website/public/blog/home-server-security/index.html
2024-03-29 15:45:43 +00:00
<!doctype html><html lang=en><head><meta charset=utf-8><meta content="width=device-width,initial-scale=1.0" name=viewport><meta content="light dark" name=color-scheme><title>Home server security</title><link href=/img/favicon-32x32.png rel=icon sizes=32x32 type=image/png><link href=/img/favicon-16x16.png rel=icon sizes=16x16 type=image/png><link href=/img/apple-touch-icon.png rel=apple-touch-icon sizes=180x180><link href=https://fonts.googleapis.com rel=preconnect><link crossorigin href=https://fonts.gstatic.com rel=preconnect><link href="https://fonts.googleapis.com/css2?family=Signika&display=swap" rel=stylesheet><style>*{font-family:monospace!important}body{--primary-color:#8070c6;--primary-pale-color:#8070c61c;--text-color:#151517;--text-pale-color:#454449;--bg-color:#f4f0f3;--highlight-mark-color:#5f75b045;--callout-note-color:#e887bb;--callout-important-color:#a292e8;--callout-warning-color:#d9d564;--callout-alert-color:#f06969;--callout-question-color:#78b9c4;--callout-tip-color:#91d65c}body.dark{--primary-color:#a292e8;--primary-pale-color:#a292e81c;--text-color:#ece5ea;--text-pale-color:#5c5c61;--bg-color:#151517;--highlight-mark-color:#5f75b045;--callout-note-color:#e887bb;--callout-important-color:#a292e8;--callout-warning-color:#d9d564;--callout-alert-color:#f06969;--callout-question-color:#78b9c4;--callout-tip-color:#91d65c}body{--main-font:'Signika',ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--code-font:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;--homepage-max-width:750px;--main-max-width:750px;--avatar-size:70px;--paragraph-font-size:18px;--paragraph-line-height:1.75;--aside-font-size:16px;--img-border-radius:0;--inline-code-border-radius:2px}</style><link href=/main.css rel=stylesheet><body 
class=post><script>if(localStorage.getItem('theme')=='dark'){document.body.classList.add('dark');const a=document.querySelector('link#hl');if(a)a.href='/hl-dark.css'}</script><header class=blur><div id=header-wrapper><nav><a href=/>devraza</a><button aria-label="toggle expand" class=separator id=toggler>::</button><span class="wrap left fold">{</span><a href=/blog>blog</a><span class="wrap-separator fold">,</span><a class=fold href=/projects>projects</a><span class="wrap right fold">} ;</span></nav><div id=btns><a aria-label="rss feed" href=/blog/feed.xml><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M3 17C5.20914 17 7 18.7909 7 21H3V17ZM3 10C9.07513 10 14 14.9249 14 21H12C12 16.0294 7.97056 12 3 12V10ZM3 3C12.9411 3 21 11.0589 21 21H19C19 12.1634 11.8366 5 3 5V3Z" fill=currentColor></path></svg></a><button aria-label="theme switch" data-moon-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M10 7C10 10.866 13.134 14 17 14C18.9584 14 20.729 13.1957 21.9995 11.8995C22 11.933 22 11.9665 22 12C22 17.5228 17.5228 22 12 22C6.47715 22 2 17.5228 2 12C2 6.47715 6.47715 2 12 2C12.0335 2 12.067 2 12.1005 2.00049C10.8043 3.27098 10 5.04157 10 7ZM4 12C4 16.4183 7.58172 20 12 20C15.0583 20 17.7158 18.2839 19.062 15.7621C18.3945 15.9187 17.7035 16 17 16C12.0294 16 8 11.9706 8 7C8 6.29648 8.08133 5.60547 8.2379 4.938C5.71611 6.28423 4 8.9417 4 12Z" fill="currentColor"></path></svg>' data-sun-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M12 18C8.68629 18 6 15.3137 6 12C6 8.68629 8.68629 6 12 6C15.3137 6 18 8.68629 18 12C18 15.3137 15.3137 18 12 18ZM12 16C14.2091 16 16 14.2091 16 12C16 9.79086 14.2091 8 12 8C9.79086 8 8 9.79086 8 12C8 14.2091 9.79086 16 12 16ZM11 1H13V4H11V1ZM11 20H13V23H11V20ZM3.51472 4.92893L4.92893 3.51472L7.05025 5.63604L5.63604 7.05025L3.51472 4.92893ZM16.9497 18.364L18.364 16.9497L20.4853 19.0711L19.0711 20.4853L16.9497 
18.364ZM19.0711 3.51472L20.4853 4.92893L18.364 7.05025L16.9497 5.63604L19.0711 3.51472ZM5.63604 16.9497L7.05025 18.364L4.92893 20.4853L3.51472 19.0711L5.63604
</span><span>Mar 29 14:40:11 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:40:11
</span><span>Mar 29 14:40:29 icefall fail2ban.filter[1097]: INFO [...] Found 185.8.165.204 - 2024-03-29 14:40:29
</span><span>Mar 29 14:40:40 icefall fail2ban.filter[1097]: INFO [...] Found 162.212.154.58 - 2024-03-29 14:40:40
</span></code></pre><p>Within the past <em>few minutes</em>, I've already got a few IP addresses from all over the world taking a peek at my services. If I had my SSH port set to the standard <code>22</code>, I could have expected a few rogue login attempts to have been made, too.<p>And, speaking of not having my SSH port set to the standard <code>22</code>, I'll now move on to what should be done to secure a home server. One thing that I think should be noted, however, is that security doesn't need to be very strong, and you generally don't need to go too far out of your way with security measures (though this definitely depends on individual circumstance). Honestly speaking, you <em>probably</em> <strong>don't</strong> have competent black hats looking to get into your server - what you probably <strong>do</strong> have, however, are a bunch of script kiddies and pervasive bots.<h1 id=the-list>The list<a aria-label="Anchor link for: the-list" class=zola-anchor href=#the-list>#</a></h1><p>The fairly basic stuff you'd need to do in this case doesn't make much room for detail. So, here it all is in the form of a simple list (I've included the relevant NixOS configuration where I think it'd be useful<sup class=footnote-reference><a href=#1>1</a></sup>):<ul><li><p>Move your SSH daemon to a non-default port, like <code>3291</code>.</p> <pre class=language-nix data-lang=nix style=background:#151515;color:#e8e8d3><code class=language-nix data-lang=nix><span style=color:#ffb964>services</span><span>.</span><span style=color:#ffb964>openssh </span><span>= {
</span><span> </span><span style=color:#ffb964>ports </span><span>= [ </span><span style=color:#cf6a4c>3291 </span><span>]; </span><span style=color:#888># whatever you like
</span><span>};
</span></code></pre><li><p>Force public key authentication with SSH and disable root logins.</p> <pre class=language-nix data-lang=nix style=background:#151515;color:#e8e8d3><code class=language-nix data-lang=nix><span style=color:#ffb964>services</span><span>.</span><span style=color:#ffb964>openssh</span><span>.</span><span style=color:#ffb964>settings </span><span>= {
</span><span> </span><span style=color:#ffb964>PermitRootLogin </span><span>= </span><span style=color:#99ad6a>"no"</span><span>;
</span><span> </span><span style=color:#ffb964>PasswordAuthentication </span><span>= false;
</span><span>};
</span></code></pre><li><p>Set up a pretty basic firewall - something like <code>ufw</code> would do the trick.</p> <pre class=language-nix data-lang=nix style=background:#151515;color:#e8e8d3><code class=language-nix data-lang=nix><span style=color:#ffb964>networking </span><span>= {
</span><span> </span><span style=color:#ffb964>nftables</span><span>.</span><span style=color:#ffb964>enable </span><span>= true; </span><span style=color:#888># use the newer nftables
</span><span> </span><span style=color:#ffb964>firewall </span><span>= {
</span><span> </span><span style=color:#ffb964>enable </span><span>= true;
</span><span> </span><span style=color:#ffb964>rejectPackets </span><span>= true; </span><span style=color:#888># explicit deny
</span><span> </span><span style=color:#ffb964>interfaces</span><span>.</span><span style=color:#ffb964>enp1s0 </span><span>= { </span><span style=color:#888># obviously, replace `enp1s0` with your interface
</span><span> </span><span style=color:#ffb964>allowedTCPPorts </span><span>= [ ... ]; </span><span style=color:#888># put in the ports you need here
</span><span> };
</span><span> };
</span><span>};
</span></code></pre><li><p>This probably doesn't need to be said, but <strong>use strong passwords</strong>!</p><li><p>Host a <a rel="nofollow noreferrer" href=https://fail2ban.org>fail2ban</a> instance to ban hosts making brute-force attempts.</p></ul><p>I think that's all there is for almost everyone, and it is basically the minimal amount of effort a home server administrator should make. Personally, I would prefer to enforce a VPN connection in order to access my <em>personal</em> services for that extra layer of security (because why'd they need to be exposed to the internet?). This can be done fairly easily with tailscale, and for the slightly more paranoid - <a rel="nofollow noreferrer" href=https://headscale.net/>headscale</a> is a viable...alternative? Anyways, I've got a blog post that explores headscale in a little more detail, which might be worth checking out.<p>Well, that's all I wanted to say. It's been a while since my last blog post, and the inspiration for this one came seemingly randomly - I hope someone finds this useful.<div class=footnote-definition id=1><sup class=footnote-definition-label>1</sup><p>Naturally, you shouldn't just copy and paste the snippets into</div></article><div class=giscus></div></div><footer><div class=copyright><p>© 2024 Muhammad Nauman Raza</div><div class=credits>powered by <a rel="noreferrer noopener" href=https://www.getzola.org target=_blank>zola</a> and <a rel="noreferrer noopener" href=https://github.com/isunjn/serene target=_blank>serene</a></div></footer></main></div><script src=/js/lightense.min.js></script><script src=/js/main.js></script>
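<p>As an added example (not part of the post, and not fail2ban's own code), the script below parses fail2ban <code>Found</code> filter lines like the ones quoted above and applies the same maxretry/findtime counting that a fail2ban jail uses, so you can see which of the probing hosts would actually be banned under a given policy. The regex, the function names and the repeated probe lines are assumptions: the sample log is the three lines from the post plus constructed repeats from the first host.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches fail2ban "Found <ip> - <timestamp>" filter lines in the format shown in the post.
FOUND_RE = re.compile(
    r"fail2ban\.filter\[\d+\]: INFO \[.*?\] Found "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)

# Constructed sample: the three lines from the post plus repeated probes from the first host.
SAMPLE_LOG = """\
Mar 29 14:40:11 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:40:11
Mar 29 14:40:29 icefall fail2ban.filter[1097]: INFO [...] Found 185.8.165.204 - 2024-03-29 14:40:29
Mar 29 14:40:40 icefall fail2ban.filter[1097]: INFO [...] Found 162.212.154.58 - 2024-03-29 14:40:40
Mar 29 14:41:02 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:41:02
Mar 29 14:41:15 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:41:15
Mar 29 14:41:33 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:41:33
Mar 29 14:41:50 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:41:50
"""

def parse_found(line):
    """Return (ip, timestamp) for a 'Found' line, or None for any other line."""
    m = FOUND_RE.search(line.strip())
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")

def find_offenders(lines, maxretry=5, findtime=600):
    """Flag a host once it has maxretry matches inside a sliding window of
    findtime seconds (5 hits / 10 min are fail2ban's stock defaults)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}  # ip -> timestamp of the match that triggered the ban
    for line in lines:
        parsed = parse_found(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in banned:
            continue  # already flagged; fail2ban would have blocked it by now
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # drop matches that fell out of the findtime window
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned
```

With the stock thresholds only <code>176.126.240.158</code> is flagged; tightening <code>findtime</code> to 60 seconds lets it through, which is the trade-off the jail settings encode.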