As the title says, I want to know the most paranoid security measures you’ve implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I’m wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

  • RedFox
    link
    fedilink
    English
    210 months ago

    Sorry for confusion. I use Sophos utm as a WAF for exchange. Basically reverse proxy that is specifically programmed for exchange attacks. It allows OWA to keep working.

    I put the exchange admin URL behind authentication, so you try to go to /ecp, it Sophos intercepts and make you authenticate to Sophos utm first, which is passing to ad with radius.

    MS got rid of intune on prem. It’s only Azure service now. I think.

    My router is my biggest vuln. Oddly the most important. It’s an enterprise ISR. It’s updated as far as possible. My paranoia ends with the US gov/NSA. I don’t care if they want back door oddly. I don’t want China using me for attack relay however.

    Loads of monitoring. You do a span/mirror port to your IDS like security Onion. Let it analyze all your traffic. Apparently there are some state sponsored exploits that allow them to owe a router at kernel level and hide their activities from you and monitoring, but that’s a level I can’t deal with.

    As far as lock out, you create a break glass on everything. Emergency account with non rememberable ridiculous password, saved in a safe place.

    • @MigratingtoLemmyOP
      link
      English
      210 months ago

      As far as lock out, you create a break glass on everything. Emergency account with non rememberable ridiculous password, saved in a safe place.

      This is such a great and a simple idea. Thanks.

      I think I followed your setup at a high level, but because I don’t have hands-on experience with AD I didn’t quite catch the scope of it. Thanks for letting me know, I’ll get some reading done when I get the time!