I’m a software developer working in the telecam sector on security related products, so I know a fair bit about system security. Yet I wound secure my own system far less than most people here if I didn’t enjoy cybersecurity as a hobby.

I wonder what you are securing against? Some examples:

  • jellyfin: unless you have home videos on there, what does it matter if someone exfiltrates some movies? Surely you have basic DOS protection and/or region locking to reduce wasted network traffic, right?
  • linux: I assume nobody is using their servers as daily drive PCs, so what does it matter if somehow your system is superficially compromised. You can always reimage. Sure they could mine some bitcoin with your system, but it doesn’t have that much PSU headroom to cost you much on your bills, right?

It just seems like most attack vectors lead to mild annoyance at most for most systems.

Do you guys just enjoy cybersecurity? Do you actually keep sensitive data on your self hosted systems? Do you self-host on expensive hardware? What am I missing?

  • irmadlad
    link
    fedilink
    English
    arrow-up
    2
    ·
    15 hours ago

    This is the security I’ve implemented on my network:

    • Modem receiving IP from ISP. Modem to router. Router to stand alone pfsense firewall. Router has a 54 character complex password for WiFi. There are no guest provisions for WiFi.
    • Pfsense firewall with pfblockerng & suricata running on both lan and wan, both with a full array of rules/feeds updated daily. pfsense has tailscale as an overlay vpn. Server traffic and PC traffic have their own VLAN provided by pfsense. My approach is to deny all until something complains and address that on a case by case basis. Additionally ntopng is utilized for traffic analysis. IPv6 is disabled.
    • Server running Tailscale as an overlay VPN, UFW deny all posture, and fail2ban with an aggressive posture. Server has been hardened against Lynis spec where applicable. Not all recommendations apply to my server. Server is utilizing host deny/host allow and SSH keys.
    • Server is utilizing containers for services.
    • Server is using Cloudflare tunnel/zero trust.
    • Server and pfsense communicate via Tailscale encrypted tunnel. PC/Phone/mobile device can communicate with pfsense via Tailscale.
    • Server services are accessed via https.
    • PC connected to pfsense firewall with same rules as server. PC is using a VPN with Cloudflare 1.1.1.1/1.0.0.1 for DNS queries. Firefox is using 1.1.1.1/1.0.0.1. Settings for Firefox are the strictest for Enhanced Tracking Protection, and DOH. HTTPS-Only mode enabled. PC is also running a soft firewall.
    • All other devices such as phones, laptops, and tablets run a VPN with Cloudflare 1.1.1.1/1.0.0.1 for DNS queries.
    • IoT devices are isolated. Phones are isolated. Smart TVs are isolated.

    I’ve been told repeatedly that I go overboard on security.

    Do you guys just enjoy cybersecurity?

    To the extent of my knowledge thereof, yes.

    Do you actually keep sensitive data on your self hosted systems?

    No I do not. No password vaults, no financial info, etc.

    Do you self-host on expensive hardware?

    No. In fact I just finished decommissioning one of my Dell T320s. In it’s place I put an Optiplex 7020 SFF. The Dell T320 was adding $40 USD of my electric bill, while the Optiplex 7020 sips about $8 a month, plus it doesn’t pump heat in to the lab like the T320s do. I have one more T320 to decommission and then I’ll be done with that type of equipment. I’m looking to sell the two T320s, but I’m not sure someone wants to pay to ship a boat anchor.

    It’s not that the data on my server is so sensitive. I just don’t want anyone mucking around in my lab all willy nilly, which is why I run all the above and isolate everything I can, so that anyone who might get through, wouldn’t have any lateral movement,

      • irmadlad
        link
        fedilink
        English
        arrow-up
        3
        ·
        14 hours ago

        Yes VLANS. Server is on one, PC is on one, My lady friend gets one because when she comes over, she gets grumpy if she doesn’t see a wall of advertisements…especially her VLAN. LOL