When most people think about self-hosting services in their home lab, they often focus on, and only think about, the last mile. By "last mile" I mean the last hop before a user accesses your services. This last hop, whether it's using certificates or a reverse proxy, is incredibly important, but it's also important to know that security starts at the foundation of your home lab. Take, for instance, this diagram. This most likely makes up most things in your home lab, and whether that be physical or virtual, you'll find that you have most of these components. But what if I told you your home lab should look like this? That might seem incredibly complicated, but it's much easier than you think.

Today we're going to discuss some great practices in architecture for self-hosting services within your home. We'll dive into individual systems: hardware and configuration, application hosting considerations, network configuration and segmentation, reverse proxies, certificates and two-factor auth, firewall configuration, internet security settings, and we'll even lean into external protection from a provider like Cloudflare. This will cover everything from the last mile all the way down to the hardware.

And speaking of hardware, if you're looking for great deals on hardware, you should look no further than our sponsor, Micro Center. If you're a huge nerd like me, one of the best places to shop for all your technology needs is Micro Center. Nothing beats walking into a store and feeling right at home, and that's how I feel the minute I walk into a Micro Center store, each and every time. They have the best deals on gear for gamers, streamers, custom-build PCs with performance and budget options, keyboards and accessories, desktops and laptops, and much, much more. Whether you're looking to build your own dream system, networking and storage, pre-built desktops or laptops, home security and home automation, DIY and tech hobbies, even printers and televisions, or just some help from any of their experts (they really do know what they're talking about), Micro Center should be your destination. Also, Micro Center has been generous enough to give a free SSD to all new customers; it's available in store only, so see the link in the description. So be sure to visit your local Micro Center store today, and if you can't make it in, be sure to check them out on the web. Oh, and tell them Techno Tim sent you. They'll have no idea who you're talking about.

So what's the best way of protecting yourself while self-hosting? Don't. Just don't do it. Seriously, you don't have to do it. Exposing yourself to the internet also exposes yourself to risks, and the easiest way to mitigate that is to just not do it at all. I know that's not why you're here or what you want to hear, so let's move on to the next best step. Also keep in mind that I'm not a security professional; I'm just some random person on the internet giving you advice.

Exposing your services through a self-hosted VPN is probably the next best way of exposing your services without doing it publicly. This will create a secure tunnel from the outside of your network to the inside of your network. From there you can create firewall rules and limit what the VPN can access. This is a quick win and a secure way of exposing your services, but only the people with VPN access will be able to access them.

So you've made it this far and you decided you still want to expose some services publicly, so let's talk about public options. This first option kind of falls into the "don't host it at home" option, which is to host it in a public cloud. Hosting it in a public cloud still has its own set of concerns, but it does mitigate a lot of the risk of hosting it at home. That's because if that machine gets compromised, they haven't compromised a machine on your local network; they've compromised a machine in the public cloud. But again, that's not why we're here today. We're here to self-host services on our own network. But for those who want to expose some services directly from their home, this is where the fun begins.

And again, most people think of the last mile when self-hosting services. It's this path right here. But security starts at a much deeper level, so rather than focus on this last hop right here, we're going to zoom in and focus on the server that's running your services.

You typically don't think of the hardware when you're hosting applications in the cloud; you really don't have to. But since we're hosting in our own personal cloud, we do need to consider this. The biggest takeaway here is to be sure that the hardware that your application is running on is patched with the latest firmware. This includes firmware for the server itself, firmware for devices like the motherboard, hard drives, network adapters, and any other device that's physically connected to the server. This also includes any firmware for any router or network device in your environment, but we'll get into configuration here in a little bit.

Next we need to decide if we're going to virtualize our operating system or just run them bare metal. Really, there is no wrong answer here; it really depends on how you want to manage your infrastructure. The key takeaway here is to make sure that your hypervisor is actively maintained, up to date, and fully patched. There are some networking considerations here, but we'll cover that in the networking section, since virtualized networks and physical networks have a lot of the same concerns.

Next is making sure you choose a secure operating system that your applications will run on. Now, this is a big topic for debate, so we aren't going to go into which ones are more secure, but you have choices like Windows Embedded and many flavors of Linux. Here are the takeaways: you'll want to use one that's still supported and not end of life. You'll want to patch all of these regularly and work it into your maintenance schedule. You'll also want to use the principle of least privilege, meaning giving the minimum level of access to any user on this system. You also want to be sure you don't run anything as root or admin. You also want to restrict who has access to these machines, and try not to install additional services on these machines. It's also a good idea, if you can, to use an application firewall. And at the end of the day, the OS should be purposely built and maintained.

If you're running containers, you'll have much of the same concerns as you do with an operating system, however at a much smaller scale. You'll first want to make sure that your containerization engine is up to date, whether that be Docker, containerd, Podman, or any other; you want to be sure that this service is patched and up to date. Also, I recommend using containers from official sources. This can be a challenge, but you'll want to be sure that you're getting containers from the maintainer themselves or from a reputable source, something like linuxserver.io. And after you've chosen your container, you'll want to check to see if they support a minimal image, one that's built on something like Alpine. You want to do this for a couple of reasons. First of all, you get a smaller container. Next, this container now has less attack surface. Containers with fewer dependencies mean less to worry about, and containers with fewer dependencies have less to patch, or less possibility of vulnerabilities. So if you choose a container that has more services, that's more to patch, more with the possibility of vulnerabilities, and overall more to worry about.

After you've selected your container, you'll also want to take into consideration the tags that you use. Now, this is kind of a double-edged sword, because most people want to pin their containers to latest to ensure that they have the latest container, and then they'll use something like Watchtower to update it automatically. However, keep in mind that latest may not have gone through the same testing and rigor that a tagged version of an image has. This convention is really going to be up to the container maintainer, but my general guidance, looking at the nginx container, is that if you can pin to a specific version like this one, 1.21.5-alpine, that's a good bet. Or you can pin to a less specific version like 1-alpine, or even 1.21-alpine, and then if all else fails you can pin to latest. If you really wanted a high level of specificity, you could actually pin to this digest here, but that's going a little far. This does add some maintenance over time, and you'll need to work this into your maintenance rotation, but the takeaway here is that the higher level of specificity on your tag means that it's more easily reproduced in the future.

And now on to networking. There are two sections to networking that are equally important: internal networking and external networking. Starting with internal networking, it's a must to segment your network if you're planning on self-hosting applications. The idea behind network segmentation is that you divide your network into multiple segments or subnets, each acting like its own small network. This allows you to control the flow of the network between two networks, and even internally, based on a network policy. This can not only improve performance but also security. You can do this by subnetting or VLANs, and this allows you to keep trusted devices separate from devices that are connected or exposed to the internet, or untrusted devices. This can help mitigate the risk: if one of these devices gets compromised, they can only communicate with other devices on this network, and if you have a network policy in place, they can't get through to your trusted devices, thus mitigating the risk. This is not only a good idea for machines that are publicly exposed to the internet but also a good idea for IoT devices, but maybe more on that some other time. The takeaway here is to segment your network to mitigate risk.

And now on to external networking. This is where the real fun begins. This is how users and devices enter your network, and for obvious reasons you want to be sure that only the ports you need to be forwarded are forwarded to the proper device. In most cases you'll be hosting something like a website, and if that's the case, you'll want to be sure that it's only going to port forward 443 for HTTPS to the server that it's running on. You don't want to open any additional ports, and in most cases you'll want to port forward that to a reverse proxy that sits in front of your website. However, I highly recommend using a public reverse proxy along with your own.

So Cloudflare provides a reverse proxy, even with a free tier, that you can use to improve performance, somewhat protect your IP online, provide some caching, TLS encryption or certificates, and, I think most importantly, protect your site from attacks. Cloudflare is able to detect and block malicious attacks if you use them for DNS. And if you use them for DNS, your DNS will point at them, at their reverse proxy, and it's in their best interest to detect and block these types of attacks, since an attack on you is really an attack against them. This might sound complicated to set up, but it's as easy as using a dynamic DNS container or script that updates your domain to point to Cloudflare. Then this will route all traffic through their reverse proxy and forward it on to you with TLS encryption. And if you're ever under attack, you can simply turn on attack mode and force the JavaScript challenge when people visit, so that attackers get stopped but real human beings get through. You can see some of my stats here: you can see lots of requests are being routed through Cloudflare, you can see the total bandwidth over time, you can see how many unique visitors visited, and then you can also check out the security piece. You can see from this chart that they've actually blocked some threats, and these were blocked at the Cloudflare level; they never made it down to my reverse proxy. You can see threats by country, by region, and the type of crawlers or bots. I feel like setting up Cloudflare is a huge win for privacy, security, and protection.

But what's stopping anyone from just going directly to my IP address? What happens if someone figures out my IP address and wants to bypass Cloudflare altogether? Well, in this setup, nothing at all. Don't worry, friends, there are ways to protect against this too. This is where we'll combine our port forwarding rules along with Cloudflare. We'll force anyone from the outside coming in to go through Cloudflare, and if they don't, we'll just block them. So it looks like this. Cloudflare publishes their list of IP ranges. This is super helpful because we can build rules based on these IP ranges; see where I'm going here? From this list we can build a conditional port forward to say that if you're not coming from one of these sources, just block, and if you are, let them through. And it looks like this: I'm basically doing conditional port forwarding, and I'm using UDM, and it works just the same, probably a lot easier on pfSense. But if we look at one of these rules, what we're saying is that, hey, if the source is a Cloudflare IP on the port of 443 (that's HTTPS), then we'll forward to our reverse proxy; otherwise we drop it. I had to do this quite a few times in UDM because there isn't an easy way to do this, but it's much easier if you're using pfSense. And if you're using something else, just look at your port forwarding rules and see if they support conditional port forwarding.

And since we're talking about Cloudflare, we may as well talk about some firewall rules too that you can set up there. Now, some people will block entire countries from their firewall, or even block Tor. Now, I've never really found these to be too helpful, because most of the time bad actors are just going to use a VPN in your local country and come in that way. But if you do want to block countries, it's here in firewall rules.

But while we're talking about networking and firewalls, we should also talk about IDS, which is intrusion detection system, and IPS, which is intrusion prevention system. Generally speaking, these are just ways to detect and block attacks based on some signatures. They do this by analyzing the request and the traffic and then seeing if that matches a signature, and then alerting you if you have IDS turned on, and blocking it if you have IPS turned on. Now, I would definitely turn these both on, self-hosting or not, because they block against known attacks. Now, I say "known" because they're only as good as the signatures that you have. So if you're running something like pfSense, that'll be Snort or Suricata, and if you're running UDM Pro, it'll be right here under Firewall and Security. But you'll want to make sure that you detect and block, and then you can set a sensitivity level. Here I have mine at the highest possible, and here we can see the list of threat categories. Now, I have these all turned on, and you might have some additional toggles like dark web blocker and malicious website blocker, but you'll want to make sure that all of the security systems that your firewall supports are turned on and up to date. And you'll want to make sure that you regularly check these. For me, that's as simple as going into notifications and making sure that any intrusion attempts were blocked.

And now that we have everything in place, we can finally meet in the middle and use our own internal reverse proxy. Arguably you don't need one if you're using Cloudflare, but I do it with or without Cloudflare. So a reverse proxy is an easy way to direct traffic from your clients to one of your servers. We talked about this with Cloudflare, and it's also a place where you can have your certificates. Having them here versus on each individual server makes maintenance much easier. Setting up a reverse proxy can be challenging; however, I've already documented this in a video. The reverse proxy I usually choose is Traefik. Traefik can route requests to your servers, get publicly signed certificates for you to use, and even integrate with other systems using middleware.

So, speaking of middleware, another choice you'll have to make is whether or not you want your services to have authentication. Some services do provide authentication, but they may not support two-factor authentication. This is where something like Authelia comes into play. Authelia is an auth proxy that works with your reverse proxy to provide authentication and authorization for your services, even if they don't have authentication of their own. This is great for applications that need another layer of protection, and with two-factor authentication it helps give you confidence that your apps can be accessed by you and only you. I put them upside down because he's mad, because auth is in the middle, but whatever. This is definitely an advanced use case and should only be set up after you have all of this already running.

After we have this last step set up, we've gone all the way from the end user, going through Cloudflare to your firewall, configured a firewall with protection, set up a reverse proxy, then set up an auth proxy, and for a server we configured our hardware and the operating system, and then our service if it's running in a container. You should now have a little more confidence in self-hosting some things in your home lab. And remember, you don't have to do any of this if you feel uncomfortable or you're not ready. You can still fall back to a VPN, or host it in a public cloud, or do nothing at all. And there are also some side quests we didn't talk about, like tunneling, but you could set this up differently altogether.

So what do you think about self-hosting some services at home? Do you not want to expose anything publicly but your VPN? Did I miss anything in my guide? Let me know in the comments section below. And remember, if you found anything in this video helpful, don't forget to like and subscribe. Thanks for watching.

"First name here," from the Netherlands. All right, thank you. Thank you so much. Funny, I... I won't go into there, but people at work joke around because they're like, "You must be big in the Netherlands." And I was like, actually, a fair portion of my traffic on YouTube comes from the Netherlands. But they joke around with me because once I jumped on a call at work, and the people on the other side of the call were from the Netherlands, and one guy was like, "Are you Techno Tim? Do you have a YouTube channel?" I didn't even see it in chat, and then later on, you know, they were teasing me at work. They're like, "You must be huge in the Netherlands, because that guy recognized you." And I didn't even see in chat that he had said he knew who I was, because it was Zoom chat, not anywhere else. And that's obviously class. But anyways, long story short, someone from work, when I was on a call, recognized me. I was like, oh, that's pretty awesome. Anyways, thank you, and welcome, from the US. Thank you for being here.

Video Information
This video, titled ‘Self-Hosting Security Guide for your HomeLab’, was uploaded by Techno Tim on 2022-01-29 16:00:06. It has garnered 183203 views and 7783 likes. The duration of the video is 00:18:43 or 1123 seconds.
When most people think about self-hosting services in their HomeLab, they often think of the last mile. By last mile I mean the very last hop before a user accesses your services. This last hop, whether that’s using certificates or a reverse proxy, is incredibly important, but it’s also important to know that security starts at the foundation of your HomeLab. Today, we’ll work our way up from hardware security, to OS, to networking, to containers, to firewalls, IDS/IPS, reverse proxies, auth proxies for authentication and authorization, and even lean in to an external provider like Cloudflare.
A HUGE thanks to Micro Center for sponsoring this video!
New Customers Exclusive – Get a Free 240GB SSD at Micro Center: https://micro.center/0ef37a (paid)
★ Subscribe! https://l.technotim.live/subscribe ★ I’m Live on Twitch https://l.technotim.live/twitch ★ Get Help in Our Discord Community! https://l.technotim.live/discord ★ Subscribe to Techno Tim Talks! https://l.technotim.live/subscribe-ttt ★ Documentation found here https://l.technotim.live/docs __________________________________________
⚙ Gear Recommendations ⚙ ► https://l.technotim.live/gear
(Affiliate links may be included in this description. I may receive a small commission at no cost to you.) __________________________________________
♦ Patreon https://l.technotim.live/patreon ♦ GitHub https://l.technotim.live/github ♦ Twitch https://l.technotim.live/twitch ♦ Twitter https://l.technotim.live/twitter ♦ Discord https://l.technotim.live/discord ♦ Instagram https://l.technotim.live/instagram ♦ Facebook https://l.technotim.live/facebook ♦ TikTok https://l.technotim.live/tiktok __________________________________________
00:00 – Intro
01:10 – Advertisement
02:06 – Don’t Self-Host
02:27 – Disclaimer
02:33 – Self-Hosted VPN
02:57 – Public Cloud
03:24 – The Last Mile
03:50 – Hardware
04:28 – Virtual vs. Bare Metal
04:56 – Operating System
05:47 – Container Security
06:58 – Container Tags
08:07 – Network Segmentation
09:32 – Firewall & Port Forwarding
10:11 – Cloudflare (Reverse Proxy)
11:26 – Cloudflare Settings & Stats
11:58 – Cloudflare + Conditional Port Forwarding
13:24 – Cloudflare Firewall Rules
13:46 – IDS and IPS
15:03 – Internal Reverse Proxy
15:53 – Auth Proxy (Authentication and Authorization)
16:42 – Security Overview
17:07 – Are you going to Self-Host?
17:41 – Stream Highlight “I’m big in the Netherlands (not)”
#SelfHosted #HomeLab #Security
“Overzealous Punch” is from Harris Heller’s album Sunset. https://l.technotim.live/sb-music-license
Icons in this video have been created by Freepik from flaticon https://www.flaticon.com/authors/freepik
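For the container-tag part of the transcript (pinning nginx to 1.21.5-alpine, 1.21-alpine, 1-alpine, a digest, or latest), here is an added example that is not code from the video or from any project it mentions: it ranks every image in a compose file by how specifically it is pinned, so floating tags stand out in a maintenance review. The compose snippet and the all-zero digest are constructed sample input.

```python
"""Rank how reproducibly the images in a compose file are pinned.

Added example, not from the video: it applies the tag guidance given for nginx
(digest > 1.21.5-alpine > 1.21-alpine > 1-alpine > latest) to every 'image:' line.
"""
import re
from dataclasses import dataclass

# Constructed compose snippet used as sample input; the digest is a placeholder.
SAMPLE_COMPOSE = """
services:
  web:
    image: nginx:1.21.5-alpine
  cache:
    image: redis:latest
  proxy:
    image: traefik
  db:
    image: docker.io/library/postgres:14-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Pin levels from least to most specific.
FLOATING, MAJOR, MINOR, PATCH, DIGEST = range(5)
LEVEL_NAMES = ["floating", "major", "minor", "patch", "digest"]

@dataclass(frozen=True)
class ImageRef:
    repository: str
    tag: str       # "latest" when no tag is written, which is what Docker assumes
    digest: str    # "" when the reference is not pinned by digest

def parse_image(ref: str) -> ImageRef:
    """Split 'repo[:tag][@sha256:hex]' into parts.

    A ':' before the last '/' is a registry port (registry:5000/app), so the
    tag separator is only looked for in the final path component.
    """
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, _, last = ref.rpartition("/")
    name, _, tag = last.partition(":")
    repository = f"{head}/{name}" if head else name
    return ImageRef(repository, tag or "latest", digest)

def pin_level(image: ImageRef) -> int:
    """Classify by the numeric prefix of the tag; suffixes like '-alpine' are ignored."""
    if image.digest:
        return DIGEST
    m = re.match(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+.]|$)", image.tag)
    if not m:
        return FLOATING          # latest, stable, edge, or a bare image name
    return PATCH if m.group(3) else MINOR if m.group(2) else MAJOR

def audit_compose(text: str) -> dict:
    """Map every image reference found on an 'image:' line to its pin level name."""
    refs = re.findall(r"^\s*image:\s*['\"]?([^\s'\"]+)", text, re.MULTILINE)
    return {ref: LEVEL_NAMES[pin_level(parse_image(ref))] for ref in refs}

if __name__ == "__main__":
    for ref, level in audit_compose(SAMPLE_COMPOSE).items():
        print(f"{level:>8}  {ref}" + ("  <- consider pinning" if level == "floating" else ""))
```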
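For the conditional port-forward part of the transcript (forward 443 only when the source is one of Cloudflare's published IP ranges, drop everything else so the origin IP cannot be used to bypass Cloudflare), here is an added example that is not the video's UDM or pfSense configuration: it makes the same allow/drop decision in Python and emits equivalent iptables rules for a Linux router. The proxy address 192.168.50.10, the WAN interface name eth0 and the sample connection attempts are constructed, and the range list is only a partial snapshot that should be refreshed from Cloudflare before use.

```python
"""Forward port 443 only when the connection comes from Cloudflare.

Added example, not from the video: models the conditional port forward shown
for UDM/pfSense. Only sources inside Cloudflare's published ranges reach the
reverse proxy; anything else on 443 is dropped.
"""
import ipaddress

# Partial snapshot of the list Cloudflare publishes (one CIDR per line, as at
# https://www.cloudflare.com/ips-v4 and /ips-v6). The live list is longer and
# changes over time, so fetch it from the source rather than hard-coding it.
CLOUDFLARE_RANGES_TXT = """
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
172.64.0.0/13
2606:4700::/32
"""

REVERSE_PROXY = "192.168.50.10"   # hypothetical LAN address of the internal proxy
WAN_IF = "eth0"                   # hypothetical WAN interface of the router
PUBLIC_PORT = 443                 # the only port the video forwards

def load_ranges(text: str) -> list:
    """Parse the published list into network objects, skipping blank lines."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()]

CLOUDFLARE_RANGES = load_ranges(CLOUDFLARE_RANGES_TXT)

def decide(src_ip: str, dst_port: int, ranges=CLOUDFLARE_RANGES) -> str:
    """Return 'forward' or 'drop' for one inbound connection attempt."""
    if dst_port != PUBLIC_PORT:
        return "drop"                  # nothing but 443 is forwarded at all
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"                  # unparseable source: never forward it
    # Membership is only meaningful within the same address family.
    if any(src in net for net in ranges if net.version == src.version):
        return "forward"
    return "drop"

def iptables_rules(ranges=CLOUDFLARE_RANGES, proxy=REVERSE_PROXY,
                   port=PUBLIC_PORT, wan_if=WAN_IF) -> list:
    """Equivalent IPv4 rules for a Linux router (an alternative to the UDM/pfSense UI).

    DNAT to the proxy only from Cloudflare ranges, then drop what still reaches the
    router itself on that port from the WAN. Assumes FORWARD to the proxy is allowed.
    """
    rules = [f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp -s {net} --dport {port} "
             f"-j DNAT --to-destination {proxy}:{port}"
             for net in ranges if net.version == 4]
    rules.append(f"iptables -A INPUT -i {wan_if} -p tcp --dport {port} -j DROP")
    return rules

# Constructed connection attempts: (source, destination port). 198.51.100.0/24
# is a documentation range standing in for an arbitrary host on the internet.
SAMPLE_ATTEMPTS = [("173.245.48.17", 443), ("198.51.100.7", 443),
                   ("104.16.1.1", 22), ("2606:4700:abcd::1", 443), ("not-an-ip", 443)]

if __name__ == "__main__":
    for src, port in SAMPLE_ATTEMPTS:
        print(f"{src:>20}:{port:<4} -> {decide(src, port)}")
    print("\n".join(iptables_rules()))
```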