Security Guidelines

Overview

This document outlines the security policies, best practices, and procedures implemented in the homelab environment.

Security Principles

Core Principles

Defense in Depth: Multiple layers of security controls
Least Privilege: Minimum necessary access rights
Zero Trust: Verify explicitly, never assume trust
Security by Design: Security considered from the start
Continuous Monitoring: Constant vigilance and alerting

Network Security

Firewall Configuration

pfSense/OPNsense Firewall

Stateful packet inspection
Default deny policy
Explicit allow rules only
Geo-blocking for high-risk countries
Rate limiting and DDoS protection

Example Firewall Rules

# Management VLAN access to servers
allow tcp from 192.168.1.0/24 to 192.168.10.0/24 port 22,443 stateful

# Block IoT devices from LAN
block from 192.168.20.0/24 to 192.168.0.0/16

# Allow specific IoT cloud services
allow from 192.168.20.0/24 to any port 443 stateful log

Network Segmentation

VLAN	Security Level	Access Controls
Management	High	Admin only, MFA required
Servers	High	Service-based ACLs
IoT	Low	Isolated, outbound only
Guest	Minimal	Internet only, no LAN
Lab	Medium	Testing, isolated from production

VPN Security

WireGuard Configuration

Modern cryptography (Curve25519, ChaCha20)
Per-device keys
Split-tunnel for home access
Kill-switch enabled
Regular key rotation

Access Control

Authentication

Multi-Factor Authentication (MFA)

Required for all administrative access
TOTP (Time-based One-Time Password)
Hardware keys (YubiKey) for critical systems
Backup codes securely stored

Password Policy

Minimum 16 characters for admin accounts
Complexity requirements enforced
Password manager recommended (Vaultwarden)
No password reuse across services
Regular password rotation (90 days for admin)

Authorization

Role-Based Access Control (RBAC)

Roles:
- Administrator: Full system access
- Operator: Day-to-day operations, no security changes
- Developer: Development environments only
- ReadOnly: Monitoring and reporting
- Guest: Limited internet access

Principle of Least Privilege

Service accounts with minimal permissions
Just-in-time access for elevated privileges
Regular access reviews
Automatic revocation of unused accounts

SSH Security

SSH Hardening

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin-user
Port 22022  # Non-standard port
Protocol 2

Key Management

ED25519 keys preferred
Keys encrypted with passphrase
SSH keys rotated annually
Separate keys per device

System Security

Operating System Hardening

Linux Systems

Minimal installation (no unnecessary packages)
Regular security updates (unattended-upgrades)
SELinux/AppArmor enabled
File system encryption where applicable
Secure boot enabled

Update Management

# Automated security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Update schedule
Daily:   Security updates
Weekly:  Package updates
Monthly: Kernel updates (with reboot)

Container Security

Docker Security

Run containers as non-root user
Read-only root filesystem where possible
Drop unnecessary capabilities
Use official or verified images only
Regular image scanning for vulnerabilities

# Example secure docker-compose.yml
services:
  app:
    image: app:latest
    user: "1000:1000"
    read_only: true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    security_opt:
      - no-new-privileges:true

Kubernetes Security

Network policies enforced
Pod Security Standards (restricted)
RBAC for all service accounts
Secrets encrypted at rest
Regular security audits

Data Security

Encryption

Data at Rest

Full disk encryption (LUKS)
Encrypted ZFS pools
Database encryption enabled
Backup encryption (AES-256)

Data in Transit

TLS 1.3 for all web services
Strong cipher suites only
HSTS enabled
Certificate pinning where applicable

Secrets Management

Vault/Secret Management

Centralized secrets storage
Encrypted at rest and in transit
Automatic secret rotation
Audit logging of access
No secrets in git repositories

# Example: Using environment variables
# Never commit .env files
source /secure/path/.env

Backup Security

Backups encrypted before storage
Off-site backups in secure locations
Access logs for all restore operations
Regular restore testing
Immutable backup copies (ransomware protection)

Monitoring and Logging

Security Monitoring

Intrusion Detection/Prevention

Suricata IDS/IPS deployed
Signature-based and anomaly detection
Real-time alerting
Automatic blocking of threats

Log Management

Centralized logging (Loki/Elasticsearch)
Log retention: 90 days online, 1 year archive
Log integrity verification
Tamper-proof log storage

Security Events Monitored

Failed authentication attempts
Privilege escalation
Unusual network traffic
File integrity changes
Service anomalies
Resource exhaustion

Alerting

Alert Categories

Critical: Immediate action required (active breach)
High: Security incident (investigate within 1 hour)
Medium: Suspicious activity (review within 24 hours)
Low: Informational (weekly review)

Vulnerability Management

Vulnerability Scanning

Regular Scans

Weekly automated vulnerability scans
Container image scanning (Trivy/Clair)
Web application scanning (OWASP ZAP)
Network vulnerability assessment

Patch Management

Critical patches: 24 hours
High severity: 7 days
Medium severity: 30 days
Low severity: Quarterly

Security Audits

Monthly Reviews

Firewall rule review
Access control review
Certificate expiration check
Service exposure assessment

Quarterly Audits

Comprehensive security assessment
Penetration testing
Compliance verification
Policy review and updates

Incident Response

Incident Response Plan

Phase 1: Detection and Analysis

Detect security event
Determine scope and severity
Classify incident type
Activate response team

Phase 2: Containment

Isolate affected systems
Preserve evidence
Prevent lateral movement
Maintain business continuity

Phase 3: Eradication and Recovery

Remove threat from environment
Apply security patches
Restore from clean backups
Verify system integrity

Phase 4: Post-Incident

Document incident details
Conduct lessons learned
Update security controls
Communicate to stakeholders

Contact Information

Primary Contact: [Admin Email]
Backup Contact: [Secondary Email]
Emergency: [Phone Number]

Compliance and Best Practices

Standards and Frameworks

NIST Cybersecurity Framework
CIS Controls
OWASP Top 10
ISO 27001 principles

Documentation

Security policies reviewed annually
All security changes documented
Runbooks for common security tasks
Regular security training

Physical Security

Server Room Access

Locked server cabinet
Video surveillance
Access logging
Environmental monitoring (temperature, humidity)

Device Security

Full disk encryption on all devices
Automatic screen lock (5 minutes)
Lost device wipe capability
Physical security locks

Third-Party Services

Cloud Service Security

MFA enabled on all accounts
API keys rotated regularly
Least privilege IAM policies
Audit logging enabled

Vendor Management

Security review before adoption
Regular vendor security assessments
Data processing agreements
Exit strategy documented

Security Tools

Tools in Use

Firewall: pfSense/OPNsense
IDS/IPS: Suricata
Vulnerability Scanner: OpenVAS, Trivy
SIEM: Wazuh
Password Manager: Vaultwarden
Secret Management: HashiCorp Vault
Certificate Management: cert-manager

Future Security Enhancements

Implement SIEM solution
Deploy EDR on endpoints
Add honeypots for threat intelligence
Implement security automation (SOAR)
Enhance DLP capabilities
Add biometric authentication
Implement micro-segmentation

References

Document Version: 1.0 Last Updated: 2025-11 Next Review: Quarterly

Security: krakenhavoc/HomeLab

Security

docs/security.md