Which layer of a home network is most important to harden?

[thatscringebro]

I have an extensive home lab on my home network that hosts many services (think jellyfin, matrix, etc) that I'd like to expose to the Internet. I have however never done network security and it's hard to find answers without fear-mongering about opening ports on your home router. I am searching for the best way to secure my home network when I will open my services. Accessing my services via a VPN is not an option.

Here is a schema of my network:

INTERNET => ISP router with ports 80 and 443 forwarded to => Mikrotik router with ports 80 and 443 forwarded to => RaspberryPi 4 running caddy as a reverse proxy for => Ubuntu server machine that runs every service

Note: the ISP router is unfortunately necessary and cannot be discarded. It exists only because my ISP demands it and the Mikrotik router is the main router for my network.

In this setup, what should be my priority for hardening? Is a strong firewall on the Ubuntu server really necessary? Should I focus on the RaspberryPi 4, the routers?

 

[louie1961]

I am not familiar with the Mikrotik products. Is the Mikrotik router also a firewall? Personally I would want the firewall before the router or any other services. You should be hardening your entry point to your network with firm firewall rules. I would also want to have strong network segmentation (i.e., VLANs) so that you only port forward on the one VLAN and only services that need port forwarding sit in that VLAN. Think of this as a more sophisticated form of a DMZ. You will want strong firewall rules separating the VLANs. Anything that doesn't need port forwarding should sit in a more secure VLAN. I run six VLANs: Home, Guest, IOT, Telvisions, Server and Server management. I only have two PCs on the Home network and that VLAN can access all of the other VLANs, but not visa versa. Guest is for the kids and basically only lets them get to the internet. They can't muck about on any of my servers. IOT is for Ring cameras, Television is for the ROKU sticks. I have them in separate VLANs so I can send my Roku sticks out over a VPN if I want (watch blacked out ball games and such). Server is my VLAN that is exposed to the internet. Things like my Wordpress websites and Nextcloud. Server management is the management interfaces for my Proxmox nodes, switches and the like. Each of my VLANs (with the exception of server and server management) have their own IP address ranges, their own DHCP server, and their own SSID/password combination on the wireless access point. My wireless access point is VLAN aware.

All of my internal services are run on HTTPS with Lets Encrypt certificates. Nothing traverses unencrypted. Same for externally exposed certificates

I also use Cloudflare tunnels to expose all my services externally. Anything trying to come into my network other than by cloudflare is automatically blocked by pfSense. Cloudflare also adds protection such as web application firewalls, DDOS protection, etc. to the services you expose through them, all for free.

 

[louie1961]

Tim has a nice high level overview of security for the home lab

 

[Stephan]

Not fear mongering, but you will get hacked. Do not open anything except one UDP port for Wireguard or OpenVPN. Not even SSH on a random port if you are unexperienced with threats.

If VPN is inconvenient, maybe port-knocking is for you:

ipset -exist create whitelearned4 hash:ip family inet
iptables -t raw -A PREROUTING -i $EXT_IF -p tcp --dport 8384 -m string --string "GET /.blabla-secret-letmein/" --algo kmp -j SET --add-set whitelearned4 src --exist
iptables -A INPUT -i $EXT_IF -p tcp --dport 443 -m set --match-set whitelearned4 src -j ACCEPT

With some empty httpd daemon on 8384 listening for GETs just to let the TCP handshake finish. And always use a box outside to portscan yourself on all TCP- and UDP-ports with nmap to see if you missed something. And if you use IPv6, that too.

 

[homeserver78]

Not fear mongering, but you will get hacked. Do not open anything except one UDP port for Wireguard or OpenVPN. Not even SSH on a random port if you are unexperienced with threats.

Can you elaborate on this a bit? Some 15 years ago I ran ssh - with password login! - port-forwarded (on port 22) to one of my servers, and sure, there were lots of dictionary attacks (using all the typical user names) but no-one ever tried my username and I did have a good password, too. I did make sure only my user could login (with an AllowUsers statement).

Later I've been running a couple of game server VMs, again just port forwarded. These feel like a greater risk and each server is on its own locked-down VLAN.

If I have been hacked I haven't noticed it yet. Am I missing something? Or are you actually fear mongering?

 

[Stephan]

If I have been hacked I haven't noticed it yet. Am I missing something? Or are you actually fear mongering?

Can you exclude the possibility, that you are hacked? You can't.

Jokes aside. Every couple of years there will be a problem with the SSH daemon. Weak keys, problems in a library, or user enabling root with password he reused on that online portal a month ago. Can SSH be secure? Sure. But like you don't hand a gun to anyone without training and following proper safety procedures, I don't recommend he open up any ports on the firewall. At this point. When it is unclear he found pwgen yet, or will follow online sites with information about new exploits for any and all services he has exposed.

 

[homeserver78]

Can you exclude the possibility, that you are hacked? You can't.

True.

I think the key is to have many layers of security. All software is likely to have vulnerabilities at some point. Assume there will be intrusions and minimise the potential damage when it happens.

Accessing my services via a VPN is not an option.

Why? Like Stephan suggests, Wireguard or OpenVPN sounds like a good idea here since you want to open up many services.

If you have some services that you want others to use as well without having to log into your VPN - Matrix for instance? - then move each of those services to their own virtual machine with their own VLAN and use firewall rules in your router to restrict access between them.

I haven't run Jellyfin but if I did and I wanted it accessible from the outside I'd try to make sure the Jellyfin server itself had only read access to my media library (e.g. through a samba mount).

So there is no single point you need to harden, you need to think about how to harden every service and how to minimise the damage if it gets hacked.

 

[thatscringebro]

I have absolutely no experience with VLANs, is there a ressource to learn how to set one up? My hardware is as follows:

The router is a mikrotik router, model RB3011UiAS-RM, running RouterOS and the switch, where every device is connected to, is an HP V1910-48G, a 48 port L2 gigabit switch from HP.

Thanks

 

[louie1961]

There's lots of youtube content creators with good videos on VLANs and network segmentation. I would start there.

 

[Phence]

Layer 8