In this video we’re going to look at how to help secure your home server to make sure that only the people you want to have access to your applications will be able to access your server.
I’m not a security professional or a network professional, but I’ve picked up a few tips to help keep your server safer. So let’s just jump into this!
Only Open Ports You Need To
You should only need about 3 ports open on your server in most cases. Those ports are 80, 440, and 1194 (or whatever port you put your VPN on). Port 80 is the port number assigned to commonly used internet traffic. This port is your insecure port. Port 443 is used for secure web browser communication. Data transferred across such connections are highly resistant to eavesdropping and interception.
Those 2 ports are used for the traffic going to your applications over the internet.
Use CloudFlare for DNS and DDOS protection
Cloudflare is one of the biggest networks operating on the Internet. People use Cloudflare services for the purposes of increasing the security and performance of their web sites and services.
Their free services include FREE SSLs and a firewall with up to 5 customized rules. Their service has a great platform to start with including free SSLs, a standard firewall that you can customize with 5 additional rules. I use a couple of those rules to block known bots and block countries outside of where I live.
More than that, CloudFlare can proxy your home’s IP address to make sure no one can ping your domain name and find your home IP. Their search will return a CloudFlare IP address that is DDOS protected.
Don’t Expose These Services
- Reverse Proxy Dashboard
Those services are the heart and soul of your server. Exposing them to the internet is like leaving a key in your front door when you leave home. These should only be accessible from INSIDE your network. If you want to access them remotely, setup a VPN on your network to give yourself a secret tunnel to get in.
Use a Reverse Proxy Manager
I use NGINX Proxy Manager to manage my application traffic as well as install local Let’s Encrypt SSLs and access lists.
Keep Your System Updated
When I say this, I mean:
- Make sure your OMV installation up-to-date. Check for updates regularly and apply them.
- Keep your Docker containers up-to-date. Use a service like WatchTower if you have to, but make sure your containers always have the latest security patches.
- Check for and apply updates with “apt update” and “apt upgrade” on a regular basis.
Trust Your Sources
Only use Docker containers from trusted sources that are being maintained regularly. If you see a container that you want to install, but it hasn’t been updated in several months or years, maybe see if you can find a more current version from a different developer.
BACKUP Your Server
I can’t stress this enough. Always make sure you have at least a local copy and a remote copy. I have my server setup to run 3 local backups per week. Then, once per week, my server pushes files to a cloud service for remote restoration should there be a catastrophic event at my home.
Don’t give access to anything that doesn’t need access
People, for the most part, aren’t super tech-savvy. That said, don’t give your tech-illiterate friends/family access to your system. If you MUST give them access, give them a unique user account and limit their access to the bare minimums to get them by. I only have one person outside my home who has access to my server and he ONLY has access to watch videos on Emby. He can’t add or remove videos. Nor can he update anything. He only needs access to view content, so that’s all he gets.
OpenMediaVault has its own set of security plugins available like Fail2Ban which you might consider installing and configuring as well.
As I mentioned earlier, this isn’t meant to be a completely comprehensive tutorial on how to build a Fort Knox-style server. These are just some basic tips to get you started. If you have other tips you’d like to share, please do so in the comments section down below.