What are the most paranoid network/OS security measures you've implemented in your homelab?

Nice try, attacker trying to get me to do their reconnaissance work for them. I'm on to you.

Logcheck. It took ages to make sure innocent logs are ignored, but now I get an email as soon as anything non-routine happens on my servers. I get emails with logs from every update, every time I log in, etc. This has given me the most confidence that nothing unexpected is happening on my servers. Of course, one needs to make sure that the firewall is configured well, and that you use ssh keys etc., but logcheck is how I know I'm doing enough.

Never used it "in anger" but:

I have my firewall plugged into a metered outlet (plugged into a UPS). I have it set up to send me alerts if power draw increases beyond a certain threshold. I've tested it and wireguard is measurable (yay) but so are DDOS attacks. If I get that alert, I can choose to turn off that plug and take my whole network offline until I get home and can sort that out.

Gotten a few false positives over the years but mostly that is just texting my partner to ask what they are doing.

My most paranoid config is disabling Ipv4

That's it. If someone wants to attack me, they will need to adopt IPv6!

I've replaced reconnaissance commands (a handful of them found here: https://www.cybrary.it/blog/linux-commands-used-attackers) -- whoami, uname, id, uptime, last, etc

With shell scripts which run the command but also send me a notification via pushover. I'm running several internet-facing services, and the moment those get run because someone is doing some sleuthing inside the machine, I get notified.

It doesn't stop people getting in, I've set up other things for that -- but on the off chance that there is some zero-day that I don't know about yet, or they've traversed the network laterally somehow, the moment they run one of those commands, I know to kill-switch the entire thing.

The thing is, security is an on-going process. Leave any computer attached to the internet long enough and it'll be gotten into. I don't trust being able to know every method that can be used, so I use this as a backup.

My security is fairly simplistic but I'm happy with it

software protection
- fail2ban with low warning hold
- cert based login for ssh (no password Auth)
- Honeypot on all common port numbers, which if pinged leads to a permanent IP ban
- drop all firewall
- PSAD for intrusion/scanning protection (so many Russian scanners... lol)
- wireguard for VPN to access local virtual machines and resources
- external VPN with nordVPN for secure containers (yes I know nord is questionable I plan to swap when my sub runs out)
physical protection
- luksCrypt on the sensitive Data/program Drive ( I know there's some security concerns with luksCrypt bite me)
- grub and bios locked with password
- UPS set to auto notify on power outage
- router with keep alive warning system that pings my phone if the lab goes offline and provides fallback dns
things I've thought about:
- a mock recovery partition entry that will nuke the Luks headers on entry (to prevent potential exploit getting through grub)
- removing super user access completely outside of local user access

Really all I do is setup fail2ban on my very few external services, and then put all other access behind wireguard.

Logs are clean, I'm happy.

Only remote access by wireguard and ssh on non standard port with key based access.

Fail2ban bans after 1 attempt for a year. Tweaked the logs to ban on more strict patterns

Logs are encrypted and mailed off site daily

System updates over tor connecting to onion repos.

Nginx only has one exposed port 443 that is accessible by wireguard or lan. Certs are signed by letsencrypt. Paths are ip white listed to various lan or wireguard ips.

Only allow one program with sudo access requiring a password. Every other privelaged action requires switching to root user.

I dont allow devices I dont admin on the network so they go on their own subnet. This is guests phones and their windows laptops.

Linux only on the main network.

I also make sure to backup often.

How do you all that have your services on your LAN accessing it over wireguard when external pass the wife/kids/family test? If I had to have my wife activate a VPN before she could access our nextcloud or bitwarden, she'd just never use it

I understand some of these words.

Using SPA firewall knocking (fwknop) to open ports to ssh in. I suppose if I was really paranoid, the most secure would be an air gap, but there's only so much convenience I'll give up for security.

I'm not super paranoid about security, but I do try to have a few good practices to make sure that it takes more than a bot scanning for /admin.php to find a way in.

Anything with SSH access uses key-based auth with password auth disabled. First thing I do when spinning up a new machine
Almost nothing is exposed directly to the Internet. I have wireguard set up on all my devices for remote access and also for extra security on public networks
Anyone who comes to visit gets put on the "guest" network, which is a separate subnet that can't see or talk to anything on the main network
For any service that supports creating multiple logins, I make sure I have a separate admin user with elevated permissions, and then create a non-privileged user that I sign in on other devices with
Every web-based service is only accessible with a FQDN which auto-redirects to HTTPS and has an actual certificate signed by a trusted CA. This is probably the most "paranoid" thing I do, because of the aforementioned not being accessible on the Internet, but it makes me happy to see the little lock symbol on my browser without having to fiddle around with trusting a self-signed cert.

Custom Router/Firewall running OPNsense and the Sensei plugin
Extensive DNS filtering through Pihole
Redirecting all DNS requests to my Pihole through OPNsense
My entire network is behind a multi hop VPN
I don't let any Windows systems connect to the internet, instead, I have a Linux server which is connected to the internet (through a VPN of course) and runs a browser, and I use X2go to access the browser which is running on the Linux server

I'm an enterprise guy, so that's the explanation for non home use things.

VPN for anything not my web or certificate revocation distribution point
Sophos IPS
sophos utm for web application firewall
transparent inline web proxy, sophos is doing https inspection. I have internal CA and all clients trust it. I don't inspect medical or banking, other common sense stuff.
heavily vlan segmented with firewall between
my windows clients are managed by active directory with heavy handed GPOs.
least priv accounts, different accounts for workstation admin, server, domain, network devices
security Onion IDS
separate red forest that has admin accounts for my management access and accounts on devices
trellix antivirus and global reputation based file monitoring
I've started applying disa STIGs on servers
site to site VPN with other family member household. They get managed trellix av also.
my public identity accounts like MS,.Google, etc all need 2fa, token, etc.

I bet this can still get exploited, just would take effort hopefully none does for a home network.

I'm still one shitty windows zero day click away from getting my workstation or browser tokens owned though, I can feel it.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
AP	WiFi Access Point
CA	(SSL) Certificate Authority
DNS	Domain Name Service/System
Git	Popular version control system, primarily for code
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
NAT	Network Address Translation
PiHole	Network-wide ad-blocker (DNS sinkhole)
SBC	Single-Board Computer
SSH	Secure Shell for remote terminal access
SSL	Secure Sockets Layer, for transparent encryption
TLS	Transport Layer Security, supersedes SSL
VPN	Virtual Private Network
nginx	Popular HTTP server

15 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.

[Thread #493 for this sub, first seen 6th Feb 2024, 16:55] [FAQ] [Full list] [Contact] [Source code]

I've got systems that can detect suspicious activities in the net, which result in a shutdown of the router. And not like "could you please shut down" but a hard power off type of shutdown.

Notifications on system file access

Notifications on root login/sudo

Declarative OS, tmpfs root, disabled sudo

Bastion server, but right now I don't have a proper router to do it at home

Yubikey, or a separate phone on Graphene OS for otp, keys, etc

Authelia + fascist fail2ban (or some CSF)

Most of these are pretty normal, but usually you don't do them all at once 😄 also, I don't really like hiding my services from the open internet, authelia is fine tuned to let people only access what they are supposed to. And regular users of my server usually don't notice that I even have it

After reading this thread I'm apparently not paranoid enough.

Internet facing services are on their own firewalled vlan (dmz), behind a rev proxy, and I have crowdsec running on the proxy and router.

Anything that can get away with putting up on a vps I have (e.g. this Lemmy server). But some things have storage/compute requirements I'm not willing to shell out for.

full disk encryption on everything except the router (no point in encrypting the router)
- the server doesn't have a display connected for obvious reasons, so I'm manually unlocking it via ssh on each boot
  - obviously, the SSH keys are different, so the server has a different IP in initrd. That said, I still don't have any protection against malicious modification of initrd or UEFI
the server scans all new SSL certificates in realtime using certspotter and notifies me of any new certificates issued for my domains that it doesn't know about (I use Cloudflare so it triggers relatively often, but I still do checks on who the issuer is)
firewall blocks outgoing 25 so nobody can impersonate my mailserver

Neat post and great comments. Saved. Thanks. :)

My personal setup includes:

non web facing homeserver for the juicy stuff
vps with stuff I‘d barely miss if it was gone
far too many backups
automatic cleanup of backups so my hdds dont fill up
fail2ban listening on every log, even docker containers with permaban enabled
scripts are root 700 and so on

I‘m aware that stuff might go horribly wrong but so far it hasnt.

NAT 🥴

Following for my own edification!

Air gapping? I keep a offline backup just in case.

I’m somewhat paranoid therefore running several isolated servers. And it’s still not bulletproof and will never be!

only the isolated server, ie. no internet access, can fetch data from the other servers but not vice versa.
SSH access key based only
Firewall dropping all but non-standard ports on dedicated subnets
Fail2ban drops after 2 attempts
Password length min 24 characters, 2FA, password rotation every 6 months
Guest network for friends, can’t access any internal subnet
Reverse proxy (https;443 port only)
Any service is accessed by a non-privileged user
Isolated docker services/databases and dedicated docker networks
every drive + system Luks-encrypted w/ passphrase only
Dedicated server for home automation only
Dedicated server for docker services and reverse proxy only
Isolated data/backup server sharing data to a tv box and audio system without network access via nfs
Offsite data/backup server via SSH tunnel hosted by a friend

I used to have all VMs in my QEMU/KVM server on their own /30 routed network to prevent spoofing. It essentially guaranteed that a compromised VM couldn’t give itself the IP of say, my web server and start collecting login creds. Managing the IP space got painful quick.

For about a year I was running a full out of band IPS on my network. My core switch was set up with port mirroring to spit out a copy of all traffic on one port so that my Suricata server could analyze it. Then, this was fed into ElasticSearch and a bunch of big data crap looked for anomalies.

It was cool. Basically useless because all it did was complain about the same IP crawler bots as my nginx logs. But fun to setup and ultimately good for my career lol.

I have Nginx Proxy Manager set up to let me access services running HTTP on other ports on the machine with a local network only access list just so my traffic even in my own network will use TLS. The likelihood that anyone is sniffing traffic on my own network is extremely small, but I’m paranoid. (Can’t let anyone see that I’m running Ubuntu Server. How embarrassing.)

npftables blocks all incoming except a particular set of ips. any connections from those ips hit pubkey authentication.

I've never had a problem

I am clearly not paranoid enough. For a while I was running an open source router inline between the network AP and the fiber to Ethernet box and running nids but the goddamn thing kept crapping out every few days so i took it back out until I can find a more stable solution.

I have plans if I can ever get around to it. I want the smart TV, printer and other shitty things on a separate network from the more trusted devices. I don't know how yet but I would like to set up 802.1X for the trusted stuff.

Mine's pretty simple, I have a "don't open ports until ABSOLUTELY NECESSARY" policy, wireguard works well enough for everything else I need to access remotely. I also keep SSH disabled on any machine that has direct access to the internet.

Tinyssh in a ssh user, su from there. I see privilege management in openssh as potential vulneranility.

One day I will setup my security onion, but I'm procrastinating