chirping
@chirping@infosec.pub
- Comment on Every single time I think of restructuring my homelab storage. What do you use for storage engines and how does it benefit you? 3 weeks ago:
no what you really need is backups, isn’t it? having an external hdd that you’re backing up to is a lot better against data loss than putting that same drive into any kind of raid. (because now you truly have a copy, while in a raid it’s still a single point of failure)
I can feel your pain on the ISP part though. (Haven’t looked into this, but sounds like a zfs-job) Just saying that backups don’t have to be offsite, but they do need to be separate from the original data medium. Going offsite is an important early step, but getting it on separate storage is the first step.
If anything, I would argue that especially in a homelab, the risk of misconfigurations or mistakes when tinkering can increase by using raid. If you have a couple of years of experience with raid and do not see my above argument, then please share your experiences.
I am sorry for this wall of text, your comment caught my eye while thinking about something else, tl;dr: raid is not a backup
- Comment on How do you all handle security and monitoring for your publicly accessible services? 9 months ago:
Some of these you’re already doing, but writing a complete* list. *almost guaranteed not to be complete, suggestions welcome
- Have everything behind the same reverse proxy, so that you have only one endpoint to worry about. Run it through ssllabs or similar to check your config.
- On your reverse proxy, add one or more layers of authentication if possible. Many possibilities here: If one app supports client certificates, while another has limited capabilities, you could probably tie together something where IPs are whitelisted to the other services based on that certificate auth.
- Geoblock all countries you won’t be accessing from
- crowdsec is pretty nice, this detects/blocks threats. kinda like fail2ban but on steroids.
- if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of “if it’s compromised, they’re not in your house”.
lastly consider if these things need to be publicly available at all. I’m happy with 95% of my services only being available through Tailscale (mesh VPN, paid service with good enough free tier, open source+free alternatives available), and I’ve got tailscale on all my devices
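As an added illustration of the "one reverse proxy, extra auth layers" points in the list above (example config written for this page, not the commenter's own setup): one nginx server fronts two internal apps, requiring a client certificate for the app that supports it and, for the app with limited auth capabilities, a static VPN-subnet allowlist plus HTTP basic auth at the proxy instead of tying the allowlist to the certificate. Hostnames, file paths, backend addresses and the subnet are assumptions.

```nginx
# Added example, not the commenter's config. All paths/addresses are assumed.
server {
    listen 443 ssl;
    server_name app.example.internal;                  # assumed hostname

    ssl_certificate     /etc/ssl/proxy/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/ssl/proxy/privkey.pem;    # assumed path

    # Modern TLS only; re-run ssllabs (or similar) after every change here.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Client certs are issued by our own CA. "optional" performs the
    # verification but lets each location decide whether to require it.
    ssl_client_certificate /etc/ssl/proxy/client-ca.pem;  # assumed path
    ssl_verify_client optional;

    # App A supports client certificates: refuse anything not verified.
    location /app-a/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_set_header Host $host;
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;  # app can log/map it
        proxy_pass http://10.0.0.10:8080/;                   # assumed backend
    }

    # App B has limited auth of its own: only accept clients arriving over the
    # VPN subnet AND presenting valid basic-auth credentials (nginx default is
    # "satisfy all", so both checks must pass).
    location /app-b/ {
        allow 10.8.0.0/24;                                   # assumed VPN subnet
        deny  all;
        auth_basic           "restricted";
        auth_basic_user_file /etc/nginx/htpasswd-app-b;      # assumed path
        proxy_set_header Host $host;
        proxy_pass http://10.0.0.11:3000/;                   # assumed backend
    }
}
```

Test the certificate gate from outside the VPN and without a certificate first; the 403 on `/app-a/` and the deny on `/app-b/` are the behaviour you want to see before exposing the proxy.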