Securing server and management computer
Introduction
In this article I will focus on things that should be done to secure homelab servers and management computer used for connecting to these servers. Compromise of one or another can have very negative consequences for home infrastructure. I even think that management computer is more important because it is an access point to all of servers. I will try to cover some of topics mentioned here in future posts.
Management computer
Isolation
- Isolate management of servers from other activities such as web browsing, emails, gaming etc:
- Use separate computers, one for accessing servers and another for general use.
- Or use virtual machines to isolate different use cases. Host is only a hypervisor and you should use virtual machines for each task e.g. VM for servers access; VM for web, emails, office work; VM for gaming. Isolate virtual machines from each other using firewall (external or another VM configured as firewall).
- If you want ready-to-use solution with virtual machines and you have decent computer use Qubes OS. If you don't know Qubes OS here are some use cases what this system is capable of.
- Perform daily tasks on computer/virtual machine using user account and not administrator/root account.
Passwords and authentication
- Use password manager. I recommend KeePassXC.
- Use YubiKey as hardware protection:
- For securing
sudocommand and computer login. - For securing
sshconnections. - For securing passwords vault - KeePassXC has such option.
- For securing
- Use SSH keys. Don't use passwords for accessing servers. Additionally:
- Encrypt SSH private keys with passwords when creating those keys.
- Store SSH private keys in passwords vault - KeePassXC has such option.
Hardware
- Block untrusted USB devices with tool like
usbguard.
Network separation
- Use separate VLAN for management network in which you will have your: management computer, hypervisors, network hardware. It is best to keep virtual machines in other VLANs with one way access - you can initiate connection to virtual machine, virtual machine can not initiate connection to management computer.
Encryption
- Encrypt your computer especially if it's a laptop and you travel with it. It wouldn't be good if a thief who stole your computer could read your network documentation.
Servers
Network
- Use router with firewall as your networks main entry point. If you have money buy ready out of the box solution. If not, buy a cheap computer with min. 2 network adapters and use for example OPNsense on such computer.
- Architect your network and make a good drawing of it. This will be a great help in future homelab developments.
- Put servers in proper network segments by using VLANs and firewall rules.
Periodically test those rules with test machines which you have in such network segments. These can be simple virtual machines in different network segments from which you use
pingandnmaptools. - Hide your home IP. One solution I know of that makes this possible is by using Cloudflare with Proxy option for DNS entry.
- It is recommended to have min. 2 network adapters in host machine with hypervisor: one for management network and another for accessing services provided by virtual machines.
Hypervisor
- Use hypervisors and virtualize your servers. This has many benefits like taking snapshots of virtual machines and reverting back if something fails, creating templates of virtual machines, cloning of virtual machines etc. Additionally, virtualization enhances security through the isolation of virtual machines.
Authentication
- I will repeat this one - use SSH keys for accesing servers.
- Use two factor authentication when available for web applications that you are running.
Firewall
- Run firewall on each of your servers (or use hypervisors firewall) and open only those ports that are needed (SSH, web app etc).
Updates
- Update your systems regularly to patch any new discoverd vulnerabilities.
- Run automatic updates of operating system on your servers.
- With applications, it's up to you to decide whether automatic updates are a good option. This depends on how critical the service is to you and what would happen if after an update it wouldn't run and you hadn't taken snapshot before update.
- With firewall and hypervisors it's better to perform manual updates but before that read changelogs. These two elements are critical components of your infrastructure so it is recommended to update them under controlled conditions.
- Track changelogs for: firewall, hypervisor, web applications that you are using with RSS reader. This way you will know what changed in new versions, which can help if there are any problems after updates.
Monitoring and hardening
- Use Fail2Ban on servers for SSH and other web applications to prevent brute force attacks.
- Periodically scan your hosts with web app scanner like ZAP (formerly OWASP ZAP).
- Audit your servers with audit tools like Lynis.
- Monitor your hosts for vulnerabilities with software like Wazuh.
- Periodically check your hosts with software for rootkit searching like Rootkit Hunter.
- Collect logs on central log server.
- Monitor your network and hosts using monitoring software like Zabbix to know when your network goes down, you are running out of free space, your web application is not running etc.
Encryption
- Encrypt your hypervisors (it's less work than encrypting every virtual machine). Your home lacks physical protections found in datacenters and computers are good loot for thieves. You wouldn't want a thief to browse your data on your servers. Encrypting Proxmox hypervisor with remote access can be a bit tricky, but not very hard to do so I will make future post about it.
Backups
- Make regular backups of your infrastructure. Proxmox with Proxmox Backup Server make it really easy and space efficient.
Power loss prevention
- Use UPS to prevent data loss in the event of a power outage.
- Use good quality batteries in your UPS (don't be stingy, it will save you some problems later).
- Periodically check your UPS battery.