Ancestors

Written by miau@lemmy.sdf.org on 2024-11-04 at 14:31

Help me harden my home server

https://lemmy.sdf.org/post/24652924


Toot

Written by just_another_person@lemmy.world on 2024-11-04 at 14:53

Wireguard is a VPN, so that’s not going to help you much here unless you’re forwarding all your traffic through a remote server, in which case anyone who gets in there will still be able to get your local machines. It’s another hop in the chain, but that’s about it.

If you want to be more on guard about reacting to attacks, or just bad traffic, you probably want something like Crowdsec. You’ll at least be able to detect and ban IPs probing your services. If that’s too much work, leverage OpenWRT reporting and some scripting to ban bad actors that probe your firewall and open ports. That’s a good first step.

If you’re concerned about the containers, consider using something more secure than dockerd. Podman rootless with a dedicated service user is a good start. Then maybe look at something more complex: Kata, gvisor, lxc…etc. The goal being sandboxing the containers more to prevent jailbreaks.


Descendants

Written by miau@lemmy.sdf.org on 2024-11-04 at 15:08

Thanks for the amazing reply and especially for the explanation regarding wireguard.

I didn't know about Crowdsec and Kata containers, both amazing projects, I will definitely look into them and try to set them up.

Just one quick follow-up question, when you mention a dedicated service user, do you mean it's best to have a separate user for each service, such as one for nginx, one for adguardhome and so on? Currently all of them run under the same user and I didn't think about this possibility before.


Written by just_another_person@lemmy.world on 2024-11-04 at 15:46

Yeah, so if you’re running rootless containers, they aren’t run by root, and for added security, you don’t want them run by your normal user because if they get broken, then they’d have access to what your user has access to. Just create another user that only runs containers, and doesn’t have access to your things or root.

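One way to carry out the dedicated-user advice from the two replies above (rootless Podman run by an account that owns nothing else), as an added example that is not code from either poster: the user name "containers", the 200000-265535 subordinate id range and the availability of `usermod --add-subuids` (shadow-utils 4.9 or newer) are assumptions for your system.

```shell
#!/bin/sh
# Added example, not from the thread. Creates an unprivileged account whose
# only job is running rootless Podman containers, so a container escape lands
# in a user with no shell, no sudo and none of your personal files.

SVC_USER="${SVC_USER:-containers}"   # assumed name; pick one per service if you like

# check_subid FILE USER: succeed if FILE (/etc/subuid or /etc/subgid) gives USER a
# subordinate range of at least 65536 ids. Rootless Podman needs that range to map
# container uids/gids onto the host; without it, containers fail to start.
check_subid() {
    file="$1"; user="$2"
    # line format is user:start:count
    awk -F: -v u="$user" '$1 == u && $3 >= 65536 { ok = 1 } END { exit !ok }' "$file"
}

# create_service_user: system account with no login shell, a home for the
# container storage, subuid/subgid ranges, and lingering enabled so its
# `systemctl --user` services run at boot without anyone logging in.
create_service_user() {
    id "$SVC_USER" >/dev/null 2>&1 || \
        useradd --system --create-home --shell /usr/sbin/nologin "$SVC_USER"
    # assumed range; must not overlap ranges already handed to other users
    check_subid /etc/subuid "$SVC_USER" || \
        usermod --add-subuids 200000-265535 --add-subgids 200000-265535 "$SVC_USER"
    loginctl enable-linger "$SVC_USER"
}

# run_as_service_user CMD...: run a command (podman, systemctl --user) as the
# service user with the runtime dir it needs for its user session bus.
run_as_service_user() {
    uid="$(id -u "$SVC_USER")"
    sudo -u "$SVC_USER" XDG_RUNTIME_DIR="/run/user/$uid" "$@"
}

# Only touch the system when run as root with the word "apply"; otherwise the
# functions are just defined (and can be sourced or tested).
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    create_service_user
    # should print "true": containers from this user run without root
    run_as_service_user podman info --format '{{.Host.Security.Rootless}}'
fi
```

Do not add this user to the `docker` group or to sudoers; the whole point is that it can reach nothing beyond its own container storage.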

Written by miau@lemmy.sdf.org on 2024-11-04 at 18:31

That makes a lot of sense. That's also very easy to set up so I will do it tonight.

Thanks again for your amazing input!

