Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
-
AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Segment the network as much as feasible, forbid the communication between the segments via FW rules, and set an alert when those rules are triggered.
For example: your dmz should never initiate any type of communication with your lan segment, your lan segment should not try to access services outside ports 80/443, your dns should log all resolutions performed and it would be nice to have at least a black list.
None of them should have dns over tls, and for specific hosts and networks segments, new domains with very looong active but idle connections should trigger an alert.
My personal opinion is that for a homelab is not realistic to perform a dpi to check that there is not an active attack ongoing, neither from the raw processing power, either from the human effort side, your best chance is to alert when something unusual is happening and then adjust your rules of the are false positives
Thanks for your helpful answer.
Do you do all of that on a separate log sever? Or on your firewall? I haven't found a good way to do that on opnsense that doesn't feel hacky.
My setup is "simple" and all these monitoring functions are performed in my opnsense box with the telegram plugin.
Most of the alerts are pretty basic and are done into the FW level or the outbound basic logging. So opnsense with the basic tooling is just enough.
I have in my todo to connect the logging system from opnsense to a proper Prometheus/grafana system to really have proper log of several days without having an impact on the FW but I never find the time to do it (lazyness problem)