As the title says, I want to know the most paranoid security measures you’ve implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I’m wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

  • easeKItMAn@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    I’m somewhat paranoid therefore running several isolated servers. And it’s still not bulletproof and will never be!

    • only the isolated server, ie. no internet access, can fetch data from the other servers but not vice versa.
    • SSH access key based only
    • Firewall dropping all but non-standard ports on dedicated subnets
    • Fail2ban drops after 2 attempts
    • Password length min 24 characters, 2FA, password rotation every 6 months
    • Guest network for friends, can’t access any internal subnet
    • Reverse proxy (https;443 port only)
    • Any service is accessed by a non-privileged user
    • Isolated docker services/databases and dedicated docker networks
    • every drive + system Luks-encrypted w/ passphrase only
    • Dedicated server for home automation only
    • Dedicated server for docker services and reverse proxy only
    • Isolated data/backup server sharing data to a tv box and audio system without network access via nfs
    • Offsite data/backup server via SSH tunnel hosted by a friend
    • MigratingtoLemmy@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      Would you have to compromise on your security according to your threat model if you ran VMs rather than dedicated devices? I’m no security engineer and I don’t know if KVM/QEMU can fit everyones needs, but AWS uses XCP-ng, and unless they’re using a custom version of it, all changes are pushed upstream. I’d definitely trust AWS’ underlying virtualisation layer for my VMs, but I wonder if I should go with XCP or KVM or bhyve.

      This is my personal opinion, but podman’s networking seems less difficult to understand than Docker. Docker was a pain the first time I was reading about the networking in it.

      Really like your setup. Do you have any plans to make it more private/secure?

      • easeKItMAn@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        9 months ago

        I used VMs some time ago but never managed to look deeper into separation of bare metal vs VMs. Hence I can’t assess this reasonably.
        Docker got me interested when it started and after discovering its networking capabilities I never looked back.
        Basically I’m trying to minimize the possibility that by intercepting one dockerized service the attacker is able to start interacting with all devices. And I have lots of devices because of a fully automated house. ;) My paranoia will ensure the constant growth of privacy and security :)