New to home networking - Security advice? - eviltoast

I’m very new to home networking. I’m not new to computers (hardware or software) - but for whatever reason, anything network-related has always been an enigma to me.

That said - I just got a new (to me) server. It’s a beefy one (made a post about it in another community). And so I figured why not just start playing around with Proxmox, learning some new things and spinning up a bunch of random VMs and whatnot.

I figured the first step would be to set up something such that I can connect to my computers from anywhere - and I’ve already done so. For that, I used Tailscale. But my question, I suppose, is now that my computers are on the internet (as in, for real on the internet, through Tailscale) - are there security precautions I have to take now and things I need to be more concerned about? Do I have to set up my own special firewall to make sure I don’t get hacked or something? I am honestly pretty clueless in that whole domain. So… ELI5 what I have to do, security-wise. Any and all help is welcomed and appreciated.

Bonus question: beefy server is beefy (yes yes, lots of power consumption, I’ve already come to terms with it. About 200W idle and should run me ~$40/mo.). Dual 18-core E5-2699 v3s. 768GB of RAM. More SSD storage in both boot drives and storage drives than the average human would use in a thousand years (SAS, SATA, & NVMe). I asked this over on c/piracy - what should I do with it? I’ve put Proxmox on it, and as said above, plan on learning things about VM hosting and different operating systems and whatnot. I’m also planning on hosting my own Jellyfin server. But… what else? Does anyone have any good ideas for any (non-GPU-intensive) things I can do with the server? Anything and everything welcome, lol - I wanna have fun with this thing!

TIA for the responses :)

  • navigatron@beehaw.org
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    Networking is super simple - or at least it started out like that. Then we ran out of numbers, and had to invent nat. Then we invented ipv6, which has lots of numbers, but is unfathomably complicated.

    I recommend learning about NAT / network address translation. NAT is not a stateful firewall, but acts kinda like one.

    You can understand a stateful firewall by understanding the tcp handshake. TCP is hugely important. Don’t worry about fin_wait_2 and that nonsense, just get syn/synack/ack down.

    People will brush off udp because it’s easier, but it’s also important.

    Once you get NAT/stateful firewalls, I would look into wireguard. That’s the protocol underneath tailscale. Know that it wraps your tcp packets in an encrypted udp datagram. Then find out how tailscale sets up your wireguard connections without port forwarding - or don’t, as webrtc-style signaling is famously impossibly complicated.

    Here’s what you should do - spin up all the services you want, but put them behind an nginx reverse proxy. Then put that behind a WAF. Getting those layers aligned will teach you a huge amount of useful stuff.

    In general, don’t worry about hackers unless exposing a port to the internet. Then worry. Your router’s stateful firewall will do a good job until you poke holes in it.

    If you want a cool side project, listen on port 20 and dump the characters that the web scanners send to you. If they don’t send anything, send a username prompt after the tcp handshake - the robots will give you the login creds that they try against weak boxes :)