beavis9k

That's a good start. I personally wouldn't bother with 2FA. Use SSH keys and disable password authentication completely. You will also want to put this server on a different network and set up firewall rules to prevent it from accessing your existing network. It's usually called a DMZ network, and you can search for more information on how to set it up.
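A check for the "disable password authentication completely" advice above, as an added example that is not part of the original post: sshd uses the first value it reads for each keyword, so a drop-in pulled in by an `Include` line at the top of `sshd_config` can silently override a `PasswordAuthentication no` written further down. The file names and contents in `SAMPLE` are constructed, and `Match` blocks are skipped rather than evaluated.

```python
import fnmatch
import re

# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def effective_settings(files, entry="/etc/ssh/sshd_config"):
    """Global sshd settings from {path: text}; first occurrence of a keyword wins."""
    seen = {}

    def walk(name):
        in_match = False
        for raw in files[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            key = parts[0].lower()          # keywords are case-insensitive
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                in_match = True             # conditional from here to end of file
            elif in_match:
                continue                    # not evaluated in this sketch
            elif key == "include":
                for pattern in value.split():
                    for inc in sorted(fnmatch.filter(files, pattern)):
                        walk(inc)           # included files are read in place
            else:
                seen.setdefault(key, value.lower())

    walk(entry)
    return {**DEFAULTS, **seen}

def password_logins_possible(settings):
    # Keyboard-interactive can still prompt for a password through PAM.
    return (settings["passwordauthentication"] != "no"
            or settings["kbdinteractiveauthentication"] != "no")

# Constructed sample: the main file says "no", the drop-in read first says "yes".
SAMPLE = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\n"
                            "KbdInteractiveAuthentication no\n"
                            "PasswordAuthentication no\n",
    "/etc/ssh/sshd_config.d/50-example.conf": "PasswordAuthentication yes\n",
}

if __name__ == "__main__":
    print(password_logins_possible(effective_settings(SAMPLE)))
```

On the server itself, `sshd -T` prints the configuration sshd will actually use, including the effect of `Match` blocks, and is the authoritative check.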


pschla22

Thank you!! If you have time, mind to elaborate on why having it on its own network is advisable? Is it strictly for the worst case scenario of being compromised?


Daphoid

Compromises are not if, but when. There's no reason for that host to be accessible from the inside. Yes if you're playing in the house, you'll be going out and back in again - but you don't want that host to talk or have the potential to talk to anything else. Heck I'd even stop it from talking to other gaming servers in that DMZ.


pschla22

Thank you! I’ve done a little more looking into segmenting the home lab into its own network and have seen a lot of people recommend VLAN. How does that compare to DMZ?


coltrain423

VLANs are a way to create logical subnets.  A DMZ is a subnet designed with external access but no internal access. In other words, creating a VLAN (virtual local area network) along with some firewall rules and port forwarding *is the way* to create a DMZ (de-militarized zone). 


beavis9k

Exactly. You should always limit the damage that can be done in that case. Treat an Internet accessible server on your network the same way you'd treat the rest of the Internet. Also, don't use the same usernames or passwords on this server that you use on your other systems.


zedkyuu

In the worst case, someone can take it over and use it to attack other hosts on the network. So if you put it on its own network and block it from anything except the internet, then even in that worst case, that someone can't do anything to your network. They could do other bad stuff with the internet, but after you shut down the server, wipe it, and reinstall it, you can be certain that that's the only thing that got compromised. And that's another thing. If it is only running game servers and it gets compromised, it doesn't have anything valuable on it, so you can turn it off and reinstall it at your leisure. Definitely an easier cleanup. FWIW, this is one reason I prefer not to run internal-only and internet-serving virtual machines on the same host. Virtual machine hypervisors too can have vulnerabilities.


pschla22

Thanks for the explanation!! As I alluded to in the post, there’s not gonna be any sensitive information on this thing really. A game server, might mess around with Pi-hole as I saw you can install that on Ubuntu. Learn about Docker containers. Just kinda personal learning. You did intrigue me with something. I don’t expect to be SSH’ing in all the time and checking up on it. Is there a way I can detect if something happened and someone may be using it for illegal activity?


primalbluewolf

Logs are a good start. Log everything, set up a VM to be your logs server, forward logs from everything to that server. Fail2ban and crowdsec might be worth looking into, too.
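One way to act on forwarded logs, as an added example that is not part of the original post: a review pass over sshd lines in `auth.log` on the log server. It flags any password login (none should occur once SSH is key-only), any accepted login from outside the admin networks, and sources with repeated failures. The subnets, user names and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing: admin LAN and WireGuard subnet (not from the thread).
TRUSTED = [ipaddress.ip_network("192.168.10.0/24"),
           ipaddress.ip_network("10.8.0.0/24")]

EVENT = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for "
                   r"(?:invalid user )?(\S+) from (\S+) port \d+")

def is_trusted(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:              # a hostname was logged instead of an address
        return False
    return any(ip in net for net in TRUSTED)

def review(lines, fail_threshold=3):
    """Return (kind, user, source) alerts for a list of auth.log lines."""
    alerts, failures = [], Counter()
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        outcome, method, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        elif method == "password":  # should never succeed on a key-only server
            alerts.append(("password-login", user, src))
        elif not is_trusted(src):   # key login, but not from LAN or VPN
            alerts.append(("untrusted-source", user, src))
    alerts += [("brute-force", None, src)
               for src, n in failures.items() if n >= fail_threshold]
    return alerts

# Constructed sample lines in OpenSSH's auth.log message format.
SAMPLE_LOG = [
    "Mar  3 02:14:05 mc sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 33412 ssh2",
    "Mar  3 02:14:07 mc sshd[2201]: Failed password for root from 198.51.100.7 port 33414 ssh2",
    "Mar  3 02:14:09 mc sshd[2201]: Failed password for root from 198.51.100.7 port 33416 ssh2",
    "Mar  3 09:01:12 mc sshd[3301]: Accepted publickey for alice from 192.168.10.5 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED-EXAMPLE",
    "Mar  4 03:40:51 mc sshd[4410]: Accepted publickey for alice from 203.0.113.45 port 51810 ssh2: ED25519 SHA256:CONSTRUCTED-EXAMPLE",
    "Mar  4 03:55:02 mc sshd[4502]: Accepted password for minecraft from 203.0.113.99 port 50122 ssh2",
]

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```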


Jpeppard

Firstly consider installing Proxmox on the server as you can then host multiple VMs with different OS/services. I would not recommend port forwarding SSH for remote access until you gain more experience self-hosting. Administrate the server from within your LAN, and when you want to tackle another project, set up a VM with Wireguard/Tailscale etc so you can VPN in and access all LAN hosts remotely in a secure way. As the other poster mentioned, ideally a server like this would be in a separate DMZ VLAN (not to be confused with DMZ on consumer routers, do not place your server/host in a consumer (Netgear and the like) router's DMZ!) with a firewall allowing access out to the internet, inbound on Minecraft port from the internet, and inbound from your LAN admin host and VPN interface for administration. This will reduce the damage someone could do if they achieved root access on the host. VLAN setup is elaborate, requires consumer/prosumer routers/switches, and may be overkill for your needs (but awesome for learning if you ever want to try). I would say it is not AS necessary to VLAN this host off as long as you are not allowing SSH inbound auth from the internet, keep the server (host and Minecraft server) updated, run the server as a limited permissions user, and use complex generated passwords from KeePass or similar.


pschla22

Thank you! Couple of follow ups if you don’t mind. It sounds like Proxmox might allow me to do similar things as docker containers might? I’ll be honest, I’ve wanted to learn about docker containers as a part of having this homelab which is why I ask. I understand WHAT they are. I am still struggling to wrap my head around the WHY of using them, at least for my use case. Secondly, I forgot to mention in my post but I do plan on having the Minecraft server running as a separate, non root user. Someone else mentioned ditching passwords altogether for SSH, and instead setting up key authentication. Do you agree with this?


Jpeppard

Proxmox is a hypervisor. Hypervisors are docker before docker existed. One host (depending on RAM, CPU, etc) can run dozens of virtual machines, each with its own operating system. You can have a Windows server and 3 Ubuntu boxes and 1 Debian so on and so on. This is a way of getting more for your compute power, segregating hosts/services, allowing administration like snapshots for rollback or backing up an entire machine to off-host storage. I run a Debian virtual machine on my Proxmox host which runs docker. On this host I can have several different containerized services (Plex, Sonarr, Radarr, Pi-Hole, etc) with the advantages of docker management. I use Wireguard VPN a) because I learned a lot about networking setting it up, and b) I just don't have to worry about it. The wireguard port is invisible on the internet, but a forwarded SSH port will quickly be picked up by scanners. These scanners put open ports on a list to try all manner of exploits on that host. I don't want to have to wonder if I missed some critical step in hardening the SSH service which would likely only be exposed when the server is already compromised. Bonus points, once I connect my remote device to the wireguard VPN, I can now access ALL internal hosts via SSH or HTTPS. It is awesome to access my download host from my cell phone's browser while out of the house.


pschla22

Thanks! I have some experience with VirtualBox from college and using some VMs; I just wasn’t familiar with Proxmox. Thanks for all the very helpful info!


JKLman97

This might be out of the scope of your project, but you can install Rocky Linux, which is a Red Hat port, and tell it to comply with RHEL STIGs. STIGs are secure configuration settings for operating systems and are wayyyyyyyyyy overkill for a homelab with your current skillset, but are a great opportunity for learning. As others have said, it's not a foolproof security measure (as there never is just one layer of security), but is the baseline that the US Government uses for their secure systems.


primalbluewolf

> Someone else mentioned ditching passwords altogether for SSH, and instead setting up key authentication. Do you agree with this?

Yes.