From 7389bc96a7e60e73c9153202c1252592fae15961 Mon Sep 17 00:00:00 2001 From: Muhammad Nauman Raza Date: Fri, 29 Mar 2024 15:45:32 +0000 Subject: [PATCH] chore: update blog post date --- content/blog/home-server-security.md | 115 ++++++++++++++++++++ public/blog/home-server-security/index.html | 22 ++++ public/tags/hardening/index.html | 3 + public/tags/homelab/index.html | 3 + 4 files changed, 143 insertions(+) create mode 100644 content/blog/home-server-security.md create mode 100644 public/blog/home-server-security/index.html create mode 100644 public/tags/hardening/index.html create mode 100644 public/tags/homelab/index.html diff --git a/content/blog/home-server-security.md b/content/blog/home-server-security.md new file mode 100644 index 0000000..62ec3f0 --- /dev/null +++ b/content/blog/home-server-security.md 
@@ -0,0 +1,115 @@ ++++ +title = "Home server security" +date = 2024-03-28 +draft = false + +[taxonomies] +categories = ["Cybersecurity", "Self-hosting"] +tags = ["homelab", "hardening", "selfhosted"] + +[extra] +lang = "en" +toc = true +comment = true +copy = true +math = false +mermaid = false ++++ + +# Introduction + +Home server security is pretty often overlooked from what I can tell. +Any device accessible from the internet has *some* degree of +vulnerability in the current era of the internet. I aim for this +document to detail methods to amend the contemporary cybersecurity +challenges faced by most homelabbers. + +# Justification in Depth + +Of course, my statements about home servers needing some security +measures put in place aren't baseless. My own experience, as well as +that of a sizable number of people on the wonderful +[lemmy](https://join-lemmy.org) community at +`selfhosted@lemmy.world` shows that home servers are endlessly 'knocked" +on, and that login attempts to services like SSH *are* made. Here's a +snippet from my [fail2ban](https://fail2ban.org) filter to +verify this point: + +``` +Mar 29 14:38:13 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:38:13 +Mar 29 14:40:11 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:40:11 +Mar 29 14:40:29 icefall fail2ban.filter[1097]: INFO [...] Found 185.8.165.204 - 2024-03-29 14:40:29 +Mar 29 14:40:40 icefall fail2ban.filter[1097]: INFO [...] Found 162.212.154.58 - 2024-03-29 14:40:40 +``` + +Within the past *few minutes*, I've already got a few IP addresses from +all over the world taking a peak at my services. If I had my SSH port +set to the standard `22`, I could have expected a few rogue login +attempts to have been made, too. + +And, speaking of not having my SSH port set to the standard `22`, I'll +now move on to what you should be done to secure a home server. 
One +thing that I think should be noted, however, is that security doesn't +need to be very strong, and you generally don't need to go too far out +of your way with security measures (though this definitely depends on +invdividual circumstance). Honestly speaking, you *probably* **don't** +have competent black hats looking to get in to your server - what you +probably **do** have, however, are a bunch of script kiddies and +perversive bots. + +# The list + +The fairly basic stuff you'd need to do in this case doesn't make much +room for detail. So, here it all is in the form of a simple list (I've +included the relevant NixOS configuration where I think it'd be +useful[^1]): + +- Move your SSH daemon to a non-default port, like `3291`. + ```nix + services.openssh = { + ports = [ 3291 ]; # whatever you like + }; + ``` + +- Force public key authentication with SSH and disable root logins. + ```nix + services.openssh.settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + ``` + +- Set up a pretty basic firewall - something like `ufw` would do the trick. + ```nix + networking = { + nftables.enable = true; # use the newer nftables + firewall = { + enable = true; + rejectPackets = true; # explicit deny + interfaces.enp1s0 = { # obviously, replace `enp1s0` with your interface + allowedTCPPorts = [ ... ]; # put in the ports you need here + }; + }; + }; + ``` + +- This probably doesn't need to be said, but **use strong passwords**! + +- Host a [fail2ban](https://fail2ban.org) instance to ban hosts making bruteforce attempts. + +I think that's all there is for almost everyone, and is basically the +minimal amount of effort a home server administrator should do. +Personally, I would prefer to enforce a VPN connection in order to +access my *personal* services for that extra layer of security (because +why'd they need to be exposed to the internet?). 
This can be done faily +easily with tailscale, and for the slightly more paranoid - +[headscale](https://headscale.net/) is a +viable...alternative? Anyways, I've got a blog post that explores +headscale in a little more detail, which might be worth checking out. + +Well, that's all I wanted to say. It's been a while since my last blog +post, and the inspiration for this one came seemingly randomly - I hope +someone finds this useful. + +[^1]: Naturally, you shouldn't just copy and paste the snippets into + diff --git a/public/blog/home-server-security/index.html b/public/blog/home-server-security/index.html new file mode 100644 index 0000000..7174c47 --- /dev/null +++ b/public/blog/home-server-security/index.html @@ -0,0 +1,22 @@ +Home server security

Home server security

2024-01-04

Introduction#

Home server security is pretty often overlooked from what I can tell. Any device accessible from the internet has some degree of vulnerability in the current era of the internet. I aim for this document to detail methods to amend the contemporary cybersecurity challenges faced by most homelabbers.

Justification in Depth#

Of course, my statements about home servers needing some security measures put in place aren't baseless. My own experience, as well as that of a sizable number of people on the wonderful lemmy community at selfhosted@lemmy.world shows that home servers are endlessly 'knocked" on, and that login attempts to services like SSH are made. Here's a snippet from my fail2ban filter to verify this point:

Mar 29 14:38:13 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:38:13
+Mar 29 14:40:11 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:40:11
+Mar 29 14:40:29 icefall fail2ban.filter[1097]: INFO [...] Found 185.8.165.204 - 2024-03-29 14:40:29
+Mar 29 14:40:40 icefall fail2ban.filter[1097]: INFO [...] Found 162.212.154.58 - 2024-03-29 14:40:40
+

Within the past few minutes, I've already got a few IP addresses from all over the world taking a peak at my services. If I had my SSH port set to the standard 22, I could have expected a few rogue login attempts to have been made, too.

And, speaking of not having my SSH port set to the standard 22, I'll now move on to what you should be done to secure a home server. One thing that I think should be noted, however, is that security doesn't need to be very strong, and you generally don't need to go too far out of your way with security measures (though this definitely depends on invdividual circumstance). Honestly speaking, you probably don't have competent black hats looking to get in to your server - what you probably do have, however, are a bunch of script kiddies and perversive bots.

The list#

The fairly basic stuff you'd need to do in this case doesn't make much room for detail. So, here it all is in the form of a simple list (I've included the relevant NixOS configuration where I think it'd be useful1):

  • Move your SSH daemon to a non-default port, like 3291.

    services.openssh = {
    +  ports = [ 3291 ]; # whatever you like
    +};
    +
  • Force public key authentication with SSH and disable root logins.

    services.openssh.settings = {
    +  PermitRootLogin = "no";
    +  PasswordAuthentication = false;
    +};
    +
  • Set up a pretty basic firewall - something like ufw would do the trick.

    networking = {
    +  nftables.enable = true; # use the newer nftables
    +  firewall = {
    +    enable = true;
    +    rejectPackets = true; # explicit deny
    +    interfaces.enp1s0 = { # obviously, replace `enp1s0` with your interface
    +      allowedTCPPorts = [ ... ]; # put in the ports you need here
    +    };
    +  };
    +};
    +
  • This probably doesn't need to be said, but use strong passwords!

  • Host a fail2ban instance to ban hosts making bruteforce attempts.

I think that's all there is for almost everyone, and is basically the minimal amount of effort a home server administrator should do. Personally, I would prefer to enforce a VPN connection in order to access my personal services for that extra layer of security (because why'd they need to be exposed to the internet?). This can be done faily easily with tailscale, and for the slightly more paranoid - headscale is a viable...alternative? Anyways, I've got a blog post that explores headscale in a little more detail, which might be worth checking out.

Well, that's all I wanted to say. It's been a while since my last blog post, and the inspiration for this one came seemingly randomly - I hope someone finds this useful.

1

Naturally, you shouldn't just copy and paste the snippets into

powered by zola and serene
\ No newline at end of file diff --git a/public/tags/hardening/index.html b/public/tags/hardening/index.html new file mode 100644 index 0000000..98eec7a --- /dev/null +++ b/public/tags/hardening/index.html @@ -0,0 +1,3 @@ +Blog Posts
# hardeningAll Tags
Home server security 2024-01-04
powered by zola and serene
\ No newline at end of file diff --git a/public/tags/homelab/index.html b/public/tags/homelab/index.html new file mode 100644 index 0000000..c57b915 --- /dev/null +++ b/public/tags/homelab/index.html @@ -0,0 +1,3 @@ +Blog Posts
# homelabAll Tags
Home server security 2024-01-04
powered by zola and serene
\ No newline at end of file
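Review bot: In the `content/blog/home-server-security.md` hunk, the "Force public key authentication" bullet does not actually force key-only logins: `PasswordAuthentication = false;` leaves keyboard-interactive (PAM) password prompts enabled in OpenSSH, so add `KbdInteractiveAuthentication = false;` next to it in `services.openssh.settings`. Two smaller points in the same hunk: the firewall bullet names `ufw` while the snippet configures the NixOS firewall over nftables, so name the tool the snippet sets up; and `allowedTCPPorts = [ ... ];` is not valid Nix (`...` is only an ellipsis in function argument sets), so either leave the list empty with the comment or use a real example value. The `[^1]` footnote is cut off mid-sentence ("shouldn't just copy and paste the snippets into"), and the commit subject "chore: update blog post date" describes a date change while this patch only creates files, so the subject or the patch contents should be reconciled. Typos to fix: "taking a peak" (peek), "invdividual", "faily", "what you should be done", and the mismatched quotes in `'knocked"`.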
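Review bot: The generated `public/blog/home-server-security/index.html` hunk is stale relative to the source it is committed with: it renders the date as `2024-01-04` while the markdown frontmatter in this same patch sets `date = 2024-03-28`, and it carries the same truncated footnote and typos as the source. Rebuild the site after editing the markdown so the committed output matches, or stop committing `public/` output alongside source so this kind of drift cannot happen.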
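Review bot: The `public/tags/hardening/index.html` hunk lists the post under `2024-01-04`, which contradicts the `date = 2024-03-28` frontmatter added in this patch; regenerate the tag page together with the post page so all three dates agree.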
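Review bot: The `public/tags/homelab/index.html` hunk has the same stale `2024-01-04` date as the hardening tag page, and the patch is missing a tag page for `selfhosted`, which the frontmatter lists alongside `homelab` and `hardening` (only two tag pages are created in the diffstat). Confirm that `public/tags/selfhosted/index.html` already exists, or include it in the regenerated output.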