As the title says, I want to know the most paranoid security measures you’ve implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I’m wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

  • Pika@sh.itjust.worksEnglish
    1·
    5 months ago

    My security is fairly simplistic but I’m happy with it

    • software protection

      • fail2ban with low warning hold
      • cert based login for ssh (no password Auth)
      • Honeypot on all common port numbers, which if pinged leads to a permanent IP ban
      • drop all firewall
      • PSAD for intrusion/scanning protection (so many Russian scanners… lol)
      • wireguard for VPN to access local virtual machines and resources
      • external VPN with nordVPN for secure containers (yes I know nord is questionable I plan to swap when my sub runs out)

    • physical protection

      • luksCrypt on the sensitive Data/program Drive ( I know there’s some security concerns with luksCrypt bite me)
      • grub and bios locked with password
      • UPS set to auto notify on power outage
      • router with keep alive warning system that pings my phone if the lab goes offline and provides fallback dns

    • things I’ve thought about:

      • a mock recovery partition entry that will nuke the Luks headers on entry (to prevent potential exploit getting through grub)
      • removing super user access completely outside of local user access
  • easeKItMAn@lemmy.worldEnglish
    0·
    5 months ago

    I’m somewhat paranoid therefore running several isolated servers. And it’s still not bulletproof and will never be!

    • only the isolated server, ie. no internet access, can fetch data from the other servers but not vice versa.
    • SSH access key based only
    • Firewall dropping all but non-standard ports on dedicated subnets
    • Fail2ban drops after 2 attempts
    • Password length min 24 characters, 2FA, password rotation every 6 months
    • Guest network for friends, can’t access any internal subnet
    • Reverse proxy (https;443 port only)
    • Any service is accessed by a non-privileged user
    • Isolated docker services/databases and dedicated docker networks
    • every drive + system Luks-encrypted w/ passphrase only
    • Dedicated server for home automation only
    • Dedicated server for docker services and reverse proxy only
    • Isolated data/backup server sharing data to a tv box and audio system without network access via nfs
    • Offsite data/backup server via SSH tunnel hosted by a friend
    • MigratingtoLemmy@lemmy.worldOPEnglish
      0·
      5 months ago

      Would you have to compromise on your security according to your threat model if you ran VMs rather than dedicated devices? I’m no security engineer and I don’t know if KVM/QEMU can fit everyones needs, but AWS uses XCP-ng, and unless they’re using a custom version of it, all changes are pushed upstream. I’d definitely trust AWS’ underlying virtualisation layer for my VMs, but I wonder if I should go with XCP or KVM or bhyve.

      This is my personal opinion, but podman’s networking seems less difficult to understand than Docker. Docker was a pain the first time I was reading about the networking in it.

      Really like your setup. Do you have any plans to make it more private/secure?

      • easeKItMAn@lemmy.worldEnglish
        0·
        5 months ago

        I used VMs some time ago but never managed to look deeper into separation of bare metal vs VMs. Hence I can’t assess this reasonably.
        Docker got me interested when it started and after discovering its networking capabilities I never looked back.
        Basically I’m trying to minimize the possibility that by intercepting one dockerized service the attacker is able to start interacting with all devices. And I have lots of devices because of a fully automated house. ;) My paranoia will ensure the constant growth of privacy and security :)

  • NuXCOM_90Percent@lemmy.zipEnglish
    0·
    5 months ago

    Never used it “in anger” but:

    I have my firewall plugged into a metered outlet (plugged into a UPS). I have it set up to send me alerts if power draw increases beyond a certain threshold. I’ve tested it and wireguard is measurable (yay) but so are DDOS attacks. If I get that alert, I can choose to turn off that plug and take my whole network offline until I get home and can sort that out.

    Gotten a few false positives over the years but mostly that is just texting my partner to ask what they are doing.