Opening your router to the Internet is risky. Are there any guides for the basics to keep things secure? Things like setting up fail2ban? My concern is that I’ll forget something obvious.

Edit: I haven’t had much of a chance to read through everything yet, but I really appreciate all these long, detailed responses. ❤️ Thanks folks!

  • yesman@lemmy.world · 50 up / 5 down · 4 months ago

    I hear you can get a pretty good offer from CrowdStrike these days.

  • sandalbucket@lemmy.world · 36 up · 4 months ago

    Anything exposed to the internet will be found by the scanners. Moving ssh off port 22 doesn’t do anything except make it less convenient for you to use. The scanners will find it, and when they do, they will try to log in.

    (It’s actually pretty easy to write a little script to listen on port 20 (telnet) and collect the default login creds that the worms so kindly share)

    The thing that protects you is strong authentication. Turn off password auth entirely, and generate a long keypair. Disable root login entirely.

    Most self-hosted software is built by hobbyists with some goal, and rock solid authentication is generally not that goal. You should, if you can, put most things behind some reverse-proxy with a strong auth layer, like Teleport.

    You will get lots of advice to hide things behind a vpn. A vpn provides centralized strong authentication. It’s a good idea, but decreases accessibility (which is part of security) - so there’s a value judgement here between the strength of a vpn and your accessibility goals.

    Some of my services (ssh, wg, nginx) are open to the internet. Some are behind a reverse proxy. Some require a vpn connection, even within my own house. It depends on who it’s for - just me, technical friends, the world, or my technically-challenged parents trying to type something with a roku remote.

    After strong auth, you want to think about software vulnerabilities - and you don’t have to think much, because there’s only one answer: keep your stuff up to date.

    All of the above covers the P in PICERL (pick-uh-rel) for Prepare. I stands for Identify, and this is tricky. In an ideal world, you get a real-time notification (on your phone if possible) when any of these things happen:

    • Any successful ssh login
    • Any successful root login
    • If a port starts listening that you didn’t expect
    • If the system watching for these things goes down (have two systems that watch each other)

    That list could be much longer, but that’s a good start.

    After Identification, there’s Contain + Eradicate. In a homelab context, that’s probably a fresh re-install of the OS. Attacker persistence mechanisms are insane - once they’re in, they’re in. Reformat the disk.

    R is for recover or remediate depending on who you ask. If you reformatted your disks, it stands for “rebuild”. Combine this with L (lessons learned) to rebuild differently than before.

    To close out this essay though, I want to reiterate Strong Auth. If you’ve got strong auth and keep things up to date, a breach should never happen. A lot of people work very hard every day to keep the strong auth strong ;)
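
The three concrete things the comment above asks for (key-only sshd with root disabled, an alert on every successful login, and an alert when an unexpected port starts listening), as an added example in POSIX shell. This is not the commenter's code: it audits an sshd_config for the directives named above, parses sshd's own log lines for successful logins, and diffs a saved listener baseline against `ss` output. The sample config, log lines and port lists at the bottom are constructed for the demo; the paths in the comments are assumptions (Debian/Ubuntu layout).

```shell
#!/bin/sh
# Added example: sshd hardening audit + the "Identify" alerts from the comment.
# Not code from the original post. Sample inputs below are constructed.

# Effective value of one sshd_config keyword, read from stdin.
# sshd honours the FIRST occurrence of a keyword, so "PasswordAuthentication no"
# appended at the end of the file is ignored if an earlier line (or a file
# pulled in by Include) already set it. Prints "default" when unset.
# Match blocks are not modelled here; `sshd -T` is the authoritative dump.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }'
}

# Audit the directives the comment calls for. Reads the config on stdin and
# prints one "FAIL key=got (want x)" line per problem; prints nothing if clean.
# Usage: sshd_audit < /etc/ssh/sshd_config
sshd_audit() {
    _cfg=$(cat)
    for _pair in PasswordAuthentication:no PermitRootLogin:no \
                 KbdInteractiveAuthentication:no PubkeyAuthentication:yes; do
        _key=${_pair%%:*}; _want=${_pair##*:}
        _got=$(printf '%s\n' "$_cfg" | sshd_effective "$_key")
        # Only PubkeyAuthentication defaults to a safe value; the other three
        # default to unsafe ones, so "default" counts as a failure for them.
        if [ "$_key" = PubkeyAuthentication ] && [ "$_got" = default ]; then
            _got=yes
        fi
        [ "$_got" = "$_want" ] || echo "FAIL $_key=$_got (want $_want)"
    done
}

# Successful-login alerts from sshd log lines on stdin (syslog or journalctl
# output). Prints "LOGIN user method ip" for every accepted login, with
# "ALERT" instead of "LOGIN" for root logins and for password logins, which
# should be impossible once the audit above passes. Pipe ALERT lines to
# whatever reaches your phone.
# Usage: journalctl -u ssh -f -o cat | ssh_login_alerts   (unit may be sshd)
ssh_login_alerts() {
    awk '
        match($0, /Accepted [a-z-]+ for [^ ]+ from [^ ]+/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            method = f[2]; user = f[4]; ip = f[6]
            tag = (user == "root" || method == "password") ? "ALERT" : "LOGIN"
            print tag, user, method, ip
        }'
}

# Unexpected listeners. Record a baseline once, after setup is finished:
#   ss -Hlntu | awk '{print $1, $5}' | sort -u > /var/lib/listen-baseline
# then run this on a timer against a fresh capture. Prints every
# "proto addr:port" that is listening now but was not in the baseline.
# Usage: ss -Hlntu | awk '{print $1, $5}' | new_listeners /var/lib/listen-baseline
new_listeners() {
    _b=$(mktemp) && _c=$(mktemp) || return 1
    sort -u "$1" > "$_b"
    sort -u > "$_c"          # current set, from stdin
    comm -13 "$_b" "$_c"     # lines only in current = new since the baseline
    rm -f "$_b" "$_c"
}

# --- constructed demo input (not real config or logs) -----------------------
SAMPLE_SSHD_CONFIG='PasswordAuthentication yes
PermitRootLogin no
# a later duplicate does NOT override the first one above:
PasswordAuthentication no'

SAMPLE_AUTH_LOG='Jul 24 19:35:01 nas sshd[4321]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:x
Jul 24 19:36:10 nas sshd[4330]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 24 19:37:42 nas sshd[4340]: Accepted password for root from 203.0.113.5 port 51240 ssh2'

SAMPLE_BASELINE='tcp 0.0.0.0:22
udp 0.0.0.0:51820'
SAMPLE_CURRENT='tcp 0.0.0.0:22
tcp 0.0.0.0:4444
udp 0.0.0.0:51820'

demo() {
    echo '== sshd_audit';  printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_audit
    echo '== logins';      printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_login_alerts
    echo '== new ports';   _base=$(mktemp); printf '%s\n' "$SAMPLE_BASELINE" > "$_base"
    printf '%s\n' "$SAMPLE_CURRENT" | new_listeners "$_base"; rm -f "$_base"
}
demo
```

The audit deliberately reads the first occurrence of each keyword, because that is what sshd does; the demo config shows the classic mistake of appending `PasswordAuthentication no` below an earlier `yes`. The port diff is the cheap version of "a port started listening that you didn't expect"; the watcher itself is what the comment says to cross-monitor from a second box.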

    • Sethayy@sh.itjust.works · 15 up · 4 months ago

      I skimmed over your entire comment minus the part about Docker, so if you answered this somewhere and I’m a dumbass, I already accept fault.

      That being said, Docker has taught me more about Linux than anything else, because it’s like a micro Linux you can reliably bring up and take down on demand, without risking breaking your GUI or something scary.

        • BearOfaTime@lemm.ee · 2 up · 4 months ago (edited)

          I think there’s a lot of risk exposing your home IP with services behind it. Last time I did it, within minutes the router got slammed with requests trying to break into services. It actually impacted router performance.

          Great writeup!

  • psycho_driver@lemmy.world · 9 up · 4 months ago

    Definitely look into fail2ban. There might be something newer out there, but something like that is essential for running open WAN ports.
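
A concrete starting point for the fail2ban suggestion, as an added example (not the commenter's): a jail.local fragment with the three knobs that matter, plus the maxretry/findtime rule it applies re-implemented in awk and run over a few constructed sshd log lines in `journalctl -o short-unix` format, so you can see what the jail would ban before exposing anything. The ignoreip range, the numbers and the host names are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the original post. fail2ban for a public sshd:
# (1) the jail.local you actually need, (2) the ban rule it applies, redone
# in awk over constructed log lines so the behaviour is visible offline.

# Prints a minimal /etc/fail2ban/jail.local. Only sshd is enabled; bantime,
# findtime and maxretry are the knobs. ignoreip MUST include your own LAN/VPN
# range, or a fat-fingered password from the couch bans you out of your box
# (192.0.2.0/24 is a documentation range standing in for your LAN).
print_jail_local() {
    cat <<'EOF'
[DEFAULT]
# how long an IP stays banned / how far back to count failures / how many
bantime  = 1h
findtime = 10m
maxretry = 5
# never ban these: loopback plus your own LAN/VPN subnet
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24
# read the journal directly instead of /var/log/auth.log
backend  = systemd

[sshd]
enabled = true
# also count "Invalid user", pre-auth disconnects, etc., not just bad passwords
mode    = aggressive
EOF
}

# The rule fail2ban applies, for lines from `journalctl -u ssh -o short-unix`
# (first field = epoch seconds): ban an IP once it has MAXRETRY failures
# inside a sliding FINDTIME-second window. Prints "BAN ip epoch" and then
# forgets that IP's history (bantime expiry is not modelled).
# Usage: ban_candidates MAXRETRY FINDTIME < journal.txt
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        # only sshd failure lines that name a source address
        /sshd\[[0-9]+\]: (Failed password|Invalid user) .* from / {
            t = $1 + 0
            match($0, /from [0-9A-Fa-f.:]+/)
            ip = substr($0, RSTART + 5, RLENGTH - 5)
            n[ip]++; ts[ip, n[ip]] = t          # append this failure
            # drop failures that have fallen out of the window
            while (head[ip] < n[ip] && ts[ip, head[ip] + 1] < t - findtime)
                head[ip]++
            if (n[ip] - head[ip] >= maxretry) {
                print "BAN", ip, $1
                head[ip] = n[ip]                # reset, as a fresh ban would
            }
        }'
}

# --- constructed demo input (journalctl -o short-unix style, fake hosts) -----
SAMPLE_JOURNAL='1721849701 nas sshd[7001]: Failed password for root from 203.0.113.5 port 40001 ssh2
1721849702 nas sshd[7002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
1721849800 nas sshd[7003]: Failed password for root from 203.0.113.5 port 40003 ssh2
1721849801 nas sshd[7004]: Failed password for root from 203.0.113.5 port 40004 ssh2
1721849802 nas sshd[7005]: Failed password for root from 203.0.113.5 port 40005 ssh2
1721849803 nas sshd[7006]: Invalid user pi from 198.51.100.9 port 40006
1721849804 nas sshd[7007]: Accepted publickey for alice from 198.51.100.7 port 40007 ssh2: ED25519 SHA256:x'

# With maxretry=3 inside 60 s: the two failures at ...701/...702 have aged out
# by ...800, so the ban fires on the third failure of the second burst (...802).
printf '%s\n' "$SAMPLE_JOURNAL" | ban_candidates 3 60
print_jail_local
```

The awk is only there to make findtime concrete: the same seven lines produce a ban at a different timestamp with `ban_candidates 3 200`, and no ban at all with `ban_candidates 6 1000`, which is the trade-off you are tuning when you pick the numbers in jail.local.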

  • Decronym@lemmy.decronym.xyz [bot] · 6 up · 4 months ago (edited)

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    CGNAT           Carrier-Grade NAT
    DNS             Domain Name Service/System
    HTTP            Hypertext Transfer Protocol, the Web
    IP              Internet Protocol
    LXC             Linux Containers
    NAS             Network-Attached Storage
    NAT             Network Address Translation
    SSH             Secure Shell for remote terminal access
    VPN             Virtual Private Network
    VPS             Virtual Private Server (opposed to shared hosting)
    nginx           Popular HTTP server

    [Thread #884 for this sub, first seen 24th Jul 2024, 19:35]

  • neidu2@feddit.nl · 5 up · 4 months ago (edited)

    Depends on your approach, but only open the minimum number of ports necessary. Fail2ban is a good idea.

    Consider a strict default-deny iptables setup that also affects the output table. In case someone does get in, this will limit the damage they can do by making it part of a botnet.

    Personally, I like to isolate any exposed servers on their own VLAN, so in case of compromise it won’t affect any of the other hardware I’m running.

    Also, most routers have less strict security if the connection is coming from the inside. Make sure any access methods to your router are secure.
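
What a default deny that also covers outbound traffic looks like in practice, as an added example (not the commenter's rules): a generator for an iptables-restore ruleset that drops everything in and out except the services you name, the one resolver you give it, NTP, and HTTP/HTTPS for updates. The two arguments, the chosen ports, the logging prefixes and the rollback trick in the comments are assumptions for illustration; ip6tables needs the same treatment separately or the host stays default-allow on IPv6.

```shell
#!/bin/sh
# Added example, not from the original post: a default-deny IPv4 ruleset for
# an exposed host, in iptables-restore format, covering INPUT *and* OUTPUT.
# Usage: gen_ruleset "22/tcp 51820/udp 443/tcp" 9.9.9.9 > /etc/iptables/rules.v4
#   PORTS    = inbound services you expose, as port/proto tokens
#   RESOLVER = the only DNS server the box may talk to
# Apply it from a remote shell without locking yourself out:
#   iptables-save > /root/fw.bak
#   gen_ruleset "22/tcp 51820/udp" 9.9.9.9 | iptables-restore
#   sh -c 'sleep 120; iptables-restore < /root/fw.bak' &   # auto-rollback
#   ...open a NEW ssh session; if it works, kill the sleeper and persist.
# IPv6 is a separate table: repeat with ip6tables or you are default-allow on v6.
gen_ruleset() {
    _ports=$1; _resolver=$2
    # validate before emitting anything, so a typo cannot produce a half ruleset
    for _svc in $_ports; do
        case $_svc in
            [0-9]*/tcp|[0-9]*/udp) ;;
            *) echo "bad port/proto token: $_svc" >&2; return 1 ;;
        esac
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to flows we already allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# outbound: DNS only to the resolver you chose, NTP, and HTTP/HTTPS for updates.
# HTTPS-to-anywhere is the hole an implant phones home through; pin it to your
# package mirror's addresses if you can live with that.
-A OUTPUT -p udp -d $_resolver --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $_resolver --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    echo "# inbound: only the services you exposed"
    for _svc in $_ports; do
        printf '%s\n' "-A INPUT -p ${_svc#*/} --dport ${_svc%/*} -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# log (rate-limited) what gets dropped: a botnet client shows up as DROP-OUT
-A INPUT -m limit --limit 1/s -j LOG --log-prefix "DROP-IN: "
-A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "DROP-OUT: "
COMMIT
EOF
}

# demo: ssh plus a WireGuard listener, resolver 9.9.9.9 (all assumed values)
gen_ruleset "22/tcp 51820/udp" 9.9.9.9
```

The OUTPUT policy is the part that costs you: every new thing the box needs (a mail relay, a backup target, a package mirror on an odd port) has to be added explicitly, and the DROP-OUT log lines are how you find out. That friction is exactly what stops a compromised service from joining a botnet or pulling a second stage.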

    • BearOfaTime@lemm.ee · 2 up · 4 months ago

      Also, most routers have less strict security if the connection is coming from the inside. Make sure any access methods to your router are secure.

      Damn good point. Use the same security internally as externally.

  • MalReynolds@slrpnk.net · 3 up · 4 months ago

    So, no one’s mentioned Tailscale. If it’s just for you, or some select friends, it’s probably the least friction to get secure access to your home network. Still, gotta check your threat matrix: do you really need it, is it really worth it for that occasional, maybe hypothetical usage? Least access is best security…

  • variants@possumpat.io · 3 up / 2 down · 4 months ago

    You can use Cloudflare Tunnels, which skips having to open ports and can also proxy the connection so people can’t find your home IP address, depending on what services you’re setting up.

        • shastaxc@lemm.ee · 7 up · 4 months ago

          People don’t like centralizing the Internet in a single service. There’s nothing wrong with the product. It works great and is much more secure than opening ports in your home network. This community is just more biased toward decentralization and privacy, which is a common reason for people to start self hosting.

          I think WireGuard can allow you to set up a similar external connection with some extra steps. This would remove Cloudflare from the loop.

          • variants@possumpat.io · 1 up · 4 months ago

            Oh, got it. I use WireGuard as a VPN for services that only I need, but for things I share with multiple people I use Cloudflare Tunnel after learning about it from YouTube tutorials.

  • tritonium@midwest.social · 2 up / 2 down · 4 months ago (edited)

    Do you need to serve an actual public like a website does? If not, then you shouldn’t be exposing any fucking services except for WireGuard for you and your handful of users.

    • JackbyDev@programming.dev [OP] · 1 up · 4 months ago

      I’ve never set up a VPN. I’ve connected to them for work, sure, and I’ve dealt with port forwarding for games back in the day. Is it much trickier? Their site makes it sound pretty easy.
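
Since the last question is whether a WireGuard setup is much trickier than port forwarding: as an added example (not from anyone in the thread), the whole thing is two short config files and one forwarded UDP port. The functions below write the server side and the client side; the key strings, the hostname, the 10.8.0.0/24 tunnel subnet, the 192.168.1.0/24 home LAN and the port are placeholders, and real keys come from `wg genkey` / `wg pubkey` as shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal WireGuard setup.
# Real keys:  umask 077; wg genkey | tee server.key | wg pubkey > server.pub
#             (same per client; never share one key between devices)
# Bring up:   save as /etc/wireguard/wg0.conf, then `wg-quick up wg0` and
#             `systemctl enable wg-quick@wg0`; forward ONLY udp/51820 on the
#             router. Every other service stays closed and is reached over
#             the tunnel addresses. If the VPN box is not the box running the
#             services, also set net.ipv4.ip_forward=1 and allow FORWARD.
# All key strings in this file are PLACEHOLDERS, not valid keys.

# Server side. Args: SERVER_PRIV LISTEN_PORT, then one "NAME:CLIENT_PUB:TUNNEL_IP"
# token per client.
wg_server_conf() {
    _priv=$1; _port=$2; shift 2
    printf '[Interface]\nAddress = 10.8.0.1/24\nListenPort = %s\nPrivateKey = %s\n' \
        "$_port" "$_priv"
    for _peer in "$@"; do
        _name=${_peer%%:*}; _rest=${_peer#*:}; _pub=${_rest%%:*}; _ip=${_rest##*:}
        # AllowedIPs on the server is both route and ACL: this peer may only
        # send from its own tunnel address, so a stolen laptop key cannot
        # impersonate another client's address.
        printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$_name" "$_pub" "$_ip"
    done
}

# Client side. Args: CLIENT_PRIV TUNNEL_IP SERVER_PUB SERVER_ENDPOINT [split|full]
#   split = only the tunnel subnet and the home LAN go through the VPN (default)
#   full  = all traffic goes home (use on hostile wifi); DNS then points at the
#           server, which assumes a resolver listens on 10.8.0.1
wg_client_conf() {
    _priv=$1; _ip=$2; _spub=$3; _endpoint=$4; _mode=${5:-split}
    case $_mode in
        full)  _allowed='0.0.0.0/0, ::/0' ;;
        split) _allowed='10.8.0.0/24, 192.168.1.0/24' ;;
        *) echo "mode must be split or full" >&2; return 1 ;;
    esac
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n' "$_ip" "$_priv"
    if [ "$_mode" = full ]; then
        printf 'DNS = 10.8.0.1\n'
    fi
    # PersistentKeepalive keeps the NAT mapping open so the server can reach a
    # client sitting behind CGNAT or a phone hotspot.
    printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$_spub" "$_endpoint" "$_allowed"
}

# --- demo with placeholder keys (constructed) --------------------------------
wg_server_conf SERVER_PRIVATE_KEY_PLACEHOLDER 51820 \
    laptop:LAPTOP_PUBLIC_KEY_PLACEHOLDER:10.8.0.2 \
    phone:PHONE_PUBLIC_KEY_PLACEHOLDER:10.8.0.3
echo
wg_client_conf LAPTOP_PRIVATE_KEY_PLACEHOLDER 10.8.0.2 SERVER_PUBLIC_KEY_PLACEHOLDER \
    home.example.net:51820 full
```

Compared with forwarding a game port, the only new concepts are the key pair per device and AllowedIPs. Everything the earlier comments argue about (strong auth, one exposed port, nothing else reachable) falls out of that: a packet that is not signed by a listed peer key is silently dropped, so a scanner hitting udp/51820 sees nothing at all.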