• 0 Posts
  • 13 Comments
Joined 3 years ago
cake
Cake day: June 18th, 2023

help-circle








  • I wonder what you are securing against?

    OK, you’re familiar with vulnerability scanners and port scanners right?

    The threat model here isn’t really attackers specifically targeting your home network for any particular reason (unless you’re a LastPass engineer working remotely while running an exposed Plex server). They’re not looking for you, they’re looking for anything useful.

    The threat model is attackers using scanning tools to discover vulnerable systems connected to the Internet. All they need from you is an active connection and a system that can store data, from which they can host malware files for distribution to other targets or conduct attacks or just run a cryptominer (if you’re lucky and they’re not very ambitious). They can find this by scanning for open ports and then running a vulernability scanner to figure out if there’s some exposed hardware that can be exploited.

    An unsecured system is a hazard that could land you in jail when someone else starts using your device and network connection to commit crimes.

    Now, as long as you’re behind a standard residential network service, and your ISP is in control of your gateway device, you’re relatively safe from this. Most ISPs will block any traffic like that very strictly. If your ISP is in control of your gateway device then they’re responsible for its behavior (demarcation matters).

    But, most self-hosters run into limitations with their ISP blocking a lot of ports by default, because they want to access their personal server from outside their home, and so they take control by running their own gateway device or paying for a business connection which gives them complete control over which ports are open. This is where the risk comes in. You are assuming the responsibility for properly securing your connection to the public Internet, taking it off your ISP’s hands.

    If you’re going to do this, you should know exactly which ports you have open to the outside and why, and a general idea of what traffic you expect to see on them when and how much. Monitor that traffic at your firewall. Every other port should be closed and your firewall (on your router, gateway device, or better yet a dedicated OPNSense firewall) should be configured to drop packets received by closed ports (“stealth” mode). You don’t want it to respond that those ports are blocked, you want it to appear to not be there at all.

    Every other security implementation is a secondary concern for a home network. Yes you should patch your software regularly and you should practice deny-by-default and least-privilege as a matter of course, but you’re going to mitigate 90% of your risk by just not accepting incoming connections for anything you don’t need. Most vulnerable systems are discovered by automated scanning, so the less your system responds to external connections the better. If you’re going to worry about configuring, securing and patching one device, make it that front line firewall. And be very selective about which internally hosted services you expose externally.



  • Moving to another country is complicated and difficult even under normal, stable circumstances. Doing it successfully (not ending up broke and homeless with no support) requires a lot of planning and money, or else a lot of help from someone else.

    Even if the other country is willing to let you immigrate, and you have good prospects for a regular income and a stable living situation, you have to leave friends and family behind. That means leaving your support system. If you have children that’s going to be very difficult. If you have aging parents that you support, or other family with medical issues, it may be impossible.

    Really, the only people who think picking up and moving to another country is something you can just do are young, single, above the poverty line, and have no dependents.



  • The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn’t work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you’re going to have to pay for a professional service.

    That said, there are other, simpler (and probably more effective) options for hardening your systems:

    • Firewall - if your servers are dedicated to specific services and you don’t plan on adding many more applications, you should be able to tighten up their firewalls to have only the ports they need open and nothing else. If network security is a priority, you should start with this.
    • Application Whitelisting - prevent unrecognized applications from running. There are more options for this on Windows (including the builtin Applocker), but there are some AWL options for Linux. It’s a lot easier to recognize the things that you do want to run than all of the things that you don’t want to run.
    • Secure OS - I assume you’re using Debian because it’s familiar, but it is a general-purpose OS with a broad scope. Consider switching to a more stripped-down variant like Alpine Linux (it can be installed on a Pi).