What are the most paranoid network/OS security measures you've implemented in your homelab?

As the title says, I want to know the most paranoid security measures you've implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes, etc., but not much beyond that. I'm wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

shadowintheday2 ,

My most paranoid config is disabling IPv4.

That's it. If someone wants to attack me, they will need to adopt IPv6!

Pika ,

My security is fairly simplistic but I'm happy with it

  • software protection
    • fail2ban with low warning hold
    • cert-based login for SSH (no password auth)
    • Honeypot on all common port numbers, which if pinged leads to a permanent IP ban
    • drop all firewall
    • PSAD for intrusion/scanning protection (so many Russian scanners... lol)
    • WireGuard for VPN to access local virtual machines and resources
    • external VPN with NordVPN for secure containers (yes, I know Nord is questionable, I plan to swap when my sub runs out)
  • physical protection
    • luksCrypt on the sensitive data/program drive (I know there's some security concerns with luksCrypt, bite me)
    • GRUB and BIOS locked with password
    • UPS set to auto notify on power outage
    • router with keep-alive warning system that pings my phone if the lab goes offline and provides fallback DNS
  • things I've thought about:
    • a mock recovery partition entry that will nuke the LUKS headers on entry (to prevent potential exploit getting through GRUB)
    • removing super user access completely outside of local user access
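
An added example, not part of the comment above: one way to turn decoy-port hits into ban candidates while keeping LAN and WireGuard ranges out of a permanent ban list. The decoy port set, the allowlisted ranges and the netfilter-style log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed decoy ports: nothing legitimate listens on these in this hypothetical lab.
DECOY_PORTS = {21, 23, 445, 3389}
# Assumed allowlist: LAN and VPN ranges that must never be banned (avoids self-lockout).
NEVER_BAN = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.8.0.0/24")]

# Pulls the source address and destination port out of a netfilter LOG-style line.
LINE_RE = re.compile(r"\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)")

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
Jan 10 03:14:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40112 DPT=23
Jan 10 03:14:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40113 DPT=3389
Jan 10 03:15:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=443
Jan 10 03:16:02 fw kernel: IN=eth1 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=49152 DPT=445
Jan 10 03:17:45 fw kernel: IN=eth0 OUT= SRC=2001:db8::5 DST=2001:db8::1 PROTO=TCP SPT=33000 DPT=21
Jan 10 03:18:00 fw sshd[811]: Accepted publickey for admin from 192.168.1.50 port 50022
"""

def decoy_hits(log_text):
    """Return {source_ip: sorted decoy ports touched}, skipping allowlisted sources."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line
        port = int(m["dpt"])
        if port not in DECOY_PORTS:
            continue  # traffic to a real service is not a decoy hit
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field; ignore rather than ban garbage
        if any(src in net for net in NEVER_BAN):
            continue  # own LAN/VPN client: never a permanent-ban candidate
        hits.setdefault(str(src), set()).add(port)
    return {ip: sorted(ports) for ip, ports in hits.items()}

def ban_list(log_text):
    """Sorted list of addresses to hand to the firewall's ban set."""
    return sorted(decoy_hits(log_text))

if __name__ == "__main__":
    for ip, ports in decoy_hits(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: decoy ports {ports}")
```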

NuXCOM_90Percent ,

Never used it "in anger" but:

I have my firewall plugged into a metered outlet (plugged into a UPS). I have it set up to send me alerts if power draw increases beyond a certain threshold. I've tested it and WireGuard is measurable (yay) but so are DDoS attacks. If I get that alert, I can choose to turn off that plug and take my whole network offline until I get home and can sort that out.

Gotten a few false positives over the years but mostly that is just texting my partner to ask what they are doing.

const_void ,

Aren't you just DoSing yourself at that point?

betterdeadthanreddit ,

Nice try, attacker trying to get me to do their reconnaissance work for them. I'm on to you.
