Oh no, you!

  • 0 Posts
  • 86 Comments
Joined 2 years ago
cake
Cake day: November 3rd, 2024

help-circle
  • My home servers have generally a lot smaller attack surface, as only a few ports are actually routed to them, so in theoey I could get away with a more relaxed approach. But I’m also a big believer in defense-in-depth, so I follow the same rules of thumb:

    • iptables (or equivalent) that drops anything incoming that isn’t wanted. It also rejects anything going out that isn’t planned for.
    • any public facing service (except ssh) gets its own user
    • disable root login via ssh
    • ssh login with key only on any user in sudoers


  • Well, there’s a footnote on my end: Me taking the drives home is a bit of a grey area, as the procedures say that the drives are to be mechanically destroyed when no longer needed. It doesn’t specify needed by whom. And I do attack them with my angle grinder, so it’s in accordance with company policy.

    And yes, my employer knows and is OK with it. We go through a ridiculous amount of drives due to large storage needs, so pragmatism tends to trump bureaucracy.





  • Depends if you’re hosting something public, or something private.

    For public, a webserver is a simple start. Can be anything you want it to be, but as complexity increases, so does the amount of potential attack vectors, so keep that in mind of you’re considering adding things like WordPress and the like.

    For private, a NAS and/or a simple game server is a simple and useful start.

    As for how, there’s a million ways to do it, and I’m an old stubborn BOFH that still cling to the old ways of doing it (as in, no VMs, no containers), so I’ll defer to others for that.

    While purpose built server hardware is always nice since it comes with some useful additions, the truth is that “any” machine will do. Old discarded PC will do just fine.