---
title: "Home Lab Security Improvements"
description: "Security audit and migration plan from password-based SSH to key-based authentication, covering risk assessment, server hardening, and phased rollout."
type: guide
domain: networking
tags: [ssh, security, authentication, hardening, migration]
---

# Home Lab Security Improvements

## Current Security Issues

### Critical Issues Found:

- **Password Authentication**: All servers using password-based SSH authentication
- **Credential Reuse**: Same password used across 7 home network servers
- **Insecure Storage**: Passwords stored in FileZilla (base64 encoded, not encrypted)
- **Root Access**: Cloud servers using root user accounts

### Risk Assessment:

- **High**: Password-based authentication vulnerable to brute force attacks
- **High**: Shared passwords create single point of failure
- **Medium**: FileZilla credentials accessible to anyone with file system access
- **Medium**: Root access increases attack surface

## Implemented Solutions

### 1. SSH Key-Based Authentication

- **Generated separate key pairs** for home lab vs cloud servers
- **4096-bit RSA keys** for strong encryption
- **Descriptive key comments** for identification

### 2. SSH Configuration Management

- **Centralized config** in `~/.ssh/config`
- **Host aliases** for easy server access
- **Port forwarding** pre-configured for common services
- **Security defaults** (ServerAliveInterval, StrictHostKeyChecking)

### 3. Network Segmentation

- **Home network** (10.10.0.0/24) uses dedicated key
- **Cloud servers** use separate key pair
- **Service-specific aliases** for different server roles

## Additional Security Recommendations

### Immediate Actions:

1. **Deploy SSH keys** using the provided script
2. **Test key-based authentication** on all servers
3. **Disable password authentication** once keys work
4. **Remove FileZilla passwords** after migration

### Server Hardening:

```bash
# On each server, edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
# Create a non-root user on cloud servers first
PermitRootLogin no
# Change default SSH port
Port 2222
# Restrict SSH access
AllowUsers cal
```

### Monitoring:

- **SSH login monitoring** with fail2ban
- **Key rotation schedule** (annually)
- **Access logging** review

### Future Enhancements:

- **Certificate-based authentication** (SSH CA)
- **Multi-factor authentication** (TOTP)
- **VPN access** for home network
- **Bastion host** for cloud servers

## Migration Plan

### Phase 1: Key Deployment ✅

- [x] Generate SSH key pairs
- [x] Create SSH configuration
- [x] Document server inventory

### Phase 2: Authentication Migration

- [ ] Deploy public keys to all servers
- [ ] Test SSH connections with keys
- [ ] Verify all services accessible

### Phase 3: Security Lockdown

- [ ] Disable password authentication
- [ ] Change default SSH ports
- [ ] Configure fail2ban
- [ ] Remove FileZilla credentials

### Phase 4: Monitoring & Maintenance

- [ ] Set up access logging
- [ ] Schedule key rotation
- [ ] Document incident response

## Connection Examples

After setup, you'll connect using simple aliases:

```bash
# Instead of: ssh cal@10.10.0.42
ssh database-apis

# Instead of: ssh root@172.237.147.99
ssh akamai

# With automatic port forwarding:
ssh pihole  # Forwards port 8080 → localhost:80
```
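
The check below is an added example, not part of the original guide: it reads the output of `sshd -T` (the server's effective configuration) and reports every setting that deviates from the Server Hardening block, which makes it useful before and after Phase 3. The function names, the `EXPECT_PORT`/`EXPECT_USER` variables and the sample input are this example's own, and the keyboard-interactive check goes beyond the settings the guide lists.

```bash
# Added example (not from the original guide): audit `sshd -T` output on stdin
# against the hardening baseline above. EXPECT_PORT / EXPECT_USER are this
# example's own variables and default to the guide's values (2222, cal).

audit_sshd() {
    awk -v port="${EXPECT_PORT:-2222}" -v user="${EXPECT_USER:-cal}" '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        # sshd -T prints lowercase "keyword value" lines.
        { key = tolower($1) }
        key == "passwordauthentication" { pw = $2 }
        key == "pubkeyauthentication"   { pk = $2 }
        key == "permitrootlogin"        { root = $2 }
        # Older OpenSSH reports this as challengeresponseauthentication.
        key == "kbdinteractiveauthentication" ||
        key == "challengeresponseauthentication" { kbd = $2 }
        key == "port" {
            if ($2 == port) { port_ok = 1 } else { fail("listening on port " $2) }
        }
        key == "allowusers" {
            for (i = 2; i <= NF; i++) {
                nusers++
                if ($i != user) fail("AllowUsers admits " $i)
            }
        }
        END {
            if (pw != "no")   fail("PasswordAuthentication is " pw ", want no")
            if (pk != "yes")  fail("PubkeyAuthentication is " pk ", want yes")
            if (root != "no") fail("PermitRootLogin is " root ", want no")
            # Not in the guide: keyboard-interactive (PAM) can still ask for a password.
            if (kbd == "yes") fail("keyboard-interactive authentication is enabled")
            if (!port_ok)     fail("not listening on port " port)
            if (!nusers)      fail("AllowUsers is not set")
            exit bad + 0
        }'
}

# Constructed sample: a server partway through Phase 3, not a real capture.
sample_partial() {
    printf '%s\n' 'port 22' 'passwordauthentication no' \
        'pubkeyauthentication yes' 'permitrootlogin prohibit-password' \
        'kbdinteractiveauthentication yes'
}

# On a real server, as root: sshd -T | audit_sshd
sample_partial | audit_sshd || echo "baseline not met"
```

Run it while a second SSH session is still open, so a failed check can be corrected before the only working login path is closed.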