Securing My Home Lab
I tend to be on the paranoid side of the security spectrum. I’m not an expert, but I try to stay informed and follow best practices for security, including:
- only expose what I need to the public internet
- keep my systems patched and on supported software versions
- stay informed by reading about security on sites like Hacker News and listening to security podcasts like Security Now
- leverage tools and best practices posted by people who know more than I do
Running SSH Securely
When I do expose something to the internet, I first like to understand the best practices I can follow to do it securely. At a high level I follow a few simple rules for SSH:
- only allow access using SSH keys
- restrict logins to expected user IDs and never root
- limit the crypto ciphers available to modern ones (see below)
- block IPs in geographies I never visit
- run Fail2ban on my servers to block IPs with failed login attempts
I also expose my SSH server on non-standard ports on the internet. This isn’t meant to be a security best practice - I just don’t see any harm in doing so and there is less background noise in the logs.
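The sshd-side rules in the list above (keys only, expected user IDs and never root, modern ciphers) can be checked mechanically against the effective configuration that `sshd -T` prints. This is an added example, not code from the original post: the cipher allow-list, the function names and the sample output are assumptions, and geo-blocking and Fail2ban sit outside sshd so they are not covered.

```python
MODERN_CIPHERS = {  # assumption: allow-list picked for this added example
    "chacha20-poly1305@openssh.com",
    "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
}

def parse_effective(text):
    """Parse `sshd -T` output: 'keyword value' lines; a keyword may repeat."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        cfg.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return cfg

def audit(text, expected_users):
    cfg = parse_effective(text)
    first = lambda key, default="": cfg.get(key, [default])[0].lower()
    findings = []
    # Key-only: password-style methods must be off (older OpenSSH: challengeresponseauthentication).
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if first(key, "yes") != "no":
            findings.append(f"{key} is not 'no'")
    if first("permitrootlogin", "prohibit-password") != "no":
        findings.append("permitrootlogin is not 'no'")
    allowed = {u for v in cfg.get("allowusers", []) for u in v.split()}
    if not allowed:
        findings.append("allowusers is unset")
    for user in sorted(allowed - set(expected_users)):
        findings.append(f"unexpected user in allowusers: {user}")
    for cipher in first("ciphers").split(","):
        if cipher and cipher not in MODERN_CIPHERS:
            findings.append(f"legacy cipher enabled: {cipher}")
    return findings

# Constructed sample of `sshd -T` output (not from a real host).
SAMPLE = """\
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin prohibit-password
allowusers alice
allowusers backup
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"alice"}):
        print("FAIL:", finding)
```

Missing keywords are treated as their insecure defaults, so an incomplete dump fails rather than passes.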
SSH Audit and Hardening Guides
SSH Audit is a great example of a community tool you can use to ensure you are using recommended crypto ciphers and validate your configuration. Because security best practices are constantly evolving, I try to revisit them every few years by reviewing the latest guides and running the audit against my servers.
This only takes a few minutes - I highly recommend trying it yourself if you expose SSH externally.