Self-Hosting Security Guide for your HomeLab

Reddit Comments

Wow! Stumbled on this share! Thank you so much for the warm reception!

πŸ‘οΈŽ︎ 75 πŸ‘€οΈŽ︎ u/Techno-Tim πŸ“…οΈŽ︎ Jan 30 2022 πŸ—«︎ replies

I hide behind Wireguard, and I'm proud of it.

πŸ‘οΈŽ︎ 71 πŸ‘€οΈŽ︎ u/[deleted] πŸ“…οΈŽ︎ Jan 29 2022 πŸ—«︎ replies

Really like that he pointed out hiding behind Cloudflare and locking down your firewall to only Cloudflare. You can take it a step further and use Cloudflare Teams for access control. It's free.

πŸ‘οΈŽ︎ 11 πŸ‘€οΈŽ︎ u/[deleted] πŸ“…οΈŽ︎ Jan 30 2022 πŸ—«︎ replies

Reminds... me of William... Shatner. Great video, loved the icons.

πŸ‘οΈŽ︎ 3 πŸ‘€οΈŽ︎ u/ToKyNET πŸ“…οΈŽ︎ Jan 30 2022 πŸ—«︎ replies

Great guy, I watched and learned a lot from him during self hosting.

πŸ‘οΈŽ︎ 10 πŸ‘€οΈŽ︎ u/Potential_Anything70 πŸ“…οΈŽ︎ Jan 29 2022 πŸ—«︎ replies

Thanks Tim, just picked up my free SSD :)

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/Rorixrebel πŸ“…οΈŽ︎ Jan 30 2022 πŸ—«︎ replies

Well done! This video lays it out great!

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/muchTasty πŸ“…οΈŽ︎ Jan 30 2022 πŸ—«︎ replies

Was a good video, should be a mandatory watch for new members ;)

πŸ‘οΈŽ︎ 3 πŸ‘€οΈŽ︎ u/Absolute_Sausage πŸ“…οΈŽ︎ Jan 29 2022 πŸ—«︎ replies

Remindme! 2 days

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/vkapadia πŸ“…οΈŽ︎ Jan 29 2022 πŸ—«︎ replies
Captions
When most people think about self-hosting services in their home lab, they often focus on, and only think about, the last mile. By last mile I mean the last hop before a user accesses your services. This last hop, whether it's using certificates or a reverse proxy, is incredibly important, but it's also important to know that security starts at the foundation of your home lab. Take for instance this diagram. This most likely makes up most things in your home lab, and whether that be physical or virtual, you'll find that you have most of these components. But what if I told you your home lab should look like this? That might seem incredibly complicated, but it's much easier than you think. Today we're going to discuss some great practices in architecture for self-hosting services within your home. We'll dive into individual systems, hardware and configuration, application hosting considerations, network configuration and segmentation, reverse proxies, certificates and two-factor auth, firewall configuration, internet security settings, and we'll even lean into external protection from a provider like Cloudflare. This will cover everything from the last mile all the way down to the hardware.

And speaking of hardware, if you're looking for great deals on hardware, you should look no further than our sponsor, Micro Center. If you're a huge nerd like me, one of the best places to shop for all your technology needs is Micro Center. Nothing beats walking into a store and feeling right at home, and that's how I feel the minute I walk into a Micro Center store, each and every time. They have the best deals on gear for gamers, streamers, custom build PCs with performance and budget options, keyboards and accessories, desktops and laptops, and much, much more. Whether you're looking to build your own dream system, networking and storage, pre-built desktops or laptops, home security and home automation, DIY and tech hobbies, even printers and televisions, or just some help from any of their experts (they really do know what they're talking about), Micro Center should be your destination. Also, Micro Center has been generous enough to give a free SSD to all new customers, and it's available in store only, so see the link in the description. So be sure to visit your local Micro Center store today, and if you can't make it in, be sure to check them out on the web. Oh, and tell them Techno Tim sent you. They'll have no idea who you're talking about.

So what's the best way of protecting yourself while self-hosting? Don't. Just don't do it. Seriously, you don't have to do it. Exposing yourself to the internet also exposes yourself to risks, and the easiest way to mitigate that is to just not do it at all. I know that's not why you're here or what you want to hear, so let's move on to the next best step. Also keep in mind that I'm not a security professional; I'm just some random person on the internet giving you advice.

Exposing your services through a self-hosted VPN is probably the next best way of exposing your services without doing it publicly. This will create a secure tunnel from the outside of your network to the inside of your network. From there you can create firewall rules and limit what the VPN can access. This is a quick win and a secure way of exposing your services, but only the people with VPN access will be able to access them.

So you've made it this far and you decided you still want to expose some services publicly, so let's talk about public options. This first option kind of falls into the "don't host it at home" option, which is to host it in a public cloud. Hosting it in a public cloud still has its own set of concerns, but it does mitigate a lot of the risk of hosting it at home. That's because if that machine gets compromised, they haven't compromised a machine on your local network; they've compromised a machine in the public cloud. But again, that's not why we're here today. We're here to self-host services on our own network. But for those who want to expose some services directly from their home, this is where the fun begins.

And again, most people think of the last mile when self-hosting services. It's this path right here. But security starts at a much deeper level, so rather than focus on this last hop right here, we're going to zoom in and focus on the server that's running your services. You typically don't think of the hardware when you're hosting applications in the cloud; you really don't have to. But since we're hosting in our own personal cloud, we do need to consider this. The biggest takeaway here is to be sure that the hardware that your application is running on is patched with the latest firmware. This includes firmware for the server itself, firmware for devices like the motherboard, hard drives, network adapters, and any other device that's physically connected to the server. This also includes any firmware for any router or network device in your environment, but we'll get into configuration here in a little bit.

Next, we need to decide if we're going to virtualize our operating system or just run it bare metal. Really, there is no wrong answer here; it really depends on how you want to manage your infrastructure. The key takeaway here is to make sure that your hypervisor is actively maintained, up to date, and fully patched. There are some networking considerations here, but we'll cover that in the networking section, since virtualized networks and physical networks have a lot of the same concerns.

Next is making sure you choose a secure operating system that your applications will run on. Now this is a big topic for debate, so we aren't going to go into which ones are more secure, but you have choices like Windows Embedded and many flavors of Linux. Here are the takeaways: you'll want to use one that's still supported and not end of life. You'll want to patch all of these regularly and work it into your maintenance schedule. You'll also want to use the principle of least privilege, meaning giving the minimum level of access to any user on this system. You also want to be sure you don't run anything as root or admin. You also want to restrict who has access to these machines, and try not to install additional services on these machines. It's also a good idea, if you can, to use an application firewall. And at the end of the day, the OS should be purposely built and maintained.

If you're running containers, you'll have much of the same concerns as you do with an operating system, however at a much smaller scale. You'll first want to make sure that your containerization engine is up to date, whether that be Docker, containerd, Podman, or any other. You want to be sure that this service is patched and up to date. Also, I recommend using containers from official sources. This can be a challenge, but you'll want to be sure that you're getting containers from the maintainer themselves or from a reputable source, something like linuxserver.io. And after you've chosen your container, you'll want to check to see if they support a minimal image, one that's built on something like Alpine. You want to do this for a couple of reasons. First of all, you get a smaller container. Next, this container now has less attack surface. Containers with fewer dependencies means less to worry about, and containers with fewer dependencies have less to patch, or less possibility of vulnerabilities. So if you choose a container that has more services, that's more to patch, more with the possibility of vulnerabilities, and overall more to worry about.

After you've selected your container, you'll also want to take into consideration the tags that you use. Now this is kind of a double-edged sword, because most people want to pin their containers to latest to ensure that they have the latest container, and then they'll use something like Watchtower to update it automatically. However, keep in mind that latest may not have gone through the same testing and rigor that a tagged version of an image has. This convention is really going to be up to the container maintainer, but my general guidance, looking at the nginx container, is that if you can pin to a specific version like this one, 1.21.5-alpine, that's a good bet. Or you can pin to a less specific version like 1-alpine or even 1.21-alpine, and then if all else fails you can pin to latest. If you really wanted a high level of specificity, you could actually pin to this digest here, but that's going a little far. This does add some maintenance over time, and you'll need to work this into your maintenance rotation, but the takeaway here is that the higher level of specificity on your tag means that it's more easily reproduced in the future.

And now on to networking. There are two sections to networking that are equally important: internal networking and external networking. Starting with internal networking, it's a must to segment your network if you're planning on self-hosting applications. The idea behind network segmentation is that you divide your network into multiple segments or subnets, each acting like its own small network. This allows you to control the flow of the network between two networks, and even internally, based on a network policy. This can not only improve performance but also security. You can do this by subnetting or VLANs, and this allows you to keep trusted devices separate from devices that are connected or exposed to the internet, or untrusted devices. This can help mitigate the risk that if one of these devices gets compromised, they can only communicate with other devices on this network, and if you have a network policy in place, they can't get through to your trusted devices, thus mitigating the risk. This is not only a good idea for machines that are publicly exposed to the internet, but also a good idea for IoT devices, but maybe more on that some other time. The takeaway here is to segment your network to mitigate risk.

And now on to external networking. This is where the real fun begins. This is how users and devices enter your network, and for obvious reasons you want to be sure that only the ports you need to be forwarded are forwarded to the proper device. In most cases you'll be hosting something like a website, and if that's the case, you'll want to be sure that it's only going to port forward 443 for HTTPS to the server that it's running on. You don't want to open any additional ports, and in most cases you'll want to port forward that to a reverse proxy that sits in front of your website. However, I highly recommend using a public reverse proxy along with your own. So Cloudflare provides a reverse proxy, even with a free tier, that you can use to improve performance, somewhat protect your IP online, provide some caching, TLS encryption or certificates, and, I think most importantly, protect your site from attacks. Cloudflare is able to detect and block malicious attacks if you use them for DNS, and if you use them for DNS, your DNS will point at them, at their reverse proxy, and it's in their best interest to detect and block these types of attacks, since an attack on you is really an attack against them. This might sound complicated to set up, but it's as easy as using a dynamic DNS container or script that updates your domain to point to Cloudflare. Then this will route all traffic through their reverse proxy and forward it on to you with TLS encryption. And if you're ever under attack, you can simply turn on attack mode and force the JavaScript language challenge when people visit, so that attackers get stopped but real human beings get through. You can see some of my stats here: you can see lots of requests are being routed through Cloudflare, you can see the total bandwidth over time, you can see how many unique visitors visited, and then you can also check out the security piece. You can see from this chart that they've actually blocked some threats, and these were blocked at the Cloudflare level and they never made it down to my reverse proxy. You can see threats by country, by region, and the type of crawlers or bots. I feel like setting up Cloudflare is a huge win for privacy, security, and protection.

But what's stopping anyone from just going directly to my IP address? What happens if someone figures out my IP address and wants to bypass Cloudflare altogether? Well, in this setup, nothing at all. Don't worry friends, there are ways to protect against this too. This is where we'll combine our port forwarding rules along with Cloudflare. We'll force anyone from the outside coming in to go through Cloudflare, and if they don't, we'll just block them. So it looks like this: Cloudflare publishes their list of IP ranges. This is super helpful because we can build rules based on these IP ranges. See where I'm going here? From this list of ranges we can build a conditional port forward to say that if you're not coming from one of these sources, just block, and if you are, let them through. And it looks like this. I'm basically doing conditional port forwarding, and I'm using UDM, and it works just the same, probably a lot easier on pfSense. But if we look at one of these rules, what we're saying is that, hey, if the source is a Cloudflare IP on port 443 (that's HTTPS), then we'll forward to our reverse proxy; otherwise we drop it. I had to do this quite a few times in UDM because there isn't an easy way to do this, but it's much easier if you're using pfSense, and if you're using something else, just look at your port forwarding rules and see if they support conditional port forwarding.

And since we're talking about Cloudflare, we may as well talk about some firewall rules too that you can set up there. Now some people will block entire countries from their firewall, or even block Tor. Now I've never really found these to be too helpful, because most of the time bad actors are just going to use a VPN in your local country and come in that way, but if you do want to block countries, it's here in firewall rules.

But while we're talking about networking and firewalls, we should also talk about IDS, which is intrusion detection system, and IPS, which is intrusion prevention system. Generally speaking, these are just ways to detect and block attacks based on some signatures. They do this by analyzing the request and the traffic and then seeing if that matches a signature, and then alerting you if you have IDS turned on and blocking it if you have IPS turned on. Now I would definitely turn these both on, self-hosting or not, because they block against known attacks. Now I say known because they're only as good as the signatures that you have. So if you're running something like pfSense, that'll be Snort or Suricata, and if you're running UDM Pro, it'll be right here under Firewall and Security. You'll want to make sure that you detect and block, and then you can set a sensitivity level; here I have mine set to the highest possible. And here we can see the list of threat categories. Now I have these all turned on, and you might have some additional toggles like dark web blocker and malicious website blocker, but you'll want to make sure that all of the security systems that your firewall supports are turned on and up to date. You'll want to make sure that you regularly check these; for me that's as simple as going into notifications and making sure that any intrusion attempts were blocked.

And now that we have everything in place, we can finally meet in the middle and use our own internal reverse proxy. Arguably you don't need one if you're using Cloudflare, but I do it with or without Cloudflare. So a reverse proxy is an easy way to direct traffic from your clients to one of your servers. We talked about this with Cloudflare, and it's also a place where you can have your certificates; having them here versus on each individual server makes maintenance much easier. Setting up a reverse proxy can be challenging, however I've already documented this in a video, and the reverse proxy I usually choose is Traefik. Traefik can route requests to your servers and get publicly signed certificates for you to use, and even integrate with other systems using middleware.

So speaking of middleware, another choice you'll have to make is whether or not you want your services to have authentication. Some services do provide authentication, but they may not support two-factor authentication. This is where something like Authelia comes into play. Authelia is an auth proxy that works with your reverse proxy to provide authentication and authorization for your services, even if they don't have authentication of their own. This is great for applications that need another layer of protection, and with two-factor authentication it helps give you confidence that your apps can be accessed by you and only you. I put them upside down because he's mad because auth is in the middle, but whatever. This is definitely an advanced use case and should only be set up after you have all of this already running.

After we have this last step set up, we've gone all the way from the end user, going through Cloudflare to your firewall, configured a firewall with protection, set up a reverse proxy, then set up an auth proxy, and for a server we configured our hardware and the operating system, and then our service if it's running in a container. You should now have a little more confidence in self-hosting some things in your home lab. And remember, you don't have to do any of this if you feel uncomfortable or you're not ready; you can still fall back to a VPN, or host it in a public cloud, or do nothing at all. There are also some side quests we didn't talk about, like tunneling, but you could set this up differently altogether. So what do you think about self-hosting some services at home? Do you not want to expose anything publicly but your VPN? Did I miss anything in my guide? Let me know in the comments section below, and remember, if you found anything in this video helpful, don't forget to like and subscribe. Thanks for watching.

First name here, from the Netherlands. All right, thank you, thank you so much. Funny, I... I won't go into there, but people at work joke around because they're like, you must be big in the Netherlands, and I was like, actually a fair portion of my traffic on YouTube comes from the Netherlands. But they joke around with me because once I jumped on a call at work and the people on the other side of the call were from the Netherlands, and one guy was like, are you Techno Tim, do you have a YouTube channel? I kind of... I didn't even see it in chat, and then later on, you know, they were teasing me at work, they're like, you must be huge in the Netherlands because that guy recognized you. And I didn't even see in chat that he had said he knew who I was, because it was Zoom chat, not like anywhere else, and that's obviously class. But anyways, long story short, someone from work, when I was on a call, recognized me. I was like, oh, that's pretty awesome. Anyways, thank you and welcome, from the US. Thank you for being here.
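The conditional port forward described in the captions (forward port 443 to the reverse proxy only when the source is one of the public proxy's published ranges, drop everything else), as an added Python example that is not the video's or Cloudflare's own code. The CIDR ranges below are constructed placeholders from documentation address space; a real deployment would load Cloudflare's published list instead.

```python
import ipaddress
from typing import Iterable

# Constructed placeholder ranges standing in for the published Cloudflare list.
# These are documentation/test networks, not real Cloudflare addresses.
PLACEHOLDER_PROXY_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:1::/48",
]

ALLOWED_PORTS = {443}  # only HTTPS is ever forwarded to the reverse proxy


def parse_ranges(ranges: Iterable[str]) -> list:
    """Parse CIDR strings into network objects, skipping malformed entries.

    strict=False lets an entry with host bits set (a pasted "203.0.113.5/24")
    still resolve to its network instead of raising.
    """
    parsed = []
    for entry in ranges:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            parsed.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # A malformed line must not silently widen the allowlist.
            continue
    return parsed


def from_proxy(src_ip: str, ranges) -> bool:
    """True if src_ip falls inside any allowed proxy range (same IP version)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in ranges if net.version == addr.version)


def forward_decision(src_ip: str, dst_port: int, ranges) -> str:
    """Mirror the firewall rule: forward only proxy-sourced HTTPS, else drop.

    Returns "forward" or "drop" so the decision can be logged or tested.
    """
    if dst_port not in ALLOWED_PORTS:
        return "drop"  # no other port is forwarded at all
    if not from_proxy(src_ip, ranges):
        return "drop"  # direct hit on the public IP, bypassing the proxy
    return "forward"


if __name__ == "__main__":
    nets = parse_ranges(PLACEHOLDER_PROXY_RANGES)
    # Constructed sample connections: (source address, destination port)
    samples = [("198.51.100.77", 443), ("192.0.2.10", 443),
               ("203.0.113.9", 22), ("2001:db8:1::5", 443), ("not-an-ip", 443)]
    for src, port in samples:
        print(f"{src:>16} -> :{port}  {forward_decision(src, port, nets)}")
```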
Info
Channel: Techno Tim
Views: 111,230
Keywords: technotim, techno tim, selfhosted, self hosted, self-hosted, security, self-hosted security, homelab security, security home lab, cloudflare, traefik, architecture, homelab architecture, diagram, reverse proxy, certificates, letsencrypt, firewall, rules, ids, ips, intrusion prevention system, intrusion detection system, hardware, firmware, authelia, 2fa, auth proxy, vpn, protect against hackers, home server, hosting at home, hosting, container security, docker, vlan, network segmentation, subnets, ddos
Id: Cs8yOmTJNYQ
Length: 18min 43sec (1123 seconds)
Published: Sat Jan 29 2022