One thing I enjoy about running a home server is that there are so many levels of “hygiene.” These levels range from “running everything as root with no SSH hardening and asking to get hacked” to “locked down with 97% of the security measures of a large tech company” and everything in between. Here are a few levels I have traversed:

  • Dedicated users for each service (or a dedicated kubernetes user if you go that route)
  • SSH and firewall hardening: forbidding password-based authentication, allowing connections only from specific IP addresses or interfaces, forcing the use of modern cryptographic algorithms and key-exchange mechanisms, and even forcing all outbound traffic through a proxy that enforces rules/standards.
  • BACKUPS. Regular and tested.
  • Locked down file permissions with group membership or ACLs mediating much of the access control.
  • Quarterly security audits of installed packages, registered users, permissions, etc.
  • (rootless) containerization with limited and deliberately mounted directories/files from the host to limit the blast radius of compromised services
  • Auditable and reproducible infrastructure as code (how long would it take you to reconfigure your server from a fresh OS install?)
  • TLS/SSL to prevent (or practice preventing) man-in-the-middle attacks on web services.
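As an added example (not code from the original post), here is a small shell audit of an sshd_config against the SSH-hardening items in the list above: password authentication off, root login off, public-key authentication on, logins restricted to named users or groups, a pinned listen address, and pinned key-exchange and cipher lists with no SHA-1 groups or CBC modes. It assumes OpenSSH's directive names in the whitespace-separated “Keyword value” form; the two sample configs it writes are constructed for the demo, and the address and group name in the hardened sample are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config
# against the SSH-hardening items listed above. Directive names are
# OpenSSH's (whitespace-separated "Keyword value" form assumed); the two
# sample configs written below are constructed for this demo.

# get_directive FILE KEYWORD -> effective value, lower-cased, or "" if unset.
# OpenSSH honours the FIRST occurrence of a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes";
# head -n 1 mirrors that. Commented-out lines never match.
get_directive() {
    grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" \
        | head -n 1 \
        | awk '{print $2}' \
        | tr 'A-Z' 'a-z'
}

# audit_sshd_config FILE -> prints one line per check, returns 0 only if every
# check passes. Values must be pinned explicitly; relying on compiled-in
# defaults is counted as a finding.
audit_sshd_config() {
    cfg=$1
    failures=0

    for pair in "PasswordAuthentication:no" "PermitRootLogin:no" \
                "PubkeyAuthentication:yes"; do
        key=${pair%%:*}
        want=${pair#*:}
        have=$(get_directive "$cfg" "$key")
        if [ "$have" = "$want" ]; then
            echo "ok   $key $want"
        else
            echo "FAIL $key is '${have:-unset}', expected '$want'"
            failures=$((failures + 1))
        fi
    done

    # Only named users/groups should get a login prompt at all.
    if [ -z "$(get_directive "$cfg" AllowUsers)$(get_directive "$cfg" AllowGroups)" ]; then
        echo "FAIL neither AllowUsers nor AllowGroups is set"
        failures=$((failures + 1))
    else
        echo "ok   login restricted to AllowUsers/AllowGroups"
    fi

    # Listen on a specific interface/address, not on every interface.
    case "$(get_directive "$cfg" ListenAddress)" in
        ""|0.0.0.0|0.0.0.0:*|"::")
            echo "FAIL ListenAddress is unset or a wildcard"
            failures=$((failures + 1)) ;;
        *)  echo "ok   ListenAddress pinned" ;;
    esac

    # Modern algorithms only: KEX pinned and free of SHA-1 groups,
    # ciphers pinned and free of CBC modes.
    kex=$(get_directive "$cfg" KexAlgorithms)
    case "$kex" in
        "")     echo "FAIL KexAlgorithms not pinned";         failures=$((failures + 1)) ;;
        *sha1*) echo "FAIL KexAlgorithms allows SHA-1: $kex"; failures=$((failures + 1)) ;;
        *)      echo "ok   KexAlgorithms $kex" ;;
    esac
    ciphers=$(get_directive "$cfg" Ciphers)
    case "$ciphers" in
        "")    echo "FAIL Ciphers not pinned";           failures=$((failures + 1)) ;;
        *cbc*) echo "FAIL Ciphers allows CBC: $ciphers"; failures=$((failures + 1)) ;;
        *)     echo "ok   Ciphers $ciphers" ;;
    esac

    echo "$failures finding(s) in $cfg"
    [ "$failures" -eq 0 ]
}

# Constructed sample: what a fresh install often looks like.
write_permissive_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    echo "$f"
}

# Constructed sample: the same host after hardening (address and group name
# are placeholders).
write_hardened_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
ListenAddress 192.168.1.10
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
EOF
    echo "$f"
}

# Demo over both samples; on a real host run: audit_sshd_config /etc/ssh/sshd_config
for gen in write_permissive_config write_hardened_config; do
    f=$($gen)
    echo "== $gen"
    audit_sshd_config "$f" || echo "   (hardening incomplete)"
    rm -f "$f"
done
```

The first-occurrence rule in get_directive is the detail that bites people: an `Include` or a stray early line can silently win over the “no” you added at the bottom, which is why the audit reads the effective value rather than grepping for the presence of the word “no”.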

I have learned that good security is layered (defense in depth): even if one layer is compromised, the other layers still act as a defense. A good barometer of a well-secured home server is “if some web service I run is compromised, could an attacker exfiltrate my family photos or important documents?” Learning and understanding these layers is a journey. You start at one level to get off the ground, and as long as you use a tool like Ansible, you can reflect on the security-convenience-simplicity tradeoffs you made and make things more secure over time. There really is something to be said for “just starting” and iteratively improving. There is no single “here is the initial checklist of security measures from which you can expand,” because everyone starts from a different place. And it is difficult for an individual who has been paid lots of money as a software engineer to understand production-grade Linux server environments to appreciate exactly how hard this is for someone without mentors, an “infosec” team, or hours every day to spend on this nonsense. Even something as simple as “forbid password-based SSH authentication” is difficult, because one should only take this measure when one truly understands how asymmetric cryptography works and the exact kinds of attacks it prevents.

The Threat Model in a Home Server

For a couple of years, I only exposed services to my local network (in my apartment) and eventually exposed very specific services to the outside world using Cloudflare Tunnels. Since I generally knew everyone who connected to my home network, this was a good sandbox for iteratively improving my security posture. Sure, friends or family could do all sorts of shenanigans with physical access to my server, but my friends and family had no interest in doing so. My apartment building has indirect forms of security, so I never worried about someone breaking in. CGNAT heavily complicates the process of an attacker compromising my home server from outside my network. Upon reflection, Cloudflare Tunnels are ridiculous and I don’t like them very much. While WireGuard is generally superior, Cloudflare Tunnels is a decently secure way to initially expose some services to the outside world. It is very satisfying to access my JupyterLab analytics environment from all the way in India. Part of server administration is the incremental satisfaction of the server actually serving you or others, and that gives the motivation to do more security work. In that sense, Cloudflare Tunnels is a wonderful tool for people who are just starting to cosplay as sysadmins.

In many ways the largest threat to a home server is posed by an ~incompetent~ inexperienced sysadmin who accidentally deletes a bunch of data. This is why backups are especially important.

Why I enjoy homelabbing

In some sense, running my own homelab gives me the option of “controlling some of the means of production” that fundamentally belong to my employer in my day job. At work, I program computers that my employer owns. Fundamentally, I help my employer harness the power of physics, engineering, mathematics, and chemistry to make money. And in my homelab, I get to harness all of those forces for my own knowledge. At work, I use things like Parquet and databases to gamble, and at home, I use those same tools to learn about economic history. At work, I use Python to ingest information to gamble. At home, I use Python to manage my personal finances. At work, I organize files containing data used for gambling. At home, I organize files containing memories and my family pictures. In some sense, I took the best parts of the technology landscape at a hedge fund and use them for my own enrichment and fulfillment. At work, I use Rclone to download data used to gamble and wage war on behalf of the rich. At home, I use Rclone to back up my family pictures offsite (with encryption, of course). Honestly, too many people use the means of production only for the ends of their employers and never for themselves. Sometimes the means of production are outside of what they can personally own. Sometimes they don’t have the physical space for such means. Sometimes people are just too tired at the end of the day. But I have tried my best to learn how to use these tools at work and use them for my own benefit at home. That is somewhat cool, in my opinion. We should wonder whether the world might look a bit different if more people did so. I am inclined to believe that it wouldn’t, but maybe just a little.