Self-Hosting Security Guide for your HomeLab

  • Added 20. 05. 2024
  • When most people think about self-hosting services in their HomeLab, they often think of the last mile. By last mile I mean the very last hop before a user accesses your services. This last hop, whether that’s using certificates or a reverse proxy, is incredibly important, but it’s also important to know that security starts at the foundation of your HomeLab. Today, we'll work our way up from hardware security, to OS, to networking, to containers, to firewalls, IDS/IPS, reverse proxies, auth proxies for authentication and authorization, and even lean on an external provider like Cloudflare.
    Video Notes: technotim.live/posts/self-hos...
    A HUGE thanks to Micro Center for sponsoring this video!
    New Customers Exclusive - Get a Free 240gb SSD at Micro Center: micro.center/0ef37a (paid)
    (Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
    00:00 - Intro
    01:10 - Advertisement
    02:06 - Don't Self-Host
    02:27 - Disclaimer
    02:33 - Self-Hosted VPN
    02:57 - Public Cloud
    03:24 - The Last Mile
    03:50 - Hardware
    04:28 - Virtual vs. Bare Metal
    04:56 - Operating System
    05:47 - Container Security
    06:58 - Container Tags
    08:07 - Network Segmentation
    09:32 - Firewall & Port Forwarding
    10:11 - Cloudflare (Reverse Proxy)
    11:26 - Cloudflare Settings & Stats
    11:58 - Cloudflare + Conditional Port Forwarding
    13:24 - Cloudflare Firewall Rules
    13:46 - IDS and IPS
    15:03 - Internal Reverse Proxy
    15:53 - Auth Proxy (Authentication and Authorization)
    16:42 - Security Overview
    17:07 - Are you going to Self-Host?
    17:41 - Stream Highlight "I'm big in the Netherlands (not)"

Comments • 371

  • @TechnoTim
    @TechnoTim  2 years ago +21

    New Customers Exclusive - Get a Free 240gb SSD at Micro Center: micro.center/0ef37a (paid)

    • @SpookyLurker
      @SpookyLurker 2 years ago

      American only. 🤦‍♂️

    • @TheoParis
      @TheoParis 2 years ago

      I don't have a microcenter near me :(

  • @SB-qm5wg
    @SB-qm5wg 2 years ago +77

    This set up is far more secure than any company I've worked for.

    • @TechnoTim
      @TechnoTim  2 years ago +13

      And we can do this at home!

    • @TheOneAndOnlyOuuo
      @TheOneAndOnlyOuuo 2 months ago

      I still occasionally run into companies with passwords in the form of "CompanyName1234" so I'm not sure any kind of setup would really save them...

  • @MisterGlassy
    @MisterGlassy 2 years ago +328

    I'm a sysadmin specializing in security and I block countries at work. It saved us a ton from exploit scans and from attempted exploits that we've previously patched. Our firewall can detect and block exploits and there are tons coming from a handful of countries. Also, it may have saved us from being exploited on one occasion when an exploit attempt came from Russia going to an unpatched Pulse VPN appliance. There is a possibility that other measures would have caught it as well, but it was an excellent first layer of security in this instance. I highly recommend blocking countries. I highly recommend blocking Russia, China, Ukraine, Crimea, and North Korea. You are correct that most attacks that I see originate from the US, so a layered security model is important, but this one rule kills about 60% of all exploit and exploit scanning activity.

    • @TechnoTim
      @TechnoTim  2 years ago +57

      Thank you for your valuable insight!

    • @idkau
      @idkau 1 year ago +26

      Blocking countries can be a terrible idea in some instances so it would be case by case. Where I work, we can’t. You end up blocking edge locations and CDNs. Not to mention our clients' customers. Usually I can only block Middle Eastern countries.

    • @CraftBasti
      @CraftBasti 1 year ago +22

      I'm not in the US and you can bet I'll be blocking the entire continent

    • @PoetofHateSpeech
      @PoetofHateSpeech 10 months ago +15

      I'd be blocking the US as well lol

    • @Xjaje
      @Xjaje 9 months ago +7

      Also Iran or Nigeria to be blocked I say.

  • @ericesev
    @ericesev 2 years ago +133

    Security professional here. Thanks for making this video! I'll be recommending folks view this video. You've described everything I suggest folks with home-labs do.
    The only minor disagreement I have is with setting up the proxy authentication after everything else is working. Set it up from the start and apply it to all services behind the proxy. You're in a much better spot if everything on your home-lab requires authentication on the proxy. Even if it means logging-in twice (to the proxy and the back-end service). This drastically lowers the attack surface. You can later exclude any services you'd like to remain public.
    Also, use some type of split DNS; where you serve the internal IP of the proxy to all internal clients. That way you can skip the hop to Cloudflare internally. And you can still access all your home-lab services if your internet connection goes out.

    • @TechnoTim
      @TechnoTim  2 years ago +26

      Good call! Thank you for your expertise! It should be in place prior to! Also, I have a guide on split DNS with PiHole, should have mentioned it!

    • @enterchannelname7568
      @enterchannelname7568 2 years ago +4

      Good idea with internal DNS, it fixed my problem with all my selfhosted apps being routed through my slow 10mbps upload speed via cloudflare. I even get SSL still when using local dns for routing my domain to my server's local IP

    • @tifflabs
      @tifflabs 4 months ago +5

      @TechnoTim can we get a video on split DNS?

  • @l0gic23
    @l0gic23 2 years ago +165

    Would actually appreciate if Linode would sponsor a series on your channel with topics of your choosing that compare and contrast and show how to run services remotely for distributed friends and family

    • @bitterrotten
      @bitterrotten 2 years ago +17

      I would so much rather listen to Linode tutorials from Tim rather than the guy they seem to have buddied with currently who spends a 20 minute video giving you the first 3 sentences of a man page.

  • @jimmyscott5144
    @jimmyscott5144 2 years ago +86

    You should make a video of home lab hosting from square 0 if you were to start from nothing (or start over) and how to set it up. Episode one: bare necessary hardware and how to set up VLANs. Episode two: set up server (old PC), set up Docker, and set up backups. Etc.

    • @ts47920535
      @ts47920535 2 years ago +6

      Ditto.
      Getting some pointers to absolute beginners is a great idea, because there's too much to learn and no clear, easy way of achieving it.

    • @lopar4ever
      @lopar4ever 1 year ago

      I don’t think you need VLANs on your homelab. You have L3 switches and huge variety of internal networks, so, you can just use port isolation. It’s good for learning, but if your case is not learning or you want just to make it done with less configuring, you can skip VLANs and lose nothing.

    • @solverz4078
      @solverz4078 8 months ago +2

      That'd be pretty dope

  • @mahmoodfathy5975
    @mahmoodfathy5975 2 years ago +20

    Are we not gonna talk about the awesome illustration using those stickers or cardboard? This video is amazing end to end, awesome visuals, clear, cuts to the chase.
    I really like this and have enjoyed every bit.
    Would be awesome if you can showcase the process of setting up some of the stuff you mentioned in separate videos.
    Would love to see that and again awesome job 🙏

  • @RaidOwl
    @RaidOwl 2 years ago +14

    *looks over at Self Hosting video I just posted with disappointment*
    Wooooo Microcenter sponsorship! Let’s Go!!! I’m digging the style of this vid.

    • @TechnoTim
      @TechnoTim  2 years ago +8

      I saw yours a few days ago! It was great! This just complements it!

  • @yankluf
    @yankluf 6 months ago

    This is sooo good!! Many years wondering what I would need to do to self-host stuff without putting myself at risk and you just told me everything in less than 20 minutes. Thanks a lot!!!

  • @Got99Cookies
    @Got99Cookies 2 years ago +16

    Great video, thanks! The production value is also really nice, it's obvious you're making great progress and you are by far my favorite homelab/tech youtuber. It's easy to recommend such a great channel. Thank you for everything you're doing and I hope to see much more of your content.

  • @gianlazzarini
    @gianlazzarini 2 years ago +43

    Your video quality just keeps on improving. I really enjoy your work and you do a great job representing the self hosting community with a lot of polish and enthusiasm.

  • @theundertaker5963
    @theundertaker5963 2 years ago +5

    Great video as always! Your concise, easy to follow and straight to the point videos are at this point kind of therapeutic to me! Like a few others have already suggested, I would also like to suggest making this video the start of a series of other videos, each of which goes into the actual set up of the main steps mentioned in this video. It would ultimately make for a very nice play list on home-labbing best security practices, and how tos!

  • @Moukrea
    @Moukrea 2 years ago +35

    Cool video! Using pictograms makes it so easy to visualize :) For containers, running them with the least privileges possible (preventing privilege escalation), using specialized socket proxies for the services needing it (i.e. Traefik, Watchtower, Portainer...) and segmenting their networks to the lowest possible level is also a good idea

  • @SyberPrepper
    @SyberPrepper 2 years ago +13

    This was such a great video. You covered so much with simple explanations. Thanks!

  • @nohay4549
    @nohay4549 2 years ago +86

    Hi Tim! I love your tutorials and homelab. Would be great to see a dedicated Pfsense video with VLAN setups including a managed router.

    • @TechnoTim
      @TechnoTim  2 years ago +21

      Thank you! Noted!

    • @nohay4549
      @nohay4549 2 years ago +2

      @TechnoTim Thanks for the reply. I am so excited for the next video. All the best to you.

    • @vaddimka
      @vaddimka 2 years ago +6

      That can probably be extended to include interesting features, for example if we put all IoT devices in a separate network, they should still be able to access Internet and be available from our trusted devices (phones), but should not have access (initiate connections) to our trusted devices.

    • @zadekeys2194
      @zadekeys2194 2 years ago +1

      @vaddimka use rules / patterns like this. This is quite easy with Mikrotik routers.
      If source = IoT vlan & destination = phone vlan, then drop connection.
      Swop it around like this:
      If source = phone vlan & destination = IoT vlan, then allow.

    • @JanDemore
      @JanDemore 9 months ago

      This would be great, Vlan in Pfsense for starters

  • @LarsBerntropBos
    @LarsBerntropBos 2 years ago +13

    Love it Tim! Although you say it is for a home lab, your excellent account, and all the great comments elaborating on it, will be an inspiration to improve the setup at my workplace.
    Thank you from a Dutchman!!

  • @jeremykramer8138
    @jeremykramer8138 2 years ago +8

    This video was amazing! Having the big picture (the visuals were perfect!) helps pull all these concepts together. I've watched a lot of videos of the self hosted pieces but without understanding how they fit together and the why, I felt lost.

  • @currydude7
    @currydude7 2 years ago +5

    Dude I'm learning so much from your videos! I got wireguard up and running recently and have only been hiding behind that, but this video is an awesome roadmap for me to up my selfhosting game. Def earned my sub, looking forward to learning more from you

  • @itskagiso
    @itskagiso 2 years ago +4

    You have no idea how much knowledge I gained from this video/tutorial. I have watched a few of your videos including the "Put SSL on everything" but this was by far my favorite. Appreciate the effort that went into this.
    Subbed

    • @TechnoTim
      @TechnoTim  2 years ago

      Thank you so much for the kind words and recognizing how much work went into this!

  • @limhimontoya
    @limhimontoya 3 months ago

    Thanks for this detailed and wonderfully illustrated explanation. Before coming across your video, I had read and watched many guides on self hosting that were not very clear on security steps (if they mentioned security at all). Your video is a gem of a resource!

  • @SaifBinAdhed
    @SaifBinAdhed 2 years ago +2

    YESSSSSSS. I'm researching this subject recently! THANK YOU

  • @aleg_911
    @aleg_911 2 years ago +1

    These videos are just getting better every day, keep it up.

  • @alice20001
    @alice20001 5 months ago

    Great video! First one I've seen so far to talk about the most basic, firmware updates.

  • @gio6923
    @gio6923 2 years ago +1

    Your videos are getting better every time, you're doing a great job. Not easy to explain and put all this together. Thanks

  • @TechnoTim
    @TechnoTim  2 years ago +5

    I had to go Light Mode on this one 😎

    • @jad_games
      @jad_games 2 years ago +3

      Need a darkmode Button for this video.

  • @abelkilo7242
    @abelkilo7242 2 years ago +6

    I just wanted to search more about this topic, and then you come with this video!

  • @realMattGavin
    @realMattGavin 1 year ago

    Great to see Cloudflare getting recognition. There are only a handful of videos that I've seen that stick to using Cloudflare for firewall. They may sell data, and had an outage recently, but for an inexpensive firewall, DNS record management, and more, I recommend them. Been using them for almost two years now.

  • @DevinSlick
    @DevinSlick 11 months ago +1

    Great overview. To summarize home lab architecture this thoroughly in 18 minutes is downright impressive! I would just suggest adding a quick comment or addendum to the guide somewhere that Cloudflare proxies alone can't be depended on for blocking external attacks, even with IP allow lists. You'll also need to set up MTLS, otherwise another Cloudflare account could proxy malicious traffic to your account through to your servers.

  • @77Blackwolf77
    @77Blackwolf77 2 years ago

    Another really informative and clearly presented video! Thank you for the time and effort you put into the channel.

  • @YugimanTeam
    @YugimanTeam 2 years ago

    Bro, thank you so much for the Conditional Port Forwarding advice, it makes so much sense!

  • @Weirj
    @Weirj 2 years ago +5

    Happy to see you doing a security video, I just got my domain setup with cloud flare.. really cool to see that I can host public services without exposing my public IP.

    • @TechnoTim
      @TechnoTim  2 years ago

      Thanks man! Took a risk on this one!

  • @member5003
    @member5003 2 years ago +18

    Really helpful in terms of networking, however I missed a bit of endpoint hardening, configuring the OS firewall, hardening docker, kernel hardening, file permissions, etc. Although it's kind of a rabbit hole to get into that lol

  • @BalinderWalia
    @BalinderWalia 1 year ago

    Love Techno Tim insanely helpful videos about sorting our digital life.

  • @JDubzy
    @JDubzy 2 years ago

    Great job on the video. I'm glad I found your channel. Keep up the good work!

  • @TechMeOut5
    @TechMeOut5 2 years ago +2

    WOW, This is by far one of the best self hosting videos on CZcams! Excellent stuff Tim!

  • @liquicitizendirk2147
    @liquicitizendirk2147 2 years ago

    This is such a good video, keep it up bro, I can already feel the 100k subs

  • @rossimac
    @rossimac 3 months ago

    Didn't realise that I should do conditional port forwarding. Just got Cloudflare's IP ranges added to my router. Excellent. Now to learn about VLANs as that's really the only other thing I don't have configured. Cheers Techno Tim!

  • @TechnoTim
    @TechnoTim  2 years ago +3

    I had to go Light Mode on this video 😎

  • @nicedev8189
    @nicedev8189 1 year ago

    I love how you make it so easy to understand, thank you Tim.

  • @cheebadigga4092
    @cheebadigga4092 2 years ago +1

    Thanks for the tip of NATing only Cloudflare IPs. That's one thing I've been missing and it really helps a lot with my conscience! :D

  • @abdulhadies
    @abdulhadies 2 years ago +1

    I am a Windows system engineer and I have been thinking about self-hosted services for some time now (around 2 years). Somehow your video motivated me to start. I have just started with the hardware and I am using your videos as a guide and inspiration and ideas to achieve what I want. Keep up the good work and the nice ideas

  • @richardkulling1432
    @richardkulling1432 9 months ago

    Such a great use of pictograms! Awesome video, much appreciated. Cheers from the Netherlands :)

  • @DJSolitone
    @DJSolitone 2 years ago

    Once more a great video and another excellent source of inspiration. Totally love the little paper icons. You are good dude! I have to say that your channel has become my favorite one when it comes to IT related content. I am surprised that you haven't got more than 1 million subscribers considering the quality of your videos. It will be soon I am sure. This video comes just when I was considering rehosting some customers' websites, perfect timing.

    • @TechnoTim
      @TechnoTim  2 years ago

      Awesome, thank you! This is all new to me, so just figuring it all out!

    • @DJSolitone
      @DJSolitone 2 years ago

      @TechnoTim Hello Tim. Thank you for your kind message. In case you are reading this, I believe you would be the perfect person to do a tutorial on how to set up IPV6 with Docker. I have been struggling for the last week with this on my infrastructure. Proxmox in bridge mode with a /24 subnet from my ISP, Docker swarm on KVMs and PFSense on bare metal. I am trying to implement a vanilla IPV6 config with DHCPv6 on PFSense. Totally insane that I could not find a proper recipe to do this. The docker gateway behavior makes the whole access to containers particularly weird. In case you have some knowledge on this type of setup, it would be a great material to add to your collection. Take care !

  • @SelfSufficient08
    @SelfSufficient08 2 years ago +2

    Incredible job ! Thanks for sharing !

  • @sofascialistadankulamegado1781

    Noooo.. The purple ambient lighting is gone! 😄
    Thanks for your awesome videos. They are amazing and I learn so easily with you explaining it all.

  • @late.student
    @late.student 10 months ago

    Mannn, I'm such a visual learner and these little dynamic icons/symbols you're using give me a good basis to follow along with.

  • @libertycornwell3144
    @libertycornwell3144 2 years ago

    So much to think about now. A lot to work on now that I'm changing my network stack around.

  • @manofskill12321
    @manofskill12321 2 years ago +3

    Excellent video Tim, you covered quite a bit.
    One thing I might add (which would fall into permissions) is to make sure UNC (known as backdooring) is turned off. This makes it harder for an attacker to easily spread ransomware/malware throughout your network.

  • @herpderp728
    @herpderp728 2 months ago

    commenting just to say that microcenter is the best, and every machine I've ever built has come from them

  • @KevinMarchese
    @KevinMarchese 2 years ago

    dude, I love the graphics! great Job.

  • @christophermoss4295
    @christophermoss4295 2 years ago

    The visuals here made the content easy to understand, along with your expert explanation. Thanks!

    • @TechnoTim
      @TechnoTim  2 years ago

      Glad it was helpful! Thank you!

    • @christophermoss4295
      @christophermoss4295 2 years ago

      @TechnoTim it would be amazing to see a similar video for securing a cloud vps for self hosted applications. A lot more people now are leveraging the likes of Linode or DigitalOcean, but wish to retain privacy and security.

  • @Dimich1993
    @Dimich1993 2 years ago +1

    These illustrations are really cool.
    I'm creeped out the most about my personal machine being compromised, because of the local cluster.

  • @amosgiture
    @amosgiture 2 years ago

    Thanks for the tip about the cloudflare IP ranges

  • @RolandoGarza
    @RolandoGarza 2 years ago

    Thanks for this great video. It makes it easy to break it down into smaller tasks that are easier to tackle, because self-hosting is an abstract and large project to do properly. One question, though: how do you decide on server hardware selection? Is there a way to find out what piece of hardware will continue to receive patches or that it uses open drivers? And, finally, what are your thoughts on memory safety like DDR3 vs DDR4/DDR5 that, if I remember correctly, are more vulnerable to rowhammer attacks?

  • @NycX360
    @NycX360 2 years ago

    This is excellent, this is exactly how it should be done, professional! Very good video

  • @GotchaPine007
    @GotchaPine007 2 years ago +2

    I would add to this that you can make use of Qualys (self hosted) in order to scan for vulnerabilities in your Home lab. They have a free version for up to 16 devices !

  • @uruemuesiridjebah8628
    @uruemuesiridjebah8628 2 years ago

    Thanks, Tim. The weekend project.

  • @papabear1714
    @papabear1714 8 months ago

    Textbook quality educational content in the form of a video, one of the finest creations I've ever come across, in any category.

  • @rraygen
    @rraygen 2 years ago +2

    These are really great pieces of advice that you learn even in CCNA, so, good stuff. But the aspect of the host itself, about containers, OS, virtualization, and updates, is something you don't see taught around often. Probably because it is a market that's always changing, but it would be great to have an in-depth video about this part!

  • @pringl3s
    @pringl3s 1 year ago

    Another fan here from the Netherlands! I'm learning so much from your videos!

  • @kjeldschouten-lebbing6260

    Friends do not let friends use latest.
    Simply put: A good auto-update tool uses digests and actual versioned tags (preferably preventing automatic master updates), to ensure a stable environment ;-)

  • @camerontgore
    @camerontgore 2 years ago +10

    I really wish that there was a "latest-stable" tag like how there are LTS versions of operating systems. This way you could have a patching cycle that just checks for and applies the latest stable patch.

    • @TechnoTim
      @TechnoTim  2 years ago +2

      There is with nginx, it really depends on the container maintainer and how they manage their releases!

    • @camerontgore
      @camerontgore 2 years ago

      @TechnoTim Thanks!

  • @pillowwww
    @pillowwww 2 months ago

    Hi I really enjoyed this video! What job roles should i look into if I enjoy working on projects like that mentioned in the video? Thanks!

  • @CristianHeredia0
    @CristianHeredia0 2 years ago

    Fantastic. Very much appreciate the visuals.

  • @edoardopavan6128
    @edoardopavan6128 8 months ago

    Hi, thanks for the video, really well done. What do you think of the Cloudflare tunnels?

  • @suikast420
    @suikast420 1 year ago

    Amazing presentation bro. Awesome.

  • @jkarimkhani
    @jkarimkhani 1 year ago

    I love the props explanations in this video. Good job

  • @HermanIdzerda
    @HermanIdzerda 2 years ago +4

    Thanks for another great video!! Your first advice is great: just don’t open up your home. As a non-professional I have learned this the hard way a couple of years ago. Thanks for not forgetting to put in that advice!

    • @TechnoTim
      @TechnoTim  2 years ago +1

      Thank you!

    • @alexitanguay
      @alexitanguay 8 months ago

      What happened?

    • @HermanIdzerda
      @HermanIdzerda 4 months ago

      @alexitanguay Putting a server online while having forgotten having set up a test account called test with password test - it is one of those things that gets your ISP connection suspended until you explained your error after finding it in the first place. If you're not a professional in the field you are bound to do silly things like that.

  • @MattiasMagnusson
    @MattiasMagnusson 2 years ago

    This really comes down to the use case, sometimes integrating 3rd party services by themselves could actually cause more damage than setting up everything local only.

  • @Krushx0
    @Krushx0 2 years ago +2

    Great video. Can you make a series following up this video on how to set up all your advice?

  • @walideshtiwi6303
    @walideshtiwi6303 2 years ago

    Thank you very much you are very helpful, and I learned a lot from your videos thank you again

  • @okoeroo
    @okoeroo 5 months ago

    Kudos from the Netherlands too

  • @patrickFREE.
    @patrickFREE. 4 months ago

    Your hoodie is insane, regards from Germany

  • @nixxblikka
    @nixxblikka 2 years ago +1

    Great video - if I was to host at home, I would add a second router behind my first router/firewall - so I have something like a DMZ - or go the VLAN path...

  • @johncosta1932
    @johncosta1932 2 years ago

    Awesome video Tim! What do you think about of doing a video setting up a job scheduler like cronicle for example on your home lab? I really enjoy the home lab videos, would be awesome to see that

  • @gileneusz
    @gileneusz 1 year ago

    This is a great guideline for starting self-hosting security. If you need some kind of inspiration for the video, you might split this one into a few YT videos and describe each section in detail, giving some basic explanation for newbies on each topic, maybe using more examples and advice, or even setting up this kind of server hosting from scratch, giving examples of options within each layer of security. I've got this idea watching this section: 9:32, so it may be a good starting point

  • @Alan.livingston
    @Alan.livingston 1 year ago

    Good work covering supply chain attack from dodgy containers.

  • @TK_Raz
    @TK_Raz 2 years ago

    An additional method of protection I use when it comes to Cloudflare is ASN blocking. I've spent a lot of time collecting a lot of webhost and VPN providers' network ASNs to effectively block a lot of potential bad traffic. I find this blocks A LOT of "bad actors" especially when attackers often rent multiple IPs from the same host. Simply blocking the host's ASN will effectively block every possible IP that hosting provider owns, without necessarily having to block IP ranges themselves.

  • @ElvisRandomVideos
    @ElvisRandomVideos 2 years ago

    Excellent video. Thanks for sharing!

  • @Mythlium
    @Mythlium 2 years ago +1

    Great video! Your public speaking skills are impeccable! Learned heaps!

    • @TechnoTim
      @TechnoTim  2 years ago +1

      Thank you so much! It takes practice! I think I still have much to work on!

  • @pokkanvpj
    @pokkanvpj 1 year ago

    Your video is very helpful and I have one doubt: do you have any recommendations for pfsense packages which help to achieve more security and are easier to manage?

  • @matthiashavrez
    @matthiashavrez 2 years ago

    Thank you for making this video, it is VERY useful :)

  • @direnm100
    @direnm100 1 year ago

    Great video! Are you going to have a series on setting each component up?

  • @machinainc5812
    @machinainc5812 2 years ago

    wow, loving the background

  • @stevefrost831
    @stevefrost831 2 years ago

    I recognize that "thank you" sign, that's awesome

  • @junglistfpv8553
    @junglistfpv8553 2 years ago

    I have to say I am loving the paper items and the shuffling of them - very cool. Dutch crew reporting in

  • @scottmillerusn1
    @scottmillerusn1 2 years ago +1

    Great tutorial!

  • @jmonger
    @jmonger 2 years ago

    This is excellent content. Thanks!

  • @markgilbert249
    @markgilbert249 2 years ago +2

    You should make a video in tandem with Network Chuck

  • @camerontgore
    @camerontgore 2 years ago

    With the new lights, I feel like TechnoTim is giving us the 10 Security Commandments 😂

  • @BigFourHead
    @BigFourHead 2 years ago

    thanks for this, some great new things I need to setup. FYI not from Netherlands.

  • @kingcamofficial
    @kingcamofficial 1 year ago

    Hey Tim, thank you for your work and videos. I am having trouble configuring and connecting to my new proxmox server, any way you could help?

  • @Punchmememe
    @Punchmememe 1 year ago

    My man you are our hero 🇳🇱❤️

  • @mikkel3135
    @mikkel3135 2 years ago +1

    Set up CrowdSec the other day to block IPs in iptables on my reverse proxy VM (since it's the machine requests get forwarded to).

  • @mistakek
    @mistakek 2 years ago

    Great video. The presentation was great. I've done all of this except Authelia, then I decided, it's just me who accesses my services, so I just go in via VPN.

  • @travisaugustine7264
    @travisaugustine7264 2 years ago +4

    Any chance of a tour of how your network is laid out? From the modem to your servers? Maybe a how to of how you have your stuff setup? Perhaps a video series/playlist? I would like to redo my home lab to do a better job of segmenting things out.

    • @kscrib1
      @kscrib1 8 months ago

      Or a guide on network layout strategies and techniques? Suggestion on traffic segmentation, pros/cons and ways to accomplish.

  • @SimonBetty
    @SimonBetty 2 years ago +1

    Brilliant video! How you’ve not got more subscribers is mental!!

  • @getoutmore
    @getoutmore 1 year ago

    Great video. I just set up an app with Cloudflare Argo Tunnel and restricted access to the domain with Cloudflare ZeroTrust. I wonder if it's worth it to put the APP behind a virtualized opnsense or if that is overkill

  • @BenjaminMiller7
    @BenjaminMiller7 2 years ago

    "Hey, that MicroCenter looks familiar." Howdy neighbor, keep up the great work!

  • @therandomx6
    @therandomx6 2 years ago

    Great video, thought it should be pointed out that it is possible to allow a group of ingress IPs within UniFi by creating a firewall rule and applying it before predefined rules. The action should accept, then create an IP and port group for the source (this will be the Cloudflare IPs that you created a rule per IP block for) and the destination should then be the machine to forward to. This does require 1 (ONE) port forward rule set up the way that you have set up, and then exclude the ingress IP used in the port forward from the Cloudflare group.
    It's a bit of a hacky solution but it works.

    • @TechnoTim
      @TechnoTim  2 years ago

      Interesting. I tried for hours to do something similar but ended up just using the clunky ui for port forwards without aliases. Thank you!