Self-Hosting Security Guide for your HomeLab
Summary
TLDR: This video script delves into best practices for securely self-hosting services at home. It emphasizes the importance of foundational security, starting from hardware and firmware updates to network segmentation and firewall configurations. The guide explores using VPNs for secure access, leveraging cloud services like Cloudflare for protection, and setting up reverse proxies and authentication for enhanced security. The script also touches on the use of intrusion detection systems and the principle of least privilege, offering a comprehensive approach to home lab security.
Takeaways
- 🛡️ The importance of securing the foundation of your home lab, not just the last mile, is emphasized for self-hosting services.
- 🏗️ A well-architected home lab should consider various components including hardware, network configuration, and security measures.
- 🛍️ Microcenter is recommended for great deals on hardware and technology needs for building and maintaining a home lab.
- 🔒 Self-hosting VPNs are suggested as a secure method to expose services without public exposure, limiting access to only those with VPN credentials.
- 🌐 Public cloud hosting is an alternative to self-hosting that mitigates some risks by isolating compromised machines from the local network.
- 🔩 The necessity of keeping server hardware and firmware up-to-date to maintain security in a home lab environment is highlighted.
- 🖥️ Choosing a secure and supported operating system for your applications and avoiding running services as root or admin is recommended.
- 🔁 The benefits of using minimal container images to reduce attack surfaces and the importance of containerization engine updates are discussed.
- 🌐 Network segmentation is crucial for security, allowing control over network traffic and mitigating risks from compromised devices.
- 🚧 External networking should only forward necessary ports and utilize a reverse proxy for added security and performance benefits.
- 🛡️ Utilizing services like Cloudflare can provide external protection, including DDoS attack mitigation, TLS encryption, and performance enhancements.
Q & A
What is meant by the 'last mile' in the context of self-hosting services?
-The 'last mile' refers to the final hop or connection point before a user accesses the self-hosted services. It often involves using certificates or a reverse proxy for security.
Why is it important to consider the foundation of a home lab for self-hosting services?
-Security and architecture of a home lab are crucial because they form the basis for the entire setup. A strong foundation ensures that the system is secure from the ground up, not just at the last mile.
What are some of the best practices in architecture for self-hosting services within a home lab?
-Best practices include individual systems and hardware configuration, application hosting considerations, network configuration and segmentation, reverse proxies, certificates, two-factor authentication, firewall configuration, and internet security settings.
Why should one consider using a VPN for self-hosting services?
-A VPN creates a secure tunnel from outside to inside the network, allowing for controlled access and mitigating the risks associated with exposing services directly to the internet.
What is the significance of keeping hardware patched with the latest firmware in a self-hosted environment?
-Keeping hardware patched ensures that the server and all connected devices are up to date with the latest security fixes, reducing the risk of vulnerabilities being exploited.
What are the considerations for choosing a secure operating system for self-hosting?
-One should choose an operating system that is still supported, regularly patched, and follows the principle of least privilege, ensuring minimal access levels for users and avoiding running services as root or admin.
Why is network segmentation important for self-hosting applications?
-Network segmentation divides the network into multiple segments or subnets, controlling the flow of traffic and improving both performance and security by isolating trusted devices from those exposed to the internet.
What role does a reverse proxy play in self-hosting services?
-A reverse proxy directs traffic from clients to servers, simplifies certificate management, and can integrate with other systems using middleware, enhancing both security and maintenance efficiency.
How can using an auth proxy like Authelia enhance security for self-hosted services?
-Authelia provides an additional layer of authentication and authorization for services, even if they don't have their own authentication mechanisms, including support for two-factor authentication.
What is the purpose of using an intrusion detection system (IDS) and intrusion prevention system (IPS) in self-hosting?
-IDS and IPS analyze traffic for signatures of known attacks and either alert the user (in the case of IDS) or block the traffic (in the case of IPS), providing an extra layer of security against threats.
Why is it recommended to use a public reverse proxy like Cloudflare along with a private one?
-Using Cloudflare improves performance, provides some protection against attacks, caching, TLS encryption, and can block malicious traffic before it reaches the private reverse proxy or server.
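As an added illustration (not code from the video, Cloudflare or Ubiquiti), this Python snippet emulates the conditional port forward the guide describes: port 443 is forwarded to the internal reverse proxy only when the source address falls inside the public proxy's published IP ranges, and everything else is dropped; it also renders an equivalent IPv4 nftables snippet as text. The IP ranges, the proxy address 10.0.50.10 and the interface name wan0 are constructed placeholders, not the real Cloudflare list.

```python
"""Emulate the conditional port forward from the video: only traffic that
arrives via the public reverse proxy's published IP ranges is forwarded to
the internal reverse proxy on 443; anything else is dropped."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# CONSTRUCTED placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# They are NOT the real Cloudflare list; load the list Cloudflare publishes
# (the video only says that such a list exists) into this variable for real use.
SAMPLE_PROXY_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:abcd::/48",
]

REVERSE_PROXY_V4 = "10.0.50.10"   # constructed: internal reverse proxy on the DMZ VLAN
FORWARDED_PORT = 443               # the only port the video forwards (HTTPS)


def parse_ranges(ranges: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; strict=False tolerates host bits in published lists."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_trusted_source(src_ip: str, ranges: List[Network]) -> bool:
    """True when src_ip falls inside one of the proxy's published ranges.
    Membership across address families is simply False, so v4/v6 can be mixed."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ranges)


@dataclass(frozen=True)
class Verdict:
    action: str        # "forward" or "drop"
    target: str = ""   # where the packet is DNAT'd when forwarded
    reason: str = ""


def evaluate(src_ip: str, dst_port: int, ranges: List[Network]) -> Verdict:
    """Mirror the UDM/pfSense rule: forward 443 only from the proxy's ranges."""
    if dst_port != FORWARDED_PORT:
        return Verdict("drop", reason=f"port {dst_port} is not forwarded")
    if not is_trusted_source(src_ip, ranges):
        return Verdict("drop", reason="source bypassed the public reverse proxy")
    return Verdict("forward", target=f"{REVERSE_PROXY_V4}:{FORWARDED_PORT}",
                   reason="source is a published proxy address")


def render_nft_rules(ranges: List[Network], wan_if: str = "wan0") -> str:
    """Render an equivalent IPv4 nftables snippet as text (nothing is applied).
    Port 443 traffic from other sources gets no DNAT and falls through to the
    router's default drop, which is the 'otherwise we drop it' half of the rule."""
    v4 = ", ".join(str(n) for n in ranges if n.version == 4)
    return "\n".join([
        "table inet homelab {",
        "    set proxy_v4 { type ipv4_addr; flags interval; elements = { " + v4 + " } }",
        "    chain prerouting {",
        "        type nat hook prerouting priority dstnat;",
        f'        iifname "{wan_if}" ip saddr @proxy_v4 tcp dport {FORWARDED_PORT} '
        f"dnat ip to {REVERSE_PROXY_V4}:{FORWARDED_PORT}",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_PROXY_RANGES)
    for src, port in [("198.51.100.7", 443), ("192.0.2.9", 443), ("198.51.100.7", 22)]:
        print(src, port, evaluate(src, port, nets))
    print(render_nft_rules(nets))
```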
Outlines
🏠 Home Lab Security Foundations
The script emphasizes the importance of securing the foundational elements of a home lab beyond just the last mile. It suggests that while the final access point is critical, a holistic approach to security is necessary. The speaker introduces the concept of a complex yet manageable home lab architecture, covering hardware, network configuration, and security practices. The video promises to delve into best practices for self-hosting services, including the use of reverse proxies, certificates, two-factor authentication, firewall settings, and external protections like Cloudflare. The sponsor, Microcenter, is highlighted as a go-to store for hardware needs, offering deals and expertise for various tech purchases.
🛡️ Advanced Self-Hosting Security Measures
This paragraph delves into the nuances of self-hosting services securely. It discusses the benefits of using a VPN for private service exposure and the considerations of public cloud hosting versus home hosting. The focus then shifts to the importance of hardware security, including keeping firmware up to date for all connected devices. The choice between virtualized and bare-metal operating systems is explored, with an emphasis on maintaining a secure and updated environment. The paragraph also touches on the selection of a secure operating system, the principle of least privilege, and the use of application firewalls for added security.
🌐 Networking Strategies for Self-Hosted Services
The script discusses the critical aspects of internal and external networking for self-hosted services. It highlights the importance of network segmentation to enhance security and performance, suggesting the use of subnetting or VLANs to create distinct network segments. For external networking, the paragraph advises on the careful forwarding of ports to minimize exposure and the use of a reverse proxy for added security. The benefits of using Cloudflare as a public reverse proxy are underscored, including performance improvements, IP protection, and defense against attacks. The speaker also explains how to set up conditional port forwarding to ensure that traffic only comes through trusted sources like Cloudflare.
🔒 Final Security Layers for Self-Hosted Services
The final paragraph wraps up the discussion on self-hosting services by focusing on the last layers of security. It talks about setting up an internal reverse proxy for traffic direction and certificate management, as well as the use of middleware for authentication services like Authelia, which provides an additional layer of security through two-factor authentication. The paragraph concludes by summarizing the comprehensive approach to self-hosting, from Cloudflare to firewall configurations, and encourages viewers to consider their comfort level with these security measures. It also invites feedback and engagement from the audience, highlighting the speaker's personal connection with viewers from the Netherlands and the US.
Keywords
💡Self-hosting
💡Last mile
💡Reverse proxy
💡Certificates
💡Two-factor authentication
💡Firewall configuration
💡Network segmentation
💡Public cloud hosting
💡Containerization
💡Firmware
💡Cloudflare
Highlights
Importance of the last mile in self-hosting services and the often overlooked foundational security.
The necessity of a secure architecture for self-hosting services within a home lab.
Discussion on the best practices in architecture for self-hosting services.
Hardware considerations for self-hosting, including firmware updates and security.
Virtualization versus bare-metal operating systems and the importance of maintaining hypervisors.
Selecting a secure operating system and the principles of least privilege.
The role of containerization in self-hosting services and best practices for container security.
Network segmentation as a method to improve security and performance.
External networking and the importance of port forwarding rules for security.
Use of a public reverse proxy like Cloudflare for performance and security benefits.
Conditional port forwarding to ensure traffic only comes through trusted sources like Cloudflare.
Firewall configuration and the use of IDS and IPS for intrusion detection and prevention.
Setting up a reverse proxy for traffic direction and certificate management.
Authentication methods for services, including the use of auth proxies like Authelia.
The comprehensive approach to self-hosting, from hardware to service configuration.
Alternatives to self-hosting, such as using a VPN or public cloud hosting.
Personal anecdotes on the impact of self-hosting services and recognition in the Netherlands.
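The transcript below walks through a tag-specificity ladder for the nginx image (latest < 1-alpine < 1.21-alpine < 1.21.5-alpine < digest). As an added example that is not code from the video, this Python script ranks image references on that ladder and audits a constructed compose file for services pinned below a chosen level; every image name other than nginx, and the digest, are constructed placeholders.

```python
"""Rank container image references by how reproducibly they pin a version,
following the ladder from the video: latest < 1-alpine < 1.21-alpine
< 1.21.5-alpine < digest."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Specificity levels, lowest to highest.
FLOATING, MAJOR, MINOR, PATCH, DIGEST = range(5)
LABELS = {
    FLOATING: "floating (latest, untagged or non-numeric tag)",
    MAJOR: "major only",
    MINOR: "major.minor",
    PATCH: "major.minor.patch",
    DIGEST: "digest (immutable)",
}

# Accepts 1, 1.21, 1.21.5, v2.9 and variant suffixes such as -alpine or -slim.
_VERSION = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.+].*)?$")
_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    ref: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]
    level: int

    @property
    def label(self) -> str:
        return LABELS[self.level]


def _level(tag: Optional[str], digest: Optional[str]) -> int:
    if digest:
        return DIGEST                # a digest wins even if a tag is also present
    if tag is None or tag == "latest":
        return FLOATING
    m = _VERSION.match(tag)
    if not m:
        return FLOATING              # e.g. "stable", "edge": moves over time
    major, minor, patch = m.groups()
    return PATCH if patch is not None else MINOR if minor is not None else MAJOR


def parse_image_ref(ref: str) -> ImageRef:
    """Split repo[:tag][@digest]; a ':' before the last '/' is a registry port."""
    name, _, digest = ref.partition("@")
    if digest and not _DIGEST.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    repo, sep, tag = name.rpartition(":")
    if not sep or "/" in tag:        # no tag, or the ':' belonged to a registry port
        repo, tag = name, None
    return ImageRef(ref, repo, tag, digest or None, _level(tag, digest or None))


_SERVICE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")
_IMAGE = re.compile(r"^\s+image:\s*[\"']?([^\"'\s]+)")


def audit_compose(compose_text: str, minimum: int = PATCH) -> List[Tuple[str, ImageRef]]:
    """Return (service, ref) for every image pinned below `minimum`.
    Line-based on purpose so no YAML library is needed; assumes 2-space indents."""
    findings, service = [], "?"
    for line in compose_text.splitlines():
        svc = _SERVICE.match(line)
        if svc:
            service = svc.group(1)
            continue
        img = _IMAGE.match(line)
        if img:
            parsed = parse_image_ref(img.group(1))
            if parsed.level < minimum:
                findings.append((service, parsed))
    return findings


# Constructed sample compose file; names other than nginx are illustrative only.
SAMPLE_COMPOSE = """\
services:
  web:
    image: nginx:1.21.5-alpine
  cache:
    image: example/cache:latest
  proxy:
    image: example/proxy:v2.9
  auth:
    image: ghcr.io/example/auth@sha256:{digest}
  updater:
    image: registry.local:5000/tools/updater
""".format(digest="0123456789abcdef" * 4)

if __name__ == "__main__":
    for service, ref in audit_compose(SAMPLE_COMPOSE):
        print(f"{service}: {ref.ref} -> {ref.label}")
```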
Transcripts
When most people think about self-hosting services in their home lab, they often focus and only think about the last mile, and by last mile I mean the last hop before a user accesses your services. This last hop, whether it's using certificates or a reverse proxy, is incredibly important, but it's also important to know that security starts at the foundation of your home lab. Take for instance this diagram. This most likely makes up most things in your home lab, and whether that be physical or virtual, you'll find that you have most of these components. But what if I told you your home lab should look like this? That might seem incredibly complicated, but it's much easier than you think.

Today we're going to discuss some great practices in architecture for self-hosting services within your home. We'll dive into individual systems, hardware and configuration, application hosting considerations, network configuration and segmentation, reverse proxies, certificates and two-factor auth, firewall configuration, internet security settings, and we'll even lean into external protection from a provider like Cloudflare. This will cover everything from the last mile all the way down to the hardware.

And speaking of hardware, if you're looking for great deals on hardware you should look no further than our sponsor, Micro Center. If you're a huge nerd like me, one of the best places to shop for all your technology needs is Micro Center. Nothing beats walking into a store and feeling right at home, and that's how I feel the minute I walk into a Micro Center store each and every time. They have the best deals on gear for gamers, streamers, custom build PCs with performance and budget options, keyboards and accessories, desktops and laptops, and much much more. Whether you're looking to build your own dream system, networking and storage, pre-built desktops or laptops, home security and home automation, DIY and tech hobbies, even printers and televisions, or just some help from any of their experts (they really do know what they're talking about), Micro Center should be your destination. Also, Micro Center has been generous enough to give a free SSD to all new customers, and it is available in store only, so see the link in the description. So be sure to visit your local Micro Center store today, and if you can't make it in, be sure to check them out on the web. Oh, and tell them Techno Tim sent you. They'll have no idea who you're talking about.

So what's the best way of protecting yourself while self-hosting? Don't. Just don't do it. Seriously, you don't have to do it. Exposing yourself to the internet also exposes yourself to risks, and the easiest way to mitigate that is to just not do it at all. I know that's not why you're here or what you want to hear, so let's move on to the next best step. Also keep in mind that I'm not a security professional, I'm just some random person on the internet giving you advice.

Exposing your services through a self-hosted VPN is probably the next best way of exposing your services without doing it publicly. This will create a secure tunnel from the outside of your network to the inside of your network. From there you can create firewall rules and limit what the VPN can access. This is a quick win and a secure way of exposing your services, but only the people with VPN access will be able to access them.

So you've made it this far and you decided you still want to expose some services publicly, so let's talk about public options. This first option kind of falls into the "don't host it at home" option, which is to host it in a public cloud. Hosting it in a public cloud still has its own set of concerns, but it does mitigate a lot of the risk of hosting it at home. That's because if that machine gets compromised, they haven't compromised a machine on your local network, they've compromised a machine in the public cloud. But again, that's not why we're here today. We're here to self-host services on our own network, but for those who want to expose some services directly from their home, this is where the fun begins.

And again, most people think of the last mile when self-hosting services. It's this path right here. But security starts at a much deeper level, so rather than focus on this last hop right here, we're going to zoom in and focus on the server that's running your services.

You typically don't think of the hardware when you're hosting applications in the cloud; you really don't have to. But since we're hosting in our own personal cloud, we do need to consider this. The biggest takeaway here is to be sure that the hardware that your application is running on is patched with the latest firmware. This includes firmware for the server itself, firmware for devices like the motherboard, hard drives, network adapters, and any other device that's physically connected to the server. This also includes any firmware for any router or network device in your environment, but we'll get into configuration here in a little bit.

And next we need to decide if we're going to virtualize our operating system or just run them bare metal. Really, there is no wrong answer here; it really depends on how you want to manage your infrastructure. The key takeaway here is to make sure that your hypervisor is actively maintained, up to date and fully patched. There are some networking considerations here, but we'll cover that in the networking section, since virtualized networks and physical networks have a lot of the same concerns.

Next is making sure you choose a secure operating system that your applications will run on. Now this is a big topic for debate, so we aren't going to go into which ones are more secure, but you have choices like Windows Embedded and many flavors of Linux. Here are the takeaways: you'll want to use one that's still supported and not end of life. You'll want to patch all of these regularly and work it into your maintenance schedule. You'll also want to use the principle of least privilege, meaning giving the minimum level of access to any user on this system. You also want to be sure you don't run anything as root or admin. You also want to restrict who has access to these machines and try not to install additional services on these machines. It's also a good idea, if you can, to use an application firewall. And at the end of the day, the OS should be purposely built and maintained.

If you're running containers, you'll have much of the same concerns as you do with an operating system, however at a much smaller scale. You'll first want to make sure that your containerization engine is up to date, whether that be Docker, containerd or Podman or any other. You want to be sure that this service is patched and up to date. Also, I recommend using containers from official sources. This can be a challenge, but you'll want to be sure that you're getting containers from the maintainer themselves or from a reputable source, something like linuxserver.io. And after you've chosen your container, you'll want to check to see if they support a minimal image, one that's built on something like Alpine. The reason you want to do this is for a couple of reasons. First of all, you get a smaller container. Next, this container now has less attack surface. Containers with fewer dependencies means less to worry about, and containers with fewer dependencies have less to patch or the possibility of vulnerabilities. So if you choose a container that has more services, that's more to patch, more with the possibility of vulnerabilities, and overall more to worry about.

After you've selected your container, you'll also want to take into consideration the tags that you use. Now this is kind of a double-edged sword, because most people want to pin their containers to latest to ensure that they have the latest container, and then they'll use something like Watchtower to update it automatically. However, keep in mind that latest may not have gone through the same testing and rigor that a tagged version of an image has. This convention is really going to be up to the container maintainer, but my general guidance, looking at the nginx container, is that if you can pin to a specific version like this one, 1.21.5-alpine, that's a good bet. Or you can pin to a less specific version like 1-alpine or even 1.21-alpine, and then if all else fails you can pin the latest. If you really wanted a high level of specificity, you could actually pin to this digest here, but that's going a little far. But this does add some maintenance over time and you'll need to work this into your maintenance rotation. But the takeaway here is that the higher level of specificity on your tag means that it's more easily reproduced in the future.

And now on to networking. There are two sections to networking that are equally important: internal networking and external networking. Starting with internal networking, it's a must to segment your network if you're planning on self-hosting applications. The idea behind network segmentation is that you divide your network into multiple segments or subnets, each acting like its own small network. This allows you to control the flow of the network between two networks, and even internally, based on a network policy. This can not only improve performance but also security. You can do this by subnetting or VLANs, and this allows you to keep trusted devices separate from devices that are connected or exposed to the internet, or untrusted devices. This can help mitigate the risk that if one of these devices gets compromised, they can only communicate with other devices on this network, and if you have a network policy in place, they can't get through to your trusted devices, thus mitigating the risk. This is not only a good idea for machines that are publicly exposed to the internet but also a good idea for IoT devices, but maybe more on that some other time. The takeaway here is to segment your network to mitigate risk.

And now on to external networking. This is where the real fun begins. This is how users and devices enter your network, and for obvious reasons you want to be sure that only the ports you need to be forwarded are forwarded to the proper device. In most cases you'll be hosting something like a website, and if that's the case you'll want to be sure that it's only going to port forward 443 for HTTPS to the server that it's running on. You don't want to open any additional ports, and in most cases you'll want to port forward that to a reverse proxy that sits in front of your website.

However, I highly recommend using a public reverse proxy along with your own. So Cloudflare provides a reverse proxy, even with a free tier, that you can use to improve performance, somewhat protect your IP online, provide some caching, TLS encryption or certificates, and I think most importantly protect your site from attacks. Cloudflare is able to detect and block malicious attacks if you use them for DNS, and if you use them for DNS, your DNS will point at them, at their reverse proxy, and it's in their best interest to detect and block these types of attacks, since an attack on you is really an attack against them. And this might sound complicated to set up, but it's as easy as using a dynamic DNS container or script that updates your domain to point to Cloudflare. Then this will route all traffic through their reverse proxy and forward it on to you with TLS encryption. And if you're ever under attack, you can simply turn on attack mode and force the JavaScript language challenge when people visit it, so that attackers get stopped but real human beings get through.

And you can see some of my stats here. You can see lots of requests are being routed through Cloudflare, you can see the total bandwidth over time, you can see how many unique visitors visited, and then you can also check out the security piece, and you can see from this chart that they've actually blocked some threats. And these were blocked at the Cloudflare level and they never made it down to my reverse proxy. You could see threats by country, by region, and the type of crawlers or bots. I feel like setting up Cloudflare is a huge win for privacy, security and protection.

But what's stopping anyone from just going directly to my IP address? What happens if someone figures out my IP address and wants to bypass Cloudflare altogether? Well, in this setup, nothing at all. Don't worry, friends, there are ways to protect against this too. This is where we'll combine our port forwarding rules along with Cloudflare. We'll force anyone from the outside coming in to go through Cloudflare, and if they don't, we'll just block them. So it looks like this. Cloudflare publishes their list of IP ranges. This is super helpful because we can build rules based on these IP ranges. See where I'm going here? From these lists of rules we can build a conditional port forward to say that if you're not coming from one of these sources, just block, and if you are, let them through. And it looks like this. I'm basically doing conditional port forwarding, and I'm using UDM, and it works just the same, probably a lot easier on pfSense. But if we look at one of these rules, what we're saying is that hey, if the source is a Cloudflare IP on the port of 443, that's HTTPS, then we'll forward to our reverse proxy, otherwise we drop it. And I had to do this quite a few times in UDM because there isn't an easy way to do this, but it's much easier if you're using pfSense. And if you're using something else, just look at your port forwarding rules and see if they support conditional port forwarding.

And since we're talking about Cloudflare, we may as well talk about some firewall rules too that you can set up there. Now some people will block entire countries from their firewall, or even block Tor. Now I've never really found these to be too helpful, because most of the time bad actors are just going to use a VPN in your local country and come in that way. But if you do want to block countries, it's here in firewall rules.

But while we're talking about networking and firewalls, we should also talk about IDS, which is intrusion detection system, and IPS, which is intrusion prevention system. And generally speaking these are just ways to detect and block attacks based on some signatures. They do this by analyzing the request and the traffic and then seeing if that matches a signature, and then alerting you if you have IDS turned on and blocking it if you have IPS turned on. Now I would definitely turn these both on, self-hosting or not, because they block against known attacks. Now I say known because they're only as good as the signatures that you have. So if you're running something like pfSense, that'll be Snort or Suricata, and if you're running UDM Pro, it'll be right here under firewall and security. But you'll want to make sure that you detect and block, and then you can set a sensitivity level. Here I have mine to the highest possible, and here we can see the list of threat categories. Now I have these all turned on, and you might have some additional toggles like dark web blocker and malicious website blocker, but you'll want to make sure that all of the security systems that your firewall supports are turned on and up to date. And you'll want to make sure that you regularly check these. For me that's as simple as going into notifications and making sure that any intrusion attempts were blocked.

And now that we have everything in place, we can finally meet in the middle and use our own internal reverse proxy. Arguably you don't need one if you're using Cloudflare, but I do it with or without Cloudflare. So a reverse proxy is an easy way to direct traffic from your clients to one of your servers. We talked about this with Cloudflare, and it's also a place where you can have your certificates. Having them here versus each individual server makes maintenance much easier. And setting up a reverse proxy can be challenging, however I've already documented this in a video. And the reverse proxy I usually choose is Traefik. Traefik can route requests to your servers and get publicly signed certificates for you to use, and even integrate with other systems using middleware.

So speaking of middleware, another choice you'll have to make is whether or not you want your services to have authentication or not. Some services do provide authentication, but they may not support two-factor authentication. This is where something like Authelia comes into play. Authelia is an auth proxy that works with your reverse proxy to provide authentication and authorization for your services, even if they don't have authentication of their own. This is great for applications that need another layer of protection, and with two-factor authentication helps give you confidence that your apps can be accessed by you and only you. Put them upside down because he's mad because auth is in the middle, but whatever. This is definitely an advanced use case and should only be set up after you have all of this already running.

After we have this last step set up, we've gone all the way from the end user, going through Cloudflare to your firewall, configured a firewall with protection, set up a reverse proxy, then set up an auth proxy, and for a server we configured our hardware and the operating system and then our service, if it's running in a container. You should now have a little more confidence in self-hosting some things in your home lab. And remember, you don't have to do any of this. If you feel uncomfortable or you're not ready, you can still fall back to a VPN, or host it in a public cloud, or do nothing at all. And there are also some side quests we didn't talk about, like tunneling, but you could set this up different altogether. So what do you think about self-hosting some services at home? Do you not want to expose anything publicly but your VPN? Did I miss anything in my guide? Let me know in the comments section below, and remember, if you found anything in this video helpful, don't forget to like and subscribe. Thanks for watching.

First name here from the Netherlands. All right, thank you, thank you so much. Funny, I, I won't go into there, but people at work joke around because they're like, you must be big in the Netherlands, and I was like, actually a fair portion of my traffic on YouTube comes from the Netherlands. But they joke around with me because once I jumped on a call at work and the people on the other side of the call were from the Netherlands, and one guy was like, are you Techno Tim, do you have a YouTube channel? I kind of, I didn't even see it in chat, and then later on, you know, they were teasing me at work, they're like, you must be huge in the Netherlands because that guy recognized you, and I didn't even see in chat that he had said he knew who I was, because it was Zoom chat, not like anywhere else, and that's obviously class. But anyways, long story short, someone from work, when I was on a call, recognized me. I was like, oh, that's pretty awesome. Anyways, thank you, and welcome from the US. Thank you for being here.