As the title says, I want to know the most paranoid security measures you’ve implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I’m wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

  • Pika@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    17
    ·
    edit-2
    10 months ago

    My security is fairly simplistic but I’m happy with it

    • software protection

      • fail2ban with low warning hold
      • cert based login for ssh (no password Auth)
      • Honeypot on all common port numbers, which if pinged leads to a permanent IP ban
      • drop all firewall
      • PSAD for intrusion/scanning protection (so many Russian scanners… lol)
      • wireguard for VPN to access local virtual machines and resources
      • external VPN with nordVPN for secure containers (yes I know nord is questionable I plan to swap when my sub runs out)
    • physical protection

      • luksCrypt on the sensitive Data/program Drive ( I know there’s some security concerns with luksCrypt bite me)
      • grub and bios locked with password
      • UPS set to auto notify on power outage
      • router with keep alive warning system that pings my phone if the lab goes offline and provides fallback dns
    • things I’ve thought about:

      • a mock recovery partition entry that will nuke the Luks headers on entry (to prevent potential exploit getting through grub)
      • removing super user access completely outside of local user access