Reorganize and update docs

2025-07-31 20:18:16 +02:00
parent 50144e083e
commit e3889870e5
12 changed files with 741 additions and 475 deletions
--- a/network-security.md
+++ b/network-security.md
@@ -0,0 +1,232 @@
+# Network & Security Configuration
+
+Complete guide for securing and networking your homelab.
+
+## SSH Security Setup
+
+### Initial Configuration
+```bash
+# Generate SSH key pair
+ssh-keygen -t ed25519 -C "homelab-key" -f ~/.ssh/homelab_ed25519
+
+# Copy public key to target
+ssh-copy-id -i ~/.ssh/homelab_ed25519.pub user@target
+```
+
+### SSH Hardening
+Edit `/etc/ssh/sshd_config`:
+```
+# Disable root login
+PermitRootLogin no
+
+# Use key-based authentication only
+PasswordAuthentication no
+PubkeyAuthentication yes
+
+# Change default port (optional)
+Port 2222
+
+# Restrict users
+AllowUsers hoborg
+
+# Security settings
+Protocol 2
+X11Forwarding no
+AllowTcpForwarding no
+ClientAliveInterval 300
+ClientAliveCountMax 2
+MaxAuthTries 3
+MaxStartups 2
+```
+
+Restart SSH: `sudo systemctl restart sshd`
+
+### SSH Client Configuration
+Create `~/.ssh/config`:
+```
+Host homelab
+    HostName your-domain.duckdns.org
+    User hoborg
+    Port 2222
+    IdentityFile ~/.ssh/homelab_ed25519
+    ServerAliveInterval 60
+```
+
+## Dynamic DNS with DuckDNS
+
+### Account Setup
+1. Create account at duckdns.org
+2. Create subdomain: `ak-homelab.duckdns.org`
+3. Get token from dashboard
+
+### Automatic IP Updates
+Update script at `~/.local/scripts/duckdns.py` (Python implementation)
+
+Cron job for automatic updates:
+```bash
+# Update every 5 minutes
+*/5 * * * * /home/hoborg/.local/scripts/duckdns.py >/dev/null 2>&1
+```
+
+### Testing
+```bash
+# Check current IP
+curl -s https://ipinfo.io/ip
+
+# Verify DNS resolution
+nslookup ak-homelab.duckdns.org
+```
+
+## VPN Setup with WireGuard
+
+### Server Configuration
+Install WireGuard: `pacman -S wireguard-tools`
+
+Generate keys:
+```bash
+wg genkey | tee server_private.key | wg pubkey > server_public.key
+```
+
+Server config `/etc/wireguard/wg0.conf`:
+```ini
+[Interface]
+PrivateKey = <SERVER_PRIVATE_KEY>
+Address = 10.0.0.1/24
+ListenPort = 51820
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = <CLIENT_PUBLIC_KEY>
+AllowedIPs = 10.0.0.2/32
+```
+
+### Client Configuration
+Generate client keys:
+```bash
+wg genkey | tee client_private.key | wg pubkey > client_public.key
+```
+
+Client config:
+```ini
+[Interface]
+PrivateKey = <CLIENT_PRIVATE_KEY>
+Address = 10.0.0.2/24
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = <SERVER_PUBLIC_KEY>
+Endpoint = ak-homelab.duckdns.org:51820
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 25
+```
+
+### Enable VPN
+```bash
+sudo systemctl enable wg-quick@wg0
+sudo systemctl start wg-quick@wg0
+```
+
+## Firewall Configuration
+
+### UFW Setup
+```bash
+# Install and enable UFW
+pacman -S ufw
+sudo ufw enable
+
+# Default policies
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+
+# SSH access
+sudo ufw allow 2222/tcp
+
+# WireGuard
+sudo ufw allow 51820/udp
+
+# HTTP/HTTPS for services
+sudo ufw allow 80/tcp
+sudo ufw allow 443/tcp
+```
+
+### Advanced Rules
+```bash
+# Rate limiting for SSH
+sudo ufw limit 2222/tcp
+
+# Allow from specific networks
+sudo ufw allow from 192.168.1.0/24 to any port 22
+
+# Log denied connections
+sudo ufw logging on
+```
+
+## Network Security Best Practices
+
+### Port Management
+- **Change default ports**: SSH (2222), WireGuard (51820)
+- **Close unused ports**: Regular port scans with nmap
+- **Port forwarding**: Only forward necessary ports
+
+### Access Control
+- **VPN-first approach**: Access services through VPN tunnel
+- **IP whitelisting**: Restrict access to known IPs when possible
+- **Rate limiting**: Prevent brute force attacks
+
+### Monitoring
+- **Log analysis**: Monitor `/var/log/auth.log` for SSH attempts
+- **Network monitoring**: Use netstat/ss to check listening ports
+- **Intrusion detection**: Consider fail2ban for automated blocking
+
+## Router Configuration
+
+### Port Forwarding
+Forward these ports to your homelab server:
+- SSH: External port → Internal 2222
+- WireGuard: 51820 → 51820
+- Web services: 80/443 → 80/443 (if needed)
+
+### Security Settings
+- **Disable WPS**: Turn off WiFi Protected Setup
+- **Strong WiFi password**: WPA3 with complex passphrase
+- **Guest network**: Separate network for guests
+- **Firmware updates**: Keep router firmware current
+
+## Network Planning
+
+### IP Address Scheme
+- **Router**: 192.168.1.1
+- **Homelab server**: 192.168.1.100 (static)
+- **DHCP range**: 192.168.1.10-99
+- **VPN subnet**: 10.0.0.0/24
+
+### DNS Configuration
+- **Primary DNS**: Router (192.168.1.1)
+- **Secondary DNS**: 1.1.1.1, 8.8.8.8
+- **Local domain**: homelab.local
+- **Dynamic DNS**: ak-homelab.duckdns.org
+
+### Service Architecture
+```
+Internet → Router → Homelab Server
+                 ↓
+    ┌─────────────────────────────┐
+    │  SSH (2222)                 │
+    │  WireGuard VPN (51820)      │
+    │  Web Services (80/443)      │
+    │  Monitoring & Logging       │
+    └─────────────────────────────┘
+```
+
+## Backup and Recovery
+
+### Configuration Backups
+- **SSH keys**: Store securely, separate from server
+- **WireGuard configs**: Document peer configurations
+- **Firewall rules**: Export UFW rules with `ufw status numbered`
+
+### Network Documentation
+- **IP mappings**: Document static assignments
+- **Port forwards**: List all forwarded ports and purposes
+- **Access credentials**: Secure storage of passwords/keys