I have a VPS that I secure as much as possible since the IP is public, but does a wireguard-access-only homelab warrant the same efforts? Those with homelabs like this, what do you do?

  • neidu3@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    3 hours ago

    My home servers have generally a lot smaller attack surface, as only a few ports are actually routed to them, so in theoey I could get away with a more relaxed approach. But I’m also a big believer in defense-in-depth, so I follow the same rules of thumb:

    • iptables (or equivalent) that drops anything incoming that isn’t wanted. It also rejects anything going out that isn’t planned for.
    • any public facing service (except ssh) gets its own user
    • disable root login via ssh
    • ssh login with key only on any user in sudoers