4b7eca8a46
All checks were successful
Reindex Knowledge Base / reindex (push) Successful in 3s
Adds title, description, type, domain, and tags frontmatter to every doc for improved KB semantic search. The description field is prepended to every search chunk, and domain/type/tags enable filtered queries. Type values: context, guide, runbook, reference, troubleshooting Domain values match directory structure (networking, docker, etc.) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3.3 KiB
3.3 KiB
| title | description | type | domain | tags | |||||
|---|---|---|---|---|---|---|---|---|---|
| Home Lab Security Improvements | Security audit and migration plan from password-based SSH to key-based authentication, covering risk assessment, server hardening, and phased rollout. | guide | networking |
|
Home Lab Security Improvements
Current Security Issues
Critical Issues Found:
- Password Authentication: All servers using password-based SSH authentication
- Credential Reuse: Same password used across 7 home network servers
- Insecure Storage: Passwords stored in FileZilla (base64 encoded, not encrypted)
- Root Access: Cloud servers using root user accounts
Risk Assessment:
- High: Password-based authentication vulnerable to brute force attacks
- High: Shared passwords create single point of failure
- Medium: FileZilla credentials accessible to anyone with file system access
- Medium: Root access increases attack surface
Implemented Solutions
1. SSH Key-Based Authentication
- Generated separate key pairs for home lab vs cloud servers
- 4096-bit RSA keys for strong encryption
- Descriptive key comments for identification
2. SSH Configuration Management
- Centralized config in
~/.ssh/config - Host aliases for easy server access
- Port forwarding pre-configured for common services
- Security defaults (ServerAliveInterval, StrictHostKeyChecking)
3. Network Segmentation
- Home network (10.10.0.0/24) uses dedicated key
- Cloud servers use separate key pair
- Service-specific aliases for different server roles
Additional Security Recommendations
Immediate Actions:
- Deploy SSH keys using the provided script
- Test key-based authentication on all servers
- Disable password authentication once keys work
- Remove FileZilla passwords after migration
Server Hardening:
# On each server, edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no # (create non-root user on cloud servers first)
Port 2222 # Change default SSH port
AllowUsers cal # Restrict SSH access
Monitoring:
- SSH login monitoring with fail2ban
- Key rotation schedule (annually)
- Access logging review
Future Enhancements:
- Certificate-based authentication (SSH CA)
- Multi-factor authentication (TOTP)
- VPN access for home network
- Bastion host for cloud servers
Migration Plan
Phase 1: Key Deployment ✅
- Generate SSH key pairs
- Create SSH configuration
- Document server inventory
Phase 2: Authentication Migration
- Deploy public keys to all servers
- Test SSH connections with keys
- Verify all services accessible
Phase 3: Security Lockdown
- Disable password authentication
- Change default SSH ports
- Configure fail2ban
- Remove FileZilla credentials
Phase 4: Monitoring & Maintenance
- Set up access logging
- Schedule key rotation
- Document incident response
Connection Examples
After setup, you'll connect using simple aliases:
# Instead of: ssh cal@10.10.0.42
ssh database-apis
# Instead of: ssh root@172.237.147.99
ssh akamai
# With automatic port forwarding:
ssh pihole # Forwards port 8080 → localhost:80