Comment

Comment on [deleted]

easeKItMAn@lemmy.world ⁨11⁩ ⁨months⁩ ago

I’m somewhat paranoid therefore running several isolated servers. And it’s still not bulletproof and will never be!

only the isolated server, ie. no internet access, can fetch data from the other servers but not vice versa.
SSH access key based only
Firewall dropping all but non-standard ports on dedicated subnets
Fail2ban drops after 2 attempts
Password length min 24 characters, 2FA, password rotation every 6 months
Guest network for friends, can’t access any internal subnet
Reverse proxy (https;443 port only)
Any service is accessed by a non-privileged user
Isolated docker services/databases and dedicated docker networks
every drive + system Luks-encrypted w/ passphrase only
Dedicated server for home automation only
Dedicated server for docker services and reverse proxy only
Isolated data/backup server sharing data to a tv box and audio system without network access via nfs
Offsite data/backup server via SSH tunnel hosted by a friend

source

Sort:hotnew top

Appoxo@lemmy.dbzer0.com ⁨11⁩ ⁨months⁩ ago
Why would you rotate passsord though?
Rather choose something random and strong than changing it every 6th moon.

source
- easeKItMAn@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Rotating passwords only for web services. Vaultwarden does make it easy. Not all services allow 2FA.
  
  source
  - Appoxo@lemmy.dbzer0.com ⁨11⁩ ⁨months⁩ ago
    Sounds still excessive but that’s what the thread is here for.
    Would probably understand it more if I knew more aspects.
    
    Cheers to more cybersec :)
    
    source
    easeKItMAn@lemmy.world ⁨11⁩ ⁨months⁩ ago
    Guessing it is more a habit from back in time when ssl certification wasn’t common. Panic of MITM attacks, friends sharing their trusted access to other friends, etc. all contributed to my actual status of paranoia.
    Don’t make me reconsider my cybersec approach ;)
    
    source
    -> View More Comments
MigratingtoLemmy@lemmy.world ⁨11⁩ ⁨months⁩ ago
Would you have to compromise on your security according to your threat model if you ran VMs rather than dedicated devices? I’m no security engineer and I don’t know if KVM/QEMU can fit everyones needs, but AWS uses XCP-ng, and unless they’re using a custom version of it, all changes are pushed upstream. I’d definitely trust AWS’ underlying virtualisation layer for my VMs, but I wonder if I should go with XCP or KVM or bhyve.

This is my personal opinion, but podman’s networking seems less difficult to understand than Docker. Docker was a pain the first time I was reading about the networking in it.

Really like your setup. Do you have any plans to make it more private/secure?

source
- easeKItMAn@lemmy.world ⁨11⁩ ⁨months⁩ ago
  I used VMs some time ago but never managed to look deeper into separation of base vs VMs. Hence I can’t assess this reasonably.
  Docker got me interested when it started and after discovering its networking capabilities I never looked back.
  Basically I’m trying to minimize the possibility that by intercepting one dockerized service the attacker is able to start interacting with all devices. And I have lots of devices because of a fully automated house. ;) My paranoia will ensure the constant growth of privacy and security :)
  
  source