Self-Hosting Security Guide for your HomeLab
Summary
TL;DR: This article introduces best security practices for self-hosting services in a home lab. From hardware to network configuration to firewall settings, it gives comprehensive guidance on a secure architecture. It stresses the importance of hardware firmware updates, the choice and maintenance of the operating system, and the management of virtualized environments. On the network side it recommends network segmentation to improve both security and performance, and the use of cloud services such as Cloudflare to strengthen external network security. It also discusses reverse proxies, SSL certificates, two-factor authentication and related techniques, and how to add an authentication layer in front of services with Authelia. Finally, it encourages users to decide for themselves, based on their own comfort level, whether to self-host at all, and offers some additional security advice.
Takeaways
- 🛡️ Security starts at the foundation of the home lab, not just at the last step.
- 🌐 A VPN is the recommended way to expose services securely: only people with VPN access can reach them.
- 🏢 Hosting services in a public cloud reduces the risk to the home network.
- 🔩 Hardware must be kept current with firmware updates, including the server, motherboard, hard drives, network adapters and so on.
- 🖥️ When virtualizing operating systems, make sure the hypervisor is kept up to date and fully patched.
- 📊 Choose a secure operating system, patch it regularly, and follow the principle of least privilege.
- 🚀 For containerized applications, use containers from official sources and consider minimal base images.
- 🔄 Network segmentation is key to controlling network traffic and improving security.
- 🌐 The external network configuration should forward only the ports that are needed, and use a public reverse proxy such as Cloudflare to improve performance and security.
- 🔒 Use firewall rules and intrusion detection/prevention systems to strengthen network security.
- 🔗 An internal reverse proxy simplifies certificate management and traffic routing while adding another layer of security.
- 🛡️ Use an authentication proxy such as Authelia to add an extra authentication and authorization layer in front of services.
Q & A
What does "the last mile" mean in self-hosting services?
- In self-hosted services, "the last mile" is the last hop before a user reaches the service. It usually involves techniques such as certificates or a reverse proxy to make sure users reach the service securely.
Why does security start at the foundation of the home lab?
- Security starts at the foundation of the home lab because the security of the whole system depends on its weakest link. Beyond the "last mile" through which users reach services, every component (hardware, software, network configuration and so on) has to be secured as well.
Why is hardware important in self-hosted services?
- Hardware matters in self-hosted services because it is the foundation the applications run on. The firmware of the server and of every device connected to it should be kept up to date to reduce potential security risks.
What is the difference between virtualizing the operating system and running on bare metal?
- Virtualization lets multiple operating systems run on the same hardware, while bare metal means running the operating system directly on the hardware. Which to choose depends on how you prefer to manage your infrastructure; the key point is to make sure the virtualization technology is actively maintained and fully patched.
Why choose a secure operating system?
- Choosing a secure operating system lowers security risk. Pick one that is still supported and has not reached end of life, and patch it regularly.
What is a minimal container image, and why is it more secure?
- A minimal container image is a container built on a lightweight operating system such as Alpine Linux. It is small and has few dependencies, so its attack surface is smaller and there is less to patch, which reduces the potential for vulnerabilities.
What role does network segmentation play in self-hosting?
- Network segmentation divides the home lab network into multiple subnets or segments, each acting like its own small network. This lets you control traffic between segments, improving performance and security and reducing the risk when a device is compromised.
Why is the external network configuration important for self-hosted services?
- The external network configuration determines how users and devices enter your network. Correctly configured port-forwarding rules, a reverse proxy, and a public reverse proxy service such as Cloudflare together improve performance, protect your IP address, provide caching and TLS encryption, and defend against attacks.
How can Cloudflare strengthen the security of self-hosted services?
- By pointing your domain at Cloudflare's reverse proxy and using the services included in its free tier, you improve site performance, hide your IP address, get TLS encryption, and use Cloudflare's defenses to detect and block malicious attacks.
What are an intrusion detection system (IDS) and an intrusion prevention system (IPS)?
- IDS and IPS are network security technologies that detect and block attacks based on known signatures. An IDS analyzes requests and traffic, matches them against signatures and raises an alert; an IPS actively blocks the traffic when it detects an attack.
Why is an authentication proxy such as Authelia recommended for self-hosted services?
- Authelia is an authentication proxy that works together with a reverse proxy to provide authentication and authorization for services, even services that have no authentication of their own. This adds a layer of security to applications, and with two-factor authentication it ensures that only authorized users get in.
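The segment policy described in that answer, worked through as an added example that is not code from the video: a default-deny policy matrix between constructed VLAN subnets, evaluated against sample flows, including the ones a compromised DMZ or IoT host would attempt. The segment names, subnets, ports and allowed flows are assumptions chosen for illustration.

```python
"""Segment-to-segment policy check for a home lab network.

Added example, not from the video. It models the "network policy between
segments" idea: devices may talk freely inside their own segment, and only
explicitly listed flows may cross from one segment to another. Everything
else is dropped. Subnets, names and allowed flows below are constructed
assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed VLAN subnets (assumed, not from the video).
SEGMENTS = {
    "trusted": ip_network("10.0.10.0/24"),  # laptops and workstations
    "dmz": ip_network("10.0.20.0/24"),      # publicly exposed servers
    "iot": ip_network("10.0.30.0/24"),      # cameras, smart plugs
    "mgmt": ip_network("10.0.1.0/24"),      # hypervisor and router admin
}

# Allowed cross-segment flows as (source segment, destination segment,
# destination TCP port). This is the policy for NEW connections; a stateful
# firewall lets the reply packets of an accepted connection through on its own.
ALLOWED = {
    ("trusted", "dmz", 443),    # users reach the self-hosted web apps
    ("trusted", "iot", 443),    # trusted LAN may manage IoT devices
    ("trusted", "mgmt", 22),    # admins SSH to the hypervisor
    ("trusted", "mgmt", 8006),  # hypervisor web UI (assumed port)
}


def segment_of(ip):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Decide whether a new connection src_ip -> dst_ip:dst_port may pass."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False          # addresses outside every segment are never trusted
    if src == dst:
        return True           # same segment: switched locally, not filtered
    return (src, dst, dst_port) in ALLOWED   # default deny across segments


def evaluate(flows):
    """Map each (src, dst, port) flow to 'accept' or 'drop'."""
    return {flow: ("accept" if is_allowed(*flow) else "drop") for flow in flows}


# Constructed sample flows, including what a compromised DMZ or IoT host
# would try: reaching back into the trusted or management segment.
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.20.8", 443),   # user -> web app
    ("10.0.20.8", "10.0.10.5", 445),   # compromised DMZ host -> user's SMB
    ("10.0.30.7", "10.0.1.2", 22),     # compromised camera -> hypervisor SSH
    ("10.0.30.7", "10.0.30.9", 80),    # camera -> camera, same segment
    ("10.0.10.5", "10.0.1.2", 8006),   # admin -> hypervisor UI
    ("192.168.1.1", "10.0.10.5", 22),  # address outside every segment
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS).items():
        print(f"{flow[0]:>12} -> {flow[1]:>10}:{flow[2]:<5} {verdict}")
```

The point of the matrix is the direction of the arrows: the trusted segment initiates connections into the DMZ and IoT segments, but nothing in those segments may initiate a connection back, so a compromised exposed server or camera is contained. On a real router this is the same policy expressed as VLAN firewall rules.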
Outlines
🏠 Security foundations for self-hosting in a home lab
When self-hosting services in a home lab, people usually focus only on the last step, the final hop before a user reaches the service. That step matters a great deal, but security measures should start at the foundation. The video walks through a home lab architecture and stresses every layer from the hardware up to the network configuration. It mentions the sponsor Micro Center with hardware purchasing suggestions, and discusses the security of exposing services through a VPN as well as the pros and cons of public cloud hosting as an alternative.
🛡️ Hardware and operating system security for self-hosted services
Discusses the importance of hardware when self-hosting, stressing the need to keep the firmware of the server and its attached devices up to date. For the operating system it recommends choosing one that is still supported and not end of life, and patching it regularly. It also covers the considerations for virtualized operating systems, including keeping the virtualization software updated and using containers from official sources. It further emphasizes network segmentation for performance and security.
🌐 Best practices for network configuration and external protection
Takes a deeper look at internal and external network configuration, stressing that only the required ports should be forwarded and recommending a public reverse proxy service such as Cloudflare for performance and security. Cloudflare can detect and block malicious attacks and provides caching, TLS encryption and more. It also shows how conditional port-forwarding rules force traffic through Cloudflare, and discusses firewall rules and the setup of intrusion detection and intrusion prevention systems.
🔒 Reverse proxies, authentication and the final security measures for self-hosted services
Discusses the use of an internal reverse proxy, which simplifies certificate management and routes traffic. Mentions using an authentication proxy such as Authelia to add an authentication and authorization layer to services, especially applications that do not support these features themselves. Finally, the video summarizes the complete security path from the user through Cloudflare to the firewall, then the reverse proxy and the authentication proxy, and finally the server, and invites viewers to share their views on self-hosting at home in the comments.
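The conditional port forward from this section, as an added example that is not code from the video, Cloudflare or any router vendor: the rule's decision logic in Python so it can be checked offline, plus the equivalent nftables ruleset text for a Linux router. The reverse proxy address, interface names and the embedded IP ranges are constructed assumptions; the real allow-list is Cloudflare's published one.

```python
"""Conditional port forward: only Cloudflare sources reach the reverse proxy.

Added example, not code from the video, Cloudflare or any router vendor.
It reproduces the router rule's logic in Python and renders the same policy
as an nftables ruleset for a Linux router. The real allow-list is the one
Cloudflare publishes (https://www.cloudflare.com/ips/, served as one CIDR
per line); the ranges embedded below are CONSTRUCTED documentation prefixes
so the script runs without network access.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the published list (RFC 5737 TEST-NET prefixes,
# NOT real Cloudflare ranges). Blank lines and comments are tolerated.
PUBLISHED_LIST_SAMPLE = """\
# constructed sample of a one-CIDR-per-line list
198.51.100.0/24
203.0.113.0/25

"""

REVERSE_PROXY = "10.0.20.10"  # assumed internal address of the reverse proxy
WAN_IFACE = "wan0"            # assumed WAN interface name
LAN_IFACE = "lan0"            # assumed LAN interface name
FORWARDED_PORT = 443          # the only port forwarded (HTTPS)


def parse_ranges(text):
    """Parse a one-CIDR-per-line list, ignoring blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ip_network(line, strict=True))
    return nets


def decide(src_ip, dst_port, ranges):
    """Return ('dnat', REVERSE_PROXY) if forwarded, else ('drop', None).

    Mirrors the router rule: only port 443 is forwarded at all, and only
    when the source address is inside one of the allow-listed ranges.
    """
    if dst_port != FORWARDED_PORT:
        return ("drop", None)
    if any(ip_address(src_ip) in net for net in ranges):
        return ("dnat", REVERSE_PROXY)
    return ("drop", None)


def nft_ruleset(ranges):
    """Render the same policy as nftables text (returned, not applied)."""
    elements = ", ".join(str(n) for n in ranges)
    return f"""table ip homelab {{
    set cloudflare_v4 {{
        type ipv4_addr
        flags interval
        elements = {{ {elements} }}
    }}
    chain prerouting {{
        type nat hook prerouting priority dstnat; policy accept;
        iifname "{WAN_IFACE}" ip saddr @cloudflare_v4 tcp dport {FORWARDED_PORT} dnat to {REVERSE_PROXY}
    }}
    chain forward {{
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "{LAN_IFACE}" oifname "{WAN_IFACE}" accept
        iifname "{WAN_IFACE}" ip saddr @cloudflare_v4 ip daddr {REVERSE_PROXY} tcp dport {FORWARDED_PORT} accept
    }}
}}
"""


if __name__ == "__main__":
    ranges = parse_ranges(PUBLISHED_LIST_SAMPLE)
    for src, port in [("198.51.100.7", 443), ("192.0.2.1", 443), ("198.51.100.7", 22)]:
        print(src, port, decide(src, port, ranges))
    print(nft_ruleset(ranges))
```

Two practical points follow from the code. First, the forward chain's default policy is drop, so a connection that is not from the allow-listed set never reaches the reverse proxy even if it somehow matched the DNAT rule. Second, the allow-list changes over time, so whatever fetches it (the dynamic DNS script is a natural place) has to refresh the set regularly, otherwise legitimate Cloudflare traffic gets dropped along with the direct-to-IP attempts.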
Keywords
💡 Self-hosted services
💡 Last mile
💡 Hardware
💡 Virtualization
💡 Operating system
💡 Containerization
💡 Network segmentation
💡 External network
💡 Firewall rules
💡 Intrusion detection system (IDS) and intrusion prevention system (IPS)
💡 Reverse proxy
💡 Two-factor authentication
Highlights
Security starts at the foundation of the home lab, not just at the last hop.
Discusses best architecture practices for self-hosting services at home.
Hardware and configuration, application hosting considerations, network configuration and segmentation, reverse proxies, certificates and two-factor authentication, firewall configuration and internet security settings are all important parts of self-hosting services.
Micro Center is the best place to buy hardware and tech products, and offers new customers a free SSD.
Exposing services through a self-hosted VPN is the next best alternative to exposing them publicly.
Public cloud hosting can reduce the risks of hosting at home.
Hardware choice and firmware updates are critical for self-hosted services.
When virtualizing operating systems, make sure the hypervisor is actively maintained and fully patched.
Choose a secure operating system and patch it regularly.
When containerizing, make sure the container engine is up to date and use containers from official sources.
Network segmentation is critical for improving performance and security.
The external network configuration should forward only the necessary ports and use a reverse proxy to improve security.
Cloudflare can provide a reverse proxy; the free tier is enough, and it strengthens performance and security.
Set up conditional port-forwarding rules based on Cloudflare's published list of IP ranges to strengthen security.
Enable intrusion detection and intrusion prevention systems to detect and block attacks.
Using an internal reverse proxy simplifies certificate management and traffic routing.
An authentication proxy such as Authelia can add an extra authentication and authorization layer in front of services.
From Cloudflare to the firewall, then to the reverse proxy and the authentication proxy, this builds a complete security chain for self-hosted services.
If you feel uncomfortable or are not ready, you can choose not to self-host and instead use a VPN or a public cloud service.
Transcripts
When most people think about self-hosting services in their home lab, they often focus on, and only think about, the last mile. By last mile I mean the last hop before a user accesses your services. This last hop, whether it's using certificates or a reverse proxy, is incredibly important, but it's also important to know that security starts at the foundation of your home lab. Take for instance this diagram. This most likely makes up most things in your home lab, and whether that be physical or virtual, you'll find that you have most of these components. But what if I told you your home lab should look like this? That might seem incredibly complicated, but it's much easier than you think.

Today we're going to discuss some great practices in architecture for self-hosting services within your home. We'll dive into individual systems: hardware and configuration, application hosting considerations, network configuration and segmentation, reverse proxies, certificates and two-factor auth, firewall configuration, internet security settings, and we'll even lean into external protection from a provider like Cloudflare. This will cover everything from the last mile all the way down to the hardware.

And speaking of hardware, if you're looking for great deals on hardware you should look no further than our sponsor, Micro Center. If you're a huge nerd like me, one of the best places to shop for all your technology needs is Micro Center. Nothing beats walking into a store and feeling right at home, and that's how I feel the minute I walk into a Micro Center store, each and every time. They have the best deals on gear for gamers, streamers, custom-build PCs with performance and budget options, keyboards and accessories, desktops and laptops, and much, much more. Whether you're looking to build your own dream system, networking and storage, pre-built desktops or laptops, home security and home automation, DIY and tech hobbies, even printers and televisions, or just some help from any of their experts (they really do know what they're talking about), Micro Center should be your destination. Also, Micro Center has been generous enough to give a free SSD to all new customers. It's available in store only, so see the link in the description. So be sure to visit your local Micro Center store today, and if you can't make it in, be sure to check them out on the web. Oh, and tell them Techno Tim sent you. They'll have no idea who you're talking about.

So what's the best way of protecting yourself while self-hosting? Don't. Just don't do it. Seriously, you don't have to do it. Exposing yourself to the internet also exposes yourself to risks, and the easiest way to mitigate that is to just not do it at all. I know that's not why you're here or what you want to hear, so let's move on to the next best step. Also keep in mind that I'm not a security professional; I'm just some random person on the internet giving you advice.

Exposing your services through a self-hosted VPN is probably the next best way of exposing your services without doing it publicly. This will create a secure tunnel from the outside of your network to the inside of your network. From there you can create firewall rules and limit what the VPN can access. This is a quick win and a secure way of exposing your services, but only the people with VPN access will be able to access them.

So you've made it this far and you decided you still want to expose some services publicly, so let's talk about public options. This first option kind of falls into the "don't host it at home" option, which is to host it in a public cloud. Hosting it in a public cloud still has its own set of concerns, but it does mitigate a lot of the risk of hosting it at home. That's because if that machine gets compromised, they haven't compromised a machine on your local network; they've compromised a machine in the public cloud. But again, that's not why we're here today. We're here to self-host services on our own network.

But for those who want to expose some services directly from their home, this is where the fun begins. And again, most people think of the last mile when self-hosting services; it's this path right here. But security starts at a much deeper level, so rather than focus on this last hop right here, we're going to zoom in and focus on the server that's running your services.

You typically don't think of the hardware when you're hosting applications in the cloud; you really don't have to. But since we're hosting in our own personal cloud, we do need to consider this. The biggest takeaway here is to be sure that the hardware your application is running on is patched with the latest firmware. This includes firmware for the server itself, firmware for devices like the motherboard, hard drives, network adapters, and any other device that's physically connected to the server. This also includes any firmware for any router or network device in your environment, but we'll get into configuration here in a little bit.

Next we need to decide if we're going to virtualize our operating system or just run them bare metal. Really, there is no wrong answer here; it really depends on how you want to manage your infrastructure. The key takeaway here is to make sure that your hypervisor is actively maintained, up to date and fully patched. There are some networking considerations here, but we'll cover that in the networking section, since virtualized networks and physical networks have a lot of the same concerns.

Next is making sure you choose a secure operating system that your applications will run on. Now this is a big topic for debate, so we aren't going to go into which ones are more secure, but you have choices like Windows Embedded and many flavors of Linux. Here are the takeaways: you'll want to use one that's still supported and not end of life. You'll want to patch all of these regularly and work it into your maintenance schedule. You'll also want to use the principle of least privilege, meaning giving the minimum level of access to any user on this system. You also want to be sure you don't run anything as root or admin. You also want to restrict who has access to these machines and try not to install additional services on these machines. It's also a good idea, if you can, to use an application firewall. And at the end of the day the OS should be purposely built and maintained.

If you're running containers you'll have much of the same concerns as you do with an operating system, however at a much smaller scale. You'll first want to make sure that your containerization engine is up to date, whether that be Docker, containerd or Podman or any other; you want to be sure that this service is patched and up to date. Also, I recommend using containers from official sources. This can be a challenge, but you'll want to be sure that you're getting containers from the maintainer themselves or from a reputable source, something like linuxserver.io. And after you've chosen your container, you'll want to check to see if they support a minimal image, one that's built on something like Alpine. The reason you want to do this is for a couple of reasons: first of all, you get a smaller container; next, this container now has less attack surface. Containers with fewer dependencies mean less to worry about, and containers with fewer dependencies have less to patch, or less possibility of vulnerabilities. So if you choose a container that has more services, that's more to patch, more possibility of vulnerabilities, and overall more to worry about.

After you've selected your container, you'll also want to take into consideration the tags that you use. Now this is kind of a double-edged sword, because most people want to pin their containers to latest to ensure that they have the latest container, and then they'll use something like Watchtower to update it automatically. However, keep in mind that latest may not have gone through the same testing and rigor that a tagged version of an image has. This convention is really going to be up to the container maintainer, but my general guidance, looking at the nginx container, is that if you can pin to a specific version like this one, 1.21.5-alpine, that's a good bet. Or you can pin to a less specific version like 1-alpine or even 1.21-alpine, and then if all else fails you can pin to latest. If you really wanted a high level of specificity you could actually pin to this digest here, but that's going a little far. But this does add some maintenance over time and you'll need to work this into your maintenance rotation. But the takeaway here is that the higher level of specificity on your tag means that it's more easily reproduced in the future.

And now on to networking. There are two sections to networking that are equally important: internal networking and external networking. Starting with internal networking, it's a must to segment your network if you're planning on self-hosting applications. The idea behind network segmentation is that you divide your network into multiple segments or subnets, each acting like its own small network. This allows you to control the flow of the network between two networks, and even internally, based on a network policy. This can not only improve performance but also security. You can do this by subnetting or VLANs, and this allows you to keep trusted devices separate from devices that are connected or exposed to the internet, or untrusted devices. This can help mitigate the risk that if one of these devices gets compromised, they can only communicate with other devices on this network, and if you have a network policy in place they can't get through to your trusted devices, thus mitigating the risk. This is not only a good idea for machines that are publicly exposed to the internet but also a good idea for IoT devices, but maybe more on that some other time. The takeaway here is to segment your network to mitigate risk.

And now on to external networking. This is where the real fun begins. This is how users and devices enter your network, and for obvious reasons you want to be sure that only the ports you need to be forwarded are forwarded to the proper device. In most cases you'll be hosting something like a website, and if that's the case you'll want to be sure that it's only going to port forward 443 for HTTPS to the server that it's running on. You don't want to open any additional ports, and in most cases you'll want to port forward that to a reverse proxy that sits in front of your website. However, I highly recommend using a public reverse proxy along with your own.

So Cloudflare provides a reverse proxy, even with a free tier, that you can use to improve performance, somewhat protect your IP online, provide some caching, TLS encryption or certificates, and, I think most importantly, protect your site from attacks. Cloudflare is able to detect and block malicious attacks if you use them for DNS, and if you use them for DNS your DNS will point at them, at their reverse proxy, and it's in their best interest to detect and block these types of attacks, since an attack on you is really an attack against them. This might sound complicated to set up, but it's as easy as using a dynamic DNS container or script that updates your domain to point to Cloudflare. Then this will route all traffic through their reverse proxy and forward it on to you with TLS encryption. And if you're ever under attack you can simply turn on attack mode and force the JavaScript challenge when people visit, so that attackers get stopped but real human beings get through. And you can see some of my stats here: you can see lots of requests are being routed through Cloudflare, you can see the total bandwidth over time, you can see how many unique visitors visited, and then you can also check out the security piece. You can see from this chart that they've actually blocked some threats, and these were blocked at the Cloudflare level and never made it down to my reverse proxy. You can see threats by country, by region, and the type of crawlers or bots. I feel like setting up Cloudflare is a huge win for privacy, security and protection.

But what's stopping anyone from just going directly to my IP address? What happens if someone figures out my IP address and wants to bypass Cloudflare altogether? Well, in this setup, nothing at all. Don't worry friends, there are ways to protect against this too. This is where we'll combine our port forwarding rules along with Cloudflare. We'll force anyone from the outside coming in to go through Cloudflare, and if they don't, we'll just block them. So it looks like this: Cloudflare publishes their list of IP ranges. This is super helpful because we can build rules based on these IP ranges. See where I'm going here? From this list of ranges we can build a conditional port forward to say that if you're not coming from one of these sources, just block, and if you are, let them through. And it looks like this. I'm basically doing conditional port forwarding, and I'm using a UDM; it works just the same, probably a lot easier, on pfSense. But if we look at one of these rules, what we're saying is that hey, if the source is a Cloudflare IP on the port of 443, that's HTTPS, then we'll forward to our reverse proxy; otherwise we drop it. And I had to do this quite a few times in UDM because there isn't an easy way to do this, but it's much easier if you're using pfSense. And if you're using something else, just look at your port forwarding rules and see if they support conditional port forwarding.

And since we're talking about Cloudflare, we may as well talk about some firewall rules too that you can set up there. Now some people will block entire countries from their firewall, or even block Tor. Now, I've never really found these to be too helpful, because most of the time bad actors are just going to use a VPN in your local country and come in that way. But if you do want to block countries, it's here in firewall rules.

But while we're talking about networking and firewalls, we should also talk about IDS, which is intrusion detection system, and IPS, which is intrusion prevention system. Generally speaking these are just ways to detect and block attacks based on some signatures. They do this by analyzing the request and the traffic and then seeing if that matches a signature, and then alerting you if you have IDS turned on and blocking it if you have IPS turned on. Now I would definitely turn these both on, self-hosting or not, because they block against known attacks. Now I say "known" because they're only as good as the signatures that you have. So if you're running something like pfSense, that'll be Snort or Suricata, and if you're running UDM Pro it'll be right here under Firewall and Security. But you'll want to make sure that you detect and block, and then you can set a sensitivity level here; I have mine at the highest possible. And here we can see the list of threat categories. Now I have these all turned on, and you might have some additional toggles like dark web blocker and malicious website blocker, but you'll want to make sure that all of the security systems that your firewall supports are turned on and up to date. And you'll want to make sure that you regularly check these. For me that's as simple as going into notifications and making sure that any intrusion attempts were blocked.

And now that we have everything in place, we can finally meet in the middle and use our own internal reverse proxy. Arguably you don't need one if you're using Cloudflare, but I do it with or without Cloudflare. So a reverse proxy is an easy way to direct traffic from your clients to one of your servers. We talked about this with Cloudflare, and it's also a place where you can have your certificates. Having them here versus on each individual server makes maintenance much easier. And setting up a reverse proxy can be challenging; however, I've already documented this in a video. And the reverse proxy I usually choose is Traefik. Traefik can route requests to your servers, get publicly signed certificates for you to use, and even integrate with other systems using middleware.

So speaking of middleware, another choice you'll have to make is whether or not you want your services to have authentication. Some services do provide authentication, but they may not support two-factor authentication. This is where something like Authelia comes into play. Authelia is an auth proxy that works with your reverse proxy to provide authentication and authorization for your services, even if they don't have authentication of their own. This is great for applications that need another layer of protection, and with two-factor authentication it helps give you confidence that your apps can be accessed by you and only you. (I put them upside down because he's mad because auth is in the middle, but whatever.) This is definitely an advanced use case and should only be set up after you have all of this already running.

After we have this last step set up, we've gone all the way from the end user going through Cloudflare to your firewall, configured a firewall with protection, set up a reverse proxy, then set up an auth proxy, and for a server we configured our hardware and the operating system and then our service, if it's running in a container. You should now have a little more confidence in self-hosting some things in your home lab. And remember, you don't have to do any of this. If you feel uncomfortable or you're not ready, you can still fall back to a VPN, or host it in a public cloud, or do nothing at all. And there are also some side quests we didn't talk about, like tunneling, but you could set this up differently altogether. So what do you think about self-hosting some services at home? Do you not want to expose anything publicly but your VPN? Did I miss anything in my guide? Let me know in the comments section below, and remember, if you found anything in this video helpful, don't forget to like and subscribe. Thanks for watching.

First name here from the Netherlands. All right, thank you, thank you so much. Funny, I won't go into that, but people at work joke around because they're like, "You must be big in the Netherlands," and I was like, actually a fair portion of my traffic on YouTube comes from the Netherlands. But they joke around with me because once I jumped on a call at work and the people on the other side of the call were from the Netherlands, and one guy was like, "Are you Techno Tim? Do you have a YouTube channel?" I didn't even see it in chat, and then later on they were teasing me at work, they're like, "You must be huge in the Netherlands because that guy recognized you," and I didn't even see in chat that he had said he knew who I was, because it was Zoom chat, not anywhere else. And that's obviously class. But anyways, long story short, someone from work, when I was on a call, recognized me. I was like, oh, that's pretty awesome. Anyways, thank you, and welcome from the US. Thank you for being here.
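The image tag discussion in the transcript (digest, then an exact version such as 1.21.5-alpine, then 1.21-alpine, then 1-alpine, then latest) applied to a whole compose file, as an added example that is not code from the video: it parses each image reference, ranks how tightly it is pinned, and flags the ones below a chosen threshold. The compose text is constructed for the demo; only the nginx tags come from the video, and the registry and service names are made up.

```python
"""Rank how tightly each image in a compose file is pinned.

Added example, not from the video. Ordering follows the video: a digest is
the most reproducible, then an exact version (1.21.5-alpine), then a minor
version (1.21-alpine), then a major version (1-alpine), and 'latest' or no
tag at all is floating. The compose text below is constructed for the demo.
"""
import re

# Pinning levels; a higher number is more reproducible.
LEVELS = {"floating": 0, "major": 1, "minor": 2, "exact": 3, "digest": 4}

# A version tag: optional 'v', one to three numeric components, optional
# suffix such as '-alpine' or '.1-bookworm'.
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.].*)?$")

# Constructed compose file (service and registry names are made up).
SAMPLE_COMPOSE = """\
services:
  web:
    image: nginx:1.21.5-alpine
    ports:
      - "443:443"
  app:
    image: ghcr.io/example/app:2.3
  db:
    image: postgres:14
  updater:
    image: containrrr/watchtower
"""


def split_reference(ref):
    """Split 'registry:5000/name:tag@sha256:...' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    # A ':' after the last '/' separates the tag; one before it is a
    # registry port and must not be mistaken for a tag.
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def classify(ref):
    """Return (level name, level number) for an image reference."""
    _, tag, digest = split_reference(ref)
    if digest:
        return "digest", LEVELS["digest"]
    if tag is None or tag == "latest":
        return "floating", LEVELS["floating"]
    m = VERSION_RE.match(tag)
    if not m:
        return "floating", LEVELS["floating"]   # e.g. 'stable' or 'alpine' alone
    major, minor, patch = m.groups()
    if patch is not None:
        return "exact", LEVELS["exact"]
    if minor is not None:
        return "minor", LEVELS["minor"]
    return "major", LEVELS["major"]


def audit_compose(text, minimum="minor"):
    """Return [(service, image, level name)] for images pinned below `minimum`.

    Light-weight line scan (no YAML library needed): a two-space-indented
    'name:' line starts a service, and any 'image:' line belongs to it.
    """
    key_re = re.compile(r"^( *)([\w.-]+):\s*(.*)$")
    service, findings = None, []
    for line in text.splitlines():
        m = key_re.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 2 and value == "":
            service = key
        elif key == "image":
            image = value.strip("\"'")
            level, number = classify(image)
            if number < LEVELS[minimum]:
                findings.append((service, image, level))
    return findings


if __name__ == "__main__":
    for service, image, level in audit_compose(SAMPLE_COMPOSE):
        print(f"{service}: {image} is only pinned to '{level}'")
```

The threshold is a policy knob: `minimum="exact"` enforces full version pins (and therefore the manual update rotation the video mentions), while `minimum="minor"` accepts the 1.21-alpine style that still picks up patch releases automatically. Run it in CI or a pre-deploy hook so a stray `latest` never reaches the host unnoticed.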