I am still very much a novice in the self-hosting space, Linux etc. having fairly recently switched from using macOS as my daily driver and not tinkering much at all.
One of the things that often confuses me is networking and making sure my setup is secure. This is currently holding me back from hosting more stuff locally that I would require access to from outside my home, as I am afraid I am doing something that could severely compromise my data. It can sometimes be difficult to follow explanations from more advanced users due to the many different components of networking and security, and different layers of abstraction, which prevents me from following completely. I might understand one particular case, but then be unable to make connections to another one. So I would want to research this more intensively, and ideally I would end up being able to easily understand the data flows - the paths the data takes (e.g. I make a HTTPS request to some server from my laptop, how is that traffic routed correctly through my local area network and later the wide area network), in what forms (i.e. different protocols, encryption layers etc.).
In communities like this, I see there are a lot of very knowledgeable people who maybe could recommended any resources that cover this from the basics and onto more advanced stuff? Maybe a textbook from a university course on ICT that is considered particularly good? A YouTube channel with great explanations and visualizations? I am looking both at home LAN and internet in general. Enterprise level networks are not very interesting to me (at the moment).
nothing wrong with being self taught, you could follow these basics topics before poking holes in firewall.
- VLANS: learn how to separate your LAN into networks with different security requirements. For wireless, try to make a “main” and “IoT” network so that IoT network that can’t talk to your “main” network but “main” can reach IoT devices. For wired, try to have a Management network, and a “Dirty network” etc.
- Firewalls and Routing: You will need to be able to route between your VLANS and set firewall rules to allow certain traffic. Best practice is block everything and allow only what you need.
- NMAP: learn how to do NMAP scans of your network to discover hosts and their open ports/services. This is a similar approach that “hackers” and script kiddies use on the public internet to find vulnerae and open services. Being able to probe your own network is crutial in understanding how others might approach in penetrating it.
- Wireguard VPN: Learn to access your network remotely by setting up a wireguard VPN. Wireguard is preferred because it is “stealthy” and will not respond to unsolicited attempted to probe your network. Start small by using wireguard to access between VLANs so you don’t run the risk of using the internet.
- NGINX and Reverse Proxy: If necessary, learn to expose your services or blog or website by only exposing nginx and proxying to your services. Many guides on securing NGINX exist. Try not to expose anything, but sometimes necessary if you want others to reach your website/blog/hosting etc.
That’s a rough outline that you can use to guide yourself and achieve milestones with hands on experience. In your pursuit you’ll run into certificates and domain name hosting and stuff. But all this is on the web so let your curiosity (and paranoia) drive! Have fun!!
Honestly start by thinking about what has access to what. From there you can focus on least privilege which will involve firewalls, vlans and isolation
The Homelab Show frequently explores the topic of security in a homelab. I’m a big fan of Jay LaCroix, since I learned how to use Proxmox from his fabulous Proxmox course. They touch on security from the broad to the specific, and talk about incidents, as well. You do have to search through it to find the episodes where security is a topic, but they are there.
Check this out https://taggartinstitute.org/p/the-homelab-almanac. (Shoutout once again to @[email protected] .)
The table of contents hints there is only one section relevant to security, Lab Firewall Config.
Anyone have experience with this book that could vouch for other chapters that explore best practices for security?