...and welcome to The Homelab Show, episode 74. Jay is not able to join today; he's got a couple of things going on, and we are going to talk about cybersecurity and your homelab. This seems like a good topic because it's not a specific topic that we've covered before. We've talked a lot about different tools and we always mention security, but I figured, hey, why not, because it's the beginning of Cybersecurity Awareness Month. It is probably a good time to bring this up.

Before we jump into that, let's quickly thank the sponsor of the show, and that is Linode. Linode has been a sponsor since the beginning. If you are listening to this podcast that you downloaded, you downloaded it from a Linode server, because, well, that's where we host all of our stuff. So we don't just talk about them as a sponsor; we actually use them for the back end. Jay has many demos using some of the fun things you can do on Linode. Many of the projects we talk about here on The Homelab Show, if you don't want to run them in your own lab, your lab can be, well, in Linode servers. So we thank them again for being a sponsor of the show, much appreciated, and there's a link down below if you want to get started with Linode.

Now, today I have a list of steps and things for jumping into doing homelab in terms of security. Now, there's a difference between building a cybersecurity lab, which maybe we'll talk about as a topic at some point (I think that's probably a pretty worthy thing to speak of, as well as building your own hacking lab and things like that), but in this case I just wanted to talk about just the things you need to do to secure your homelab. I'm gonna have some links down below. Most of the stuff is not about tools; it's gonna be about some of the other episodes I'll be referencing. But there are some things in here that are relatively actionable, and further research you can always be doing on this, and it's just an important aspect of, you know, building your homelab: making sure it does not get hacked and attacked.

Now, the first good piece of news I have for all of you is that homelabs are generally considered, with some exceptions (we'll talk about those), a lower-value target. This means you're in luck. People don't necessarily run out there; hacker groups aren't going, "I need to get in that person's homelab." The reality of it is they realize homelab people often, and this is a frequent question that comes up, are building a homelab on a budget, which also means there's not a huge incentive to get into your network, because there's not things there of such great, great value. Now, this is not at all me saying that there's not a reason to secure your homelab, because the value is absolutely great to you. Matter of fact, it is very valuable to you if it's your family photos or personal media that you've curated. Especially, you know, I have a lot of my family pictures and stuff within my own homelab, and it's like, yeah, that's very valuable to me, but they realize it doesn't have a big market value, so you are a little bit less targeted. And the reason I bring that up is because a lot of people think that they're overly targeted, and when you start looking at some of the, you know, port scans that may occur on your public IP address, the reality is they're occurring on any public IP address. You're not being singled out unless you're running services that are exposed on there.

Now let's talk about the exceptions, and a really fun deep dive into it that we don't have time to cover in this episode, but I believe you'll like it: it's Darknet Diaries. The link is in the episode; it was all about what happened to LinkedIn, and it's a really good episode. I think it's episode 86; that'll be linked down below and put in the show notes. But that episode does talk about how someone's lab became the launching point. Now this is where things get a little different: the homelab definitely is going to be a target if you work for, oh, I don't know, LinkedIn, and you're the holder of the keys to be able to get into something. So at that point your homelab may be a target, because you are a target because of where you work. So it may be that when a threat actor is researching how to get into something, and this is very frequent, that people who have a day job as a sysadmin at a large company probably run their own homelab as well, and yeah, you may be targeted. So think about the context of it, of, you know, whether or not you are going to be someone that is of high value to threat actors. So I wanted to throw that out there right at the beginning. And it's just all things like, the paranoia is certainly there once you start running things that someone may get in there, but the value of the target means you're a little bit less of a target. But let's still talk about securing it, because in no way do I think this is any reason you shouldn't secure it, even if your job is not,
oh, I don't know, some high-level sysadmin at LinkedIn.

Now, this is going to be a debate, undoubtedly, in the comments, and that's going to be using a password manager. Now I definitely think you should use a password manager. My own preference, especially running a business, is that I use a password manager in the browser that allows me to interact with other people for sharing passwords. It also does another thing, and that is verify the URL. This is where password managers, I think, offer a great value, because, well, hey, typosquatting is real. It looked like it said paypal.com, but it's paypal1.com with some, you know, really long URL, and it's easy to overlook, or when they misspell something on some of these different websites. They send the phishing email, it looks like it's the same company you were gonna log into, but it's just a few letters off. Well, any letters off is going to be a big difference to a password manager, because you should be matching on the URL exactly for that login page of that service, and when it doesn't match, that's a good time to raise suspicions and start really looking at it. Why doesn't it fill in? Why do I have to try to get these credentials manually out of my password manager and paste them in for some reason? That's unusual. That is like a good precursor to go, I should stop and examine this in further detail, because maybe you typed it wrong, maybe you misspelled something and landed on a typosquatted version of some site. There's a lot of things that can go wrong, and, you know, humans are humans. We are easily fooled because of the way we extrapolate data, a misspelling and things like that. So this is one of the reasons I like a browser-based password manager.

Now, I will not argue if you want to use something like KeePass. Maybe you keep your server passwords in there, and that's fine. I don't think there's anything wrong with that as a tool. I'm not aware of any problems with it; it's quite popular, and I think there is some browser integration you can do with KeePass. I just don't use it. I've played with it, but I don't really use it for integration. I know someone told me there's a way you can get it to synchronize, not just by saving the file, but like real-time synchronization with more than one user. I've been told that exists, but it's not something I dig into. It's really well vetted and well built into Bitwarden, Bitwarden being my preference for password managers. There's other ones out there. Bitwarden, though, has gone through several security audits, it's open source, and it's one of the reasons I like it. I know there are other open source password managers out there; I just don't have the time to examine all of them, and I haven't seen any of them, despite many people commenting about them, that offered some compelling feature that Bitwarden didn't have. Now, Bitwarden is self-hostable, I see someone comment on that. It's a great service whether you self-host it or use them for hosting. I have a video talking about what password managers know about you, and really they don't know your password, your master password. They don't hold on to it; they only hold on to the encrypted blobs. So even if you're using a hosted-by-Bitwarden version of it, hey, it's still a solid password manager, and all the other ones, to my knowledge... what other popular ones? I can't say this for all of them, but LastPass has a pretty good security record overall. I'm not aware of any flaws with them. They've obviously had, and been very transparent about, recent security incidents, but, you know, I don't really have a problem with that, LastPass or Bitwarden. Those are at least two of them that I've used. There's others out there, but I'm not going to get way off topic on that.

Now, browsers are probably one of a homelab's hugest risks, just like for any end user, especially depending on what website you go to. You always need to keep your browser up to date, whether that's Linux or Mac, and that's because of Chromium being the most popular base for many of the browsers. I'm sorry, Firefox lovers, I know you're just not as big as you used to be, but I'm not, you know, I'm not saying not to use Firefox. It's just one of those things: it's really important to use a browser that's up to date. I use Google Chrome for my business and I use Firefox for my personal, and I keep the two separate; I don't even want to be in the same browser. Of course, you can set up profiles if you're a Google Chrome user and you want to use that. But one of the reasons I don't use some of the third-party browsers, this is my opinion, and maybe someone can change my mind in the comments on it, but, you know, the way I see it, Google Chrome does an absolute top-notch job of, one, finding and securing and watching for vulnerabilities in the Chromium project, which trickles down to the Chromium-based browsers, which also means that Google Chrome itself gets very frequent updates. And there's some mitigations for some extremely complicated attacks built into Chrome, because the attack surface is very big with browsers. And Firefox also has a good track record of being very on top of security and putting a lot of effort into it. Once you start looking at third parties, even if they're basing it on Chromium, the risk is: are they fast enough to keep up with the Chromium
updates and make sure those mitigations and integrations are being pipelined into the build that you use? This is just one of those things I think is a real concern when it comes to security, because I'm on websites all the time. If that website has a compromise or a problem within it, well, that could spread to the browser and be the way in, and they would gain the browser-level privileges. I'm thinking about this a lot. I keep my browser up to date all the time, and, back to it, these are the reasons why I choose to use that browser, whether it's Chrome or Firefox. Those browser choices are made by that. I know someone's going to have different opinions on it, "but there's this other one that claims to do these fancy features," and I come back to: how frequently is it updated? Are the updates coming in patched? Because that's a threat that can be opened up within the network.

Now, the next one is blocking sites, and this is kind of a back-and-forth: some people may want it for ad blocking, some people may want it for threat blocking, and you can do both, because there's feeds for this. Pi-hole and pfBlocker are two really popular projects in the homelab. Pi-hole is kind of neat; I definitely like the interface and some of the fancy features it has. If you don't want to set up a Pi-hole, or you're using a pfSense, pfBlocker is awesome. To me, that's what I like, because it's integrated right into the firewall itself, so that's a good choice. But then comes the question: won't all these threat feeds protect me? And that's always been a cat-and-mouse game. Knowing a site's bad, the only reason you know something's bad is because someone, a security researcher, often the people who curate these lists, will go, "Hey, that's interesting, why is this site doing this?" in some examination, or sometimes some investigation through an attack that happened will bring this list up and go, "We found it on a bad site." But who was the victim? That's the first question. Hopefully not you. That's why that's such a cat-and-mouse game. You know, hoping those threat feeds... are they better than nothing? Yeah. Are they going to protect you from the latest attacks? Not really.

The good news is, back to the very first topic I brought up, when I say homelabs are less valuable targets: when there's an exploit found, and if it's found by some threat actor group that is possibly, you know, funded by a nation state, they don't just throw it at the homelab people. They have valuable, valuable targets they throw things at first, and it kind of trickles down from there, because once it's found out in the wild... because they're very careful to try and not burn their exploits. They get these exploits and go, "All right, now here is the, you know, target audience, and we hope to not be found," but if they do get found from some investigation, well, they burned it, and then it'll end up in a feed list or a rule list of things that can be found. So they're good to use, and if you don't want to host something internally on your network, there's also Quad9. I found that Quad9 does a very good job of sinkholing a lot of the DNS of just garbage that's out there. No list is going to be perfect; like I said, it's a cat-and-mouse game. But hey, some of these, because they're not easily taken down, hang out for a long time. So once they get on lists like Quad9 and their filtered lists, great, they stay on there for a while, because, well, those IPs were doing something not good at some time in the past and probably will for a lot of time in the future, until someone gets around to the takedown request. So not resolving them is a great thing. Quad9, like I said, is one of my favorites for that.

The next thing is backups. Untested backups are just wishful thinking; I've said that a lot. Untested backups are frequently where a lot of people get into trouble, because, well, that's a pretty big risk to your homelab. Not directly a security risk, somewhat, but in a way indirectly, because sometimes if something is hacked, because things happen, things got exposed, something was broken, you're like, well, did I have my backups? Are they in some form? And maybe they were offline because you literally power down the server after you back it up. Like maybe you have an extra NAS that you just physically unplug or shut down when you're not running backups. You run the backups, you shut them off, because it's less likely, if a threat actor gets in there, that they would look for your backups, boot up your NAS, and then delete them. Not impossible, but depending on the level of mitigation and how much separation you've created. Having those backups is really important, and having a process to go through and put that in there is just huge. Go through and test: randomly grab a file and try to restore it. Test your backups, test your process. Make sure you're able to get those backups restored, because that is kind of a mitigation where, you know, this happens a lot in some of the enterprise security places. This is why ransomware actors have moved towards the leaking of data: because companies have gotten better at backups, which is awesome, and then they start leaking all the data, because they're like, "We're not paying this ransomware, we're just going to reload the systems with the last known image." In a homelab, maybe you're worried,
maybe you're not worried about people leaking the data online, or if they even take the time to exfiltrate it, but at least you have a backup to be able to restore from. Just some thoughts to put in there.

Don't open ports on your homelab. This is a huge one, and I see this all the time. I see this in the forums when I'm over there, especially with the thing I'm talking about next, Nextcloud: people post on the forums and they just open all the ports. They just port forward. It's a really popular video I have, because so many people want to open all the things. When you open the ports, that's when you kind of move yourself into risk. This is just where the problems really start to fall for the homelabbers: it's "let's open all the ports," or sometimes forgetting that you opened the ports to things and forgetting to update the thing that was on the service on the port. Whenever possible, use a VPN. There is Tailscale out there to make VPN extremely easy, and if you don't want to use Tailscale's back end, there's Headscale, which I've done a whole video on, to control Tailscale. Tailscale is even integrated into pfSense. It's probably one of the easiest ways you can do easy VPN, even with NAT issues and everything else that you may have problems with dealing with some of the other VPN technologies. It works. Runner-up for that, for remote user access, is going to be OpenVPN, which is wonderful. It's a solid way to do it. There's also ZeroTier, and if you want to use WireGuard... now WireGuard is a little bit trickier for some people, but you do have to have a public IP address for OpenVPN or WireGuard. But hey, they're all great to use, and all of them are better. Now people are probably asking, well, don't I have to open ports for the VPN? You do, but now you're relying on a very well vetted, very solid protocol that's been poked at heavily, which is the VPN protocols, and you only have to maintain... let's say you have 20 things you want open on the back end, but you only have to maintain one thing, and that's the VPN. And because the VPNs are certificate-based, which adds a challenge to even getting in there, because you have to first have the certificates, in the case of OpenVPN or WireGuard (Tailscale uses certificates, but they do certificate management for you), that makes the bar a little higher for people to even gain access, compared to just opening a port, where people can just see the port that's open and talk. Usually, when you're opening ports, you're talking to web servers, and yeah, that is just a big, big problem, for sure.

Yeah, I see someone comment, "Nintendo recommends you open all the ports." Yeah.

GeoIP listing: if you open a port, yeah, you can do that for both VPN and for just opening ports in general. But with GeoIP listing, a lot of the attacks happen from inside of places that are trusted, so to speak. I see it like that, because you'll have companies that set up, you know, WordPress hosting, so you're inside of, let's just use the US as an example, but frequently inside the US, and even many of the attacks, and some of the big ones such as the SolarWinds attack with the Orion incident, a lot of that was all from internal US stuff. You block a limited amount of things. If you block Tor exit nodes, you're actually going to do a little better, because so many random attacks come from a Tor exit node. It helps some, but it's only limited to some extent, because just so many of the attacks do happen from, you know, takeovers of, let's say, a WordPress site, and they use it as a launching system to, you know, pivot all the attacks from. So they're coming from a trusted network, not some random server they purchased in a foreign land. So GeoIP is not a bad idea, but it's only a small stopgap mitigation.

Now, the next thing is: what about viewing cameras? Shouldn't I just open
the whole camera thing? And this is probably the biggest thing that homelab people want: they want to view the cameras. They don't want to do it over a VPN, because they want other family members that may be less technical to view it. I definitely fall into that category, and this is where we're going to pivot a little bit to VLAN segmentation. If you're going to run cameras, put those cameras on a separate network, put them on a network that doesn't have access to your main network, because if you are going to open them up... in many NVRs, and man, I do not recommend the off-brand NVRs, because they generally never get any security updates, have giant security flaws, and are generally part of botnets eventually. They all seem to have an end of life where they just become part of a botnet, and this is all those really cheap, no-name... I don't even know what they call them, I guess no-name security camera systems that you'll find. They have bad menus, they're extremely popular, they only work with port forwarding. I'd level up a little bit, even for home users. I recommend Synology; Ubiquiti is another one too. I've talked about both of those on my channel. Those are pretty good ones, and both of them have options to not open ports and use their relaying service, but they'll even give you a warning, though, that they're a little faster with the ports open. So bring it all the way over to, like, using Synology and opening a couple of ports. Well, it's opened to a specific thing: I have a small Synology on a separate VLAN with my cameras. With my cameras, by the way, the Synology and the cameras all live together, and it does allow you to open ports. And then you think about what's going to happen with lateral movement: if someone cracks my Synology, they would have access to my cameras, and that would be unfortunate, but they would just see the outside of my house, because that's the only place my cameras point. So it would not be a happy time for somebody to get access to it if there was a flaw in it, but Synology does a good job of keeping these up to date, and I would be limiting in scope what those people have access to. Also, the way you set up that VLAN for cameras, you can put your Synology in it. I recommend a dedicated NVR device; that way, if something occurs on an NVR, you're not also using it for your personal file sharing and things like that. We recommend this to businesses as well. But then the other thing to think about is you don't really need to give the cameras access. So I usually have a filter rule that says allow the Synology access to the internet, deny the cameras, because there's only one device, whatever the device IP of the Synology is, that's the only thing I give access to the internet. So that's a good way to restrict it and still, you know, maintain some security, but go ahead and open that port on there. So that gives you, you know, good speed for viewing the cameras.

Now, file sharing itself: Nextcloud. I know everyone wants to open Nextcloud. This is where, if I'm in the TrueNAS forums, or people ask me about Nextcloud, or even the comments I get on my YouTube videos whenever I mention the word Nextcloud, it's time: "I want to open it up, I want to open it up to everyone, I want to just use it for file sharing and have my friends share it." And this is one of those problems: homelab people get things set up and they don't maintain it, and one of the things on there is going to be maintaining updates for these things. If there's a flaw in Nextcloud and you have it publicly exposed, you now... and this has happened. There's only been one big incident that I can remember with Nextcloud, and someone wrote some type of automated bot that ran around ransomwaring people's Nextcloud instances for what they thought was a reasonable amount of money. I think it was something like, correct me if I'm wrong in the comments, but I think they were asking like $400. It was a sub-$1,000 ransomware, because they knew, hey, homelab people use it, and homelab people can't pay two million dollars in ransom, but they might want their files back. So an automated bot ran around encrypting Nextcloud instances to do this, unless you had a patched Nextcloud, and people aren't always the best at patching. I still say don't expose it unless you, for some reason, have an absolute need to. Generally, putting even a friend on Tailscale is pretty easy so they can access resources that you may have set up for them. But if you're going to expose it, make sure you have a plan to keep it up to date and patched in case there's any security flaws in it. Go through that process, make sure that server's secure, and hey, the sponsor of the show is Linode, and you can host it in Linode, because that would keep it completely separate from your network. So if someone were to pop that box, and you have proper backups going off-site with it, you would be able to then restore from that backup and go, "I don't know how they got in, I'm going to go restore to a time when they weren't in," snapshot back to that time, and restore any data that was created in between, provided you can check the integrity of that data. So those are a couple of things on running it; just running it exposed is probably where a lot of people get pivoted into their homelab. So that's definitely something to consider.

Now, kind of on that, other file sharing, the other popular service people keep asking me about: QNAP.
I did a video about QNAP and the flaws, and how hard security researchers have had to work to get QNAP to update their software, and how QNAP is really slow about updating their software. Now, QNAP has had just a ton of problems in the last, probably, I think it's over the last couple of years, and there's the Qlocker ransomware many people are asking about all the time. QNAP just does not do a good job of keeping software up to date. So even if you have a plan to update, QNAP doesn't seem to have a plan to give you those updates, and until there's enough market pressure from Qlocker ransomware running around and locking up people's QNAPs, just don't expose QNAPs. They seem to just not be on the ball when it comes to security patches, and there's probably that same rule for a lot of other ones, QNAP just being a singular big company that is popular among the homelab users. Because I can't do a Synology video without people telling me, "Tom, did you know QNAP is cheaper than Synology?" That is always like people's favorite comment to put on there, and I'm like, yes, did you see my video about QNAP and their lack of security? They may make some good hardware, but running the QNAP software on them seems to be not that great.

So, let's see. Back up your Nextcloud. I see people saying, limiting the IPs. I see other people have some suggestions here in the comments: limiting those source IPs, like GeoIP. Yes, that's not a terrible idea, but nonetheless, just, if you don't need to expose it, don't expose it. If you do expose it, have a plan to update it.

Moving on to the next one, internally and maybe externally too, which, if you're running something on Linode, you're running a Linux server on Linode: make sure when you set it up, and this is part of how you can configure your Linode account, and other services support this as well, this is not exclusive by any measure to Linode, but you want to make sure that when you're building your Linux VMs, it's best to install them and have a script or have a setup that puts your keys in there. So you're just using key authentication, or use a strong password, and the first step of setting up your Linux server should be using that strong password to log into it and then turning off password login, so it uses key login. Logging in with SSH keys is huge. We've covered this as a topic, both me and Jay, on both of our channels, all about setting up SSH keys. That is going to help you a lot, because not having an interactive logon will slow people down quite a bit, because key login is substantially harder to get past than just, you know, guessing passwords. And if you want to do an interesting experiment, set up any server on the internet at a random IP address that you get assigned from your provider, such as Linode, and see how many brute-force attacks come when you don't have that turned on. You'll see it just kind of go through, and systems, usually automated ones, are just poking away at it, filling up logs, and yeah, it's kind of interesting to see. CrowdSec is kind of a fun way to play around with that as well. There's other tools like Fail2Ban, which can, you know, create lists and ban people from trying it. But honestly, limit your exposure on there.

Next is, if you want to limit the attack surface even further, you can filter it, maybe for just your IP address, if it's a cloud server that you're logging into, so not just anyone can log in. If you have a dynamic IP, something not everyone thinks about, but unless you're changing internet providers, your dynamic IP range from your internet provider has a limited scope. Now you can limit the scope to just your ISP's DHCP range that they're handing out, so you can kind of look and see, all right, they're handing me this range. Now that would limit the attack on your online server to someone within the network. Let's say your provider is Comcast and you use Comcast's DHCP block that they assign to home users. Yeah, that's still a bigger-than-one-person attack surface, but something to consider out there is that you can filter it for that. But of course, there's also ways you can build around a dynamic IP, so you can say, all right, my IP is changing, here's the reverse DNS I'm going to set up for myself, and those are other ways to secure it. But basically, even internal servers: all use keys, password authentication turned off. It'll just make your life a lot better in case anyone's in your network and gets, you know, to that point of lateral movement. Obviously, if they get your computer where the keys are, that's a different problem, and the way you would want to mitigate that is make sure your SSH keys have a password on them as well. So to use your SSH keys... it's really nice, and it's easy. If you've already created your keys and you want to add a password later, you can do this. You can add a password to use your keys; that way, if you SSH to something, before your system will present the keys to the server you're logging into, it'll prompt you for a password. I believe me and Jay talked about that on our podcast with SSH; we both talked about it individually, talking about managing SSH keys and having passwords on them. Definitely a good way to do it.

Now, kind of related, I'll just give this a quick mention: running everything as root, probably not the best idea.
So that way there's one more way They have to pivot you want to log into the user and then pivot to root in a system Or you sudo where you got to put in our password in that's not a bad way to do it That way if someone does get the keys, there's one more escalation that has to be done If you're running linux on your desktop, you're probably not running things as root linux by default Or I should say a bunch to in pop o s my to go to desktop versions of linux You're not going to be running everything you have to sudo into things which is great as a little bit extra layer You can do this with windows, but obviously I don't think many homelab people do Because running windows not as administrator and elevating your privilege every time you get install software might get tedious If you're using it for games and things like that, but you can you can do that if you're looking for the extra layer security from local management Now next let's talk a little bit more about the network segmentation. I mentioned it for things like well camera networks, but also if you have family that Oh, I don't know a kid who might load kali linux and poke at things that dad might be doing You probably want to put them on a separate network You probably want to put your iot devices on a separate network now the likelihood Is just because iot devices can be hacked The likelihood of them being hacked isn't always as high unless they're publicly exposed So the chromecast that you're saying well that google company. I don't trust them I got to put my chromecast on a special iot network So someone doesn't hack my chromecast and it use it as a pivot point to get in my network That's statistically not super likely but hey go ahead and put those all on a separate network And by the way, if you don't trust your chromecast don't trust your phone either because I do consider the phone an iot device People always ask about this go in time. 
How do you have control? Because I do like Chromecast, I have several. How do you control your Chromecast with your phone? I'm like, really easy: they're on the same network, because why wouldn't they be? The phone, to some extent, is built by the same company; my phone's a Google phone, so it's built by the same company. But insert, if you use an Apple phone, you have a similar problem: if you're using Apple TV and you're going, I don't trust that Apple TV, it's an IoT device, with the Apple devices that are on that network, well, do you trust your Apple phone in the same way? Doesn't it belong on there as well? And that generally solves some of those problems. Other tools, or other devices I should say, such as Sonos, a popular one people try to stick on a separate VLAN by itself: honestly, Sonos, if you want to control it from your phone and use the app, works best if it's on the same network as your phone. It just solves the headache. Now let's get over to the important part: non-homelab things you may want to isolate, but more, what should I say, more homelab-related things, as in your server networks. So your server networks, and if you're running some different hosted services, maybe you have those that you want segmented out from your general users, because most of us homelab people, unless you're living at home by yourself, have a few other users on there. Just keeping all the users separate into different areas will help you immensely for troubleshooting reasons and generally for security reasons. Just create the rules so the servers can talk to the servers that need to, or if you want to get really fun with it, there's plenty of RFC 1918 to go around: subdivide your servers out into even smaller networks, so each one is on its own network and you can't laterally move between any of them. And that's just another way to think about it.
So yeah, it's all these little things like that that you want to make sure are segmented, so there's not this option for lateral movement. But the biggest thing is, go back to: don't leave SSH keys or things easily accessible across the networks, and then segmentation is a nice mitigation. But, you know, that lateral movement will also get thwarted by people trying to move laterally where they can't, because there's nothing to move into even though the servers are on the same network, because you've locked them down so well. So a couple of different perspectives on it, but it's not bad to segment your networks out and put all the IoT stuff, though the IoT stuff at least I think all of us will agree on, somewhere else, and it's well to agree that your phone is an IoT device too. Unattended upgrades for unintended consequences: I've talked about this with Linux servers, using the unattended-upgrades option, which will just automatically keep patching things. I've got a video on this; I think Jay and I have mentioned it numerous times throughout the podcast. Having a plan to patch, and using that plan to keep things patched: that is a huge problem everywhere, not just homelab. Homelab is just a small version of what enterprise people have a massive, difficult problem with. If you check out the latest warnings from CISA, you'll see a warning for stuff that's like five years old that's being actively exploited. Like, we're seeing a mass exploit of this five-year-old problem. Yes, pretty much; that's because people don't patch in the enterprise world, and it kind of is a reflection of that that a lot of people don't patch in the homelab world too. Have a plan to keep everything up to date. The problem is people get things working, and that's where they stop. They don't stop when they're secure. They stop when they work.
This is actually a problem persistent among humans, because this is how a lot of coding goes: people don't keep writing code until it's good, they keep writing code until it works. Now, the really good programmers keep going further, but a lot of people stop at, hey, it works, and the last time I updated it, it all broke. Yeah, so they get afraid to update things. Please keep things up to date. The number of people we find, and, you know, we do a lot of consulting, so we see people all the time that are versions and versions behind, and the further behind you get, the harder it can be to update, because of so many different changes. So trying to keep those updates and having a plan to do them is massive for your security overall, especially the firewall things that are public-facing, which are a huge problem. Back to the CISA report: D-Link was in the list of things being actively exploited, and oh no, not a new flaw in D-Link; we're talking like a seven- or eight-year-old flaw. That's because these are part of big botnets now. It's just a big headache. Now here comes the fun one, and we covered this in episode 42, which is Security Onion. Now, this is where I want to make sure people are very clear: Security Onion is for monitoring and learning, but not action. The action is you. So Security Onion is really probably the best open source SIEM tool out there. It's the most in-depth, complete system you can load that I'm aware of that has like every tool all built in for dissecting all of your network traffic: collecting it, processing it, dissecting it. Doug Burks and the Security Onion team have just done an amazing job on this tool, and I'm probably going to do some videos on it.
I mean, it's been a long time; to do this, to really dive into Security Onion, I've been using it, but it's just making the video, because there's so much to it. It's a lot. It's going to be a really long video, which makes it a little bit harder to figure out what all needs to be in it. But boy, is it a great learning tool to understand all things cybersecurity: how traffic flows work, what you can and can't see, how to reverse things out. It's just absolutely one of the greatest open source tools out there, completely free, that you can use to do an amazing amount of intelligence. Now, the way it works, though, is it's going to work best through a port tap, so you're going to mirror all of your internal network data to it. But that's it: it does not actively, if it finds a threat, if it sees something, or if you're looking for something and looking for alerts, it's not going to give you any tools that say stop this threat from acting. This is completely a passive listening and analysis tool, and investigative tool; well, investigative tools, I should say, there are so many tools built into there. It's got a nice web UI. I think it's really great because you get a better understanding out of there. You can also get a nice panic attack by looking at all the data that goes through and seeing all the false alarms and going, okay, that's a lot. It's one of those things where, back to the first thing of people thinking they're targeted a lot because they're running a homelab: no, there's just that much noise on the internet targeting things, and you didn't know until you started looking at it. So Security Onion is absolutely great. Oh, can Security Onion run on a Raspberry Pi? This is probably a good thing to talk about here. Security Onion cannot run on a Raspberry Pi.
Well, not that I'm aware of; it cannot. The system requirements for Security Onion are pretty heavy, and they scale with the speed of your network: the faster your network, the more processing power you need with Security Onion, or it just won't work. So, I mean, I don't remember how many gigs of RAM; they have the specs for the latest version of Security Onion on their site when you download it. But it really should run on bare metal, and you should have a very fast machine to run it. So yeah, it is not something that is lightweight. The problem with SIEM tools, and why SIEM tools are challenging, is the processing power needed to examine all the traffic, process it, parse it, put it into buckets and analyze it. It's just intensive; the nature of that is a non-trivial thing to do, so it's going to need a lot of horsepower to really process it well and to get any good experience out of it. Now, kind of related to that is Graylog. This is another tool I like, and you can do a certain amount of similar things to Security Onion, not as in-depth on the security side, but you can do some security monitoring. I do a lot of security monitoring with Graylog. Graylog is great for setting up alerts and notices for everything you do on your homelab network. I've been meaning to do a video on how to do alerts in Graylog. But, you know, even from people logging into anything, SSH logins, any of that stuff, I have all my data sent to my security...
I'm sorry, my Graylog, for security reasons. So that way I can not only reverse what happened, you can kind of look through the logs of what got there, and you can dump all your pfSense logs right to Graylog as well. By dumping all my pfSense logs there, I then can quickly parse through them, especially all the firewall logs, if you're trying to reverse out what happened. Graylog is really great. It's a little bit more actionable because it can alert you. Now, it does not take action and block an IP address, but it can say, hey, I found this information when there was a certain IP address. We were discussing this with some security friends, and there was an IP address, a list of them, recently found on a topic; well, recently at the time, this was a few months back. And if I wanted to know if my systems had ever reached out to those IP addresses because of some projects, well, yeah, I just put those IP addresses in there and I can go through the history. I keep several months of logs for every IP address every system ever touched and what those firewall rules were, and I can look to see if that IP showed up in that list I have of any machines I have and where they talked to. That's actually a really cool way to do it with Graylog. But obviously that takes a lot of storage, but hey, it's a good use for a lot of storage when you want to be able to track everything down. And I've got a whole video on Graylog. It's a great service. Now, IPS, intrusion prevention systems.
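The firewall-log sweep described above, as an added example that is not from the show: it reads pfSense filterlog lines the way they would arrive in Graylog and reports every internal host that talked to an address on a watchlist. The filterlog field positions, the sample lines and the watchlist are my assumptions and constructed values (RFC 5737 documentation addresses), not data from the episode.

```python
"""Added example (not from the show): sweep pfSense firewall logs, as they would be
exported to Graylog, for any contact between internal hosts and a watchlist of IPs.

Assumptions (not taken from the episode): lines are syslog-style with the pfSense
filterlog CSV payload in its IPv4 layout (interface, action, direction at fields
4/6/7, source/destination at 18/19, ports at 20/21); the log lines and the watchlist
are constructed here and use RFC 5737 documentation addresses.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: one outbound hit, one DNS lookup that is not on the list,
# one unrelated DHCP line (non-filterlog records must be ignored), one blocked
# inbound probe from a listed address, and a second outbound hit from another host.
SAMPLE_LOG = """\
Oct  3 10:01:22 fw filterlog[12345]: 5,,,1000000103,igb0,match,pass,out,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.10.20,203.0.113.7,51515,443,0,S,123456,,64240,,mss
Oct  3 10:02:10 fw filterlog[12345]: 5,,,1000000103,igb0,match,pass,out,4,0x0,,64,1235,0,DF,17,udp,78,192.168.10.20,192.0.2.53,49000,53,58
Oct  3 10:02:40 fw dhcpd[999]: DHCPACK on 192.168.10.20 to 00:11:22:33:44:55 via igb1
Oct  3 10:03:48 fw filterlog[12345]: 9,,,1000000112,igb1,match,block,in,4,0x0,,53,0,0,none,6,tcp,40,198.51.100.99,192.168.20.5,40000,22,0,S,1,,1024,,
Oct  3 10:04:01 fw filterlog[12345]: 5,,,1000000103,igb0,match,pass,out,4,0x0,,64,1236,0,DF,6,tcp,60,192.168.20.5,203.0.113.7,51520,8443,0,S,2,,64240,,mss
"""

# Constructed watchlist: placeholder indicators, not real IOCs.
WATCHLIST = {"203.0.113.7", "198.51.100.99"}

# The RFC 1918 ranges the episode mentions; only these count as "my machines".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True when addr (an ipaddress object) falls inside an RFC 1918 range."""
    return any(addr in net for net in RFC1918)


def parse_filterlog(line):
    """Return the fields this sweep needs from an IPv4 filterlog line, else None."""
    if "filterlog[" not in line:
        return None
    _, _, payload = line.partition("]: ")
    f = payload.split(",")
    if len(f) < 20 or f[8] != "4":        # IPv6 lines use a different layout; skip them
        return None
    has_ports = f[16] in ("tcp", "udp") and len(f) > 21
    return {
        "ts": line[:15],                  # syslog timestamp prefix
        "iface": f[4], "action": f[6], "direction": f[7], "proto": f[16],
        "src": f[18], "dst": f[19],
        "dport": f[21] if has_ports else "",
    }


def find_watchlist_contacts(log_text, watchlist):
    """Map each internal host to every watchlist address it talked to, in either
    direction, together with the firewall's verdict for that packet."""
    watch = {ipaddress.ip_address(w) for w in watchlist}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        try:
            src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue                      # malformed address: leave it for manual review
        for local, remote in ((src, dst), (dst, src)):
            if remote in watch and is_internal(local):
                hits[str(local)].append(
                    (rec["ts"], rec["direction"], rec["action"], str(remote), rec["proto"], rec["dport"])
                )
    return dict(hits)


if __name__ == "__main__":
    for host, contacts in find_watchlist_contacts(SAMPLE_LOG, WATCHLIST).items():
        for ts, direction, action, remote, proto, dport in contacts:
            print(f"{ts} {host} {direction} {action} {proto} -> {remote}:{dport}")
```

A "pass" verdict on an outbound hit is the one worth chasing first; an inbound "block" from a listed address is the background noise the episode talks about.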
These are tools that take a more active role. The IPS or IDS, intrusion detection system or intrusion prevention system, is kind of like a switch in pfSense for Snort or Suricata. You can't run them both; you can run either one on pfSense. I'm partial to Suricata, but I recently decided to run Snort at home just because I want to see how much different it was. Both of them have pretty much the same menus and interfaces inside of pfSense, so if you know one, you can pretty much figure out the other in terms of setting them up. The difference between whether they're in IPS mode or IDS mode is: one, they'll just do alerting, or two, they will go and block threats. But do not turn them on in block-threat mode the same day you install them and start enabling rules, because you're going to have a bad time and find it blocks everything. Second, you're going to get a ton of false positives, and I've laughed because I've seen a few people that don't understand it, so it starts with the question: well, isn't there some company that'll just monitor all this and everything else, or why doesn't the firewall just magically do it, like one of these, you know, SOC and SIEM teams do at these companies? And then they realize, and this is a great way to learn, when you start seeing how many false positives you'll find with Suricata and Snort and how you do investigations on it, you go, oh, that's what SOC and SIEM teams do: look at all these different rules, see what's tripping the rules in that network. Why is it tripping the rules? Is it really tripping the rules?
Was there something really going on? And keep examining and having to, you know, basically go through and allow or block the rules, say yeah, this block was legit, or no, for some reason it thinks this is what's happening, but I know that's not what's happening. And that investigation can be its own, you know, hair-pulling adventure that you go on, because a lot of people, as soon as they turn it on, they go, oh no, my homelab, it's got hackers in it, because look at all these alerts: it says it found this, it found a bad-reputation IP being contacted. Then you realize, oh wait, it's just got some bad information in there, and now you have to start going and allowing those rules and going, turn that rule off, that rule, you know, is falsely reporting on this. And that process will continue. Those are definitely a real problem that people run into; it makes them panic a lot when they first turn it on. But don't panic. I mean, maybe there's a reason to panic; I'm not saying there's zero reason to panic. But hey, it's something to consider and think about when you turn those on: a lot of false positives, that's just normal. Managing that is just normal as well. We occasionally find things it hates; over the years, because we run it ourselves, we get an alert, it blocks something, we don't know why it blocked it, we dig into why it blocked it, and we'll find a way to repeatably go, hey, every time I run this particular utility that reaches out to the internet, for some reason Snort or Suricata thinks it's a threat, and it's not. So kind of take it with a grain of salt.
It's definitely a fun learning experience. I do encourage people to turn it on under pfSense, or if you're using OPNsense, I believe they have Suricata built in. I haven't used it in OPNsense, but I do know what's available on there if you're using that. Next is endpoint protection. Yes, endpoint protection is a really popular topic. Now for homelab, I'm keeping this narrow to homelab, I actually think for running Windows that Microsoft Defender is great. Leave the hate down in the comments, but the Microsoft built-in tools have gotten substantially better. They are way better than they have been in the past. I'm impressed with how good Microsoft has really stepped up the game on this, and a lot of security researchers you'll find saying the same thing; they kind of say it cautiously. You'll even see some tweets out there from Kyle, who happens to run Huntress, who runs, you know, an EDR tool; I'm friends with them, and you'll see cybersecurity people talking about this going, you know, I was surprised, but Microsoft did catch this or did catch that. It's gotten a whole lot better for Windows endpoints. I think for homelab it's adequate.
I don't know, and I just don't have time to test, but it really seems to do a solid job, and it's always in those different independent labs that do the studies; it rates at the top all the time as a pretty solid tool for doing that. Now the next one's a lot more complicated. People always ask, do I need endpoint protection for Linux? And the question is better answered like this: I mean, first there's ClamAV, so I'll mention yes, something exists. But do you need it? Not exactly, and that kind of depends on where your risk is coming from. A lot of the risk for people running Linux, if you're on a desktop, your risk is obviously more likely to be the browser. But where the bigger risk comes in is supply chain attacks, and that's something that the AV may or may not even pick up on. This is why supply chain attacks are so challenging. Essentially what you're looking at is if someone compromises something upstream. Now, if you're doing something like trusting the Ubuntu repositories, the Ubuntu team is on top of security, so they're making sure that their repositories do not contain malicious files. So you're pulling your data from this source and you're installing it from that source, so you should be fine to trust those. It's when you start adding all the different third-party random...
Hey, look, this person has a project, all I gotta do is add the repositories. Now you've opened up your threat surface by having these third-party projects in there. That's a big place where supply chain attacks have been happening: people compromise something that people use that's popular, or there's a project you've been loading off of GitHub for a while. When you start pulling in third-party code, there's not necessarily an AV system that would even catch that. You'd have to kind of look and see if new connections have gone on there. And of course this all depends, because you're not dealing often with compiled things; if you're dealing with Python, you're just grabbing some extra scripts. Is this script doing something to send some data somewhere else? Did someone insert something in there? This is where you really have to be careful when you're pulling things. This goes back to, and this has come up before, type in or look for security researchers looking for malicious Docker packages, because, man, people, and Jay and I beat up on this quite a bit here, people will just grab any URL that says here's a Docker image to deploy this service, because building the service is like this 58-step process, but Docker, hey look, docker compose and boom, it works. But who put that Docker image together? Did someone put something in there that they shouldn't have? This is a challenge if you're not getting something that's vetted by the people that produce and maintain it, such as Bitwarden, which has delivery via Docker for the self-hosted version to maintain the server. You get it right from Bitwarden, so you can trust it; it's Bitwarden verifying it. So that's great. But if you're saying, no, I want to use this other third-party instance of things, now... UniFi is an example of this. People ask, why doesn't Tom just run UniFi in Docker? Why don't you just run UniFi in Docker? And I'm like, well, who's the person maintaining it? Is that individual trustworthy? Do you know them?
I don't know them. And if you don't, then now you kind of have the trust problem of, do you trust the person that's maintaining that Docker image for something that you may rely on? Are they doing something nefarious? This is where you're going to run into more problems now, and even more in the future. I don't see a solution to this problem right now; I see the problem getting bigger, not smaller. So you really have to consider the source for anything you're setting up. Now, if you are looking for a complex project that I haven't dived into in a while: it was complicated the last time I set it up. It's a pretty cool project, but I'm going to say, the last time I set it up, it was probably a lot more challenging, and that is Wazuh, W-A-Z-U-H. Now they've really been doing a lot of work to make it better, but Wazuh is an endpoint tool. It was part of OSSEC and it was forked to make it a little easier, because I first started using OSSEC, and OSSEC, I would definitely say, started Wazuh; Wazuh makes it a little bit easier. But Wazuh is really an interesting tool. It's an open source endpoint detection and response tool, so EDR, as they refer to it. And it does a good job, and it's got a lot of hooks into Linux to look for things that look unusual. Now, the problems we ran into on occasion with Wazuh: we found, when we were running Wazuh, it took a lot of tuning to get it working on some of our servers that ran databases like MySQL. It turns out certain things users did, like when they ran reports, and the way they queried the database using the report through the web interface of a tool we have, Wazuh flagged it and it would stop that and block that process from running. So sometimes it can get a little too aggressive.
So that's one of the reasons I had to turn a lot of it off to get it working properly. But I know that there's been a lot of work going into Wazuh recently, so I do want to give it another go pretty soon to examine it as a security tool, because I think it's pretty cool. I think where they're going with it is awesome; I'm just hoping they make it a little bit easier to use. But, you know, it gives you some Linux-level coverage, and it has a Windows component as well, and has central management options to, you know, put it together. So definitely one worth checking out, and it would probably make a fun homelab project. But that is the end of my list here. I'll spend a couple of minutes to see if there are any questions that pop up in here that I can help people with. One of them right away, I see people asking: any tips for tuning Suricata, getting so many false positives? Yeah, don't turn on all the rules. And that's what people do in SOC and SIEM places. Yeah, you go through a lot of these; this is what, I have a few friends that work in that, one of them I'm trying to get on, he doesn't want to be on camera, but I mentioned before maybe he should. You know, I don't care, we can anonymize, because he can't say where he works, but he works for a very large company doing security response. And, you know, the reality of doing it at a company that manages like 200,000 endpoints that he's responsible for, and dealing with all the security incidents and things that are going on with 200,000 endpoints: boy, there's a lot of false positives in there, and that's just that the problem scales. This is why there can be limited utility in using Snort and Suricata: it's understanding, you know, false positives and getting too much noise. Lots of noise is definitely a problem. You know, probably worth mentioning in here, I have a video on this: you can set up some honeypots.
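One way to work the false-positive triage the IDS section and the Suricata tuning question both describe, as an added example that is not from the show: rank Suricata alerts by signature, and only propose a scoped suppression for a low-priority rule that keeps firing from one internal host (the "utility that reaches out to the internet" case), never for a high-severity hit. The EVE JSON field names and the threshold.config suppress syntax are Suricata's; the records, signature ids and addresses are constructed here and are my assumptions, not data from the episode.

```python
"""Added example (not from the show): triage Suricata alerts by signature so the
noisiest rules get reviewed, and only repeat low-priority hits from a single
internal host are proposed for suppression; never a blanket "turn it off".

Assumptions (not from the episode): alerts are Suricata EVE JSON lines with
event_type "alert" and an "alert" object holding signature_id, signature,
category and severity (1 = high, 3 = low); the records and signature ids below
are constructed with RFC 5737 addresses; the output lines follow Suricata's
threshold.config "suppress gen_id 1, sig_id N, track by_src, ip ADDR" syntax.
"""
import ipaddress
import json
from collections import Counter, defaultdict


def _alert(sid, sig, category, severity, src, dst):
    """Build one constructed EVE alert record."""
    return {"event_type": "alert", "src_ip": src, "dest_ip": dst,
            "alert": {"signature_id": sid, "signature": sig,
                      "category": category, "severity": severity}}


# Constructed sample: one chatty policy rule tripped 40 times by one internal host,
# a few probes from outside, one high-severity hit, and a non-alert flow record.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in (
    [_alert(9000001, "CONSTRUCTED POLICY Update-check User-Agent", "Potentially Bad Traffic",
            3, "192.168.10.20", "203.0.113.10")] * 40
    + [_alert(9000002, "CONSTRUCTED SCAN SSH brute force attempt",
              "Attempted Administrator Privilege Gain", 2, "198.51.100.99", "192.168.20.5")] * 3
    + [_alert(9000003, "CONSTRUCTED MALWARE Beacon check-in",
              "A Network Trojan was detected", 1, "192.168.20.5", "203.0.113.77")]
    + [{"event_type": "flow", "src_ip": "192.168.10.20", "dest_ip": "192.0.2.53"}]
))

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_alerts(eve_text):
    """Keep only alert events; ignore flow, dns, http and other EVE record types."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def noisiest_signatures(alerts, top=5):
    """Rank signatures by hit count: (sig_id, name, hits, distinct sources, severity)."""
    hits, sources, meta = Counter(), defaultdict(set), {}
    for a in alerts:
        sid = a["alert"]["signature_id"]
        hits[sid] += 1
        sources[sid].add(a["src_ip"])
        meta[sid] = (a["alert"]["signature"], a["alert"]["severity"])
    return [(sid, meta[sid][0], n, len(sources[sid]), meta[sid][1])
            for sid, n in hits.most_common(top)]


def suppression_candidates(alerts, min_hits=20, lowest_priority=3):
    """Propose (sig_id, source_ip, hits) only where a low-priority rule fired at least
    min_hits times from one RFC 1918 host. Severity-1 alerts and anything sourced
    from outside are never proposed, however often they fire: those need a human."""
    per_pair, severity = Counter(), {}
    for a in alerts:
        sid = a["alert"]["signature_id"]
        per_pair[(sid, a["src_ip"])] += 1
        severity[sid] = a["alert"]["severity"]
    out = []
    for (sid, src), n in per_pair.items():
        internal = any(ipaddress.ip_address(src) in net for net in RFC1918)
        if n >= min_hits and severity[sid] >= lowest_priority and internal:
            out.append((sid, src, n))
    return out


def threshold_config_lines(candidates):
    """Render suppress entries scoped to the one source, so the rule still fires
    for every other host on the network."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}" for sid, src, _ in candidates]


if __name__ == "__main__":
    found = load_alerts(SAMPLE_EVE)
    for row in noisiest_signatures(found):
        print("sig %d  hits=%d  sources=%d  severity=%d  %s" % (row[0], row[2], row[3], row[4], row[1]))
    print("\n".join(threshold_config_lines(suppression_candidates(found))))
```

The proposed lines are a review queue, not something to apply blindly: confirm what the internal host was actually doing before the entry goes into threshold.config.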
There's a free honeypot you can get from the Canary Tokens people. They have some free canary tokens you can set up and play with. I've done a video; if you look on my channel for Canary tools, you'll find how to use the free versions of it, which are great for homelab. There's also a project linked in that video where I talk about how to set up a honeypot so people can find it. And if someone trips your honeypot, because homelab is usually, you know, you building your homelab, and if you have a honeypot mixed in with your servers, you know when someone's on there when your honeypot gets tripped, because it should only be you tripping your honeypot. If you didn't accidentally log into the honeypot and trip it, well, then you have a problem. And that is nice, because those are what they refer to as high-fidelity, you know, signal-to-noise ratio: if the honeypot goes off, that's a time to panic. It's not like a false positive from Suricata, because the honeypot is someone trying to actionably do something, and that is definitely a reason for concern, versus a bunch of noise in an intrusion detection system that is constantly flagging all the time on something. So there's not any easy one on there. So, someone says: package poisoning is a huge concern for corporate; we run our own mirrors for npm and such internally. What sort of things can we do at home? You have to look at the projects themselves and decide: are they trustworthy, are enough people looking at those projects that you run? And I'm sketchy on, you know, just loading anything when I see it on there. So it's just like, yeah, if I see something in the projects and it's just... Do I want to compile it and put it on a guest network? Sure. Do I want to compile it and put it on my network? I don't know, you know, especially if it's a small new project. I worry a lot about what those are.
So there's not, I don't know any easy one when you're pulling a lot of code from a lot of places. The supply chain needs to get better. I know lots of people are working hard on this; Google's working hard on this. That whole supply chain confusion attack, I talked about it on my channel as well; that is a wild attack, for people even running their own repositories, of how this guy hacked everyone from Google to PayPal. Good news is we've made some inroads in getting better as a supply chain. There's not a ton you can do as a homelab user other than be very suspicious of changes and updates that come through when you're using some weird independent project. If you're using a really popular project, yeah, I don't think there's as much of an issue, because there are many more eyes on the popular projects. But before you just load some random, hey, this person has the latest version of UniFi in Docker: who is this person? Do I trust their thing? That's probably where you're more likely to find a threat. As a matter of fact, if a threat actor is looking for a way to get things done, they would probably just package popular things amongst homelab people. Hey, here's my whole instant Docker setup of how to torrent videos, or whatever they may have. It's a great way to get inside. But I don't think there are a lot of threat actors putting those together, because homelab users are less the target, because, well, they are. Sorry. All right, any more questions here before we wind this one down? It was much appreciated. We had 95 people here today at the live show. Awesome. So Jay should be back next week. This was a fun episode for sure. I was happy I made it; I wasn't sure how long it would take me to run through all that list there, but thank you all for joining me. Someone said, don't give threat actors an idea. Threat actors don't need help finding ideas.
They chase money. That's the important thing: they're chasing the money. If homelabbers have more money, then they'll probably start going after them. The reality is, I already know, based on the popularity of the question of what's the best budget homelab, which is some of the most popular videos, homelab people have not become the source of revenue. There are still bigger fish for them to chase, for the most part. So, nonetheless, I don't... Secure your network. Links are down below in the description to things I talk about. Check out that Darknet Diaries episode; that's definitely a lot of fun to listen to, talking about someone's homelab. That's episode 86, and it's really how a homelab pivoted into being the entire compromise of all the LinkedIn data, just if you want to know, you know, how far it can go when you're a high-value target. That's definitely a big piece of it. So thanks, everyone, for joining, and I'll see you next week.