From time to time I like to review my network to see where I can tighten up. Review logs, check out the landscape, and make sure there are no gaps. Today, I have some downtime, so I figured it’d be a good for it. Since I am not a certified IT professional, this is what I have cobbled together reading, and seeing what others have done. I’d like to bounce this off you guys who are more experienced than I and get your impressions. If you have any recommendations, I’m always down to be schooled.

So if you’d like to participate in my audit, I have a home network as follows:

  • Modem receiving IP from ISP. Modem to router. Router to stand alone pfsense firewall. Router has a 54 character complex password for WiFi. There are no guest provisions for WiFi.
  • Pfsense firewall with pfblockerng & suricata running on both lan and wan, both with a full array of rules/feeds updated daily. pfsense has tailscale as an overlay vpn. Server traffic and PC traffic have their own VLAN provided by pfsense. My approach is to deny all until something complains and address that on a case by case basis. Additionally ntopng is utilized for traffic analysis. IPv6 is disabled.
  • Server running Tailscale as an overlay VPN, UFW deny all posture, and fail2ban with an aggressive posture. Server has been hardened against Lynis spec where applicable. Not all recommendations apply to my server. Server is utilizing host deny/host allow and SSH keys.
  • Server is utilizing containers for services.
  • Server is using Cloudflare tunnel/zero trust.
  • Server and pfsense communicate via Tailscale encrypted tunnel. PC/Phone/mobile device can communicate with pfsense via Tailscale.
  • Server services are accessed via https.
  • PC connected to pfsense firewall with same rules as server. PC is using a VPN with Cloudflare 1.1.1.1/1.0.0.1 for DNS queries. Firefox is using 1.1.1.1/1.0.0.1. Settings for Firefox are the strictest for Enhanced Tracking Protection, and DOH. HTTPS-Only mode enabled. PC is also running a soft firewall.
  • All other devices such as phones, laptops, and tablets run a VPN with Cloudflare 1.1.1.1/1.0.0.1 for DNS queries.
  • IoT devices are isolated. Phones are isolated. Smart TVs are isolated.

How secure would you say this network is and give any recommendations to further harden the network besides keeping up with current updates, monitoring and auditing logs.

Thanks

  • irmadlad@lemmy.worldOPEnglish
    1·
    5 hours ago

    That should help clarify a lot of what you’ll see in traffic on your segment.

    Thank you for the links and guidance. I will definitely read those. Yeah I do see a lot of things like:

    • SURICATA STREAM FIN2 FIN with wrong seq (this is from local chatter)
    • ET INFO DNS Query for Suspicious .ml Domain (must check out this suspicious domain /s)
    • ET INFO Observed DNS Query to .world TLD (same as above)
    • SURICATA STREAM Packet with invalid timestamp (local chatter - common triggered event from what I understand)
    • SURICATA STREAM FIN invalid ack (known domain speedtest)

    So, since I am working within the framework of my own personal shortcomings and have to know, I research them to find out why they get triggered. That way I don’t freak out over them A lot of them are benign and due to normal occurrences between server and user.