From af6256b3ca794d847cfa1a917ef8552ca8ec12ba Mon Sep 17 00:00:00 2001 From: Muhammad Nauman Raza Date: Fri, 29 Mar 2024 15:45:06 +0000 Subject: [PATCH] blog(post): home server security --- public/blog/feed.xml | 98 +++++++++++++++++++++++++++++++ public/blog/index.html | 2 +- public/sitemap.xml | 10 ++++ public/tags/index.html | 2 +- public/tags/selfhosted/index.html | 2 +- 5 files changed, 111 insertions(+), 3 deletions(-) diff --git a/public/blog/feed.xml b/public/blog/feed.xml index b22f904..06de7f9 100644 --- a/public/blog/feed.xml +++ b/public/blog/feed.xml 
@@ -184,6 +184,104 @@ What makes matters worse is how gullible the general population is, even those e <p>I would like to clarify that I'm not suggesting that people should avoid using the internet to gather information - while its reliability is incredibly questionable, the accessibility and openness it provides far beats traditional methods of gathering information (books and such). My suggestion is that people should be much more careful with how they interpret information on the internet, and perform their due diligence in their research into whatever they're aiming to learn; <strong>people should make sure that what they're reading is accurate before absorbing any information</strong> (here's your tl;dr).</p> <p>That's about it for this blog post, as it was meant to be a brief way of expressing my thoughts on the matter. Thanks for reading!</p> + + + + Home server security + 2024-01-04T00:00:00+00:00 + 2024-01-04T00:00:00+00:00 + + https://devraza.duckdns.org/blog/home-server-security/ + <h1 id="introduction">Introduction<a class="zola-anchor" href="#introduction" aria-label="Anchor link for: introduction">#</a></h1> +<p>Home server security is pretty often overlooked from what I can tell. +Any device accessible from the internet has <em>some</em> degree of +vulnerability in the current era of the internet. I aim for this +document to detail methods to amend the contemporary cybersecurity +challenges faced by most homelabbers.</p> +<h1 id="justification-in-depth">Justification in Depth<a class="zola-anchor" href="#justification-in-depth" aria-label="Anchor link for: justification-in-depth">#</a></h1> +<p>Of course, my statements about home servers needing some security +measures put in place aren't baseless. 
My own experience, as well as +that of a sizable number of people on the wonderful +<a rel="nofollow noreferrer" href="https://join-lemmy.org">lemmy</a> community at +<code>selfhosted@lemmy.world</code> shows that home servers are endlessly 'knocked&quot; +on, and that login attempts to services like SSH <em>are</em> made. Here's a +snippet from my <a rel="nofollow noreferrer" href="https://fail2ban.org">fail2ban</a> filter to +verify this point:</p> +<pre style="background-color:#151515;color:#e8e8d3;"><code><span>Mar 29 14:38:13 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:38:13 +</span><span>Mar 29 14:40:11 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:40:11 +</span><span>Mar 29 14:40:29 icefall fail2ban.filter[1097]: INFO [...] Found 185.8.165.204 - 2024-03-29 14:40:29 +</span><span>Mar 29 14:40:40 icefall fail2ban.filter[1097]: INFO [...] Found 162.212.154.58 - 2024-03-29 14:40:40 +</span></code></pre> +<p>Within the past <em>few minutes</em>, I've already got a few IP addresses from +all over the world taking a peak at my services. If I had my SSH port +set to the standard <code>22</code>, I could have expected a few rogue login +attempts to have been made, too.</p> +<p>And, speaking of not having my SSH port set to the standard <code>22</code>, I'll +now move on to what you should be done to secure a home server. One +thing that I think should be noted, however, is that security doesn't +need to be very strong, and you generally don't need to go too far out +of your way with security measures (though this definitely depends on +invdividual circumstance). 
Honestly speaking, you <em>probably</em> <strong>don't</strong> +have competent black hats looking to get in to your server - what you +probably <strong>do</strong> have, however, are a bunch of script kiddies and +perversive bots.</p> +<h1 id="the-list">The list<a class="zola-anchor" href="#the-list" aria-label="Anchor link for: the-list">#</a></h1> +<p>The fairly basic stuff you'd need to do in this case doesn't make much +room for detail. So, here it all is in the form of a simple list (I've +included the relevant NixOS configuration where I think it'd be +useful<sup class="footnote-reference"><a href="#1">1</a></sup>):</p> +<ul> +<li> +<p>Move your SSH daemon to a non-default port, like <code>3291</code>.</p> +<pre data-lang="nix" style="background-color:#151515;color:#e8e8d3;" class="language-nix "><code class="language-nix" data-lang="nix"><span style="color:#ffb964;">services</span><span>.</span><span style="color:#ffb964;">openssh </span><span>= { +</span><span> </span><span style="color:#ffb964;">ports </span><span>= [ </span><span style="color:#cf6a4c;">3291 </span><span>]; </span><span style="color:#888888;"># whatever you like +</span><span>}; +</span></code></pre> +</li> +<li> +<p>Force public key authentication with SSH and disable root logins.</p> +<pre data-lang="nix" style="background-color:#151515;color:#e8e8d3;" class="language-nix "><code class="language-nix" data-lang="nix"><span style="color:#ffb964;">services</span><span>.</span><span style="color:#ffb964;">openssh</span><span>.</span><span style="color:#ffb964;">settings </span><span>= { +</span><span> </span><span style="color:#ffb964;">PermitRootLogin </span><span>= </span><span style="color:#99ad6a;">&quot;no&quot;</span><span>; +</span><span> </span><span style="color:#ffb964;">PasswordAuthentication </span><span>= false; +</span><span>}; +</span></code></pre> +</li> +<li> +<p>Set up a pretty basic firewall - something like <code>ufw</code> would do the trick.</p> +<pre data-lang="nix" 
style="background-color:#151515;color:#e8e8d3;" class="language-nix "><code class="language-nix" data-lang="nix"><span style="color:#ffb964;">networking </span><span>= { +</span><span> </span><span style="color:#ffb964;">nftables</span><span>.</span><span style="color:#ffb964;">enable </span><span>= true; </span><span style="color:#888888;"># use the newer nftables +</span><span> </span><span style="color:#ffb964;">firewall </span><span>= { +</span><span> </span><span style="color:#ffb964;">enable </span><span>= true; +</span><span> </span><span style="color:#ffb964;">rejectPackets </span><span>= true; </span><span style="color:#888888;"># explicit deny +</span><span> </span><span style="color:#ffb964;">interfaces</span><span>.</span><span style="color:#ffb964;">enp1s0 </span><span>= { </span><span style="color:#888888;"># obviously, replace `enp1s0` with your interface +</span><span> </span><span style="color:#ffb964;">allowedTCPPorts </span><span>= [ ... ]; </span><span style="color:#888888;"># put in the ports you need here +</span><span> }; +</span><span> }; +</span><span>}; +</span></code></pre> +</li> +<li> +<p>This probably doesn't need to be said, but <strong>use strong passwords</strong>!</p> +</li> +<li> +<p>Host a <a rel="nofollow noreferrer" href="https://fail2ban.org">fail2ban</a> instance to ban hosts making bruteforce attempts.</p> +</li> +</ul> +<p>I think that's all there is for almost everyone, and is basically the +minimal amount of effort a home server administrator should do. +Personally, I would prefer to enforce a VPN connection in order to +access my <em>personal</em> services for that extra layer of security (because +why'd they need to be exposed to the internet?). This can be done faily +easily with tailscale, and for the slightly more paranoid - +<a rel="nofollow noreferrer" href="https://headscale.net/">headscale</a> is a +viable...alternative? 
Anyways, I've got a blog post that explores +headscale in a little more detail, which might be worth checking out.</p> +<p>Well, that's all I wanted to say. It's been a while since my last blog +post, and the inspiration for this one came seemingly randomly - I hope +someone finds this useful.</p> +<div class="footnote-definition" id="1"><sup class="footnote-definition-label">1</sup> +<p>Naturally, you shouldn't just copy and paste the snippets into</p> +</div> diff --git a/public/blog/index.html b/public/blog/index.html index 0419c11..c192f31 100644 --- a/public/blog/index.html +++ b/public/blog/index.html @@ -1 +1 @@ -Blog Posts
\ No newline at end of file +Blog Posts
\ No newline at end of file diff --git a/public/sitemap.xml b/public/sitemap.xml index 1136525..f0576e8 100644 --- a/public/sitemap.xml +++ b/public/sitemap.xml @@ -10,6 +10,10 @@ https://devraza.duckdns.org/blog/hoaxes-overview/ 2024-01-04 + + https://devraza.duckdns.org/blog/home-server-security/ + 2024-01-04 + https://devraza.duckdns.org/blog/nfc-misconceptions/ 2024-01-19 @@ -51,6 +55,9 @@ https://devraza.duckdns.org/tags/hacking/ + + https://devraza.duckdns.org/tags/hardening/ + https://devraza.duckdns.org/tags/hardware/ @@ -63,6 +70,9 @@ https://devraza.duckdns.org/tags/home-lab/ + + https://devraza.duckdns.org/tags/homelab/ + https://devraza.duckdns.org/tags/nfc/ diff --git a/public/tags/index.html b/public/tags/index.html index 88b1cec..4e8e91d 100644 --- a/public/tags/index.html +++ b/public/tags/index.html @@ -1,3 +1,3 @@ Tags
\ No newline at end of file +en">Tags
\ No newline at end of file diff --git a/public/tags/selfhosted/index.html b/public/tags/selfhosted/index.html index bd76c46..9f69685 100644 --- a/public/tags/selfhosted/index.html +++ b/public/tags/selfhosted/index.html @@ -1,3 +1,3 @@ Blog Posts
\ No newline at end of file +en">Blog Posts
\ No newline at end of file
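Review bot: In the feed.xml hunk the footnote definition (`<div class="footnote-definition" id="1">`) ends mid-sentence, "Naturally, you shouldn't just copy and paste the snippets into", so the published post and feed carry a truncated footnote; finish that sentence before merging. In the same hunk the firewall bullet recommends "something like `ufw`" but the snippet that follows enables `networking.nftables.enable = true` with the NixOS firewall, so either reword the bullet or say that the snippet is the nftables equivalent; also `allowedTCPPorts = [ ... ];` is a placeholder that will not evaluate if a reader copies it, so mark it clearly as one (for example `allowedTCPPorts = [ 3291 ]; # plus whatever else you expose`). The SSH bullet says "Force public key authentication", but `PasswordAuthentication = false` alone still leaves keyboard-interactive logins available; adding `KbdInteractiveAuthentication = false` to `services.openssh.settings` would match the stated intent. The entry's `<published>`/`<updated>` value 2024-01-04 predates both the fail2ban lines quoted in the post (Mar 29 2024) and the commit date (Fri, 29 Mar 2024), so it looks copied from an older post. The fail2ban excerpt publishes four real source IP addresses; consider masking them, since the point stands without them. Finally, spelling and punctuation in the new prose: `'knocked&quot;` opens with a single quote and closes with a double one, "taking a peak" should be "taking a peek", "what you should be done" should be "what should be done", and "invdividual", "faily" and "perversive" should be "individual", "fairly" and "pervasive".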
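Review bot: The third sitemap.xml hunk adds `https://devraza.duckdns.org/tags/homelab/` directly below the existing context line `https://devraza.duckdns.org/tags/home-lab/`, so the new post introduces a second slug for what is evidently the same tag and splits the tag listing in two; retag the post as `home-lab` (or fold `home-lab` into `homelab` across the site) so only one of these URLs is generated, and regenerate the sitemap and tag pages afterwards.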