Self-Hosting Security Guide for your HomeLab

00:00

when most people think about

00:01

self-hosting services in their home lab

00:03

they often focus and only think about

00:05

the last mile and by last mile i mean

00:08

the last hop before a user accesses your

00:10

services this last hop whether it's

00:12

using certificates or a reverse proxy is

00:14

incredibly important but it's also

00:16

important to know that security starts

00:18

at the foundation of your home lab take

00:20

for instance this diagram this most

00:22

likely makes up most things in your home

00:24

lab and whether that be physical or

00:26

virtual you'll find that you have most

00:28

of these components but what if i told

00:29

you your home lab should look like this

00:31

that might seem incredibly complicated

00:33

but it's much easier than you think

00:35

today we're going to discuss some great

00:37

practices in architecture for

00:38

self-hosting services within your home

00:41

we'll dive into individual systems

00:43

hardware and configuration application

00:45

hosting considerations network

00:47

configuration and segmentation reverse

00:49

proxies certificates and two-factor auth

00:52

firewall configuration internet security

00:54

settings and we'll even lean into

00:56

external protection from a provider like

00:58

cloudflare this will cover everything

01:00

from the last mile all the way down to

01:02

the hardware and speaking of hardware if

01:05

you're looking for great deals on

01:06

hardware you should look no further than

01:08

our sponsor microcenter if you're a huge

01:10

nerd like me one of the best places to

01:12

shop for all your technology needs is

01:14

micro center nothing beats walking into

01:16

a store and feeling right at home and

01:18

that's how i feel the minute i walk into

01:20

a micro center store each and every time

01:22

they have the best deals on gear for

01:24

gamers streamers custom build pcs with

01:26

performance and budget options keyboard

01:28

and accessories desktops and laptops and

01:31

much much more whether you're looking to

01:32

build your own dream system networking

01:34

and storage pre-built desktops or

01:36

laptops home security and home

01:38

automation diy and tech hobbies even

01:41

printers and television or just some

01:43

help from any of their experts they

01:45

really do know what they're talking

01:46

about microcenter should be your

01:48

destination also microcenter has been

01:50

generous enough to give a free ssd to

01:52

all new customers and is available in

01:54

store only so see the link in the

01:55

description so be sure to visit your

01:57

local micro center store today and if

01:59

you can't make it in be sure to check

02:01

them out on the web oh and tell them

02:03

techno tim sent you they'll have no idea

02:05

who you're talking about so what's the

02:07

best way of protecting yourself while

02:09

self-hosting

02:10

don't

02:12

just don't do it seriously you don't

02:13

have to do it exposing yourself to the

02:15

internet also exposes yourself to risks

02:18

and the easiest way to mitigate that is

02:20

to just don't do it at all i know that's

02:22

not why you're here or what you want to

02:24

hear so let's move on to the next best

02:26

step also keep in mind that i'm not a

02:28

security professional i'm just some

02:30

random person on the internet giving you

02:32

advice exposing your services through a

02:34

self-hosted vpn is probably the next

02:36

best way of exposing your services

02:39

without doing it publicly this will

02:41

create a secure tunnel from the outside

02:42

of your network to the inside of your

02:44

network from there you can create

02:46

firewall rules and limit what the vpn

02:48

can access this is a quick win and a

02:51

secure way of exposing your services but

02:53

only the people with vpn access will be

02:55

able to access them so you've made it

02:57

this far and you decided you still want

02:59

to expose some services publicly so

03:01

let's talk about public options this

03:03

first option kind of falls into the

03:05

don't host it at home option

03:07

which is to host it in a public cloud

03:09

hosting it in a public cloud still has

03:11

its own set of concerns but it does

03:13

mitigate a lot of the risk of hosting it

03:15

at home that's because if that machine

03:17

gets compromised they haven't

03:19

compromised a machine on your local

03:21

network they've compromised a machine in

03:23

the public cloud but again that's not

03:25

why we're here today we're here to

03:27

self-host services on our own network

03:29

but for those who want to expose some

03:31

services directly from their home

03:34

this is where the fun begins and again

03:36

most people think of the last mile when

03:38

self-hosting services it's this path

03:40

right here

03:41

but security starts at a much deeper

03:43

level so rather than focus on this last

03:46

hop right here we're going to zoom in

03:47

and focus on the server that's running

03:49

your services

03:51

you typically don't think of the

03:52

hardware when you're hosting

03:53

applications in in the cloud you really

03:55

don't have to but since we're hosting in

03:58

our own personal cloud we do need to

04:00

consider this the biggest takeaway here

04:02

is to be sure that the hardware that

04:04

your application is running on are

04:06

patched with the latest firmware this

04:08

includes firmware for the server itself

04:11

firmware for devices like the

04:13

motherboard hard drives

04:15

network adapters

04:16

and any other device that's physically

04:18

connected to the server this also

04:21

includes any firmware for any router or

04:23

network device in your environment but

04:25

we'll get into configuration here in a

04:27

little bit and next we need to decide if

04:29

we're going to virtualize our operating

04:32

system or just run them bare metal

04:34

really there is no wrong answer here it

04:37

really depends on how you want to manage

04:38

your infrastructure the key takeaway

04:41

here is to make sure that your

04:42

hypervisor is actively maintained up to

04:44

date and fully patched there are some

04:47

networking considerations here but we'll

04:49

cover that in the networking section

04:51

since virtualized network and physical

04:53

network have a lot of the same concerns

04:56

next is making sure you'll choose a

04:58

secure operating system that your

05:00

applications will run on now this is a

05:02

big topic for debate so we aren't going

05:03

to go into which ones are more secure

05:05

but you have choices like windows

05:08

embedded and many flavors of linux here

05:11

are the takeaways you'll want to use one

05:13

that's still supported and not end of

05:16

life

05:17

you'll want to patch all of these

05:18

regularly and work it into your

05:19

maintenance schedule you'll also want to

05:21

use the principle of least privilege

05:24

meaning giving the minimum level of

05:26

access to any user on this system you

05:28

also want to be sure you don't run

05:30

anything as root or admin you also want

05:32

to restrict who has access to these

05:34

machines and try not to install

05:37

additional services on these machines

05:39

it's also a good idea if you can to use

05:41

an application firewall and at the end

05:44

of the day the os should be purposely

05:46

built and maintained if you're running

05:48

containers you'll have much of the same

05:50

concerns as you do with an operating

05:51

system

05:52

however at a much smaller scale

05:57

you'll first want to make sure that your

05:58

containerization engine is up to date

06:01

whether that be docker container d or

06:03

pod man or any other you want to be sure

06:05

that this service is patched and

06:07

up-to-date also i recommend using

06:09

containers from official sources

06:12

this can be a challenge but you'll want

06:14

to be sure that you're getting

06:15

containers from the maintainer

06:16

themselves or from a reputable source

06:19

something like linux server.io and after

06:22

you've chosen your container you'll want

06:25

to check to see if they support a

06:26

minimal image one that's built on

06:28

something like alpine the reason you

06:30

want to do this is for a couple of

06:32

reasons first of all you get a smaller

06:34

container next this container now has

06:37

less attack surface containers with less

06:40

dependencies means less to worry about

06:42

and containers with less dependencies

06:44

have less to patch or the possibility of

06:48

vulnerabilities so if you choose a

06:50

container that has more services that's

06:52

more to patch more with the possibility

06:55

of vulnerabilities and overall more to

06:57

worry about after you've selected your

07:00

container you'll also want to take into

07:01

consideration the tags that you use now

07:04

this is kind of a double-edged sword

07:06

because most people want to pin their

07:07

containers to latest to ensure that they

07:09

have the latest container and then

07:11

they'll use something like watchtower to

07:13

update it automatically however keep in

07:15

mind that latest may not have gone

07:17

through the same testing and rigor that

07:20

a tagged version of an image has this

07:22

convention is really going to be up to

07:24

the container maintainer but my general

07:27

guidance is looking at the nginx

07:28

container is that if you can pin to a

07:31

specific version like this one

07:32

1.21.5-alpine

07:35

that's a good bet or you can pin to a

07:37

less specific version like 1-alpine or

07:41

even 1.21-alpine

07:43

and then if all else fails you can pin

07:45

the latest if you really wanted a high

07:48

level a specificity you could actually

07:51

pin to this digest here but that's going

07:53

a little far but this does add some

07:55

maintenance over time and you'll need to

07:57

work this into your maintenance rotation

07:59

but the takeaway here is that the higher

08:01

level of specificity on your tag means

08:04

that it's more easily reproduced in the

08:06

future and now on to networking there

08:09

are two sections to networking that are

08:11

equally important

08:12

internal networking and external

08:14

networking starting with internal

08:16

networking it's a must to segment your

08:19

network if you're planning on

08:20

self-hosting applications the idea

08:23

behind network segmentation is that you

08:25

divide your network into multiple

08:28

segments or subnet each acting like its

08:30

own small network this allows you to

08:32

control the flow of the network between

08:35

two networks and even internally based

08:37

on a network policy

08:40

this can not only improve performance

08:42

but also security you can do this by

08:44

subnetting or vlans and this allows you

08:47

to keep trusted devices separate from

08:50

devices that are connected or exposed to

08:52

the internet or untrusted devices this

08:55

can help mitigate the risk that if one

08:57

of these devices get compromised

09:04

they can only communicate with other

09:07

devices on this network and if you have

09:10

a network policy in place

09:12

they can't get through to your trusted

09:13

devices thus mitigating the risk this is

09:16

not only a good idea for machines that

09:19

are publicly exposed to the internet but

09:21

also

09:22

a good idea for iot devices

09:24

[Music]

09:27

but maybe more on that some other time

09:29

the takeaway here is to segment your

09:31

network to mitigate risk and now on to

09:33

external network this is where the real

09:36

fun begins this is how users and devices

09:39

enter your network

09:42

and for obvious reasons you want to be

09:44

sure that only the ports you need to be

09:45

forwarded are forwarded to the proper

09:48

device in most cases you'll be hosting

09:50

something like a website and if that's

09:52

the case you'll want to be sure that

09:54

it's only going to port forward 443 for

09:57

https

09:59

to the server that it's running on you

10:01

don't want to open any additional ports

10:03

and in most cases you'll want to port

10:05

forward that to a reverse proxy that

10:08

sits in front of your website

10:11

however i highly recommend using a

10:13

public reverse proxy along with your own

10:16

so cloudflare provides a reverse proxy

10:19

even with a free tier that you can use

10:21

to improve performance

10:23

somewhat protect your ip online

10:25

provide some caching tls encryption or

10:28

certificates and i think most

10:30

importantly protect your site from

10:32

attacks cloudflare is able to detect and

10:35

block malicious attacks if you use them

10:37

for dns

10:39

and if you use them for dns your dns

10:41

will point at them at their reverse

10:43

proxy and it's in their best interest to

10:46

detect and block these types of attacks

10:48

since an attack on you is really an

10:51

attack against them and this might sound

10:54

complicated to set up but it's as easy

10:56

as using a dynamic dns container or

10:59

script that updates your domain to point

11:01

to cloudflare then this will route all

11:04

traffic through their reverse proxy and

11:06

forward it on to you with tls encryption

11:09

and if you're ever under attack you can

11:11

simply turn on attack mode and force the

11:14

javascript language challenge when

11:16

people visit it

11:20

so that attackers get stopped

11:22

but real human beings get through

11:26

and you can see some of my stats here

11:28

you can see lots of requests are being

11:30

routed through cloudflare you can see

11:32

the total bandwidth over time you can

11:34

see how many unique visitors visited and

11:37

then you can also check out the security

11:38

piece and you can see from this chart

11:41

that they've actually blocked some

11:42

threats and these were blocked at the

11:44

cloudflare level and they never made it

11:46

down to my reverse proxy you could see

11:48

threats by country by region and the

11:51

type of crawlers or bots i feel like

11:53

setting up cloudflare is a huge win for

11:55

privacy security and protection but

11:58

what's stopping anyone from just going

12:00

directly to my ip address what happens

12:03

if someone figures out my ip address and

12:05

wants to bypass cloudflare altogether

12:08

well in this setup nothing at all

12:11

don't worry friends there are ways to

12:13

protect against this too this is where

12:15

we'll combine our port forwarding rules

12:17

along with cloudflare we'll force anyone

12:19

from the outside coming in to go through

12:21

cloudflare

12:22

and if they don't we'll just block them

12:24

so it looks like this clownflare

12:27

publishes their list of ip ranges this

12:29

is super helpful because we can build

12:31

rules based on these ipv ranges

12:34

see where i'm going here from these list

12:36

of rules we can build a conditional port

12:38

forward to say that if you're not coming

12:40

from one of these sources just block and

12:44

if you are let them through and it looks

12:46

like this i'm basically doing

12:48

conditional poor forwarding and i'm

12:50

using udm and it works just the same

12:53

probably a lot easier on p of sense but

12:56

if we look at one of these rules what

12:58

we're saying that hey if the source is a

13:01

cloudflare ip on the port of 443 that's

13:04

https then we'll forward to our reverse

13:07

proxy otherwise we drop it and i had to

13:10

do this quite a few times in udm because

13:12

there isn't an easy way to do this but

13:15

it's much easier if you're using pfsense

13:17

and if you're using something else just

13:19

look at your port forwarding rules and

13:21

see if they support conditional port

13:23

forwarding and since we're talking about

13:25

cloudflare we may as well talk about

13:26

some firewall rules too that you can set

13:28

up there now some people will block

13:30

entire countries from their firewall or

13:32

even blocked or now i've never really

13:34

found these to be too helpful because

13:37

most of the time bad actors are just

13:39

going to use a vpn in your local country

13:41

and come in that way but if you do want

13:43

to block countries it's here in firewall

13:45

rules but while we're talking about

13:47

networking in firewalls we should also

13:49

talk about ids which is intrusion

13:51

detection system and ips which is

13:54

intrusion prevention system and

13:56

generally speaking these are just ways

13:58

to detect and block attacks based on

14:00

some signatures they do this by

14:02

analyzing the request and the traffic

14:04

and then seeing if that matches a

14:06

signature and then alerting you if you

14:09

have ids turned on and blocking it if

14:11

you have ips turned on now i would

14:13

definitely turn these both on

14:15

self-hosting or not because they block

14:16

against known attacks now i say known

14:20

because they're only as good as the

14:21

signatures that you have so if you're

14:23

running something like pfsense that'll

14:24

be snort or tsurikata and if you're

14:27

running udm pro it'll be right here

14:29

under firewall and security but you'll

14:31

want to make sure that you detect and

14:33

block and then you can set a sensitivity

14:35

level here i have mine to the highest

14:37

possible and here we can see the list of

14:40

threat categories now i have these all

14:42

turned on and you might have some

14:44

additional toggles like dark web blocker

14:46

and malicious website blocker but you'll

14:48

want to make sure that all of the

14:49

security systems that your firewall

14:51

supports are turned on and up to date

14:53

and you'll want to make sure that you

14:55

regularly check these for me that's as

14:57

simple as going into notifications and

15:00

making sure that any intrusion attempts

15:02

were blocked and now that we have

15:04

everything in place we can finally meet

15:07

in the middle and use our own internal

15:09

reverse proxy arguably you don't need

15:12

one if you're using cloudflare but i do

15:15

it with or without cloudflare so a

15:17

reverse proxy is an easy way to direct

15:20

traffic from your clients to one of your

15:22

servers

15:23

we talked about this with cloudflare and

15:25

it's also a place where you can have

15:28

your certificates having them here

15:30

versus each individual server makes

15:32

maintenance much easier and setting up a

15:35

reverse proxy can be challenging however

15:38

i've already documented this in a video

15:40

and the reverse proxy i usually choose

15:42

is traffic traffic can route requests to

15:44

your servers and get publicly signed

15:46

certificates for you to use and even

15:49

integrate with other systems using

15:52

middleware so speaking of middleware

15:54

another choice you'll have to make is

15:56

whether or not you want your services to

15:58

have authentication or not some services

16:01

do provide authentication

16:03

but they may not support two-factor

16:05

authentication this is where something

16:07

like authalia comes into play authalia

16:09

is an auth proxy that works with your

16:12

reverse proxy

16:13

to provide authentication and

16:15

authorization for your services even if

16:18

they don't have authentication of their

16:20

own this is great for applications that

16:22

need another layer of protection and

16:24

with two-factor authentication helps

16:26

give you confidence that your apps can

16:28

be accessed by you and only you put them

16:31

upside down because he's mad because

16:33

auth is in the middle but whatever this

16:36

is definitely an advanced use case and

16:38

should only be set up after you have

16:40

all of this already running

16:43

after we have this last step set up

16:45

we've gone all the way from the end user

16:47

going through cloudflare to your

16:49

firewall configured a firewall with

16:51

protection set up a reverse proxy then

16:54

set up an auth proxy and for a server we

16:57

configured our hardware

17:02

and the operating system and then our

17:04

service

17:05

if it's running in a container you

17:07

should now have a little more confidence

17:09

in self-hosting some things in your home

17:11

lab and remember you don't have to do

17:14

any of this

17:15

if you feel uncomfortable or you're not

17:17

ready you can still fall back to a vpn

17:20

or host it in a public cloud or do

17:23

nothing at all and there are also some

17:25

side quests we didn't talk about like

17:26

tunneling but you could set this up

17:29

different altogether so what do you

17:31

think about self-hosting some services

17:33

at home do you not want to expose

17:34

anything publicly but your vpn did i

17:37

miss anything in my guide

17:39

let me know in the comments section

17:40

below and remember if you found anything

17:43

in this video helpful

17:44

don't forget to like and subscribe

17:47

thanks for watching first name here from

17:49

the netherlands all right thank you

17:50

thank you so much funny i j i i won't go

17:53

into there but

17:55

people at work joke around because

17:56

they're like you must be big in the

17:57

netherlands and i was like actually a

18:00

fair portion of my traffic on youtube

18:02

comes from the netherlands but they they

18:04

joke around with me because once i

18:05

jumped on uh a call at work and the

18:08

people on the other side of the call

18:09

were from the netherlands and one guy

18:11

was like are you techno gym do you have

18:13

a youtube channel i kind of i didn't

18:15

even see it in chat and then later on

18:17

that you know they were teasing me at

18:19

work they're like you must be huge in

18:20

the netherlands because that guy

18:21

recognized you and i didn't even see in

18:23

chat that he had said he knew who i was

18:26

because it was zoom chat not like

18:27

anywhere else and that's obviously class

18:29

but anyways long story short someone

18:32

from from work

18:33

when i was on a call

18:35

recognized me i was like oh that's

18:37

that's pretty awesome anyways uh thank

18:39

you and welcome um from the us thank you

18:42

for being here