blog(post): home server security
This commit is contained in:
parent
5e50342515
commit
af6256b3ca
|
@ -184,6 +184,104 @@ What makes matters worse is how gullible the general population is, even those e
|
||||||
<p>I would like to clarify that I'm not suggesting that people should avoid using the internet to gather information - while its reliability is incredibly questionable, the accessibility and openness it provides far beats traditional methods of gathering information (books and such). My suggestion is that people should be much more careful with how they interpret information on the internet,
|
<p>I would like to clarify that I'm not suggesting that people should avoid using the internet to gather information - while its reliability is incredibly questionable, the accessibility and openness it provides far beats traditional methods of gathering information (books and such). My suggestion is that people should be much more careful with how they interpret information on the internet,
|
||||||
and perform their due diligence in their research into whatever they're aiming to learn; <strong>people should make sure that what they're reading is accurate before absorbing any information</strong> (here's your tl;dr).</p>
|
and perform their due diligence in their research into whatever they're aiming to learn; <strong>people should make sure that what they're reading is accurate before absorbing any information</strong> (here's your tl;dr).</p>
|
||||||
<p>That's about it for this blog post, as it was meant to be a brief way of expressing my thoughts on the matter. Thanks for reading!</p>
|
<p>That's about it for this blog post, as it was meant to be a brief way of expressing my thoughts on the matter. Thanks for reading!</p>
|
||||||
|
</content>
|
||||||
|
</entry>
|
||||||
|
<entry xml:lang="en">
|
||||||
|
<title>Home server security</title>
|
||||||
|
<published>2024-01-04T00:00:00+00:00</published>
|
||||||
|
<updated>2024-01-04T00:00:00+00:00</updated>
|
||||||
|
<link href="https://devraza.duckdns.org/blog/home-server-security/" type="text/html"/>
|
||||||
|
<id>https://devraza.duckdns.org/blog/home-server-security/</id>
|
||||||
|
<content type="html"><h1 id="introduction">Introduction<a class="zola-anchor" href="#introduction" aria-label="Anchor link for: introduction">#</a></h1>
|
||||||
|
<p>Home server security is pretty often overlooked from what I can tell.
|
||||||
|
Any device accessible from the internet has <em>some</em> degree of
|
||||||
|
vulnerability in the current era of the internet. I aim for this
|
||||||
|
document to detail methods to amend the contemporary cybersecurity
|
||||||
|
challenges faced by most homelabbers.</p>
|
||||||
|
<h1 id="justification-in-depth">Justification in Depth<a class="zola-anchor" href="#justification-in-depth" aria-label="Anchor link for: justification-in-depth">#</a></h1>
|
||||||
|
<p>Of course, my statements about home servers needing some security
|
||||||
|
measures put in place aren't baseless. My own experience, as well as
|
||||||
|
that of a sizable number of people on the wonderful
|
||||||
|
<a rel="nofollow noreferrer" href="https://join-lemmy.org">lemmy</a> community at
|
||||||
|
<code>selfhosted@lemmy.world</code> shows that home servers are endlessly 'knocked&quot;
|
||||||
|
on, and that login attempts to services like SSH <em>are</em> made. Here's a
|
||||||
|
snippet from my <a rel="nofollow noreferrer" href="https://fail2ban.org">fail2ban</a> filter to
|
||||||
|
verify this point:</p>
|
||||||
|
<pre style="background-color:#151515;color:#e8e8d3;"><code><span>Mar 29 14:38:13 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:38:13
|
||||||
|
</span><span>Mar 29 14:40:11 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:40:11
|
||||||
|
</span><span>Mar 29 14:40:29 icefall fail2ban.filter[1097]: INFO [...] Found 185.8.165.204 - 2024-03-29 14:40:29
|
||||||
|
</span><span>Mar 29 14:40:40 icefall fail2ban.filter[1097]: INFO [...] Found 162.212.154.58 - 2024-03-29 14:40:40
|
||||||
|
</span></code></pre>
|
||||||
|
<p>Within the past <em>few minutes</em>, I've already got a few IP addresses from
|
||||||
|
all over the world taking a peak at my services. If I had my SSH port
|
||||||
|
set to the standard <code>22</code>, I could have expected a few rogue login
|
||||||
|
attempts to have been made, too.</p>
|
||||||
|
<p>And, speaking of not having my SSH port set to the standard <code>22</code>, I'll
|
||||||
|
now move on to what you should be done to secure a home server. One
|
||||||
|
thing that I think should be noted, however, is that security doesn't
|
||||||
|
need to be very strong, and you generally don't need to go too far out
|
||||||
|
of your way with security measures (though this definitely depends on
|
||||||
|
invdividual circumstance). Honestly speaking, you <em>probably</em> <strong>don't</strong>
|
||||||
|
have competent black hats looking to get in to your server - what you
|
||||||
|
probably <strong>do</strong> have, however, are a bunch of script kiddies and
|
||||||
|
perversive bots.</p>
|
||||||
|
<h1 id="the-list">The list<a class="zola-anchor" href="#the-list" aria-label="Anchor link for: the-list">#</a></h1>
|
||||||
|
<p>The fairly basic stuff you'd need to do in this case doesn't make much
|
||||||
|
room for detail. So, here it all is in the form of a simple list (I've
|
||||||
|
included the relevant NixOS configuration where I think it'd be
|
||||||
|
useful<sup class="footnote-reference"><a href="#1">1</a></sup>):</p>
|
||||||
|
<ul>
|
||||||
|
<li>
|
||||||
|
<p>Move your SSH daemon to a non-default port, like <code>3291</code>.</p>
|
||||||
|
<pre data-lang="nix" style="background-color:#151515;color:#e8e8d3;" class="language-nix "><code class="language-nix" data-lang="nix"><span style="color:#ffb964;">services</span><span>.</span><span style="color:#ffb964;">openssh </span><span>= {
|
||||||
|
</span><span> </span><span style="color:#ffb964;">ports </span><span>= [ </span><span style="color:#cf6a4c;">3291 </span><span>]; </span><span style="color:#888888;"># whatever you like
|
||||||
|
</span><span>};
|
||||||
|
</span></code></pre>
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
<p>Force public key authentication with SSH and disable root logins.</p>
|
||||||
|
<pre data-lang="nix" style="background-color:#151515;color:#e8e8d3;" class="language-nix "><code class="language-nix" data-lang="nix"><span style="color:#ffb964;">services</span><span>.</span><span style="color:#ffb964;">openssh</span><span>.</span><span style="color:#ffb964;">settings </span><span>= {
|
||||||
|
</span><span> </span><span style="color:#ffb964;">PermitRootLogin </span><span>= </span><span style="color:#99ad6a;">&quot;no&quot;</span><span>;
|
||||||
|
</span><span> </span><span style="color:#ffb964;">PasswordAuthentication </span><span>= false;
|
||||||
|
</span><span>};
|
||||||
|
</span></code></pre>
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
<p>Set up a pretty basic firewall - something like <code>ufw</code> would do the trick.</p>
|
||||||
|
<pre data-lang="nix" style="background-color:#151515;color:#e8e8d3;" class="language-nix "><code class="language-nix" data-lang="nix"><span style="color:#ffb964;">networking </span><span>= {
|
||||||
|
</span><span> </span><span style="color:#ffb964;">nftables</span><span>.</span><span style="color:#ffb964;">enable </span><span>= true; </span><span style="color:#888888;"># use the newer nftables
|
||||||
|
</span><span> </span><span style="color:#ffb964;">firewall </span><span>= {
|
||||||
|
</span><span> </span><span style="color:#ffb964;">enable </span><span>= true;
|
||||||
|
</span><span> </span><span style="color:#ffb964;">rejectPackets </span><span>= true; </span><span style="color:#888888;"># explicit deny
|
||||||
|
</span><span> </span><span style="color:#ffb964;">interfaces</span><span>.</span><span style="color:#ffb964;">enp1s0 </span><span>= { </span><span style="color:#888888;"># obviously, replace `enp1s0` with your interface
|
||||||
|
</span><span> </span><span style="color:#ffb964;">allowedTCPPorts </span><span>= [ ... ]; </span><span style="color:#888888;"># put in the ports you need here
|
||||||
|
</span><span> };
|
||||||
|
</span><span> };
|
||||||
|
</span><span>};
|
||||||
|
</span></code></pre>
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
<p>This probably doesn't need to be said, but <strong>use strong passwords</strong>!</p>
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
<p>Host a <a rel="nofollow noreferrer" href="https://fail2ban.org">fail2ban</a> instance to ban hosts making bruteforce attempts.</p>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
<p>I think that's all there is for almost everyone, and is basically the
|
||||||
|
minimal amount of effort a home server administrator should do.
|
||||||
|
Personally, I would prefer to enforce a VPN connection in order to
|
||||||
|
access my <em>personal</em> services for that extra layer of security (because
|
||||||
|
why'd they need to be exposed to the internet?). This can be done faily
|
||||||
|
easily with tailscale, and for the slightly more paranoid -
|
||||||
|
<a rel="nofollow noreferrer" href="https://headscale.net/">headscale</a> is a
|
||||||
|
viable...alternative? Anyways, I've got a blog post that explores
|
||||||
|
headscale in a little more detail, which might be worth checking out.</p>
|
||||||
|
<p>Well, that's all I wanted to say. It's been a while since my last blog
|
||||||
|
post, and the inspiration for this one came seemingly randomly - I hope
|
||||||
|
someone finds this useful.</p>
|
||||||
|
<div class="footnote-definition" id="1"><sup class="footnote-definition-label">1</sup>
|
||||||
|
<p>Naturally, you shouldn't just copy and paste the snippets into</p>
|
||||||
|
</div>
|
||||||
</content>
|
</content>
|
||||||
</entry>
|
</entry>
|
||||||
<entry xml:lang="en">
|
<entry xml:lang="en">
|
||||||
|
|
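Review bot: the footnote definition at the end of the new entry is cut off mid-sentence (`<p>Naturally, you shouldn't just copy and paste the snippets into</p>`), so the published post ends with an unfinished footnote; finish the sentence before this ships. Two further issues in the same entry: the `<published>` and `<updated>` elements say 2024-01-04, yet the fail2ban excerpt quoted in the body is timestamped `2024-03-29` and is described as "within the past few minutes", so either the entry dates or the quoted log is wrong; and the firewall list item says "something like `ufw` would do the trick" but the snippet beneath it is a NixOS `networking.firewall`/`nftables` block with `allowedTCPPorts = [ ... ];` left as a non-Nix placeholder, so the text should say this replaces ufw on NixOS and the placeholder should at least show a real port list (the sshd port `3291` chosen in the first snippet is the obvious one). Minor copy: `'knocked&quot;` mixes quote styles, and "taking a peak", "what you should be done", "invdividual", "faily" and "perversive bots" are typos.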
File diff suppressed because one or more lines are too long
|
@ -10,6 +10,10 @@
|
||||||
<loc>https://devraza.duckdns.org/blog/hoaxes-overview/</loc>
|
<loc>https://devraza.duckdns.org/blog/hoaxes-overview/</loc>
|
||||||
<lastmod>2024-01-04</lastmod>
|
<lastmod>2024-01-04</lastmod>
|
||||||
</url>
|
</url>
|
||||||
|
<url>
|
||||||
|
<loc>https://devraza.duckdns.org/blog/home-server-security/</loc>
|
||||||
|
<lastmod>2024-01-04</lastmod>
|
||||||
|
</url>
|
||||||
<url>
|
<url>
|
||||||
<loc>https://devraza.duckdns.org/blog/nfc-misconceptions/</loc>
|
<loc>https://devraza.duckdns.org/blog/nfc-misconceptions/</loc>
|
||||||
<lastmod>2024-01-19</lastmod>
|
<lastmod>2024-01-19</lastmod>
|
||||||
|
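Review bot: the new `<url>` entry's `<lastmod>2024-01-04</lastmod>` agrees with the feed's `<published>` date, but the post body quotes a fail2ban log from `2024-03-29`, so the sitemap will advertise a modification date earlier than the content it describes; set `<lastmod>` to the actual publication/last-edit date once the feed dates are corrected.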
@ -51,6 +55,9 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://devraza.duckdns.org/tags/hacking/</loc>
|
<loc>https://devraza.duckdns.org/tags/hacking/</loc>
|
||||||
</url>
|
</url>
|
||||||
|
<url>
|
||||||
|
<loc>https://devraza.duckdns.org/tags/hardening/</loc>
|
||||||
|
</url>
|
||||||
<url>
|
<url>
|
||||||
<loc>https://devraza.duckdns.org/tags/hardware/</loc>
|
<loc>https://devraza.duckdns.org/tags/hardware/</loc>
|
||||||
</url>
|
</url>
|
||||||
|
@ -63,6 +70,9 @@
|
||||||
<url>
|
<url>
|
||||||
<loc>https://devraza.duckdns.org/tags/home-lab/</loc>
|
<loc>https://devraza.duckdns.org/tags/home-lab/</loc>
|
||||||
</url>
|
</url>
|
||||||
|
<url>
|
||||||
|
<loc>https://devraza.duckdns.org/tags/homelab/</loc>
|
||||||
|
</url>
|
||||||
<url>
|
<url>
|
||||||
<loc>https://devraza.duckdns.org/tags/nfc/</loc>
|
<loc>https://devraza.duckdns.org/tags/nfc/</loc>
|
||||||
</url>
|
</url>
|
||||||
|
|
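Review bot: `tags/homelab/` is added immediately after the existing `tags/home-lab/` entry, so the site now has two tag pages for the same topic; unless the split is intentional, tag the new post with the existing `home-lab` tag and drop this entry.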
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long