this post was submitted on 23 Nov 2023
6 points (100.0% liked)
Homelab
371 readers
3 users here now
Rules
- Be Civil.
- Post about your homelab, discussion of your homelab, questions you may have, or general discussion about transition your skill from the homelab to the workplace.
- No memes or potato images.
- We love detailed homelab builds, especially network diagrams!
- Report any posts that you feel should be brought to our attention.
- Please no shitposting or blogspam.
- No Referral Linking.
- Keep piracy discussion off of this community
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It all comes down to risk management at the end of the day. And the good old equation threat X asset X vulnerability = risk.
So how sensitive is your data? At the end of the day this is the asset you are protecting. Is it all of your family photos and memories with no backup? Or is it your animated GIF collection from ‘99 before giphy made it absolete. What is the IMPACT if this gets compromised.
In terms of threats what do you worry about? Ransomware, script kiddies, organized crime? And which do you think you can reasonably mitigate against.
It is impossible to predict potential future vulnerabilities in a product. There could be unauthenticated remote code execution vulnerabilities that grant an attacker remote access. Vulnerabilities are reduced with controls so you have some in place. What about patch management, etc? With your controls in place what is the likelihood that the threat you care about could impact you?
Out comes a risk value (low, medium, high).
Do you accept it or not?
For me I have a tiny FreeBSD server running that I’ve hardened (pf firewall, no root login, ssh keys only auth method, ansible playbook to check for an apply updates daily). Its sole purpose in life is to run wireguard. My various devices including NAS are clients that I allow access to the NAS over wireguard. I run PF on the wireguard interface and only allow access to specific services on the NAS. I don’t store anything sensitive on the NAS and I send encrypted backups to backblaze for files I don’t want to lose
In my equation it’s a level of risk I am happy with. And if something bad happens I’m prepared to rebuild everything in my home network from scratch.
Good luck deciding.
Surprised to see this answer so low in the post! I agree; you want to reduce the attack surface and vectors as much as you can to a minimal footprint + security through layers and a good dash of obscurity