Opening your router to the Internet is risky. Are there any guides for the basics to keep things secure? Things like setting up fail2ban? My concern is that I’ll forget something obvious.
Edit: I haven’t had much of a chance to read through everything yet, but I really appreciate all these long, detailed responses. ❤️ Thanks folks!
I hear you can get a pretty good offer from CrowdStrike these days.
Anything exposed to the internet will be found by the scanners. Moving ssh off of port 22 doesn’t do anything except make it less convenient for you to use. The scanners will find it, and when they do, they will try to log in.
(It’s actually pretty easy to write a little script to listen on port 20 (telnet) and collect the default login creds that the worms so kindly share)
The thing that protects you is strong authentication. Turn off password auth entirely, and generate a long keypair. Disable root login entirely.
Most self-hosted software is built by hobbyists with some goal, and rock solid authentication is generally not that goal. You should, if you can, put most things behind some reverse-proxy with a strong auth layer, like Teleport.
You will get lots of advice to hide things behind a vpn. A vpn provides centralized strong authentication. It’s a good idea, but decreases accessibility (which is part of security) - so there’s a value judgement here between the strength of a vpn and your accessibility goals.
Some of my services (ssh, wg, nginx) are open to the internet. Some are behind a reverse proxy. Some require a vpn connection, even within my own house. It depends on who it’s for - just me, technical friends, the world, or my technically-challenged parents trying to type something with a roku remote.
After strong auth, you want to think about software vulnerabilities - and you don’t have to think much, because there’s only one answer: keep your stuff up to date.
All of the above covers the P in PICERL (pick-uh-rel) for Prepare. I stands for Identify, and this is tricky. In an ideal world, you get a real-time notification (on your phone if possible) when any of these things happen:
- Any successful ssh login
- Any successful root login
- If a port starts listening that you didn’t expect
- If the system watching for these things goes down (have two systems that watch each other)
That list could be much longer, but that’s a good start.
After Identification, there’s Contain + Eradicate. In a homelab context, that’s probably a fresh re-install of the OS. Attacker persistence mechanisms are insane - once they’re in, they’re in. Reformat the disk.
R is for recover or remediate depending on who you ask. If you reformatted your disks, it stands for “rebuild”. Combine this with L (lessons learned) to rebuild differently than before.
To close out this essay though, I want to reiterate Strong Auth. If you’ve got strong auth and keep things up to date, a breach should never happen. A lot of people work very hard every day to keep the strong auth strong ;)
This is an excellent comment, thanks for writing this up
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol LXC Linux Containers NAS Network-Attached Storage NAT Network Address Translation SSH Secure Shell for remote terminal access VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
[Thread #884 for this sub, first seen 24th Jul 2024, 19:35] [FAQ] [Full list] [Contact] [Source code]
You can use cloudflare tunnels which skips having to open ports and can also proxy the connection so people can’t find your home IP address depending on what services you’re setting up
Obligatory Cloudflare notice
What’s the notice?
People don’t like centralizing the Internet in a single service. There’s nothing wrong with the product. It works great and is much more secure than opening ports in your home network. This community is just more biased toward decentralization and privacy, which is a common reason for people to start self hosting.
I think wireguard can allow you to set up a similar external connection with some extra steps. This would remove Cloudflare from the loop.
Oh got it, I use wire guard as a VPN for services that only I need but for things I share with multiple people I use cloudflare tunnel after learning about it from youtube tutorials
So, no-one’s mentioned tailscale. If it’s just for you, or some select friends, it’s probably the least friction to get secure access to your home network. Still, gotta check your threat matrix, do you really need it, is it really worth it for that occasional, maybe hypothetical usage ? Least access is best security…
deleted by creator
I’ve never set up a VPN. I’ve connected to them for work, sure, and I’ve dealt with port forwarding for games back in the day. Is it much trickier? Their site makes it sound pretty easy.
Isolate it all and keep on top of security advisories and updates
