Elvith Ma'for

Former Reddfugee, found a new home on feddit.de. Server errors made me switch to discuss.tchncs.de. Now finally @ home on feddit.org.

Likes music, tech, programming, board games and video games. Oh… and coffee, lots of coffee!

I � Unicode!

  • 0 Posts
  • 45 Comments
Joined 10 months ago
cake
Cake day: June 21st, 2024

help-circle



  • If done correctly, those may only be open from the internet, but not from the local network. While SSH may only be available from your local network - or maybe only by the fixed IP of your PC. Other services may only be reachable, when coming from the correct VLAN (assuming you did segment your home network). Maybe your server can only access the internet, but not to the home network, so that an attacker has a harder time spreading into your home network (note: that’s only really meaningful, if it’s not a software firewall on that same server…)


  • Instead of thinking with layers, you should use think of Swiss cheese. Each slice of cheese has some holes - think of weaknesses in the defense (or intentional holes as you need a way to connect to the target legitimately). Putting several slices back to back (in random order and orientation) means that the way to penetrate all layers is not a simple straight way, but that you need to work around each layer.





    • Daily incremental (and occasionally full) backup to an external HDD - a full image of my PCs, so that I should be able to restore anything back to what it was in the last ~14 days, assuming no ransomware or fire or…
    • All the data I care about gets synced to my Nextcloud (VPS, not home lab) - somewhat ransomware protected as I could restore VPS backups independently from my PC.
    • Most precious data (mostly photos) gets backed up regularly to an encrypted zip file and then gets send to a glacier tier S3 bucket. Some manual retention is done on the zip file level, so that I can get a tad older backup restored.
    • At least monthly a full backup image of my PCs is created on a separate external HDD which is not stored at home, but in a place I could access 24/7 if I really needed to restore something fast.

    Phones, etc? Just sync to the mentioned Nextcloud, PC downloads from there and everything gets then into the aforementioned backups.

    Homeserver? See “PC” above. With the caveat that some VMs/containers are not in the backup cycle, as they do not store any valuable data besides temp files, etc. For these, only things like docker compose files, custom config, ansible playbooks,… are in my backup.












  • I really like them but they do have two downsides for “more advanced” users (or at least for me) - it is a home device as after all.

    1. No support for VLAN or VLAN tagging - you can set up you WiFi and a guest WiFi. You can also map the guest network to an Ethernet port. But that’s about it.
    2. There is no way to change the DNS suffix (*. fritz.box) to another value - I do own a domain that I use for the local services on my home server, etc. which then allows for Let’s Encrypt certificates, but I cannot use it “out of the box”.

    If you’re an advanced user, there’s plenty of ways around that, though. I just wished that these two thing were to exist in the firmware to have less work with my home infrastructure.