How does one audit a home network reasonably?
-
How does one audit a home network reasonably? Thinking of setting up some self hosted stuff that may involve internet ingress.
I can DMZ a machine, but it's an i-dont-know-what-i-dont-know situation. Are firewall rules enough? How much should I actually be worrying about someone getting access to my local network segments?
#infosec #cybersecurity #diy #selfhosting -
@adangerbartels
You can also consider reverse proxy solutions like Cloudflare Tunnels or ngrok and the like. -
@adangerbartels I used to have all my machines on static addresses and only firewalled on the machines themselves.
The worst that happened was I stupidly installed Windows 2000 and didn't install SP4 quickly enough, and it became a spam relay for a few hours.

Nowadays my router is an old server running OPNsense, which has some firewall rules, and everything else is on a DMZ with 1:1 static NATs (annoyingly - my ISP won't give me a proper subnet).
Because most of my servers run web servers, I run a script that searches the logs for obvious script-kiddie type stuff (e.g. requests for "../../" or "/admin" when I don't have an admin page, etc.).
The unique addresses get stored in a text file which is web-accessible, and then OPNsense picks up these files from each web server every few minutes and adds them to a block list, so all my devices are protected.
Atm, most of my servers have picked up a few hundred IPs, but right now, my Mastodon server has flagged 24k, erk!! I'd better check that out now.
I also download the @stratosphere blocklists daily, and I have manually blocked some IPs (like Meta's IPv4 and IPv6 scanners).
So far so good, I have been doing this for over 3 years, and I have been fine.
I used to expose SSH to the internet, but not any more - I just use WireGuard (which is built into OPNsense) first before I connect to any admin interfaces using the internal addresses.
If you wanted to try doing a security scan, you could try this: https://openvas.org/
I've not used it for a while, but it was good, and the free version was enough for me to check for "low-hanging fruit".
I hope that helps. Feel free to ask me questions.
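
The log-scanning approach described in the reply above, as an added example (not the poster's actual script): it reads access-log lines, flags clients requesting "../" traversal paths or pages the server does not have, and returns the unique addresses for a block list. The log format (common/combined), the extra probe path, the allowlisted ranges and the sample lines are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Common/combined log format: client address, ident, user, [time], "METHOD path proto"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)[^"]*"')

# "/admin" is from the post; "/wp-login.php" is an assumed extra for a site without WordPress.
PROBE_PREFIXES = ("/admin", "/wp-login.php")

# Assumption: local ranges that must never end up on the block list.
ALLOW = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /../../config.php HTTP/1.1" 400 150
198.51.100.23 - - [12/Mar/2025:10:01:05 +0000] "GET /admin/login.php HTTP/1.1" 404 0
198.51.100.23 - - [12/Mar/2025:10:01:06 +0000] "POST /admin HTTP/1.1" 404 0
192.0.2.10 - - [12/Mar/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120
2001:db8::5 - - [12/Mar/2025:10:03:00 +0000] "GET /static/%2e%2e%2f%2e%2e%2fsecret HTTP/1.1" 404 0
192.168.1.20 - - [12/Mar/2025:10:04:00 +0000] "GET /admin HTTP/1.1" 404 0
not a log line at all
""".splitlines()

def is_probe(raw_path):
    # Decode twice so %2e%2e%2f and double-encoded %252e%252e%252f are caught as well.
    path = unquote(unquote(raw_path)).lower()
    if "../" in path or "..\\" in path:
        return True
    return path.split("?", 1)[0].startswith(PROBE_PREFIXES)

def build_blocklist(lines):
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # client field is a hostname or garbage, not an address
        if any(ip in net for net in ALLOW):
            continue  # never block our own networks
        if is_probe(m.group(2)):
            flagged.add(ip)
    # Unique addresses, IPv4 before IPv6, numerically sorted for stable diffs.
    return [str(ip) for ip in sorted(flagged, key=lambda a: (a.version, int(a)))]

if __name__ == "__main__":
    print("\n".join(build_blocklist(SAMPLE_LOG)))
```

Because a list like this feeds the firewall automatically, the allowlist matters: without it, one mistyped URL from a LAN or WireGuard client would block that client on every device.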
