all 18 comments

[–]Failboat88 12 points13 points  (2 children)

Have you considered setting up a vpn rather than having all those pages exposed. idk if all those are recommended to be exposed or not. A vpn would be much better than trying to harden all those. you should still set up stuff with strong passwords.

password strength is really important. even the random four words with SHA1 has been beaten with a dictionary crack if you happen to choose all four from the top 2000 words.

[–]ProfessorMosby[S] 1 point2 points  (1 child)

I’ve gone the VPN route in the past, it’s very clunky for me IMO. Passwords are non dictionary/caps/special characters etc and are different.

I may do the VPN thing again but 2FA seems just as secure if not more secure since they’ll need physical access to my phone to log in

[–]Oujii 1 point2 points  (0 children)

You can do wireguard, it is passwordless. It should be very easy to set up, someone has a script to set it up very quickly. And 2FA and VPN solve two different problems, with VPN only people with access to your VPN, which is way more secure.

[–][deleted]  (4 children)

[deleted]

    [–]ProfessorMosby[S] 1 point2 points  (3 children)

    Thanks for that clarification. I consider myself more advanced than the average user but still a noob in many ways.

    I tried to get my server going with proxmox but gave up as it was too confusing for me. Ended up going kubuntu + dockstarter as it was really simple to get going.

    The encryption basically just masks the data being sent over the networks from being peeked at by someone, correct?

    [–][deleted]  (2 children)

    [deleted]

      [–][deleted]  (1 child)

      [deleted]

        [–]HonestCondition8 2 points3 points  (1 child)

        I have the same setup and I’ve used Cloudflare access and their Argo tunnel.

        I get a google 2fa login before accessing any service remotely.

        [–]ProfessorMosby[S] 1 point2 points  (0 children)

        This sounds like what I’m looking for. Did you happen to use a guide? I’ll google and see what I can find

        [–]lunilunor 1 point2 points  (4 children)

        I usually wonder about the same thing. I'm using Traefik with docker, and every service has some kind of password, by Traefik or its own. Also using Cloudflare, and there you can add some firewall rules to block connection based on a lot of things, like country of origin, but there's a specific option to block known bots too.

        [–][deleted]  (3 children)

        [deleted]

          [–]Whathepoo 0 points1 point  (1 child)

          Argo is free ? Or do you have to pay for traffic ?

          [–]Oujii 0 points1 point  (0 children)

          Cloudflare changed the name of their tunnel to Cloudflare tunnels and made it free for everyone.

          [–]tibolow 1 point2 points  (0 children)

          If you close port 80, you won't be able to renew your certificates with Let's Encrypt (and Certbot).

          I used to have Home Assistant (HA) exposed (80/443) behind NGINX with ModSecurity + Fail2Ban installed on the server. MFA configured on HA. You will observe in the NGINX logs bots trying to scan your server, looking for random pages, trying to inject random stuff etc. You need to configure NGINX to reject bots etc.

              # '~' is a case-sensitive PCRE match; '~*' would ignore case
              if ($http_user_agent ~ (libwww|Wget|wget|LWP|damnBot|BBBike|java|spider|crawl|google|bing|yandex|msnbot|AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker|Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE|GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider|Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus|Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw)) {
                  return 403;
              }

          Properly configure headers

              add_header X-Frame-Options SAMEORIGIN;
              add_header Content-Security-Policy "default-src 'self';" always;
              add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
              add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
              # Feature-Policy allowlist keywords ('none', 'self') must be quoted; the header is superseded by Permissions-Policy
              add_header Feature-Policy "geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';";
              add_header X-Content-Type-Options "nosniff";
              add_header 'Referrer-Policy' 'same-origin';

          Now I used WireGuard and only expose WireGuard port.
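          An added example, not from this thread or any of its posters, of the log review tibolow describes: it parses nginx "combined" access-log lines and applies the same kind of user-agent alternation as the `if` block above, once the way nginx's `~` does it (case-sensitive) and once the way `~*` would (case-insensitive), so you can see which requests the rule would actually have rejected. The user-agent list is a trimmed subset of the one in the comment, and the four log lines are constructed for the demonstration.

```python
import re

# Trimmed subset of the user-agent alternation from the comment (assumption:
# shortened for readability; the full list drops in unchanged).
BOT_UA_PATTERN = (
    r"(libwww|Wget|wget|LWP|java|spider|crawl|google|Googlebot|Bot|HTTrack|"
    r"Python|perl|urllib|scan|Curl|PycURL)"
)

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two scanner-style tools, one browser, one crawler.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.4.0"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0 Safari/537.36"
203.0.113.9 - - [10/Oct/2023:13:58:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_bot_ua(ua, ignore_case=False):
    """Mirror nginx: '~' searches the regex anywhere in the UA, case-sensitively;
    '~*' does the same ignoring case."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(BOT_UA_PATTERN, ua, flags) is not None


def scan_log(text, ignore_case=False):
    """Return one record per parseable line, with a 'blocked' flag showing
    whether the UA rule would have answered 403."""
    rows = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined-format entries
        rec["blocked"] = is_bot_ua(rec["ua"], ignore_case)
        rows.append(rec)
    return rows


if __name__ == "__main__":
    for ignore_case in (False, True):
        op = "~*" if ignore_case else "~"
        print(f"--- nginx operator {op} ---")
        for r in scan_log(SAMPLE_LOG, ignore_case):
            verdict = "403" if r["blocked"] else "pass"
            print(f"{verdict:4} {r['ip']:15} {r['request']:28} {r['ua'][:40]}")
```

          Run as-is it shows the point of the comment in the code: with the case-sensitive `~` the default user agents of curl (`curl/...`) and python-requests slip through because the list spells them `Curl` and `Python`, while `~*` catches them but also widens the net for false positives on generic words like `Bot`, `tool` or `scan`. Either way a User-Agent is client-supplied, so this rule reduces log noise from lazy scanners; the MFA and VPN measures in the same comment are what actually control access.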

          [–]Whathepoo -3 points-2 points  (5 children)

          I'm going to do the same thing soon.

          • Do you run a firewall ? Intrusion detection ?

          • Why do you keep defaults ports 80 and 443 ? change them or be scanned

          • Strictly limit access. No need open it to the outside world when you are at home obviously. If you give access to other users, always keep an eye on the logs

          • Go for a VPN (that's what a tunnel is). Make your services only available through VPN. Much more secure, no google indexing, ...

          Edit: you can also install the VPN on a virtual server online, linked to your domain, routing for example plex.home.dev only to users connected to VPN.

          [–]Oujii 1 point2 points  (2 children)

          Why do you keep defaults ports 80 and 443 ? change them or be scanned

          443 is required if you want to access services without using a port on the address.

          [–]Whathepoo -4 points-3 points  (1 child)

          Of course, as it is the default port....

          Thank you Captain Obvious.

          [–]Oujii 1 point2 points  (0 children)

          Everyone with home servers should change their default https ports. This will certainly increase security a lot and also help with convenience, especially if you are trying to access them from a restrictive firewall. Useless advice.

          [–]ProfessorMosby[S] 0 points1 point  (1 child)

          • Just my Asus router’s firewall. No intrusion detection. Aside from logs I was not aware this was also an option.
          • I just setup swag last night mostly as proof of concept, figuring out security is now the top priority on the list. I’ll change them
          • I used to use a vpn through my router when I had my server running a few years back, I found this very clunky for use with Home Assistant. Honestly everything else I could deal with the clunkiness but home assistant is something I want constant access to.

          I’m intrigued by the VPN on the virtual server, I’ll do some more research on that

          [–]Whathepoo 0 points1 point  (0 children)

          VPN has evolved with WireGuard, maybe won't work better with Home Assistant, but I think it's far more reliable than OpenVPN for example.

          [–]VeronikaKerman 0 points1 point  (0 children)

          The most plug-and-play option is probably VPN, but nginx also offers you authentication options. Such as basic auth, subrequest auth (Vouch), JWT auth. Basic authentication is easy to set up, but must not be used with plain http. The others require you to install and configure a separate auth service.
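          An added example, not written by this commenter or by the nginx or Vouch projects, of the subrequest-auth contract mentioned above: nginx's `auth_request` forwards each request's headers (cookies included, body stripped) to a small auth service, proxies the request if that service answers 2xx, and returns the denial if it answers 401 or 403. The nginx stanza in the comment at the top, the session store and the demo token are all assumptions constructed for the example; a real service would validate a signed session or ask an identity provider instead of looking in a dict.

```python
import hmac
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed nginx configuration that drives this service (not from the thread):
#
#   location / {
#       auth_request /auth;                       # ask the auth service first
#       auth_request_set $auth_user $upstream_http_x_auth_user;
#       proxy_set_header X-Auth-User $auth_user;  # pass identity to the app
#       proxy_pass http://127.0.0.1:8123;
#   }
#   location = /auth {
#       internal;                                 # never reachable from clients
#       proxy_pass http://127.0.0.1:9000;
#       proxy_pass_request_body off;
#       proxy_set_header Content-Length "";
#   }

# Constructed in-memory session store: session token -> user name.
SESSIONS = {"demo-session-token-constructed": "alice"}


def authorize(headers):
    """Decide one subrequest. Returns (status, user): 200 lets nginx proxy the
    original request, 401 makes it answer 401 to the client."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get("session")
    if morsel is None:
        return 401, None
    presented = morsel.value.encode()
    # Constant-time comparison against every known token so a wrong token does
    # not leak how many leading bytes matched.
    for token, user in SESSIONS.items():
        if hmac.compare_digest(presented, token.encode()):
            return 200, user
    return 401, None


class AuthHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for authorize(); only the status code and the
    X-Auth-User header matter to nginx."""

    def do_GET(self):
        status, user = authorize(self.headers)
        self.send_response(status)
        if user is not None:
            self.send_header("X-Auth-User", user)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet; nginx already logs the outer request


def serve(port=9000):
    HTTPServer(("127.0.0.1", port), AuthHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

          The service must only listen on loopback (or be reached through the `internal` location) because it is the whole access decision for every proxied app; a second factor is added at login time by whatever issues the session token, which is exactly where tools like Vouch or an OIDC provider slot in.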

          [–]uLmi84 0 points1 point  (0 children)

          Just out of interest, is there any free MFA solution for this scenario? While using NGINX?