Ancestors

Written by miau@lemmy.sdf.org on 2024-11-04 at 14:31

Help me harden my home server

https://lemmy.sdf.org/post/24652924


Written by root@lemmy.world on 2024-11-05 at 05:50

Is keeping everything inside of a local “walled garden”, then exposing the minimum amount of services needed to a WireGuard VPN not sufficient?

There would be no attack surface from WAN other than the port opened to WireGuard.


Toot

Written by linearchaos@lemmy.world on 2024-11-06 at 07:18

Minimum open services is indeed best practice but be careful about making statements that the attack surface is relegated to open inbound ports.

Even Enterprise gear gets hit every now and then with a vulnerability that’s able to bypass closed port blocking from the outside. Cisco had some nasty ones where you could DDOS a firewall to the point the rules engine would let things through. It’s rare but things like that do happen.

You can also have vulnerabilities with clients/services inside your network. Somebody gets someone in your family to click on something or someone slips a mickey inside one of your container updates, all of a sudden you have a rat on the inside. Hell even baby monitors are a liability these days.

I wish all the home hardware was better at zero trust. Keeping crap in isolation networks and setting up firewalls between your garden and your clients can either be prudent or overkill depending on your situation. Personally I think it’s best for stuff that touches the web to only be allowed a minimum amount of network access to internal devices. Keep that Plex server isolated from your document store if you can.

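The segmentation discussed in this thread, sketched as an nftables ruleset for a Linux router (an added example, not posted by anyone in the thread). The interface names, the Plex host address and the SSH admin rule are assumptions; 51820/udp and 32400/tcp are the WireGuard and Plex default ports. NAT and any DNS/DHCP the router itself serves are left out.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every name and address below is an assumption.
flush ruleset

define WAN  = "wan0"      # uplink to the ISP
define LAN  = "lan0"      # trusted clients and the document store
define DMZ  = "dmz0"      # isolation network for web-facing services
define WG   = "wg0"       # WireGuard tunnel interface
define PLEX = 10.0.20.10  # Plex host inside the isolation network

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # The only opening towards WAN: the WireGuard listener.
        iifname $WAN udp dport 51820 accept
        # Router administration from the trusted side only.
        iifname { $LAN, $WG } tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted clients and VPN peers reach Plex on its service port, nothing else.
        iifname { $LAN, $WG } oifname $DMZ ip daddr $PLEX tcp dport 32400 accept
        # Outbound internet access for clients and for service updates.
        iifname { $LAN, $DMZ } oifname $WAN accept
        # A compromised service must not open connections into the LAN.
        # The default policy already drops this; the explicit rule adds a
        # counter and a log line so attempts are visible.
        iifname $DMZ oifname $LAN counter log prefix "dmz-to-lan drop: " drop
    }
}
```

Replies from Plex to LAN clients still pass through the `established,related` rule, so streaming works while the document store stays unreachable from the isolation network.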
