I am still very much a novice in the self-hosting space, Linux etc. having fairly recently switched from using macOS as my daily driver and not tinkering much at all.
One of the things that often confuses me is networking and making sure my setup is secure. This is currently holding me back from hosting more stuff locally that I would require access to from outside my home, as I am afraid I am doing something that could severely compromise my data. It can sometimes be difficult to follow explanations from more advanced users due to the many different components of networking and security, and different layers of abstraction, which prevents me from following completely. I might understand one particular case, but then be unable to make connections to another one. So I would want to research this more intensively, and ideally I would end up being able to easily understand the data flows - the paths the data takes (e.g. I make a HTTPS request to some server from my laptop, how is that traffic routed correctly through my local area network and later the wide area network), in what forms (i.e. different protocols, encryption layers etc.).
In communities like this, I see there are a lot of very knowledgeable people who maybe could recommended any resources that cover this from the basics and onto more advanced stuff? Maybe a textbook from a university course on ICT that is considered particularly good? A YouTube channel with great explanations and visualizations? I am looking both at home LAN and internet in general. Enterprise level networks are not very interesting to me (at the moment).
Check this out https://taggartinstitute.org/p/the-homelab-almanac. (Shoutout once again to @mttaggart@infosec.town .)
Nice, the TOC seems promising for several of the things I am looking to learn more about.
The table of contents hints there is only one section relevant to security, Lab Firewall Config.
Anyone have experience with this book that could vouch for other chapters that explore best practices for security?
textbook from a university course on ICT that is considered particularly good?
IMO, text book covers more on theory. Generally text book are outdated when it comes out due to relatively longer time required for preparation and publishing.
But a lot of the underlying technology is unchanged for a long time, right? So to get a deeper grasp of e.g. different protocols and data flows, I imagine it could at least be a good starting point.
The Wikipedia-article on the Internet protocol suite of course provides a lot of information on this, but my issue with learning from Wikipedia is that it provides a long article on one topic with tons of links, but often no natural flow to the next topic. This could lead to reading up on things in the wrong order, making the learning process more difficult that it has to be. A text book on the other hand, if written well, is more a curated set of texts that introduces topics in a logical order, so that a topic is not introduced until the required prerequisites have already been treated.
A YouTube-channel (or perhaps rather a YouTube-playlist) can also provide such a curated set of material, although in my experience these videos can often be a little to superficial to get any proper understanding of the subject. There are of course exceptions.
Your have a point.
In addition to the textbook, check out certificate oriented book like network+ and security+
The Homelab Show frequently explores the topic of security in a homelab. I’m a big fan of Jay LaCroix, since I learned how to use Proxmox from his fabulous Proxmox course. They touch on security from the broad to the specific, and talk about incidents, as well. You do have to search through it to find the episodes where security is a topic, but they are there.
Sweet, thanks for the tip. I also have learned a lot of Linux basics from Jay through LearnLinux TV. Good educator. Did not know about The Homelab Show though, so I will definitely check that out.
nothing wrong with being self taught, you could follow these basics topics before poking holes in firewall.
- VLANS: learn how to separate your LAN into networks with different security requirements. For wireless, try to make a "main" and "IoT" network so that IoT network that can't talk to your "main" network but "main" can reach IoT devices. For wired, try to have a Management network, and a "Dirty network" etc.
- Firewalls and Routing: You will need to be able to route between your VLANS and set firewall rules to allow certain traffic. Best practice is block everything and allow only what you need.
- NMAP: learn how to do NMAP scans of your network to discover hosts and their open ports/services. This is a similar approach that "hackers" and script kiddies use on the public internet to find vulnerae and open services. Being able to probe your own network is crutial in understanding how others might approach in penetrating it.
- Wireguard VPN: Learn to access your network remotely by setting up a wireguard VPN. Wireguard is preferred because it is "stealthy" and will not respond to unsolicited attempted to probe your network. Start small by using wireguard to access between VLANs so you don't run the risk of using the internet.
- NGINX and Reverse Proxy: If necessary, learn to expose your services or blog or website by only exposing nginx and proxying to your services. Many guides on securing NGINX exist. Try not to expose anything, but sometimes necessary if you want others to reach your website/blog/hosting etc.
That's a rough outline that you can use to guide yourself and achieve milestones with hands on experience. In your pursuit you'll run into certificates and domain name hosting and stuff. But all this is on the web so let your curiosity (and paranoia) drive! Have fun!!
I use wildcard tls certs and wildcard dns records for my domains. this ensures that no service can be easily accessed unless you have full domain name. For example If you have plex and deluge then you have to set dns records to plex.abc.xyz and dns.abc.xyz. This can be seen by anyone else trying to find vulnerabilities. But if you have wildcard certs/dns, all anyone can see from outside is *.abc.xyz, only the reverse proxy (eg nginx) knows the domain.
Don't forward any ports unless you have to. Don't run any service on 0.0.0.0 unless you have to. Incoming ports on the internet can be super dangerous.
A safe way to do self hosting is with WireGuard, just setup a wireguard container on the server then you can access all the services anywhere when connected from a client without exposing any tcp ports.
For connections why not try traceroute? mtr traceroute
To see things within a packet you can use WireShark.
