====== Security Setup ======

Secure your homelab with proper authentication, encryption, and access controls.

===== Two-Factor Authentication =====

**Enable 2FA for Authelia:**

1. **Access Authelia:**
   * URL: `https://auth.yourdomain.duckdns.org`
   * Login with admin credentials
2. **Configure TOTP:**
   * Go to **Settings** → **One-Time Password**
   * Install an authenticator app (Google Authenticator, Authy, etc.)
   * Scan the QR code or enter the secret manually
   * Enter the verification code to enable
3. **Backup Codes:**
   * Generate backup codes for recovery
   * Store them securely (encrypted password manager)
   * Use them only for emergency access

**2FA Best Practices:**

* Use hardware security keys when possible
* Enable biometric authentication on mobile
* Regularly rotate backup codes
* Test the recovery process

===== Access Control Policies =====

**Authelia Configuration:**

* Location: `/opt/stacks/core/authelia/configuration.yml`

**Default Policies:**

```yaml
access_control:
  default_policy: deny
  rules:
    # Rules are evaluated top to bottom and the first match wins, so the
    # specific bypass rules must be listed before the wildcard catch-all.

    # Media services - bypass SSO (app compatibility)
    - domain: jellyfin.yourdomain.duckdns.org
      policy: bypass
    - domain: plex.yourdomain.duckdns.org
      policy: bypass

    # Home Assistant - bypass (built-in auth)
    - domain: ha.yourdomain.duckdns.org
      policy: bypass

    # Admin services - require 2FA (catch-all for every other subdomain)
    - domain: "*.yourdomain.duckdns.org"
      policy: two_factor
```

**Policy Types:**

* **deny**: Block all access
* **one_factor**: Username + password only
* **two_factor**: Username + password + 2FA
* **bypass**: No authentication required

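Because the first matching rule wins, a wildcard `two_factor` rule placed above the `bypass` rules silently makes them unreachable. The following added example (written for this page, not Authelia's own code) evaluates a rule list the same first-match way and reports rules that an earlier entry shadows; it models only the `domain` matcher with a leading `*.` wildcard, not Authelia's resource, method, subject or network matchers.

```python
"""Predict the effective Authelia policy for a host and find dead rules.
Added example for this wiki page, not Authelia code. Only the `domain`
matcher is modelled; rules are tried top to bottom, first match wins."""

def domain_matches(pattern, host):
    """'*.zone' matches hosts below zone (not zone itself); else exact."""
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".yourdomain.duckdns.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host

def effective_policy(rules, host, default_policy="deny"):
    """Return (policy, index of the matching rule); index is None when
    only default_policy applies."""
    for i, rule in enumerate(rules):
        doms = rule["domain"]
        doms = [doms] if isinstance(doms, str) else doms
        if any(domain_matches(p, host) for p in doms):
            return rule["policy"], i
    return default_policy, None

def shadowed_rules(rules):
    """Indices of rules whose literal domains are all caught by an earlier
    rule, so their policy never takes effect. Wildcard rules are skipped."""
    dead = []
    for i, rule in enumerate(rules):
        doms = rule["domain"]
        doms = [doms] if isinstance(doms, str) else doms
        if any(p.startswith("*") for p in doms):
            continue
        if all(effective_policy(rules[:i], p, None)[1] is not None for p in doms):
            dead.append(i)
    return dead

# Constructed rule sets using the page's hostnames. Putting the wildcard
# two_factor rule first turns every bypass rule below it into a dead entry.
CATCHALL_FIRST = [
    {"domain": "*.yourdomain.duckdns.org", "policy": "two_factor"},
    {"domain": "jellyfin.yourdomain.duckdns.org", "policy": "bypass"},
    {"domain": "plex.yourdomain.duckdns.org", "policy": "bypass"},
    {"domain": "ha.yourdomain.duckdns.org", "policy": "bypass"},
]
SPECIFIC_FIRST = CATCHALL_FIRST[1:] + CATCHALL_FIRST[:1]

if __name__ == "__main__":
    for name, rules in (("catch-all first", CATCHALL_FIRST), ("specific first", SPECIFIC_FIRST)):
        pol, idx = effective_policy(rules, "jellyfin.yourdomain.duckdns.org")
        print(f"{name}: jellyfin -> {pol} via rule {idx}; shadowed: {shadowed_rules(rules)}")
```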
===== SSL/TLS Security =====

**Certificate Management:**

* **Issuer**: Let's Encrypt (trusted CA)
* **Type**: Wildcard certificate (*.yourdomain.duckdns.org)
* **Algorithm**: ECDSA P-256 with SHA-256
* **Validity**: 90 days with automatic renewal

**Security Headers:**

* **HSTS**: HTTP Strict Transport Security
* **CSP**: Content Security Policy
* **X-Frame-Options**: Clickjacking protection
* **X-Content-Type-Options**: MIME sniffing prevention

**Traefik Security:**

```yaml
# Middlewares are dynamic configuration: put this block in the file loaded by
# Traefik's file provider, not in the static traefik.yml, and reference the
# middleware from each router so it actually applies.
http:
  middlewares:
    security-headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          X-Frame-Options: "SAMEORIGIN"
          X-Content-Type-Options: "nosniff"
          Referrer-Policy: "strict-origin-when-cross-origin"
          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
```

===== Firewall Configuration =====

**UFW Rules (automatically configured):**

```bash
# Allow SSH
sudo ufw allow ssh

# Allow HTTP/HTTPS
sudo ufw allow 80
sudo ufw allow 443

# Enable firewall
sudo ufw enable

# Note: ports published by Docker (-p / "ports:") are opened through Docker's
# own iptables chains and are not filtered by these UFW rules, which is why
# keeping exposed ports minimal matters below.
```

**Docker Security:**

* Containers run as non-root users
* No privileged containers
* Minimal exposed ports
* Network isolation

===== Password Security =====

**Strong Password Requirements:**

* Minimum 12 characters
* Mix of uppercase, lowercase, numbers, symbols
* No dictionary words or common patterns
* Unique per service

**Password Manager Integration:**

* Use Bitwarden/Vaultwarden for password storage
* Enable auto-fill for services
* Regular password rotation
* Emergency access setup

===== VPN and Network Security =====

**Download Protection:**

* qBittorrent routes through the Gluetun VPN
* All torrent traffic encrypted
* No IP leaks during downloads

**Network Segmentation:**

* Services isolated in Docker networks
* Database access restricted
* External services proxied through Traefik

===== Backup Security =====

**Encrypted Backups:**

* Use Backrest with encryption
* Store encryption keys securely
* Offsite backup storage
* Regular integrity checks

**Backup Verification:**

```bash
# Test backup restoration (RESTIC_REPOSITORY and RESTIC_PASSWORD must point
# at the repository Backrest manages, or pass -r and --password-file)
restic restore latest --target /tmp/restore-test

# Verify repository structure and integrity
restic check
```

===== Service-Specific Security =====

**Nextcloud Security:**

* Enable brute force protection
* Configure trusted domains
* Set up file encryption
* Regular security scans

**Gitea Security:**

* Disable public registration
* Enable SSH key authentication
* Configure access tokens
* Regular repository backups

**Database Security:**

* Strong database passwords
* Network isolation
* Regular updates
* Query logging

===== Monitoring and Alerts =====

**Security Monitoring:**

* Enable fail2ban for SSH protection
* Monitor authentication attempts
* Set up intrusion detection
* Log analysis with Loki/Promtail

**Alert Configuration:**

* Failed login notifications
* Certificate expiration warnings
* Service downtime alerts
* Security vulnerability notifications

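To make "monitor authentication attempts" and "failed login notifications" concrete, here is an added example (written for this page, not fail2ban's code) that applies fail2ban's maxretry-within-findtime idea to sshd log lines; the lines are constructed, the addresses are documentation ranges, and the 5-failures-in-10-minutes threshold is an assumption to tune.

```python
"""Flag sources with repeated SSH login failures (added example, not fail2ban
code): the maxretry-within-findtime check of fail2ban's sshd jail, run over
constructed log lines. 5 failures in 10 minutes is an assumed threshold."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines; 203.0.113.7 / 192.0.2.10 are documentation IPs.
SAMPLE_LOG = """\
Mar  3 10:00:01 homelab sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:04 homelab sshd[4102]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:09 homelab sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Mar  3 10:00:15 homelab sshd[4104]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar  3 10:00:21 homelab sshd[4105]: Failed password for invalid user pi from 203.0.113.7 port 51060 ssh2
Mar  3 10:07:42 homelab sshd[4111]: Failed password for alice from 192.0.2.10 port 40030 ssh2
Mar  3 10:07:50 homelab sshd[4112]: Accepted password for alice from 192.0.2.10 port 40031 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2025):
    """Yield (timestamp, ip, user) per failed-password line; syslog has no year."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def offenders(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map ip -> total failures for IPs that reach `threshold` failures inside
    any sliding `window` (fail2ban's maxretry / findtime)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits
```

In production the same logic runs over `journalctl -u ssh` output or the Loki stream that Promtail ships, and a hit becomes the failed-login notification.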
===== Incident Response =====

**Security Breach Response:**

1. **Isolate**: Disconnect affected systems
2. **Assess**: Determine the scope of the breach
3. **Contain**: Change all passwords
4. **Recover**: Restore from clean backups
5. **Learn**: Update security policies

**Emergency Access:**

* Keep backup authentication methods
* Document recovery procedures
* Test incident response plans
* Regular security audits

===== Advanced Security =====

**Certificate Pinning:**

* Pin Let's Encrypt intermediate certificates
* Monitor certificate transparency logs
* Automated certificate validation

**Zero Trust Architecture:**

* Every access request verified
* Minimal privilege access
* Continuous authentication
* Network micro-segmentation

**Compliance Considerations:**

* Data encryption at rest and in transit
* Access logging and monitoring
* Regular security assessments
* Privacy-preserving configurations

===== Security Checklist =====

**Initial Setup:**

* [ ] 2FA enabled for all admin accounts
* [ ] Strong, unique passwords everywhere
* [ ] SSL certificates properly configured
* [ ] Firewall rules verified
* [ ] VPN configured for downloads

**Ongoing Security:**

* [ ] Regular password rotation
* [ ] Security updates applied
* [ ] Backup encryption verified
* [ ] Access logs reviewed
* [ ] Security scans performed

**Emergency Preparedness:**

* [ ] Backup authentication methods available
* [ ] Incident response plan documented
* [ ] Recovery procedures tested
* [ ] Contact information current

Your homelab is now secure! Continue to [[architecture:security|Security Architecture]] for detailed technical information.

**Need help?** Check [[troubleshooting:ssl|SSL Troubleshooting]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].