22 lines
14 KiB
HTML
22 lines
14 KiB
HTML
<!doctype html><html lang=en><head><meta charset=utf-8><meta content="width=device-width,initial-scale=1.0" name=viewport><meta content="light dark" name=color-scheme><title>Home server security</title><link href=/img/favicon-32x32.png rel=icon sizes=32x32 type=image/png><link href=/img/favicon-16x16.png rel=icon sizes=16x16 type=image/png><link href=/img/apple-touch-icon.png rel=apple-touch-icon sizes=180x180><link href=https://fonts.googleapis.com rel=preconnect><link crossorigin href=https://fonts.gstatic.com rel=preconnect><link href="https://fonts.googleapis.com/css2?family=Signika&display=swap" rel=stylesheet><style>*{font-family:monospace!important}body{--primary-color:#8070c6;--primary-pale-color:#8070c61c;--text-color:#151517;--text-pale-color:#454449;--bg-color:#f4f0f3;--highlight-mark-color:#5f75b045;--callout-note-color:#e887bb;--callout-important-color:#a292e8;--callout-warning-color:#d9d564;--callout-alert-color:#f06969;--callout-question-color:#78b9c4;--callout-tip-color:#91d65c}body.dark{--primary-color:#a292e8;--primary-pale-color:#a292e81c;--text-color:#ece5ea;--text-pale-color:#5c5c61;--bg-color:#151517;--highlight-mark-color:#5f75b045;--callout-note-color:#e887bb;--callout-important-color:#a292e8;--callout-warning-color:#d9d564;--callout-alert-color:#f06969;--callout-question-color:#78b9c4;--callout-tip-color:#91d65c}body{--main-font:'Signika',ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--code-font:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;--homepage-max-width:750px;--main-max-width:750px;--avatar-size:70px;--avatar-radius:0;--paragraph-font-size:18px;--paragraph-line-height:1.75;--aside-font-size:16px;--img-border-radius:0;--inline-code-border-radius:2px}</style><link href=/main.css rel=stylesheet><body class=post><script>if(localStorage.getItem('theme')=='dark'){document.body.classList.add('dark');const a=document.querySelector('link#hl');if(a)a.href='/hl-dark.css'}</script><header class=blur><div id=header-wrapper><nav><a href=/>devraza</a><button aria-label="toggle expand" class=separator id=toggler>::</button><span class="wrap left fold">{</span><a href=/blog>blog</a><span class="wrap-separator fold">,</span><a class=fold href=/projects>projects</a><span class="wrap right fold">} ;</span></nav><div id=btns><a aria-label="rss feed" href=/blog/feed.xml><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M3 17C5.20914 17 7 18.7909 7 21H3V17ZM3 10C9.07513 10 14 14.9249 14 21H12C12 16.0294 7.97056 12 3 12V10ZM3 3C12.9411 3 21 11.0589 21 21H19C19 12.1634 11.8366 5 3 5V3Z" fill=currentColor></path></svg></a><button aria-label="theme switch" data-moon-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M10 7C10 10.866 13.134 14 17 14C18.9584 14 20.729 13.1957 21.9995 11.8995C22 11.933 22 11.9665 22 12C22 17.5228 17.5228 22 12 22C6.47715 22 2 17.5228 2 12C2 6.47715 6.47715 2 12 2C12.0335 2 12.067 2 12.1005 2.00049C10.8043 3.27098 10 5.04157 10 7ZM4 12C4 16.4183 7.58172 20 12 20C15.0583 20 17.7158 18.2839 19.062 15.7621C18.3945 15.9187 17.7035 16 17 16C12.0294 16 8 11.9706 8 7C8 6.29648 8.08133 5.60547 8.2379 4.938C5.71611 6.28423 4 8.9417 4 12Z" fill="currentColor"></path></svg>' data-sun-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M12 18C8.68629 18 6 15.3137 6 12C6 8.68629 8.68629 6 12 6C15.3137 6 18 8.68629 18 12C18 15.3137 15.3137 18 12 18ZM12 16C14.2091 16 16 14.2091 16 12C16 9.79086 14.2091 8 12 8C9.79086 8 8 9.79086 8 12C8 14.2091 9.79086 16 12 16ZM11 1H13V4H11V1ZM11 20H13V23H11V20ZM3.51472 4.92893L4.92893 3.51472L7.05025 5.63604L5.63604 7.05025L3.51472 4.92893ZM16.9497 18.364L18.364 16.9497L20.4853 19.0711L19.0711 20.4853L16.9497 18.364ZM19.0711 3.51472L20.4853 4.92893L18.364 7.05025L16.9497 5.63604L19.0711 3.51472ZM5.63604 16.9497L7.05025 18.364L4.92893 20.4853L3.51472 19.0711L5.63604 16.9497ZM23 11V13H20V11H23ZM4 11V13H1V11H4Z" fill="currentColor"></path></svg>' id=theme-toggle><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M10 7C10 10.866 13.134 14 17 14C18.9584 14 20.729 13.1957 21.9995 11.8995C22 11.933 22 11.9665 22 12C22 17.5228 17.5228 22 12 22C6.47715 22 2 17.5228 2 12C2 6.47715 6.47715 2 12 2C12.0335 2 12.067 2 12.1005 2.00049C10.8043 3.27098 10 5.04157 10 7ZM4 12C4 16.4183 7.58172 20 12 20C15.0583 20 17.7158 18.2839 19.062 15.7621C18.3945 15.9187 17.7035 16 17 16C12.0294 16 8 11.9706 8 7C8 6.29648 8.08133 5.60547 8.2379 4.938C5.71611 6.28423 4 8.9417 4 12Z" fill=currentColor></path></svg></button><button aria-label="table of content" id=toc-toggle><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M3 4H21V6H3V4ZM3 11H15V13H3V11ZM3 18H21V20H3V18Z" fill=currentColor></path></svg></button></div></div></header><div id=wrapper><div id=blank></div><aside class=blur><nav><ul><li><a class=h2 href=#introduction>Introduction</a><li><a class=h2 href=#justification-in-depth>Justification in Depth</a><li><a class=h2 href=#the-list>The list</a></ul></nav><button aria-label="back to top" id=back-to-top><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M11.9997 10.8284L7.04996 15.7782L5.63574 14.364L11.9997 8L18.3637 14.364L16.9495 15.7782L11.9997 10.8284Z" fill=currentColor></path></svg></button></aside><main><div><div data-check-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M10.0007 15.1709L19.1931 5.97852L20.6073 7.39273L10.0007 17.9993L3.63672 11.6354L5.05093 10.2212L10.0007 15.1709Z" fill="currentColor"></path></svg>' data-copy-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M6.9998 6V3C6.9998 2.44772 7.44752 2 7.9998 2H19.9998C20.5521 2 20.9998 2.44772 20.9998 3V17C20.9998 17.5523 20.5521 18 19.9998 18H16.9998V20.9991C16.9998 21.5519 16.5499 22 15.993 22H4.00666C3.45059 22 3 21.5554 3 20.9991L3.0026 7.00087C3.0027 6.44811 3.45264 6 4.00942 6H6.9998ZM5.00242 8L5.00019 20H14.9998V8H5.00242ZM8.9998 6H16.9998V16H18.9998V4H8.9998V6Z" fill="currentColor"></path></svg>' id=copy-cfg style=display:none></div><article data-backlink-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20"><path d="M9.41421 8L18.0208 16.6066L16.6066 18.0208L8 9.41421V17H6V6H17V8H9.41421Z" fill="currentColor"></path></svg>' class=prose><h1>Home server security</h1><div id=post-info><div id=date><span id=publish>2024-03-28</span></div><div id=tags><a href=https://devraza.giize.com/tags/homelab><span>#</span>homelab</a><a href=https://devraza.giize.com/tags/hardening><span>#</span>hardening</a><a href=https://devraza.giize.com/tags/selfhosted><span>#</span>selfhosted</a></div></div><h1 id=introduction>Introduction<a aria-label="Anchor link for: introduction" class=zola-anchor href=#introduction>#</a></h1><p>Home server security is pretty often overlooked from what I can tell. Any device accessible from the internet has <em>some</em> degree of vulnerability in the current era of the internet. I aim for this document to detail methods to amend the contemporary cybersecurity challenges faced by most homelabbers.<h1 id=justification-in-depth>Justification in Depth<a aria-label="Anchor link for: justification-in-depth" class=zola-anchor href=#justification-in-depth>#</a></h1><p>Of course, my statements about home servers needing some security measures put in place aren't baseless. My own experience, as well as that of a sizable number of people on the wonderful <a rel="nofollow noreferrer" href=https://join-lemmy.org>lemmy</a> community at <code>selfhosted@lemmy.world</code> shows that home servers are endlessly 'knocked' on, and that login attempts to services like SSH <em>are</em> made. Here's a snippet from my <a rel="nofollow noreferrer" href=https://fail2ban.org>fail2ban</a> filter to verify this point:<pre style=background:#151515;color:#e8e8d3><code><span>Mar 29 14:38:13 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:38:13
|
|
</span><span>Mar 29 14:40:11 icefall fail2ban.filter[1097]: INFO [...] Found 176.126.240.158 - 2024-03-29 14:40:11
|
|
</span><span>Mar 29 14:40:29 icefall fail2ban.filter[1097]: INFO [...] Found 185.8.165.204 - 2024-03-29 14:40:29
|
|
</span><span>Mar 29 14:40:40 icefall fail2ban.filter[1097]: INFO [...] Found 162.212.154.58 - 2024-03-29 14:40:40
|
|
</span></code></pre><p>Within the past <em>few minutes</em>, I've already got a few IP addresses from all over the world taking a peak at my services. If I had my SSH port set to the standard <code>22</code>, I could have expected a few rogue login attempts to have been made, too.<p>And, speaking of not having my SSH port set to the standard <code>22</code>, I'll now move on to what you should be done to secure a home server. One thing that I think should be noted, however, is that security doesn't need to be very strong, and you generally don't need to go too far out of your way with security measures (though this definitely depends on invdividual circumstance). Honestly speaking, you <em>probably</em> <strong>don't</strong> have competent black hats looking to get in to your server - what you probably <strong>do</strong> have, however, are a bunch of script kiddies and perversive bots.<h1 id=the-list>The list<a aria-label="Anchor link for: the-list" class=zola-anchor href=#the-list>#</a></h1><p>The fairly basic stuff you'd need to do in this case doesn't make much room for detail. So, here it all is in the form of a simple list (I've included the relevant NixOS configuration where I think it'd be useful<sup class=footnote-reference><a href=#1>1</a></sup>):<ul><li><p>Move your SSH daemon to a non-default port, like <code>3291</code>.</p> <pre class=language-nix data-lang=nix style=background:#151515;color:#e8e8d3><code class=language-nix data-lang=nix><span style=color:#ffb964>services</span><span>.</span><span style=color:#ffb964>openssh </span><span>= {
|
|
</span><span> </span><span style=color:#ffb964>ports </span><span>= [ </span><span style=color:#cf6a4c>3291 </span><span>]; </span><span style=color:#888># whatever you like
|
|
</span><span>};
|
|
</span></code></pre><li><p>Force public key authentication with SSH and disable root logins.</p> <pre class=language-nix data-lang=nix style=background:#151515;color:#e8e8d3><code class=language-nix data-lang=nix><span style=color:#ffb964>services</span><span>.</span><span style=color:#ffb964>openssh</span><span>.</span><span style=color:#ffb964>settings </span><span>= {
|
|
</span><span> </span><span style=color:#ffb964>PermitRootLogin </span><span>= </span><span style=color:#99ad6a>"no"</span><span>;
|
|
</span><span> </span><span style=color:#ffb964>PasswordAuthentication </span><span>= false;
|
|
</span><span>};
|
|
</span></code></pre><li><p>Set up a pretty basic firewall - something like <code>ufw</code> would do the trick.</p> <pre class=language-nix data-lang=nix style=background:#151515;color:#e8e8d3><code class=language-nix data-lang=nix><span style=color:#ffb964>networking </span><span>= {
|
|
</span><span> </span><span style=color:#ffb964>nftables</span><span>.</span><span style=color:#ffb964>enable </span><span>= true; </span><span style=color:#888># use the newer nftables
|
|
</span><span> </span><span style=color:#ffb964>firewall </span><span>= {
|
|
</span><span> </span><span style=color:#ffb964>enable </span><span>= true;
|
|
</span><span> </span><span style=color:#ffb964>rejectPackets </span><span>= true; </span><span style=color:#888># explicit deny
|
|
</span><span> </span><span style=color:#ffb964>interfaces</span><span>.</span><span style=color:#ffb964>enp1s0 </span><span>= { </span><span style=color:#888># obviously, replace `enp1s0` with your interface
|
|
</span><span> </span><span style=color:#ffb964>allowedTCPPorts </span><span>= [ ... ]; </span><span style=color:#888># put in the ports you need here
|
|
</span><span> };
|
|
</span><span> };
|
|
</span><span>};
|
|
</span></code></pre><li><p>This probably doesn't need to be said, but <strong>use strong passwords</strong>!</p><li><p>Host a <a rel="nofollow noreferrer" href=https://fail2ban.org>fail2ban</a> instance to ban hosts making bruteforce attempts.</p></ul><p>I think that's all there is for almost everyone, and is basically the minimal amount of effort a home server administrator should do. Personally, I would prefer to enforce a VPN connection in order to access my <em>personal</em> services for that extra layer of security (because why'd they need to be exposed to the internet?). This can be done faily easily with tailscale, and for the slightly more paranoid - <a rel="nofollow noreferrer" href=https://headscale.net/>headscale</a> is a viable...alternative? Anyways, I've got a blog post that explores headscale in a little more detail, which might be worth checking out.<p>Well, that's all I wanted to say. It's been a while since my last blog post, and the inspiration for this one came seemingly randomly - I hope someone finds this useful.<div class=footnote-definition id=1><sup class=footnote-definition-label>1</sup><p>Naturally, you shouldn't just copy and paste the snippets into your own config. Do your research first!</div></article><div class=giscus></div></div><footer><div class=copyright><p>© 2023-2024 Muhammad Nauman Raza</div><div class=credits>powered by <a rel="noreferrer noopener" href=https://www.getzola.org target=_blank>zola</a> and <a rel="noreferrer noopener" href=https://github.com/isunjn/serene target=_blank>serene</a></div></footer></main></div><script src=/js/lightense.min.js></script><script src=/js/main.js></script> |