0 Posts · 13 Comments
Joined 1 year ago
Cake day: October 10th, 2023

  • Daniel15@alien.top to Homelab: How do you secure your home lab? (1 year ago)

    +1

    Use unattended updates ONLY for bug and security fixes, not for minor or major releases. Ensure you configure your auto-updaters properly!

    Debian unattended-upgrades only upgrades packages from the main and security repos by default, so it should be fine since no major updates are performed within a particular Debian version.


  • Daniel15@alien.top to Homelab: How do you secure your home lab? (1 year ago)

    If it’s a Debian system, “Create user with sudo privileges” and “Disable root login” can be done during initial setup. Just leave the root password blank and it’ll disable the root user and grant sudo permission to the regular user you create.

    Create a separate management VLAN and use it for all your infra (web UIs of all your networking hardware, Proxmox, SSH for servers, etc).

    For unattended upgrades, ensure the auto-updaters are properly configured so they’re used ONLY for bug and security fixes, not for minor or major releases! Debian unattended-upgrades has good settings out-of-the-box but you may want to add any custom repos you’re using. Make sure you have an email relay server configured in the Exim config, as it uses apt-listchanges to email the changelogs to you.

    But above all, press the power button to turn it off and then never turn it on again. 100% unhackable.
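The unattended-upgrades advice in the two comments above (security and bug-fix origins only, custom repos added deliberately, changelogs mailed out) can be checked rather than assumed. The script below is an added example, not code from the thread or from Debian: it audits a constructed sample of `/etc/apt/apt.conf.d/50unattended-upgrades`. The first three `Origins-Pattern` entries are the ones Debian ships; the `Example Repo` entry and the mail address are hypothetical stand-ins for a custom repo and a recipient.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian unattended-upgrades
# config for two points raised above: only release/security origins are
# auto-applied, and a mail recipient is set so changelogs reach you.

# Constructed sample of /etc/apt/apt.conf.d/50unattended-upgrades. The first
# three Origins-Pattern entries are Debian's stock ones; the "Example Repo"
# entry and the address are hypothetical, standing in for a custom repo.
SAMPLE_CONF='
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
//      "origin=Debian,codename=${distro_codename}-updates";
        "origin=Example Repo,codename=bookworm";
};
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "on-change";
'

# List the enabled origin patterns: take the Origins-Pattern block, drop
# lines commented out with //, and strip the surrounding quotes.
enabled_origins() {
    printf '%s\n' "$1" \
      | sed -n '/Origins-Pattern {/,/^};/p' \
      | grep -v '^[[:space:]]*//' \
      | grep -o '"[^"]*"' \
      | tr -d '"'
}

# Count enabled patterns (awk avoids wc's platform-dependent padding).
count_enabled_origins() {
    enabled_origins "$1" | awk 'END { print NR }'
}

# Patterns that are not Debian's own origin: each one is a third-party repo
# whose releases will be applied without review, so list them for a decision.
custom_origins() {
    enabled_origins "$1" | grep -v '^origin=Debian,' || true
}

# Address that unattended-upgrades / apt-listchanges mail goes to (empty if unset).
mail_recipient() {
    printf '%s\n' "$1" | sed -n 's/^Unattended-Upgrade::Mail "\([^"]*\)";.*/\1/p'
}

echo "enabled origins: $(count_enabled_origins "$SAMPLE_CONF")"
echo "non-Debian origins (review these):"
custom_origins "$SAMPLE_CONF" | sed 's/^/  /'
if [ -z "$(mail_recipient "$SAMPLE_CONF")" ]; then
    echo "WARN: Unattended-Upgrade::Mail is unset; changelogs will not be mailed"
else
    echo "mail goes to: $(mail_recipient "$SAMPLE_CONF")"
fi
```

Pointing `SAMPLE_CONF` at the real file (`cat /etc/apt/apt.conf.d/50unattended-upgrades`) turns this into a quick post-install check; the `-updates` line being commented out and the non-Debian origin being listed are exactly the two things the comments say to decide on consciously.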





  • I have a $5/year MXRoute account that I still use even though I self-host my emails. I use MXRoute as an outbound SMTP relay since they’ve got all the IP reputation stuff figured out.

    I know you said to exclude VPS, but I’ve got some VPSes around the $15-$50 per year range, since it’s nice having my sites hosted on higher-end enterprise-grade hardware than what I’m using at home.

    I’m considering paying for Kagi (a paid search engine) because it’s ad-free and the results are legitimately better than Google.








  • Nice work!

    Some small pieces of feedback:

    • You can disable the root user during installation, by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and sudo will be installed automatically.
    • If you really want to control which users can SSH in, it’s recommended to create a group and use AllowGroups, rather than allowing individual users via AllowUsers. Note that once you disable PasswordAuthentication, the only users that can SSH in are users that have keys in authorized_keys, so you don’t really need to use AllowUsers or AllowGroups.
    • Disabling IPv6 is unnecessary. If you don’t want to use it, then just… don’t use it? You should ideally always have IPv6 enabled for connections to the internet though. It’s generally faster due to better routing (see Google’s latency impact data: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption), and more future-proof.
    • You may want to consider CrowdSec instead of fail2ban. It’s more efficient and they have a shared list of known bad IPs that you can use.
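The SSH points in the feedback above (root disabled, `PasswordAuthentication` off, `AllowGroups` preferred over `AllowUsers`) are easy to verify against an `sshd_config`. The script below is an added example, not code from the thread: it reads constructed sample configs and reports which of those recommendations hold. The group name `sshusers` and the user names are hypothetical. It does not model `Match` blocks; on a real host, `sshd -T` prints the fully resolved configuration.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config against the
# advice above. Both configs are constructed samples; "sshusers" is a
# hypothetical group name.

HARDENED_SSHD='
# root disabled, keys only, access gated by group membership
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
#AllowUsers alice bob
'

# A stock-looking config where nothing was hardened (constructed).
WEAK_SSHD='
#PermitRootLogin prohibit-password
PasswordAuthentication yes
AllowUsers alice
'

# Effective value of a keyword. sshd uses the FIRST occurrence of a keyword,
# matches keywords case-insensitively and ignores # comments; Match blocks
# are not handled here (use "sshd -T" on a real host for the full picture).
# Prints nothing when the keyword is absent or only present commented out.
sshd_value() {
    printf '%s\n' "$2" \
      | grep -v '^[[:space:]]*#' \
      | awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Return 0 when root login and password auth are explicitly off; print
# findings otherwise. An unset keyword counts as a failure on purpose: the
# check wants the setting written down, not inherited from a default.
# AllowGroups/AllowUsers only produce notes, since with passwords off the
# authorized_keys files already decide who can log in.
audit_sshd() {
    rc=0
    [ "$(sshd_value PermitRootLogin "$1")" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_value PasswordAuthentication "$1")" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ -n "$(sshd_value AllowUsers "$1")" ] \
        && echo "NOTE: AllowUsers in use; a group with AllowGroups is easier to maintain"
    [ -n "$(sshd_value AllowGroups "$1")" ] \
        && echo "NOTE: AllowGroups=$(sshd_value AllowGroups "$1"); members still need keys in authorized_keys"
    return $rc
}

echo "== hardened sample =="
audit_sshd "$HARDENED_SSHD" && echo "OK"
echo "== weak sample =="
audit_sshd "$WEAK_SSHD" || echo "needs work"
```

Feeding the real file in (`audit_sshd "$(cat /etc/ssh/sshd_config)"`) gives a pass/fail you can run after every edit, and the exit status makes it usable from a config-management check as well.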