Attack on my Home Server

Update (06/12/2024):

A special thanks to @rsaeon for his suggestion and for helping me via DM. He understood my requirements and guided me in the right direction.

I'm currently using Tailscale VPN, and after almost a month of usage, I can confirm it fully meets my needs. I've disabled the web port (port 80) and implemented a firewall to monitor incoming connections effectively.
 
> Update (06/12/2024):
>
> A special thanks to @rsaeon for his suggestion and for helping me via DM. He understood my requirements and guided me in the right direction.
>
> I'm currently using Tailscale VPN, and after almost a month of usage, I can confirm it fully meets my needs. I've disabled the web port (port 80) and implemented a firewall to monitor incoming connections effectively.
Which firewall?
 
Windows Firewall. Configured to block most things and allow only those which I need.

If you're on a Windows PC, you can navigate to Control Panel\System and Security\Windows Defender Firewall\Allowed applications and you'll be surprised to see how many apps on your PC have added exclusions to your firewall.
 
If you have time, consider trying CrowdSec. It functions similarly to fail2ban but offers a more up-to-date database of attack vectors and source IPs. I have it running on my firewall (OPNsense) and the parsers on my home lab servers.
 
> Windows Firewall. Configured to block most things and allow only those which I need.
>
> If you're on a Windows PC, you can navigate to Control Panel\System and Security\Windows Defender Firewall\Allowed applications and you'll be surprised to see how many apps on your PC have added exclusions to your firewall.

Most apps add exclusions to work. You should manage the network at the gateway level, not at the machine level.

> If you have time, consider trying CrowdSec. It functions similarly to fail2ban but offers a more up-to-date database of attack vectors and source IPs. I have it running on my firewall (OPNsense) and the parsers on my home lab servers.

Yes, this is the way: a reverse proxy with CrowdSec as middleware.
 
Hello @rsaeon ,
Would it be possible to share your recommendations or any references?
On another note, I am currently exploring Tailscale, which seems to be working for me, but I still need to set up a firewall on the local services to monitor for any access attempts.
I had explored ufw and fail2ban a long time back but found them a little cumbersome to maintain.

Does anyone have a recommendation for replicating the setup across systems? I have multiple systems, but manually configuring each of them is time-consuming.
I am mostly working on Ubuntu/Debian systems.
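The local firewall and monitoring the post above asks about, as an added example that no participant in the thread posted: a small POSIX shell script for Ubuntu/Debian hosts that prints (and, with `apply`, runs) a ufw default-deny policy admitting SSH and the web UI only on the Tailscale interface, and that summarises the resulting `[UFW BLOCK]` kernel log lines per source address so attempts can be reviewed without fail2ban. The interface name `tailscale0` (Tailscale's default), the port list and the sample log lines (RFC 5737 documentation addresses) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: ufw default-deny limited to the Tailscale interface, plus a
# per-source summary of blocked attempts from the kernel log.
# Assumptions: ufw installed, Tailscale interface named tailscale0,
# log lines in ufw's standard "[UFW BLOCK]" format.
set -eu

# Print the ufw commands instead of running them, so the policy can be
# reviewed (and tested) before it is applied to each host.
ufw_policy() {
    cat <<'EOF'
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw logging medium
ufw allow in on tailscale0 to any port 22 proto tcp comment 'ssh over tailscale only'
ufw allow in on tailscale0 to any port 443 proto tcp comment 'web ui over tailscale only'
ufw --force enable
EOF
}

# Apply the policy line by line. Needs root; only runs when invoked with "apply".
apply_policy() {
    ufw_policy | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Summarise "[UFW BLOCK]" lines from stdin as "count src ports",
# one row per source address, busiest source first.
summarize_blocks() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            count[src]++
            # keep each destination port once per source
            if (index("," ports[src], "," dpt ",") == 0) ports[src] = ports[src] dpt ","
        }
        END {
            for (s in count)
                printf "%d %s %s\n", count[s], s, substr(ports[s], 1, length(ports[s]) - 1)
        }
    ' | sort -rn -k1,1
}

# Constructed sample log (documentation addresses), not a real capture.
sample_log() {
    cat <<'EOF'
Dec 10 12:06:43 nas kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 10 12:06:44 nas kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 10 12:06:45 nas kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=44323 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 10 12:07:01 nas kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=50000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 10 12:07:02 nas kernel: [UFW ALLOW] IN=tailscale0 OUT= SRC=100.101.102.103 DST=100.64.0.1 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
EOF
}

# usage: sh harden.sh apply            (on each host, as root)
#        sh harden.sh report < /var/log/kern.log
#        sh harden.sh demo             (runs the summary over the sample above)
case "${1:-}" in
    apply)  apply_policy ;;
    report) summarize_blocks ;;
    demo)   sample_log | summarize_blocks ;;
    *)      : ;;
esac
```

Because the policy is plain commands in a file, replicating it is a loop: `for h in nas media pi; do ssh root@$h 'sh -s apply' < harden.sh; done` (host names assumed). Run it from a Tailscale-connected session, since the first `ufw --force reset` briefly drops the rules and the final policy only admits SSH on `tailscale0`.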
 
> If you have time, consider trying CrowdSec. It functions similarly to fail2ban but offers a more up-to-date database of attack vectors and source IPs. I have it running on my firewall (OPNsense) and the parsers on my home lab servers.

Will this work with a CG-NAT ISP and a proxy host?
I don't have a public IP address from my ISP, so I use a VM from a cloud provider and proxy my connection through it.
 
> Will this work with a CG-NAT ISP and a proxy host?
> I don't have a public IP address from my ISP, so I use a VM from a cloud provider and proxy my connection through it.

If you use Tailscale and these services are only for you/immediate family, the easiest option is to disconnect the reverse proxy and use Tailscale directly, i.e. use Tailscale as a VPN between your phone (client) and homelab server. This way you can avoid all attack attempts (provided Tailscale is safe), because CG-NAT itself is a firewall of sorts, preventing all sorts of direct attacks; further, there is no port forwarding at the router level to open up a new attack vector.

If the reverse proxy is an absolute necessity, I would prefer you set the firewall at the reverse proxy stage (i.e. the cloud VM).

For example, most Oracle VMs use iptables by default, where they restrict everything and you need to open specific ports.
 
Privacy, security and safety concerns have always negated the usefulness of having a public ip for a home connection. Especially in India's political climate. Any controversial tweet or facebook post from your home connection would have local authorities knocking at your door asking you to take down your post/tweet.

For example, under the previous state government, citizens would tweet at the power discom to notify them of an outage and it would be resolved that way. No calling or visiting the local office was necessary. But after a new government was formed, whoever was put in charge sent electrical workers to the homes of whoever tweeted to scold them about making issues public and told them to visit the local office instead. They had your address even if you did not share your connection details.

CG-NAT is often looked down upon as a cost-cutting measure by the ISP but it is a form of privacy-through-obscurity that I consider absolutely necessary. I have multiple connections, and they're power cycled randomly twice a day, so as to mimic real-world power outages or disconnects. Each time I'm assigned a different public IP.

With Tailscale and WireGuard, CG-NAT becomes a non-issue. You don't need to open or forward any ports and can have a very strict firewall put in place:

[Screenshot (2024-12-10): Winbox view of the firewall rule described below]

That's ~35 million packets dropped on attempts that tried to access my router from the WAN interface, an average of ~300,000 per day.

The interface is Winbox, a utility to manage MikroTik routers. All of their routers use the same app and differ only in hardware features (ports, compute power).

This firewall rule drops any new connections that do not originate from the LAN, existing connections to the internet that were initiated from the LAN will work as normal.

@AmeyaVS the essence was that tailscale is incredibly easy to implement and will suffice for most, if not all, cases where you need to access something on your home network, when you're not on your network. Then, as you learn by implementing and experimenting, you can look into virtualized firewalls/routers to get access to other devices like NVRs.

If you absolutely need a Public IP on a home connection, then it would be wise to have it on a separate connection specifically for that purpose, and not use it for personal browsing (messaging, social media).
 
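As an added example that is not from any participant: an iptables-restore ruleset for the public-facing cloud VM badwhitevision describes above (the post notes that Oracle VMs ship with a restrictive iptables default), which also expresses rsaeon's router rule in Linux terms: new connections arriving on the public interface are dropped unless explicitly listed, while established and related traffic initiated from inside continues to flow. Only HTTPS for the reverse proxy is admitted publicly (port 80 is deliberately absent, matching the original poster's decision to close it); SSH is accepted only when it arrives over the Tailscale interface. The interface names `eth0` and `tailscale0`, the proxy port 443, Tailscale's default WireGuard UDP port 41641, and the `/etc/iptables/rules.v4` persistence path are assumptions; the ruleset is IPv4 only and ip6tables would need the same treatment.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a cloud VM that fronts a
# home server over Tailscale. Assumptions: public interface eth0, Tailscale
# interface tailscale0, reverse proxy listening on TCP/443 only, IPv4 only.
set -eu

PUB_IF="${PUB_IF:-eth0}"
TS_IF="${TS_IF:-tailscale0}"
PROXY_PORT="${PROXY_PORT:-443}"

# Emit the ruleset in iptables-restore format so it can be reviewed, diffed
# and tested before it touches the kernel.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $TS_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $PUB_IF -p tcp --dport $PROXY_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $PUB_IF -p udp --dport 41641 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -i $PUB_IF -m conntrack --ctstate NEW -m limit --limit 10/minute -j LOG --log-prefix "DROP-WAN-NEW " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}
# Rule notes: UDP 41641 is Tailscale's default WireGuard port; opening it lets
# peers connect directly instead of relaying, and Tailscale still works if it
# is closed. The LOG rule is rate-limited so a scan cannot fill the journal.

# List the TCP ports accepted on the public interface (should be the proxy only).
public_tcp_ports() {
    gen_rules | awk -v ifc="$PUB_IF" '
        index($0, "-i " ifc " -p tcp") && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Refuse to apply a ruleset that would expose SSH on the public interface.
check_rules() {
    if gen_rules | grep -q -- "-i $PUB_IF -p tcp --dport 22 "; then
        echo "refusing to apply: SSH would be reachable on $PUB_IF" >&2
        return 1
    fi
    return 0
}

# Load atomically (iptables-restore swaps the whole table) and persist where
# the image uses netfilter-persistent. Root required.
apply_rules() {
    gen_rules | iptables-restore
    if [ -d /etc/iptables ]; then
        gen_rules > /etc/iptables/rules.v4
    fi
}

# usage: sh vm-firewall.sh print   |   sudo sh vm-firewall.sh apply
case "${1:-}" in
    print) gen_rules ;;
    apply) check_rules && apply_rules ;;
    *)     : ;;
esac
```

Because SSH is admitted only on `tailscale0`, run `print` first and keep a second Tailscale SSH session (or the provider's serial console) open when applying, so a typo in the interface name cannot lock you out.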
Thank you @badwhitevision and @rsaeon for your valuable input.
Sorry for the delayed response; I am having issues with my Internet connection.
I will continue using Tailscale for the time being and will probably explore public services when the need arises.