Self-Hosting Security Guide for your HomeLab

When most people think about self-hosting services in their HomeLab, they often think of the last mile. By last mile I mean the very last hop before a user accesses your services. This last hop, whether that's certificates or a reverse proxy, is incredibly important, but it's also important to know that security starts at the foundation of your HomeLab. Today, we'll work our way up from hardware security, to the OS, to networking, to containers, to firewalls, IDS/IPS, reverse proxies, auth proxies for authentication and authorization, and even lean on an external provider like Cloudflare.

A HUGE thanks to Micro Center for sponsoring this video!

(Affiliate links may be included in this description. I may receive a small commission at no cost to you.)

00:00 - Intro
01:10 - Advertisement
02:06 - Don't Self-Host
02:27 - Disclaimer
02:33 - Self-Hosted VPN
02:57 - Public Cloud
03:24 - The Last Mile
03:50 - Hardware
04:28 - Virtual vs. Bare Metal
04:56 - Operating System
05:47 - Container Security
06:58 - Container Tags
08:07 - Network Segmentation
09:32 - Firewall & Port Forwarding
10:11 - Cloudflare (Reverse Proxy)
11:26 - Cloudflare Settings & Stats
11:58 - Cloudflare + Conditional Port Forwarding
13:24 - Cloudflare Firewall Rules
13:46 - IDS and IPS
15:03 - Internal Reverse Proxy
15:53 - Auth Proxy (Authentication and Authorization)
16:42 - Security Overview
17:07 - Are you going to Self-Host?
17:41 - Stream Highlight "I'm big in the Netherlands (not)"

#SelfHosted #HomeLab #Security

"Overzealous Punch" is from Harris Heller's album Sunset.

Comments

This set up is far more secure than any company I've worked for.

SB-qmwg

I'm a sysadmin specializing in security and I block countries at work. It saved us a ton from exploit scans and from attempted exploits that we've previously patched. Our firewall can detect and block exploits and there are tons coming from a handful of countries. Also, it may have saved us from being exploited on one occasion when an exploit attempt came from Russia going to an unpatched Pulse VPN appliance. There is a possibility that other measures would have caught it as well, but it was an excellent first layer of security in this instance. I highly recommend blocking countries. I highly recommend blocking Russia, China, Ukraine, Crimea, and North Korea. You are correct that most attacks that I see originate from the US, so a layered security model is important, but this one rule kills about 60% of all exploit and exploit scanning activity.

MisterGlassy

Security professional here. Thanks for making this video! I'll be recommending folks view this video. You've described everything I suggest folks with home-labs do.

The only minor disagreement I have is with setting up the proxy authentication after everything else is working. Set it up from the start and apply it to all services behind the proxy. You're in a much better spot if everything on your home-lab requires authentication on the proxy, even if it means logging in twice (to the proxy and the back-end service). This drastically lowers the attack surface. You can later exclude any services you'd like to remain public.

Also, use some type of split DNS, where you serve the internal IP of the proxy to all internal clients. That way you can skip the hop to Cloudflare internally, and you can still access all your home-lab services if your internet connection goes out.

ericesev
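
The split-horizon idea in the comment above, as an added example that is not from the video or the commenter: a tiny authoritative DNS responder that hands internal clients (RFC 1918 source addresses) the proxy's LAN address and everyone else the public one. The zone names and addresses are constructed for the example, and the responder only knows its own lab zone (anything else gets NXDOMAIN); in a real lab you would put the same internal records into whatever resolver the LAN already uses rather than run this script.

```python
import ipaddress
import socketserver
import struct

# Constructed example zone (not from the video): the reverse proxy's LAN address for
# internal clients, and the public address that external DNS would otherwise hand out.
SPLIT_ZONE = {
    "proxy.lab.example.com": {"internal": "192.168.10.20", "external": "203.0.113.10"},
    "nas.lab.example.com":   {"internal": "192.168.10.20", "external": "203.0.113.10"},
}
# Clients whose source address falls in these ranges are "inside" and get the LAN view.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def view_for(client_ip):
    """Pick the DNS view from the querying client's source address."""
    ip = ipaddress.ip_address(client_ip)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def parse_question(msg):
    """Read the transaction id and the first question; return (txid, qname, qtype, end_offset)."""
    txid = struct.unpack("!H", msg[:2])[0]
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1  # terminating zero-length label
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, ".".join(labels).lower(), qtype, off + 4  # skip qtype + qclass


def build_query(name, txid=0x1234):
    """Minimal A-record query with the standard recursion-desired flag (used for checks)."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", 1, 1)


def build_response(query, client_ip, zone=SPLIT_ZONE, ttl=60):
    """Answer an A query for a zone name with the view-appropriate address, else NXDOMAIN."""
    txid, qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    entry = zone.get(qname)
    if entry is None or qtype != 1:
        # QR, AA, RD, RA set; RCODE=3 (NXDOMAIN); no answer section
        return struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 0, 0) + question
    addr = ipaddress.IPv4Address(entry[view_for(client_ip)]).packed
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA, NOERROR
    # Answer RR: name is a compression pointer to offset 12 (the question name), type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + addr
    return header + question + answer


def answered_ip(response):
    """Pull the A record back out of a response built above, or None for NXDOMAIN."""
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & 0x000F:
        return None
    _, _, _, qend = parse_question(response)
    # pointer(2) + type(2) + class(2) + ttl(4) + rdlength(2) = 12 bytes before the 4-byte address
    return str(ipaddress.IPv4Address(response[qend + 12:qend + 16]))


class SplitHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, sock = self.request  # UDP handlers receive (datagram, socket)
        sock.sendto(build_response(data, self.client_address[0]), self.client_address)


if __name__ == "__main__":
    # Unprivileged port for a local try-out: dig @127.0.0.1 -p 5353 nas.lab.example.com
    with socketserver.UDPServer(("0.0.0.0", 5353), SplitHandler) as srv:
        srv.serve_forever()
```

The view decision is made purely on the source address of the query, which is why it only works when the resolver sits on the LAN (or behind the VPN) and is the one internal clients actually use.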

You should make a video of home lab hosting from square zero, as if you were to start from nothing (or start over), and how to set it up. Episode one: the bare necessary hardware and how to set up VLANs. Episode two: set up a server (old PC), set up Docker, and set up backups. Etc.

jimmyscott

Would actually appreciate it if Linode would sponsor a series on your channel with topics of your choosing that compare and contrast, and show how to run services remotely for distributed friends and family.

lgic

Are we not gonna talk about the awesome illustration using those stickers or cardboard?! This video is amazing end to end: awesome visuals, clear, cuts to the chase.
I really like this and have enjoyed every bit.
Would be awesome if you could showcase the process of setting up some of the things you mentioned in separate videos.
Would love to see that, and again, awesome job 🙏

mahmoodfathy

*looks over at Self Hosting video I just posted with disappointment*
Microcenter sponsorship! Let’s Go!!! I’m digging the style of this vid.

RaidOwl

I'm starting my journey into the world of servers with my first homelab and I've already watched this video a thousand times. Amazing content! It's very difficult to find accessible documentation that helps you understand why each step is necessary. I'm not a computer layman, but it's very difficult to get all the pieces to work together with the certainty that I'm not doing anything crazy. Thank you very much for the video, my friend!

morrisseybr

You have no idea how much knowledge I gained from this video/tutorial. I have watched a few of your videos including the "Put SSL on everything" but this was by far my favorite. Appreciate the effort that went into this.
Subbed

itskagiso

I am a Windows system engineer and I have been thinking about self-hosted services for some time now (around 2 years). Somehow your video motivated me to start. I have just started with the hardware and I am using your videos as a guide and as inspiration and ideas to achieve what I want. Keep up the good work and the nice ideas.

abdulhadies

Your video quality just keeps on improving. I really enjoy your work and you do a great job representing the self hosting community with a lot of polish and enthusiasm.

gianlazzarini

Hi Tim! I love your tutorials and homelab. Would be great to see a dedicated pfSense video with VLAN setups including a managed switch.

nohay

This video was amazing! Having the big picture (the visuals were perfect!) helps pull all these concepts together. I've watched a lot of videos of the self hosted pieces but without understanding how they fit together and the why, I felt lost.

jeremykramer

Love it Tim! Although you say it is for a home lab, your excellent account, and all the great comments elaborating on it, will be an inspiration to improve the setup at my workplace.
Thank you from a Dutchman!!

LarsBerntropBos

Great video, thanks! The production value is also really nice; it's obvious you're making great progress and you are by far my favorite homelab/tech YouTuber. It's easy to recommend such a great channel. Thank you for everything you're doing and I hope to see much more of your content.

GotCookies

Cool video! Using pictograms makes it so easy to visualize :) For containers, running them with the least privileges possible (preventing privilege escalation), using specialized socket proxies for the services that need it (i.e. Traefik, Watchtower, Portainer...) and segmenting their networks to the lowest possible level is also a good idea.

Moukrea
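
The least-privilege and socket-proxy points in the comment above, together with the video's Container Tags chapter, as an added example that is neither the video's nor the commenter's: a small auditor that walks a docker-compose service map and flags the settings a hardening review looks for (floating image tags, privileged mode, a direct Docker socket mount, missing cap_drop / no-new-privileges / read_only, running as root). The compose content is a constructed sample; PyYAML is only needed if you point it at a real file.

```python
try:
    import yaml  # PyYAML, optional: only used by audit_compose_file() on a real compose file
except ImportError:
    yaml = None

# Constructed sample (not a real stack): one careless service and one hardened one.
SAMPLE_COMPOSE = {
    "services": {
        "watchtower": {
            "image": "containrrr/watchtower:latest",
            "privileged": True,
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "web": {
            "image": "nginx:1.25.3",
            "read_only": True,
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
            "user": "101:101",
            "volumes": ["./site:/usr/share/nginx/html:ro"],
        },
    }
}


def image_is_pinned(image):
    """True when the image reference carries a digest or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    _, sep, tag = image.rpartition(":")
    # a ':' may belong to a registry port (registry:5000/app) rather than a tag
    if not sep or "/" in tag:
        return False
    return tag != "latest"


def audit_service(svc):
    """Return a list of human-readable findings for one compose service definition."""
    findings = []
    image = svc.get("image", "")
    if image and not image_is_pinned(image):
        findings.append("image tag not pinned (floating or :latest); pin a version or digest")
    if svc.get("privileged"):
        findings.append("privileged: true grants near-full host access")
    for vol in svc.get("volumes", []):
        src = vol.split(":")[0] if isinstance(vol, str) else vol.get("source", "")
        if src.endswith("docker.sock"):
            findings.append("docker socket mounted directly; use a socket proxy with a scoped API allow-list")
    if "ALL" not in [c.upper() for c in svc.get("cap_drop", [])]:
        findings.append("cap_drop: [ALL] missing (add back only the capabilities the service needs)")
    if not any("no-new-privileges" in opt for opt in svc.get("security_opt", [])):
        findings.append("security_opt no-new-privileges:true missing (blocks setuid escalation)")
    if not svc.get("read_only"):
        findings.append("read_only: true not set (use tmpfs for paths that must be writable)")
    if not svc.get("user"):
        findings.append("no user: set, container runs as root")
    return findings


def audit_compose(compose):
    """Map each service name to its findings; an empty list means nothing was flagged."""
    return {name: audit_service(svc) for name, svc in compose.get("services", {}).items()}


def audit_compose_file(path):
    if yaml is None:
        raise RuntimeError("PyYAML is required to read a compose file")
    with open(path) as fh:
        return audit_compose(yaml.safe_load(fh))


if __name__ == "__main__":
    for name, findings in audit_compose(SAMPLE_COMPOSE).items():
        print(name, "->", findings or "ok")
```

The checks are deliberately conservative: a service that legitimately needs a capability or a writable path still gets flagged, and the reviewer decides whether the exception is justified rather than the script guessing.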

Great to see Cloudflare getting recognition. There are only a handful of videos that I've seen that stick to using Cloudflare as a firewall. They may sell data, and had an outage recently, but for an inexpensive firewall, DNS record management, and more, I recommend them. Been using them for almost two years now.

realMattGavin

Happy to see you doing a security video. I just got my domain set up with Cloudflare; really cool to see that I can host public services without exposing my public IP.

Pro-cheeseburger

Dude, I'm learning so much from your videos! I got WireGuard up and running recently and have only been hiding behind that, but this video is an awesome roadmap for me to up my self-hosting game. Def earned my sub, looking forward to learning more from you.

currydude

Great overview. To summarize home lab architecture this thoroughly in 18 minutes is downright impressive! I would just suggest adding a quick comment or addendum to the guide somewhere that Cloudflare proxies alone can't be depended on for blocking external attacks, even with IP allow lists. You'll also need to set up mTLS, otherwise another Cloudflare account could proxy malicious traffic through to your servers.

DevinSlick
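
The origin-side half of the mTLS the comment above asks for, as an added example that is neither the video's nor the commenter's: a TLS server context that refuses any connection not presenting a client certificate issued by the proxy's CA, so traffic relayed by some other proxy account (which holds no such certificate) fails at the handshake instead of reaching the service. The certificate paths are placeholders; with Cloudflare the client CA would be the origin-pull CA they publish for Authenticated Origin Pulls, saved locally, and the feature must also be switched on for the zone on their side.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder paths (assumptions, not from the video): the origin's own server cert/key,
# and the CA that issues the proxy's client certificates.
SERVER_CERT = "/etc/ssl/origin.crt"
SERVER_KEY = "/etc/ssl/origin.key"
PROXY_CLIENT_CA = "/etc/ssl/origin-pull-ca.pem"


def build_origin_context(server_cert=None, server_key=None, client_ca=None):
    """Server-side context that demands a client certificate chained to client_ca.

    Paths are optional so the policy can be inspected without key material present;
    with no CA loaded the context still fails closed (every client cert is rejected).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # no client cert, or an unverifiable one -> handshake fails
    if server_cert and server_key:
        ctx.load_cert_chain(server_cert, server_key)
    if client_ca:
        # Trust only the proxy CA; deliberately do NOT call load_default_certs(), or any
        # client cert from a public CA would satisfy the check.
        ctx.load_verify_locations(cafile=client_ca)
    return ctx


def requires_client_cert(ctx):
    """True when the context will reject clients that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Only reached after a successful mutual-TLS handshake.
        peer = self.connection.getpeercert() or {}
        subject = dict(pair[0] for pair in peer.get("subject", ()))
        body = f"hello, proxy {subject.get('commonName', '?')}\n".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port=8443):
    httpd = HTTPServer(("0.0.0.0", port), Handler)
    ctx = build_origin_context(SERVER_CERT, SERVER_KEY, PROXY_CLIENT_CA)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

This complements, rather than replaces, the firewall rule that only admits the proxy's IP ranges: the IP rule keeps the noise out, and the client-certificate check is what binds each connection to your own proxy configuration.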