# 🔒 Security Hardening Guide
This guide details comprehensive security measures and best practices for securing the homelab infrastructure. Implementing these recommendations will significantly improve the security posture of your network.
## 🛡️ Network Security

### Firewall Configuration
- Open only necessary ports (80, 443) at perimeter
- Block all inbound traffic by default
- Allow outbound access to all services
- Regular firewall rule reviews
### Network Segmentation
- Implement VLANs for IoT and guest networks where possible
- Use WiFi-based isolation for IoT devices (current implementation)
- Segment critical services from general access
- Regular network topology audits
### Tailscale VPN Implementation
- Leverage Tailscale for mesh VPN with zero-trust access
- Configure appropriate ACLs to limit service access
- Monitor active connections and node status
- Rotate pre-authentication keys regularly
## 🔐 Authentication & Access Control

### Multi-Factor Authentication (MFA)
- Enable MFA for all services:
  - Authentik SSO (TOTP + FIDO2)
  - Portainer administrative accounts
  - Nginx Proxy Manager (for internal access only)
  - Gitea Git hosting
  - Vaultwarden password manager
### Service Authentication Matrix
| Service | Authentication | MFA Support | Notes |
|---|---|---|---|
| Authentik SSO | Local accounts | Yes | Centralized authentication |
| Portainer | Local admin | Yes | Container management |
| Nginx Proxy Manager | Local admin | No | Internal access only |
| Gitea Git | Local accounts | Yes | Code repositories |
| Vaultwarden | Master password | Yes | Password storage |
| Prometheus | Basic auth | No | Internal use only |
### Access Control Lists
- Limit service access to only necessary hosts
- Implement granular Tailscale ACL rules
- Use Portainer role-based access control where available
- Regular review of access permissions
## 🗝️ Secrets Management

### Password Security
- Store all passwords in Vaultwarden (self-hosted Bitwarden)
- Regular password rotations for critical services
- Use unique, strong passwords for each service
- Enable 2FA for Vaultwarden itself
### Environment File Protection
- Ensure all `.env` files have restrictive permissions (chmod 600)
- Store sensitive environment variables in Portainer or service-specific locations
- Never commit secrets to Git repositories
- Secure backup of environment files (encrypted where possible)
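The checklist above asks for `.env` files to be mode 600 and never committed. The following helper, added here as an example and not part of the guide, audits a directory tree for `.env` files with looser permissions, tightens them, and reports whether any are tracked by git. It assumes POSIX sh with `find(1)`, optionally `git`, and the paths and file contents used are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: audit and fix .env file permissions so that
# secrets in them are readable by their owner only. Template files (.env.example)
# carry no secrets and are deliberately skipped by every function below.

# Print the number of .env* files under directory $1 whose mode is not exactly 0600.
count_loose_env_files() {
  find "$1" -type f -name '.env*' ! -name '.env.example' ! -perm 600 2>/dev/null \
    | wc -l | tr -d ' '
}

# Show those files with their current permissions so the operator sees what is exposed.
list_loose_env_files() {
  find "$1" -type f -name '.env*' ! -name '.env.example' ! -perm 600 \
    -exec ls -l {} \; 2>/dev/null
}

# Restrict every .env* file under $1 to owner read/write (chmod 600).
restrict_env_files() {
  find "$1" -type f -name '.env*' ! -name '.env.example' -exec chmod 600 {} + 2>/dev/null
}

# Return 0 when no .env-style file under $1 is tracked by git, 1 otherwise.
# Returns 0 (nothing to check) when git is absent or $1 is not inside a repository.
no_env_files_tracked_by_git() {
  command -v git >/dev/null 2>&1 || return 0
  git -C "$1" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  n=$(git -C "$1" ls-files \
      | grep -E '(^|/)\.env(\.[^/]*)?$' | grep -v '\.env\.example$' | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Usage: sh audit_env.sh /path/to/compose/stacks
if [ $# -gt 0 ]; then
  if [ "$(count_loose_env_files "$1")" -ne 0 ]; then
    echo "Loose .env files found, restricting to 0600:"
    list_loose_env_files "$1"
    restrict_env_files "$1"
  fi
  no_env_files_tracked_by_git "$1" || echo "WARNING: .env files are tracked by git under $1"
fi
```

Run it against the directory that holds the compose stacks; the git check only fires when that directory is inside a repository.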
### Key Management
- Store SSH keys securely with proper permissions
- Rotate SSH keys periodically
- Use hardware security modules where possible for key storage
## 🛡️ Service Security

### Container Hardening
- Run containers as non-root users when possible
- Regularly update container images to latest versions
- Scan for known vulnerabilities using image scanners
- Review and minimize container permissions
### SSL/TLS Security
- Use wildcard certificates via Cloudflare (NPM)
- Enable HSTS for all public services
- Maintain modern cipher suites only
- Regular certificate renewal checks
- Use Let's Encrypt for internal services where needed
### Logging & Monitoring
- Enable logging for all services
- Implement centralized log gathering (planned: Logstash/Loki)
- Monitor for suspicious activities and failed access attempts
- Set up alerts for authentication failures and system anomalies
## 🔍 Audit & Compliance

### Regular Security Audits
- Monthly review of access permissions and user accounts
- Quarterly vulnerability scanning of active services
- Annual comprehensive security assessment
- Review of firewall rules and network access control lists
### Compliance Requirements
- Maintain 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite)
- Regular backup testing for integrity verification
- Incident response documentation updates
- Security policy compliance verification
## 🛠️ Automated Security Processes

### Updates & Patching
- Set up automated vulnerability scanning for containers
- Implement patch management plan for host systems
- Monitor for security advisories affecting services
- Test patches in non-production environments first
### Backup Automation
- Configure HyperBackup tasks with appropriate retention policies
- Enable automatic backup notifications and alerts
- Automate backup integrity checks
- Regular manual verification of critical backup restores
## 🔧 Emergency Security Procedures

### Compromise Response Plan
1. Isolate: Disconnect affected systems from the network immediately
2. Assess: Determine scope and extent of compromise
3. Contain: Block attacker access, change all credentials
4. Eradicate: Remove malware, patch vulnerabilities
5. Recover: Restore from known-good backups
6. Review: Document the incident, improve defenses
### Emergency Access
- Document physical access procedures for critical systems
- Ensure Tailscale works even during DNS outages
- Maintain out-of-band access methods (IPMI/iLO)
- Keep emergency access documentation securely stored
Last updated: 2026