How much do you secure a home server that's only accessible with VPN?
from jello@programming.dev to selfhosted@lemmy.world on 05 Jul 22:40
https://programming.dev/post/53068238
from jello@programming.dev to selfhosted@lemmy.world on 05 Jul 22:40
https://programming.dev/post/53068238
I have a VPS that I secure as much as possible since the IP is public, but does a wireguard-access-only homelab warrant the same efforts? Those with homelabs like this, what do you do?
#selfhosted
threaded - newest
i duct-tape a 22 to the side of the server with the trigger trip-wired to the wan port.
your move, iptables
No salt circle to prevent hostile spirits from possessing it? No anti-seabear circle? Talk about amateur hour.
And while YOU were worrying about the seabear, you foolishly forgot your anti sea rhinoceros undergarments?!?!
I use pangolin and traefik together and expose a few of my services that way. But not everything.
I slot services into categories based on:
Then the service is either not externally open at all, secured behind pangolin SSO, or secured behind pangolin SSO AND that service’s native auth. Which is an annoying double auth, but I feel like it’s another layer of protection in case one of them gets a 0-day exploit.
Yes, I do lock it down. It’s still worth securing it because “internal servers” can still get exposed and touched, even though there are less paths to them, and it’s not as punishing to slip up vs a public server. For example, One of the wireguard client devices downloads a virus, and now you have a cyberattacker with access.
Another problem is supply chain issues. If the distributor of a docker container is hacked, it’s not that bad… as long as your kernel is up to date and is protected against some of the recent vulns, that would enable someone to break out of a docker container
Blajah.zone’s lemmy instance was hacked partially becuase internal servers weren’t being held to the same security standards as the public ones:
pen.blahaj.zone/supakaity/weve-been-hacked
I have a comment on that post with some potential solutions, that would have cut off attack paths.
Though, I guess, it still does depend. Like if it’s just gonna you wireguarding in and no one else, then the data on your devices is probably worth more than the data on the server, so no, it wouldn’t be worth spending too much effort to secure less valuable data.
But if you are handing out internal access to people, including to some relative who keeps falling for scammers, then yeah, I’d take some time to harden the systems.
My home servers have generally a lot smaller attack surface, as only a few ports are actually routed to them, so in theoey I could get away with a more relaxed approach. But I’m also a big believer in defense-in-depth, so I follow the same rules of thumb:
You should consider the VPN as a part of the protection (and also as a part of an attack vector).
I run a weekly vuln scan against my ip ranges. If anything comes up I deal with it.
Could you provide some more information on how you perform a vuln scan, or what services/softwares you use to perform the scan?
I use tenable but i get it from work for free. You could use Nessus.
Tenable owns Nessus. But they have a free tier.
The FOSS equivalent is Greenbone OpenVAS: greenbone.github.io/docs/latest/
If it’s just wireguard on a nonstandard port, then you are pretty much done. It’s UDP and won’t reply to incorrectly signed packets so it’s essentially invisible.
Putting it on a non standard port will change nothing
It is going to make fingerprinting more annoying while evading default port scans. That isnt nothing but you do you boo
Security through obscurity is not sufficient. It’s also not nothing.
Wireguard doesn’t respond to port scans so it changes nothing
Assume a security researcher finds a bug in wireguard that, if sent a malformed packet, it can crash the service. Then it would be trivialy easy to send that packet to the default port on every IP address and just crash everything for fun.
It costs me nothing to increment the port by 1 and avoid all that drama.
VPS bad!
Can’t put your rings of garlic around it.
After installing tailscale with my Headscale server, I just left it as is. Maybe people in the comments can chime in but if you expose only your VPN server or broker (Headscale), you kinda narrowed down your attack vectors and a VPN itself is really solid. From my basic knowledge, it’s the server and client which are the bottleneck at that point, but there’s only so much you can do and if you continuously update both and maybe stay on stable / ltsc branches, you kinda did everything.
I guess there’s something to say about the encryption algorithms used. What I remember from back in the day is everything elliptic curves that’s common is quite good so if you see “ECDSA” / “ECDH” you should be fine. RSA unfortunately is not that great anymore.
I have my home server behind a wireguard vpn access.
While I am no security expert, or precisely because of that, I still try to follow security best practices for the internal setup if I can.
Of course you propably do not have to be as vigilant as if your services were publicly exposed. But I believe it is still a good idea to have some “defence in depth” and not assume only one possible attack vector, e.g. what if there already is a bad actor on your home network maybe via a trusted device that has some virus. Also a plus is i guss if you ever decide to expose something later on you wont have as many issues.
I have a hammer hanging above the hard drive on a string, and every time I want to access it, I have to convince an AI it’s really me. If doubt level rises above 20%, the hammer drops.