Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9180d1399eb195dec3a2fb6d0c0b131c9c0e020e
homelab-optimized/docs/admin/security-hardening.md
Gitea Mirror Bot 9180d1399e
Some checks failed
Documentation / Build Docusaurus (push) Failing after 17m14s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details
Sanitized mirror from private repository - 2026-04-05 13:14:50 UTC
2026-04-05 13:14:50 +00:00

143 lines
5.2 KiB
Markdown
Raw Blame History

# 🔒 Security Hardening Guide
This guide details comprehensive security measures and best practices for securing the homelab infrastructure. Implementing these recommendations will significantly improve the security posture of your network.
## 🛡️ Network Security
### Firewall Configuration
- Open only necessary ports (80, 443) at perimeter
- Block all inbound traffic by default
- Allow outbound access to all services
- Regular firewall rule reviews
### Network Segmentation
- Implement VLANs for IoT and guest networks where possible
- Use WiFi-based isolation for IoT devices (current implementation)
- Segment critical services from general access
- Regular network topology audits
### Tailscale VPN Implementation
- Leverage Tailscale for mesh VPN with zero-trust access
- Configure appropriate ACLs to limit service access
- Monitor active connections and node status
- Rotate pre-authentication keys regularly
## 🔐 Authentication & Access Control
### Multi-Factor Authentication (MFA)
- Enable MFA for all services:
- Authentik SSO (TOTP + FIDO2)
- Portainer administrative accounts
- Nginx Proxy Manager (for internal access only)
- Gitea Git hosting
- Vaultwarden password manager
### Service Authentication Matrix
| Service | Authentication | MFA Support | Notes |
|---------|----------------|-------------|--------|
| Authentik SSO | Local accounts | Yes | Centralized authentication |
| Portainer | Local admin | Yes | Container management |
| Nginx Proxy Manager | Local admin | No | Internal access only |
| Gitea Git | Local accounts | Yes | Code repositories |
| Vaultwarden | Master password | Yes | Password storage |
| Prometheus | Basic auth | No | Internal use only |
### Access Control Lists
- Limit service access to only necessary hosts
- Implement granular Tailscale ACL rules
- Use Portainer role-based access control where available
- Regular review of access permissions
## 🗝️ Secrets Management
### Password Security
- Store all passwords in Vaultwarden (self-hosted Bitwarden)
- Regular password rotations for critical services
- Use unique, strong passwords for each service
- Enable 2FA for Vaultwarden itself
### Environment File Protection
- Ensure all `.env` files have restrictive permissions (`chmod 600`)
- Store sensitive environment variables in Portainer or service-specific locations
- Never commit secrets to Git repositories
- Secure backup of environment files (encrypted where possible)
### Key Management
- Store SSH keys securely with proper permissions
- Rotate SSH keys periodically
- Use hardware security modules where possible for key storage
## 🛡️ Service Security
### Container Hardening
- Run containers as non-root users when possible
- Regularly update container images to latest versions
- Scan for known vulnerabilities using image scanners
- Review and minimize container permissions
### SSL/TLS Security
- Use wildcard certificates via Cloudflare (NPM)
- Enable HSTS for all public services
- Maintain modern cipher suites only
- Regular certificate renewal checks
- Use Let's Encrypt for internal services where needed
### Logging & Monitoring
- Enable logging for all services
- Implement centralized log gathering (planned: Logstash/Loki)
- Monitor for suspicious activities and failed access attempts
- Set up alerts for authentication failures and system anomalies
## 🔍 Audit & Compliance
### Regular Security Audits
- Monthly review of access permissions and user accounts
- Quarterly vulnerability scanning of active services
- Annual comprehensive security assessment
- Review of firewall rules and network access control lists
### Compliance Requirements
- Maintain 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite)
- Regular backup testing for integrity verification
- Incident response documentation updates
- Security policy compliance verification
## 🛠️ Automated Security Processes
### Updates & Patching
- Set up automated vulnerability scanning for containers
- Implement patch management plan for host systems
- Monitor for security advisories affecting services
- Test patches in non-production environments first
### Backup Automation
- Configure HyperBackup tasks with appropriate retention policies
- Enable automatic backup notifications and alerts
- Automate backup integrity checks
- Regular manual verification of critical backup restores
## 🔧 Emergency Security Procedures
### Compromise Response Plan
1. **Isolate**: Disconnect affected systems from network immediately
2. **Assess**: Determine scope and extent of compromise
3. **Contain**: Block attacker access, change all credentials
4. **Eradicate**: Remove malware, patch vulnerabilities
5. **Recover**: Restore from known-good backups
6. **Review**: Document incident, improve defenses
### Emergency Access
- Document physical access procedures for critical systems
- Ensure Tailscale works even during DNS outages
- Maintain out-of-band access methods (IPMI/iLO)
- Keep emergency access documentation securely stored
## 📚 Related Documentation
- [Security Model](../infrastructure/security.md)
- [Disaster Recovery Procedures](disaster-recovery.md)
- [Backup Strategy](../infrastructure/backup-strategy.md)
- [Monitoring Stack](../infrastructure/monitoring/README.md)
---
*Last updated: 2026*
Reference in New Issue View Git Blame Copy Permalink