Resources on homelab security?

Check this out https://taggartinstitute.org/p/the-homelab-almanac. (Shoutout once again to @mttaggart@infosec.town .)

The Homelab Show frequently explores the topic of security in a homelab. I’m a big fan of Jay LaCroix, since I learned how to use Proxmox from his fabulous Proxmox course. They touch on security from the broad to the specific, and talk about incidents, as well. You do have to search through it to find the episodes where security is a topic, but they are there.

Honestly start by thinking about what has access to what. From there you can focus on least privilege which will involve firewalls, vlans and isolation

Reading is fine and all, but in my experience of learning about networking and security, I have always learnt the best when I have a need for it.

Let's take the example you posted on your post. Now, we know that HTTPS is important so that nobody has access to the traffic you're forwarding to the Internet. Encryption usually just requires two things: the data (your traffic) and a key to encrypt it.

When you're visiting a website with a valid certificate, it sends its public key and the valid certificate to your browser. Your browser validates that the website you're trying to visit seems OK (not sure about the internals of the process), and encrypts your traffic with the public key of the website.

The website can now decrypt your traffic with its private key. Nobody gets to snoop on your data (but they do get to snoop on your metadata, which I'll come to in a bit). That's how the process works, and I have essentially provided an overview of the TLS handshake in my explanation.

Why did I say that your data isn't exactly secure even though you encrypt it? Well that's because your metadata isn't encrypted yet. It is only recently that the masses are picking up on ECH and ESNI (SNI - server name indicator; this is the DNS record of your request, which means your ISP knows which website you went to, but it doesn't know what you did on said website). With that said, I was talking about the broader Internet, which seems to be out of scope for this discussion.

Let's talk about another use-case of TLS in your homelab, since we're on the subject.

Problem: you want to find the padlock symbol on your browser every time you visit an internal website, but since you're using plain HTTP on your network, your browsers considers it fit to annoy you with a warning that your destination might be a malicious website (it's not, unless you don't know what you're hosting).

Immediate solution: use a reverse-proxy! Most reverse-proxies have integrations with certificate automation software (certbot FTW) which handles TLS on the client side and deals with the warnings (if you have understood the paragraphs that I have written till now, you will understand why this is the case).

Background: Have you heard of reverse-proxies? If not, a bit of reading on Wikipedia should do the trick, but basically, reverse proxies map a subdomain (slight understanding of DNS is required for this since certificates and DNS are tied closely) to a specific IP and port. This is important if you're hosting containers on a single machine since the only way to reach out a specific container is through the combination of IP:Port, but who wants to remember random numbers? Too lazy to do that.

Question: why not just use my DNS server to map subdomains and IPs? This might not be obvious to everyone if you don't know about DNS and its limitations (in this scenario).

Let me know if you're facing issues with anything that I typed here. It's a long, long journey (I've been learning for years now and I still don't get things right), but you'll get there. Just take your time, make sure to not get overwhelmed, and you'll make it.

Cheers

nothing wrong with being self taught, you could follow these basics topics before poking holes in firewall.

1. VLANS: learn how to separate your LAN into networks with different security requirements. For wireless, try to make a "main" and "IoT" network so that IoT network that can't talk to your "main" network but "main" can reach IoT devices. For wired, try to have a Management network, and a "Dirty network" etc.
2. Firewalls and Routing: You will need to be able to route between your VLANS and set firewall rules to allow certain traffic. Best practice is block everything and allow only what you need.
3. NMAP: learn how to do NMAP scans of your network to discover hosts and their open ports/services. This is a similar approach that "hackers" and script kiddies use on the public internet to find vulnerae and open services. Being able to probe your own network is crutial in understanding how others might approach in penetrating it.
4. Wireguard VPN: Learn to access your network remotely by setting up a wireguard VPN. Wireguard is preferred because it is "stealthy" and will not respond to unsolicited attempted to probe your network. Start small by using wireguard to access between VLANs so you don't run the risk of using the internet.
5. NGINX and Reverse Proxy: If necessary, learn to expose your services or blog or website by only exposing nginx and proxying to your services. Many guides on securing NGINX exist. Try not to expose anything, but sometimes necessary if you want others to reach your website/blog/hosting etc.

That's a rough outline that you can use to guide yourself and achieve milestones with hands on experience. In your pursuit you'll run into certificates and domain name hosting and stuff. But all this is on the web so let your curiosity (and paranoia) drive! Have fun!!

I know nothing about networking or security. What has helped me was going to the library and checking out any books they have on networking and security. I don’t actually read the books through, I scan them for terms I’m not familiar with and just read about those. It has helped me a lot more than trying to find it online or ask specific questions on forums. There’s so many books and info, I mean people go to college for this stuff. Even the “for dummy” books are a useful resource.

I use wildcard tls certs and wildcard dns records for my domains. this ensures that no service can be easily accessed unless you have full domain name. For example If you have plex and deluge then you have to set dns records to plex.abc.xyz and dns.abc.xyz. This can be seen by anyone else trying to find vulnerabilities. But if you have wildcard certs/dns, all anyone can see from outside is *.abc.xyz, only the reverse proxy (eg nginx) knows the domain.

Don't forward any ports unless you have to. Don't run any service on 0.0.0.0 unless you have to. Incoming ports on the internet can be super dangerous.

A safe way to do self hosting is with WireGuard, just setup a wireguard container on the server then you can access all the services anywhere when connected from a client without exposing any tcp ports.

For connections why not try traceroute? mtr traceroute

To see things within a packet you can use WireShark.

textbook from a university course on ICT that is considered particularly good?

IMO, text book covers more on theory. Generally text book are outdated when it comes out due to relatively longer time required for preparation and publishing.

For homelab, start with the absolute basics - setup a firewall, and make sure you understand how it works! Map out your network topology, even if it is just your DSL box, router & your PC + printer with a raspberry pi (or 2) for your project.

After you've made absolutely sure that the outside world can only get in where you've let it, then you can focus on having good application-level security; unfortunately this is really case-by-case.

As for resources, I would start with YouTube - you tend to get to focus your learning a bit better and spend less time searching for something relevant (as you mentioned, enterprise tends to be the focus, because they're often the main targets of network related attacks). For more depth, but not crazy detail, try the O'Reilly books or similar on networks & related security topics (there are a few!)