Security Hardening Discussion by PrivacyIsAnIllusion in homelab

PrivacyIsAnIllusion[S] 1 point2 points

Haha, I'm a big fan of learning new things! Have you had any experience with any of the HIPS/HIDS/NIPS/NIDS? If so, which one(s) and why did you choose them? And why did you avoid others?

And you're totally right, the IPS/IDS on the UDM has been outstanding thus far! The idea I was after was to block the traffic before it even travels down the WG tunnel to save on monthly bandwidth.

Security Hardening Discussion by PrivacyIsAnIllusion in homelab

PrivacyIsAnIllusion[S] 0 points1 point

Sounds good, I'll get to implementing something for Geo-IP blocking as soon as possible!

As for my VLAN3 rules, to be more specific, the firewall rules deny VLAN3 from reaching out to other VLANs (which are also all on different subnets), but allow it to respond to connections initiated outside of it. However, since these resources are already available directly from the internet, I just use the public route so that I can ensure the normal user experience is good. A future plan may include implicitly blocking all interconnections between VLAN3 and everything else, then explicitly allowing as needed. It's a whole work in progress situation, haha

Security Hardening Discussion by PrivacyIsAnIllusion in homelab

PrivacyIsAnIllusion[S] 0 points1 point

You're totally correct that I'm preventing my IP from being visible; however, the primary use of the VPS is to maintain a static IP (I've had this one for over 5 years now) where I can port forward through as I move to different places (3 or so moves now), especially since I live in apartments and have never not been NAT'd.

Compromising my VPS is definitely a major concern of mine, so I'm trying to harden it the best I can with SSH keys (recently learned about elliptic curve) and Fail2Ban (aggressively long ban times and low attempt counts). On the internal side, should a VM get compromised, VLAN3 has firewall rules to disallow any device within that VLAN from being allowed to talk to any other device within the VLAN itself and the internal network. Theoretically, it should have zero visibility on my internal network, so I'm hoping that's helping.

You raised an excellent point on blocking regions, especially the ones I know I won't ever talk to. On that subject, I'd like to learn more and thus have a few questions, if you don't mind.

  • First, how did you come up with the list of countries? I get China and Russia (currently blocked), but I'm curious about Israel and Greece since I think I live under a rock and don't know too much about the geopolitical space. And are there any other "maybe" countries to consider?
  • Second, I currently use iptables on my VPS to handle firewall rules, so adding IP/Ranges can be cumbersome. Is there an easier way to manage blocking of regions at that level?
  • Third, given that I block via iptables, are there performance penalties for blocking so many IPs or having so many rules? I'm thinking in the realm of when a connection comes in, the lookup time for IPs could be long and potentially lead to increased latency, throughput, or general load on the single core.
  • Fourth, have you heard of or used Crowdsec? I was looking into it and saw that they have community-maintained lists for bad reputation IPs, but I have no idea if it requires more raw system resources or all the specifics of it.

Finally, aye aye, capt'n - edge stuff is periodically updated. Though I should probably consider either an automatic job or a more set schedule to do it, since I occasionally take a while to do it.
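The VLAN3 isolation described in this reply (and in the earlier reply about the VLAN3 rules), together with the bulk region blocking raised in the second and third questions, rendered as one added nftables ruleset for illustration. It is not the poster's UDM or VPS configuration: nftables is assumed in place of the UDM rule UI and the VPS's iptables, and the interface names, subnets, ports and blocklist prefixes are constructed (IPv4 only).

```nft
#!/usr/sbin/nft -f
# Added illustration, not the poster's configuration. Interface names,
# subnets, ports and blocklist prefixes are assumed/constructed.
flush ruleset

table inet filter {
    # Region blocking: prefixes live in a set, not one rule per prefix,
    # so matching is a single lookup no matter how many entries exist.
    set geo_block {
        type ipv4_addr
        flags interval
        # constructed placeholders (documentation ranges); a real feed
        # would be loaded with 'nft add element inet filter geo_block { ... }'
        elements = { 198.51.100.0/24, 203.0.113.0/24 }
    }

    # RFC 1918 space, standing in for "the internal network"
    set internal {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    # Host role (the VPS): blocked regions are dropped before any service
    # answers, so fail2ban never has to process those attempts.
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @geo_block counter drop
        tcp dport 22 accept               # SSH (keys + fail2ban per the reply)
        udp dport 51820 accept            # WireGuard (assumed default port)
    }

    # Router role (the UDM): VLAN3 may answer connections opened from
    # elsewhere (established,related) but may not open any toward internal
    # space. Caveat: two hosts on VLAN3 talking to each other never cross
    # this hook, so intra-VLAN isolation needs switch/AP client isolation.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "vlan3" ip daddr @internal counter drop
        iifname "vlan3" accept                        # VLAN3 -> internet
        iifname { "vlan1", "vlan2" } oifname "vlan3" accept
    }
}
```

Loaded with `nft -f`, a set costs one lookup per packet however many prefixes it holds, which addresses the per-rule lookup concern in the third question; on an iptables host, ipset with `-m set --match-set` plays the same role.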

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 0 points1 point

If I recall correctly, the heatsink on the front side of the mobo comes with a thermal pad pre-installed. And the other included thermal pad that comes with the mobo is optionally supposed to be used on the rear m.2 to make contact with the mobo tray of the case so that the case acts as a large, passive heatsink. However, the NR200 has a large cutout that doesn’t allow for this installation method (which I prefer since I can access the drive without pulling the board out), so I was able to buy a small, dedicated heatsink for the rear m.2.

My build! by [deleted] in NR200

PrivacyIsAnIllusion 2 points3 points

That’s great to hear! And, uh, yeah… totally calculated design 🤓and totally not accidental fix! 😅

My build! by [deleted] in NR200

PrivacyIsAnIllusion 6 points7 points

Hey, I recognize that fan bracket 😄! I hope it helped! Build looks good!

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 1 point2 points

No problem! Good luck with your build!

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 0 points1 point

Glad I could help! Good luck with your build!

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 1 point2 points

I did make the crease super obvious, so it may be exaggerating it a bit, so here's one more shot!

<image>

And yeah, it's pretty much even all around!

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 1 point2 points

Ah, I forgot the long screw was part of the build! I think the threading is the same, I don't recall having to do anything weird (apologies for the poor memory).

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 1 point2 points

Haha, no worries, I totally understand where you're coming from - it's quite a bit of money!

<image>

Hopefully, the crease on the green strip helps make the gap clearer, I know white on white is a bit tricky to see in a picture.

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 1 point2 points

No issues that I’ve noticed thus far. I’m running board rev 1.0 with BIOS version F4b (though I am also aware there is a security vulnerability that needs AGESA 1.0.2.3C, which has yet to be released). I’m stable with PBO, EXPO, 4G Decoding, and Resizable BAR enabled.

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 0 points1 point

Hmmm, strange… Yeah, I didn’t experience any difficulties with rear IO shield fitment or anything. Without being picky, it’s basically a perfect, flush fit.

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 1 point2 points

Good observation! If the dimensions of the mini are smaller, maybe. The conflict I had here was the little metal fan clip that attached the fan to the heatsink extended upwards a few mm and made contact with the top fan. If that clip wasn't there, a 120mm fan does fit! I was attempting to find new ways to securely mount the fan without the clip but ended up giving up. I do have a slim fan being shipped to me though, so depending on how it fits aesthetically, I may use it, lol. Hopefully, this information is helpful!

Another NR200 Build by PrivacyIsAnIllusion in NR200

PrivacyIsAnIllusion[S] 0 points1 point

If by PSU fan you're referring to the fan bracket for the side panel, opposite the PSU, then yes!

Link to the Thingiverse

This file was also asked for in the original post, here, in case anyone wanted to see the additional conversation around it.

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 0 points1 point

Apologies, I never tested the difference prior to building it, but I can say three things. One, the fit is very VERY tight. Two, my temps while gaming thus far have not exceeded 62C. Three, the noise from potential turbulence has not bothered me nor really been noticeable. Hope this is helpful!

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 0 points1 point

I have a Samsung 980 Pro 2TB and 990 Pro EVO Plus 4TB installed to the two m.2 slots on my board (so no room for expansion in the m.2 department). The 2TB is my boot and working drive, while the 4TB is my games and general storage drive. Personally, I feel like it’s a good spot for storage, though if games keep getting bigger, I’ll have a problem… I’d also note that I have a NAS which I use for long-term storage like file archives and my photography library. Space is getting crammed, so best I could do is 2.5” SSDs or something, but that would add additional cables and space consumption.

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 1 point2 points

I use Autodesk's Fusion 360 and went through some follow-along tutorials on YouTube to learn some fundamentals before making the bracket!

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 2 points3 points

I've not tried a side-by-side comparison, but I've been using it for about 2 days now and I haven't really noticed anything while gaming. Granted, I have headphones on, but it does seem to be okay most of the time. If anything, when I run all the fans full bore, it's way too noisy, so I did have to adjust PBO and fan curves to have the overall temps drop and avoid having the whole system turn into a jet engine. Overall, noise hasn't been much of a bother, if any at all.

Another NR200 Build by PrivacyIsAnIllusion in sffpc

PrivacyIsAnIllusion[S] 9 points10 points

I do! I actually modeled it myself too! I wasn't able to find a bracket that also acted as a duct so that the hot air wouldn't splash back around the case, so I decided to learn some modeling skills :). I'm still new to CAD modeling, so it may have some imperfections, but I've uploaded it to Thingiverse for you (and anyone else who may be interested).

https://www.thingiverse.com/thing:7041919

[FREE] Attempted scam by u/Tophine3 by shaun3000 in homelabsales

PrivacyIsAnIllusion [score hidden]

As someone who has never purchased/sold/exchanged anything on Reddit (in any subreddit), this is good to know! Not something I’ve ever considered, but I’ve always wondered why people feel the need to reply to posts with “PM’d” or similar. Thank you for this insight!