Started off by
- Enabling unattended updates
- Enable only ssh login with key
- Create user with sudo privileges
- Disable root login
- Enable ufw with necessary ports
- Disable ping
- Change ssh default port 21 to something else.
Got the ideas from networkchuck
Did this on the proxmox host as well as all VMs.
Any suggestions?
from the internet side, I lock down ssh or administrative stuff to local network, and specific IPs, like work. inside my network, everything has a password to access, no defaults. vlans for specific use servers, etc.
I have a camera outside, I’m a pretty big guy, and my rack was built inside my office so it can’t be moved quickly.
Oh, you mean digital security? Lol I have a lot of subnets and don’t forward in much traffic. The WiFi password I give out gets you on my kids network. Plus I run DPI and IDS. I use cloudflare DNS (sometimes operating an internal pihole too). And I don’t browse social media on PCs only on mobile. The only holes punched from WiFi to internal are for printing. And even the wired clients are segregated from my work network.
Take a look at CIS benchmarks and DoD STIGs. Many companies are starting to harden their infrastructure using these standards, depending on the requirements of the environment. Once you get the hang of it, then automate deployment. DO NOT blow in ALL of the rules at once. You WILL break shit. Every environment has security exceptions. If you’re running Active Directory, run Ping Castle and remediate any issues. Audit often, make sure everything is being monitored.
i see a lot of stuff but not a single item about securing your homelab.
Lock and key
