Cloudflare, and whitelist CF IPs; they publish a file.
This is ofc to redirect the traffic to the services that are on the cloud.
And those services reside on a separate VLAN and have their own reverse proxy on their own VM/docker, whatever.
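Added example for the allowlisting described in the comment above; it is not the commenter's code. It parses lists in the one-CIDR-per-line shape Cloudflare publishes, decides whether a peer address is inside them, and renders the nginx `allow`/`set_real_ip_from` fragment a reverse proxy would need. The CIDR ranges embedded here are constructed placeholders, not Cloudflare's real ranges.

```python
"""Allowlist check for a reverse proxy that should only accept traffic
relayed by Cloudflare.

Added example; not from the thread.  The CIDRs below are CONSTRUCTED
stand-ins for the two published files (IPv4 list, IPv6 list, one CIDR per
line).  Replace them with the lists you fetched yourself.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data in the published format (documentation ranges).
CF_IPS_V4 = """\
198.51.100.0/24
203.0.113.0/26
"""
CF_IPS_V6 = """\
2001:db8:cf::/48
"""


def parse_cidr_list(text: str) -> List[Network]:
    """Parse a one-CIDR-per-line list, skipping blank lines and '#' comments."""
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates a range written with host bits set.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_allowed(src: str, allow: Iterable[Network]) -> bool:
    """True only when the peer address lies inside one of the allowed ranges.
    Anything unparseable is denied rather than raising."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allow)


def nginx_rules(allow: Iterable[Network]) -> str:
    """Render an nginx fragment: trust the CF-Connecting-IP header only from
    these peers, accept connections only from them, deny everything else."""
    nets = list(allow)
    lines = [f"set_real_ip_from {n};" for n in nets]
    lines.append("real_ip_header CF-Connecting-IP;")
    lines += [f"allow {n};" for n in nets]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    allow = parse_cidr_list(CF_IPS_V4) + parse_cidr_list(CF_IPS_V6)
    for peer in ("198.51.100.77", "192.0.2.10", "2001:db8:cf:1::5", "bogus"):
        print(f"{peer:>18} -> {'allow' if is_allowed(peer, allow) else 'deny'}")
    print(nginx_rules(allow))
```

The order of the rendered fragment matters: `set_real_ip_from` must list the relay ranges before `real_ip_header` is honoured, otherwise a direct connection could forge the client address by sending its own `CF-Connecting-IP` header.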
Tailscale, expose nothing to the wider web if not actually needed.
I just host a bunch of worthless stuff that no one wants.
Set up a VPN and disable SSH access from outside the network.
Disable root login covers 99.9999 percent of it, as long as your box has only one or two obscure login accounts.
If it's a Debian system, "Create user with sudo privileges" and "Disable root login" can be done during initial setup. Just leave the root password blank and it'll disable the root user and grant sudo permission to the regular user you create.
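The two comments above both come down to what `sshd_config` ends up enforcing. As an added example (not from anyone in the thread), the following audits a config for the settings they mention: root login disabled and password logins off in favour of keys. It models the sshd rules that matter for such a check: keywords are case-insensitive, the first value set for a keyword wins, and anything after the first `Match` line is conditional, so it is not counted as the global value. The sample config is constructed.

```python
"""Audit an sshd_config for root-login and password-authentication settings.

Added example, not the commenters' code.  Modelled sshd behaviour: keywords
are case-insensitive, the FIRST occurrence of a keyword is the effective
one, and settings after the first 'Match' line are conditional and skipped.
Only lines that START with '#' are treated as comments.
"""
import re
from typing import Dict, List

# Values OpenSSH (7.0 and later) applies when the keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}

# Hardened target: no root login at all, key-based logins only.
WANT = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}

# Constructed sample: root login left on, password auth only commented out,
# and a later duplicate PermitRootLogin that sshd would ignore.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of each keyword (lower-cased)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts 'Keyword value' and 'Keyword=value'.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional
        if len(parts) < 2 or key in effective:
            continue  # malformed line, or first value already set
        effective[key] = parts[1].strip().lower()
    return effective


def audit(text: str) -> List[str]:
    """List every checked keyword whose effective value differs from WANT,
    noting whether that value was set explicitly or came from the default."""
    effective = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in WANT.items():
        have = effective.get(key, DEFAULTS[key])
        if have != want:
            source = "set" if key in effective else "default"
            findings.append(f"{key}: {have} ({source}); want {want}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG) or ["ok"]:
        print(finding)
```

Feeding the live file through `audit(open("/etc/ssh/sshd_config").read())` catches the common mistake in the sample: commenting out a line does not turn the setting off, it reverts it to the default, which for password authentication is `yes`.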
Create a separate management VLAN and use it for all your infra (web UIs of all your networking hardware, Proxmox, SSH for servers, etc).
For unattended upgrades, ensure the auto-updaters are properly configured so they're used ONLY for bug and security fixes, not for minor or major releases! Debian unattended-upgrades has good settings out-of-the-box, but you may want to add any custom repos you're using. Make sure you have an email relay server configured in the Exim config, as it uses apt-listchanges to email the changelogs to you.
But above all, press the power button to turn it off and then never turn it on again. 100% unhackable.
Anything that faces the internet I have on a separate VLAN. Each system on that VLAN is treated as if it were facing the internet directly; that way, if one of them gets compromised, the hacker will not get far trying to get into any other machines.
Rest of my network is a little more tame just for ease of access since it's only me on here.
Although at some point I do want to revisit my security protocol even locally, just in case. Hitting some kind of drive-by trojan script or something within the browser is always a possibility; it could work in reverse, where it connects to an external server and then accesses the rest of the network that way. I'm not aware of such trojans, but I'm sure it's possible.
I do block all outbound ports except for base internet ports but a properly written malicious script would probably take that into account and use a common port like 443.
At some point I might set up a honeypot. Just need to name the VM "cryptowallet" or something like that and it would be a very fast target. If access to it is detected, it would alert me and shut off the internet.
OPNsense firewall at perimeter... and that's about it. Chances of anything getting in with no exposed ports are pretty slim, so I don't really bother with anything more.
For SSH-exposed servers/VPS I do change the port, though. Cuts down log noise & maybe dodges the odd portscanner or two.
I know this is a feature in Unifi, but disabling access from countries with known bot farms (China, India), etc.
Unless you need access to them.
With a leash. She is very hyper.
Hopes and prayers
Non standard ports.
Ssh keys.
Web certificates.
Do not discount physical security, lock the doors to your house and get an enclosed rack that you can lock
You have a good list to start with. Consider adding sshguard or fail2ban in the short term and CrowdSec in the long term. Also use Lynis on Unix systems and PingCastle on AD systems and see what suggestions those make. Just a few suggestions off the top of my head.
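What sshguard and fail2ban do for SSH is, at its core, a sliding-window count of failed logins per source address. As an added example (not from the commenter or from either project), the following runs that logic over constructed `auth.log` lines: it parses sshd `Failed password` records, keeps a per-IP window of recent failures, and reports an address once it exceeds `maxretry` failures within `findtime` seconds, which is the point where fail2ban would hand the address to the firewall. The log lines, hostnames and addresses are constructed; the syslog timestamps carry no year, so a fixed year is assumed for the arithmetic.

```python
"""fail2ban-style brute-force detection over sshd auth log lines.

Added example, not from the thread or from fail2ban.  Reports each source
IP the first time it reaches `maxretry` failed logins within `findtime`
seconds.  Sample log is CONSTRUCTED; classic syslog timestamps lack a year,
so one is assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict

# sshd failure lines in traditional syslog format; successes do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample: one address hammering five accounts in six seconds,
# one user failing occasionally over two hours, one legitimate key login.
SAMPLE_LOG = """\
Jan 12 10:00:01 lab sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan 12 10:00:03 lab sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Jan 12 10:00:04 lab sshd[1003]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Jan 12 10:00:05 lab sshd[1004]: Failed password for root from 203.0.113.5 port 50130 ssh2
Jan 12 10:00:06 lab sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 50131 ssh2
Jan 12 10:00:07 lab sshd[1006]: Failed password for invalid user oracle from 203.0.113.5 port 50133 ssh2
Jan 12 10:00:09 lab sshd[1007]: Failed password for bob from 192.0.2.20 port 52000 ssh2
Jan 12 10:30:00 lab sshd[1008]: Failed password for bob from 192.0.2.20 port 52001 ssh2
Jan 12 11:00:00 lab sshd[1009]: Failed password for bob from 192.0.2.20 port 52002 ssh2
Jan 12 11:30:00 lab sshd[1010]: Failed password for bob from 192.0.2.20 port 52003 ssh2
Jan 12 12:00:00 lab sshd[1011]: Failed password for bob from 192.0.2.20 port 52004 ssh2
"""


def find_brute_force(log_text: str, maxretry: int = 5, findtime: int = 600,
                     year: int = 2024) -> Dict[str, datetime]:
    """Return {ip: time_threshold_reached} for every source address that
    accumulates `maxretry` failures inside any `findtime`-second window."""
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed password event
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        ip = m["ip"]
        if ip in flagged:
            continue  # already reported; a real ban would drop traffic here
        recent = window[ip]
        recent.append(ts)
        # Drop failures that have aged out of the window.
        while recent and (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxretry:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
```

With the defaults (5 failures in 10 minutes) only the scanning address is reported; the user who mistypes a password every half hour never has more than one failure inside the window. Tightening `maxretry` or widening `findtime` trades that tolerance for faster reaction, which is exactly the tuning the fail2ban jail settings expose.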
Change all root usernames and passwords to “toor”
Who is going to guess that? Not me.
I hid the server under my desk. They'll never find it there!
My homelab is in my garage - the storage array is the only thing I care about not losing, so I'm using ZFS encryption and Clevis + tang, so it needs to be on the home network and able to contact the server to get the decryption keys.
On the hardware side of the story:
Don't forget to update all your firmware and BIOS for possible vital penetrations.
Disable all incoming, use cloudflare tunnel
It's not visible from the internet at all, that's about it
Not forwarding ports. I use Tailscale Funnel.
Lock and key
Filter incoming traffic from countries with malicious attacks :)
Don't expose unnecessary things to the internet, keep any client PCs patched, use some sort of malware protection ... and that's all you need to do.
All these VLANs and such are just overkill unless you're actively exposing things to the internet. They wind up breaking really useful stuff, especially stuff that relies on multicast.
Besides, that Chinese IoT device can't get hacked if it's not open to the 'net in the first place.
My home lab and production network are separated by a firewall.
I have backups and plans to rebuild my lab, I actually do it regularly.
My labs do risky things, I get comfortable with those things before doing it in production.
From the internet side, I lock down SSH or administrative stuff to the local network and specific IPs, like work. Inside my network, everything has a password to access, no defaults. VLANs for specific-use servers, etc.
I use practical security measures that match my level of exposure and don't severely limit my convenience.
If your lab isn't exposed directly to the internet, at the very least update your servers from time to time and use a strong root (admin users as well) password. That's more than enough.
If your lab is exposed, the same applies but update more often. Use SSH keys.
Don't go overboard - the majority of security incidents are from lack of basic security.
I see a lot of stuff but not a single item about securing your homelab.
Deny outside access to the core management interfaces. Ne'er-do-wells from the .cn domain trying to hack my router can fuck right off.