago (1 children)

Using SPA firewall knocking (fwknop) to open ports to ssh in. I suppose if I was really paranoid, the most secure would be an air gap, but there's only so much convenience I'll give up for security.

load more comments (1 replies)
[–] [email protected] 11 points 9 months ago* (last edited 9 months ago) (3 children)

I'm not super paranoid about security, but I do try to have a few good practices to make sure that it takes more than a bot scanning for /admin.php to find a way in.

  • Anything with SSH access uses key-based auth with password auth disabled. First thing I do when spinning up a new machine
  • Almost nothing is exposed directly to the Internet. I have wireguard set up on all my devices for remote access and also for extra security on public networks
  • Anyone who comes to visit gets put on the "guest" network, which is a separate subnet that can't see or talk to anything on the main network
  • For any service that supports creating multiple logins, I make sure I have a separate admin user with elevated permissions, and then create a non-privileged user that I sign in on other devices with
  • Every web-based service is only accessible with a FQDN which auto-redirects to HTTPS and has an actual certificate signed by a trusted CA. This is probably the most "paranoid" thing I do, because of the aforementioned not being accessible on the Internet, but it makes me happy to see the little lock symbol on my browser without having to fiddle around with trusting a self-signed cert.
load more comments (3 replies)
[–] [email protected] 11 points 9 months ago* (last edited 9 months ago) (10 children)

I'm an enterprise guy, so that's the explanation for non home use things.

  • VPN for anything not my web or certificate revocation distribution point
  • Sophos IPS
  • sophos utm for web application firewall
  • transparent inline web proxy, sophos is doing https inspection. I have internal CA and all clients trust it. I don't inspect medical or banking, other common sense stuff.
  • heavily vlan segmented with firewall between
  • my windows clients are managed by active directory with heavy handed GPOs.
  • least priv accounts, different accounts for workstation admin, server, domain, network devices
  • security Onion IDS
  • separate red forest that has admin accounts for my management access and accounts on devices
  • trellix antivirus and global reputation based file monitoring
  • I've started applying disa STIGs on servers
  • site to site VPN with other family member household. They get managed trellix av also.
  • my public identity accounts like MS,.Google, etc all need 2fa, token, etc.

I bet this can still get exploited, just would take effort hopefully none does for a home network.

I'm still one shitty windows zero day click away from getting my workstation or browser tokens owned though, I can feel it.

load more comments (9 replies)
[–] [email protected] 11 points 9 months ago (6 children)
  • Custom Router/Firewall running OPNsense and the Sensei plugin
  • Extensive DNS filtering through Pihole
  • Redirecting all DNS requests to my Pihole through OPNsense
  • My entire network is behind a multi hop VPN
  • I don't let any Windows systems connect to the internet, instead, I have a Linux server which is connected to the internet (through a VPN of course) and runs a browser, and I use X2go to access the browser which is running on the Linux server
load more comments (6 replies)
[–] [email protected] 11 points 9 months ago* (last edited 8 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
AP WiFi Access Point
CA (SSL) Certificate Authority
DNS Domain Name Service/System
Git Popular version control system, primarily for code
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
NAT Network Address Translation
PiHole Network-wide ad-blocker (DNS sinkhole)
SBC Single-Board Computer
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
nginx Popular HTTP server

15 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.

[Thread #493 for this sub, first seen 6th Feb 2024, 16:55] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 8 points 9 months ago (2 children)

I've got systems that can detect suspicious activities in the net, which result in a shutdown of the router. And not like "could you please shut down" but a hard power off type of shutdown.

[–] [email protected] 6 points 9 months ago

Now that's the kind of paranoid I was hoping to see in here. High five, pal.

load more comments (1 replies)
[–] [email protected] 7 points 9 months ago (6 children)

Notifications on system file access

Notifications on root login/sudo

Declarative OS, tmpfs root, disabled sudo

Bastion server, but right now I don't have a proper router to do it at home

Yubikey, or a separate phone on Graphene OS for otp, keys, etc

Authelia + fascist fail2ban (or some CSF)

Most of these are pretty normal, but usually you don't do them all at once 😄 also, I don't really like hiding my services from the open internet, authelia is fine tuned to let people only access what they are supposed to. And regular users of my server usually don't notice that I even have it

load more comments (6 replies)
[–] [email protected] 7 points 9 months ago

After reading this thread I'm apparently not paranoid enough.

Internet facing services are on their own firewalled vlan (dmz), behind a rev proxy, and I have crowdsec running on the proxy and router.

Anything that can get away with putting up on a vps I have (e.g. this Lemmy server). But some things have storage/compute requirements I'm not willing to shell out for.

[–] [email protected] 6 points 9 months ago (4 children)

Neat post and great comments. Saved. Thanks. :)

My personal setup includes:

  • non web facing homeserver for the juicy stuff
  • vps with stuff I‘d barely miss if it was gone
  • far too many backups
  • automatic cleanup of backups so my hdds dont fill up
  • fail2ban listening on every log, even docker containers with permaban enabled
  • scripts are root 700 and so on

I‘m aware that stuff might go horribly wrong but so far it hasnt.

load more comments (4 replies)
[–] [email protected] 6 points 9 months ago* (last edited 9 months ago) (7 children)
  • full disk encryption on everything except the router (no point in encrypting the router)
    • the server doesn't have a display connected for obvious reasons, so I'm manually unlocking it via ssh on each boot
      • obviously, the SSH keys are different, so the server has a different IP in initrd. That said, I still don't have any protection against malicious modification of initrd or UEFI
  • the server scans all new SSL certificates in realtime using certspotter and notifies me of any new certificates issued for my domains that it doesn't know about (I use Cloudflare so it triggers relatively often, but I still do checks on who the issuer is)
  • firewall blocks outgoing 25 so nobody can impersonate my mailserver
load more comments (7 replies)
[–] [email protected] 6 points 9 months ago
[–] [email protected] 5 points 9 months ago

Air gapping? I keep a offline backup just in case.

load more comments
view more: next ›