I understand some of these words.

I’m not super paranoid about security, but I do try to have a few good practices to make sure that it takes more than a bot scanning for /admin.php to find a way in.

• Anything with SSH access uses key-based auth with password auth disabled. First thing I do when spinning up a new machine
• Almost nothing is exposed directly to the Internet. I have wireguard set up on all my devices for remote access and also for extra security on public networks
• Anyone who comes to visit gets put on the “guest” network, which is a separate subnet that can’t see or talk to anything on the main network
• For any service that supports creating multiple logins, I make sure I have a separate admin user with elevated permissions, and then create a non-privileged user that I sign in on other devices with
• Every web-based service is only accessible with a FQDN which auto-redirects to HTTPS and has an actual certificate signed by a trusted CA. This is probably the most “paranoid” thing I do, because of the aforementioned not being accessible on the Internet, but it makes me happy to see the little lock symbol on my browser without having to fiddle around with trusting a self-signed cert.

Nice try, attacker trying to get me to do their reconnaissance work for them. I’m on to you.

Using SPA firewall knocking (fwknop) to open ports to ssh in. I suppose if I was really paranoid, the most secure would be an air gap, but there’s only so much convenience I’ll give up for security.

• Custom Router/Firewall running OPNsense and the Sensei plugin
• Extensive DNS filtering through Pihole
• Redirecting all DNS requests to my Pihole through OPNsense
• My entire network is behind a multi hop VPN
• I don’t let any Windows systems connect to the internet, instead, I have a Linux server which is connected to the internet (through a VPN of course) and runs a browser, and I use X2go to access the browser which is running on the Linux server

My security is fairly simplistic but I’m happy with it

• software protection

  • fail2ban with low warning hold
  • cert based login for ssh (no password Auth)
  • Honeypot on all common port numbers, which if pinged leads to a permanent IP ban
  • drop all firewall
  • PSAD for intrusion/scanning protection (so many Russian scanners… lol)
  • wireguard for VPN to access local virtual machines and resources
  • external VPN with nordVPN for secure containers (yes I know nord is questionable I plan to swap when my sub runs out)

• physical protection

  • luksCrypt on the sensitive Data/program Drive ( I know there’s some security concerns with luksCrypt bite me)
  • grub and bios locked with password
  • UPS set to auto notify on power outage
  • router with keep alive warning system that pings my phone if the lab goes offline and provides fallback dns

• things I’ve thought about:

  • a mock recovery partition entry that will nuke the Luks headers on entry (to prevent potential exploit getting through grub)
  • removing super user access completely outside of local user access

Only remote access by wireguard and ssh on non standard port with key based access.

Fail2ban bans after 1 attempt for a year. Tweaked the logs to ban on more strict patterns

Logs are encrypted and mailed off site daily

System updates over tor connecting to onion repos.

Nginx only has one exposed port 443 that is accessible by wireguard or lan. Certs are signed by letsencrypt. Paths are ip white listed to various lan or wireguard ips.

Only allow one program with sudo access requiring a password. Every other privelaged action requires switching to root user.

I dont allow devices I dont admin on the network so they go on their own subnet. This is guests phones and their windows laptops.

Linux only on the main network.

I also make sure to backup often.

My most paranoid config is disabling Ipv4

That’s it. If someone wants to attack me, they will need to adopt IPv6!

deleted by creator

I’ve got systems that can detect suspicious activities in the net, which result in a shutdown of the router. And not like “could you please shut down” but a hard power off type of shutdown.

I have Nginx Proxy Manager set up to let me access services running HTTP on other ports on the machine with a local network only access list just so my traffic even in my own network will use TLS. The likelihood that anyone is sniffing traffic on my own network is extremely small, but I’m paranoid. (Can’t let anyone see that I’m running Ubuntu Server. How embarrassing.)

For about a year I was running a full out of band IPS on my network. My core switch was set up with port mirroring to spit out a copy of all traffic on one port so that my Suricata server could analyze it. Then, this was fed into ElasticSearch and a bunch of big data crap looked for anomalies.

It was cool. Basically useless because all it did was complain about the same IP crawler bots as my nginx logs. But fun to setup and ultimately good for my career lol.

• full disk encryption on everything except the router (no point in encrypting the router)
  • the server doesn’t have a display connected for obvious reasons, so I’m manually unlocking it via ssh on each boot
    • obviously, the SSH keys are different, so the server has a different IP in initrd. That said, I still don’t have any protection against malicious modification of initrd or UEFI
• the server scans all new SSL certificates in realtime using certspotter and notifies me of any new certificates issued for my domains that it doesn’t know about (I use Cloudflare so it triggers relatively often, but I still do checks on who the issuer is)
• firewall blocks outgoing 25 so nobody can impersonate my mailserver

I’m somewhat paranoid therefore running several isolated servers. And it’s still not bulletproof and will never be!

• only the isolated server, ie. no internet access, can fetch data from the other servers but not vice versa.
• SSH access key based only
• Firewall dropping all but non-standard ports on dedicated subnets
• Fail2ban drops after 2 attempts
• Password length min 24 characters, 2FA, password rotation every 6 months
• Guest network for friends, can’t access any internal subnet
• Reverse proxy (https;443 port only)
• Any service is accessed by a non-privileged user
• Isolated docker services/databases and dedicated docker networks
• every drive + system Luks-encrypted w/ passphrase only
• Dedicated server for home automation only
• Dedicated server for docker services and reverse proxy only
• Isolated data/backup server sharing data to a tv box and audio system without network access via nfs
• Offsite data/backup server via SSH tunnel hosted by a friend

I’m an enterprise guy, so that’s the explanation for non home use things.

• VPN for anything not my web or certificate revocation distribution point
• Sophos IPS
• sophos utm for web application firewall
• transparent inline web proxy, sophos is doing https inspection. I have internal CA and all clients trust it. I don’t inspect medical or banking, other common sense stuff.
• heavily vlan segmented with firewall between
• my windows clients are managed by active directory with heavy handed GPOs.
• least priv accounts, different accounts for workstation admin, server, domain, network devices
• security Onion IDS
• separate red forest that has admin accounts for my management access and accounts on devices
• trellix antivirus and global reputation based file monitoring
• I’ve started applying disa STIGs on servers
• site to site VPN with other family member household. They get managed trellix av also.
• my public identity accounts like MS,.Google, etc all need 2fa, token, etc.

I bet this can still get exploited, just would take effort hopefully none does for a home network.

I’m still one shitty windows zero day click away from getting my workstation or browser tokens owned though, I can feel it.