Best security for a home network?

Is this a security question or an online privacy concern?

Microsoft collects metrics on what you do, so does your web browser and most other things (internal privacy threats). A firewall may help, if it knows the telematics. So, an NGFW with constant updates of these sources can help from that perspective. Otherwise, your Windows firewall will generally protect you from external threats.

This is a loaded topic to cover.

I’d be curious about your thoughts too… I don’t have a good concise TLDR but I’ll try and break it into half-readable paragraphs. Everything has pros and cons, and it’s a big balancing act because more secure usually means less plug-and-play.

I don’t know if it’s “impressive”, but I’ve done a lot to try and just limit attack surfaces. I’ve got a whitebox PC running router software (there are many… pfSense, OPNsense, etc.) and a used enterprise L2 managed switch, with enterprise-grade access points that also support VLANs and multiple SSIDs and PoE from the switches.

VLANs… if stuff doesn’t require internet, it can’t access the internet at all. My cameras for example are isolated and only the DVR/NVR server is allowed one-way access into them; they can’t access back out. Similarly, VLANs for guest access like work PCs that have no business being able to talk to my personal NAS.

Along similar lines… be choosy about what stuff you get. Does your vacuum cleaner REALLY need to be internet connected? Or your TV: just because it can, do you actually need to connect it vs. using it as a big monitor? Is there another alternative product with local control? I much prefer Z-Wave smart switches/thermostats/sensors, or Zigbee or ESPHome-flashable devices if I can’t get it in Z-Wave. All those can stay on-prem radio, with Home Assistant, which can run 100% within my house vs. 100 different random devices phoning home to who-knows-where. Also that means I’m less likely to have the company shut down and brick my stuff, and my home automation keeps working if my ISP goes down as long as my local server has power to run.

Firewalls running on all the LAN machines too, allowing only the explicitly required services through.

When possible, IPS software… I’m mostly Linux and I have found Fail2Ban simple and effective at blacklisting IPs when something tries to log in too many times… and learning how to write rules so stuff like hitting my personal webserver for nonexistent admin pages gets handled too (e.g. I don’t run Webmin, but if something is hammering looking for Webmin admin pages, it’s blocked in the firewall automatically). And recursive rules so repeat offenders get blocked for weeks/months vs. hours/days.

Just not running services exposed if it isn’t needed… and limiting authentication. Don’t use passwords for SSH if you can help it; use strong public/private key encryption for a client to connect.

Review stuff you’re installing so that it sets up and runs as a non-admin user. Make sure you set up any service accounts so they can’t be logged into with a password externally… least-privilege access. If something doesn’t need to access a directory, set permissions so it is not able to.

Learn how to use other audit and control tools in your OS… in the case of Fedora/RHEL/CentOS/similar, figure out how to configure SELinux (and now there’s fapolicyd too) to whitelist only things you need vs. turning it off and allowing any random executable/read/write. Yes, it can be a pain to debug, but you only have to do it once usually.

Backups… RAID isn’t a backup. Online backups (not as in cloud, but as in regularly connected/accessible) are convenient for accidental loss, but offline (as in unplugged, in a drawer) rotated backups mean that if you get hit with something that wipes/encrypts, you can restore data. And then there’s offsite backup (either cloud/remote server or carry-a-brick-to-another-building) that can help protect against fire, flooding, and physical theft of backups.

I’ve not dived into fancy stuff at home like Splunk or similar tools to review stuff, but I do periodically use some simple grep and other lines to evaluate logs… and for curiosity see who’s been trying to log in as what user how many times. It’s amazing how many SSH root login attempts you get on a public-facing system… upward of tens of thousands an hour before implementing Fail2Ban.

It’s also a fine line between making things more limited when possible, but not pissing off too many people because now it’s too hard to access something. At the end of the day, my random photo libraries or movie collection or whatever at home isn’t a very good target for attack, but I hope to avoid my smart plug being leveraged as part of a botnet attack on something. It would be /nice/ to further limit some stuff like isolating the “normal PCs” from streaming devices, but that makes the user experience worse with some… or certain appliance devices sometimes have non-customizable rules of their own and will refuse to talk to your phone/computer if it’s not on the same subnet, so pick and choose when you need that convenience weighed against security.

I had been looking at a more severely restrictive firewall with pfBlockerNG but quickly found I was spending more time debugging my stuff and my roommates’ stuff being broken and decided that was more effort than was worth it at this time. At the end of the day, it’s probably a bigger risk some teen will smash a window and break in to grab some computers/tablets/whatever looks expensive to flip at a pawn shop.

That isn’t good enough for the paranoid. ISP still sees where you’re going. Just not what you’re doing there.

That’s best to be explained by a YouTube video. I would do your own research before implementing anything. I would recommend to start with networking for beginners.

I personally run pfSense 2.7.x CE as a firewall/router. If you want more security, look into firewalls and DNS filtering. Instead of using Pi-hole I use pfBlocker on pfSense. Forget using Google Chrome; use Brave or another browser that doesn’t use a lot of tracking.

Firewall/DNS/Subnetting/VLANs/VPN all part of a secure network. Being secure and not leaving a trail are two different things.

I don’t recommend the use of a VPN for full home encryption, only per interface/device. I personally don’t use a VPN because of the latency and slower throughput speeds. Only use a VPN if needed.

Proxies… don’t even get into these unless you’re experienced. Adding proxies is like tunneling through multiple VPNs, so more latency and other issues. Oh, and if you want to be put on a watch list, this is the option for you.

That’s an interesting case and shows that much of personal privacy and security happens not on our devices or even our home networks but across the entirety of our footprint: the physical world, our online selves.

Certainly secure your home network; you may even want to employ intrusion detection. OPNsense / pfSense is a good platform for home users; new users have a bit of a learning curve but there is a lot of help and tutorials out there. But privacy and security do not stop at your router.

One also has to be aware of and minimize personal data that is housed outside of our control. Many of us are walking beacons screaming out to the entire world our every action. Little of this is actually secure.

You attain a reasonable level of privacy and security by obtaining, practicing and updating skills & knowledge. It is not a product you buy; it is a sliding scale between convenience and safety.

I have two podcast recommendations:

Darknet Diaries, a window into how hackers operate and the many unexpected paths they use, both digital and physical. Jack is a good storyteller with a lot of polish and first-hand testimonials from the people involved in incidents; he gets stories from hackers of all hats (white, black and grey), defensive and offensive teams, even those involved in nation-state level work. https://darknetdiaries.com/

Extreme Privacy with Michael Bazzel. He is a consultant & author; he works with stalking victims & high-profile personalities that need greater than normal security.

https://inteltechniques.com/podcast.html

Nope, no slowdown at all; in fact since I’ve switched to UniFi APs I haven’t had wireless issues either.

It is a security question, but could privacy not be a security issue? I just looked up NGFW. Not sure if I’ll need the features that they have. Is there anything you would recommend for a home office?

First of all, I never knew people ran router software on a PC, that’s super interesting. Multiple SSIDs could keep potential hackers guessing or allow you to connect specific devices to specific networks, I like that. VLANs on the switch could be useful if you have a number of devices then you can isolate them similar to using multiple SSIDs. PoE from switch to AP should rule out the wireless attack point in that area. It’s a well thought out strategy.

Cameras without internet via VLAN is cool. I was hesitant to install cameras because I thought they could be hacked and used against me. But if you were getting robbed while you were out, you would probably want an alert and to get a live feed from your cameras wouldn’t you?

What firewalls on your LAN machines? Like standard Windows firewall? Ah you’re using Linux. I heard they have better security. Is it practical to use Linux machines for everyday use?

You’re stopping unused services? That’s brilliant! Did you write a logon script for that or something? I wouldn’t even know where to start with figuring out what isn’t necessary.

Whitelisting is a great idea. In theory that alone could stop unwanted things running on my machine.

I’ve worked in tech support before and done backups. Never considered taking my home network that seriously before.

Thousands of attempts per hour? Wow. I used to use Peerblock and was amazed at how many times I saw someone monitoring my connection. Would be ideal to get that kind of overview for all my devices including different operating systems. I guess that’s what you get with your router software?

Great post man appreciate the detail. I’m saving this to revisit another time. I’m thinking in order to better protect myself I’ll have to become a software engineer and cybersecurity guy myself!

Same sentiment towards dVPN?

Some good tips there thanks. Why pfsense over OPNsense? It’s a good point about latency. I don’t want to slow my network to a crawl but the point is be secure. Maybe starting with the firewall is for the best. Regarding getting on a watch list, what else will get you on that? Using tor?

Contributors to this thread have already enlightened me to the importance of a number of things. I’ve brushed up on the OSI model and how firewall software like OPNsense and pfSense can be configured to provide IDS and IPS.

You make a good point about digital footprints and things like identity theft that could arise from being out in the world. These are all things I’ve worked on over the years myself. But it’s like you said about convenience and safety. I have to ask myself: to what extent do I take things? Do I wrap myself in tin foil, delete all online accounts and stay in my cupboard because some psycho is spying on social media?

Still gotta live our lives ain’t we? Just gotta do what we can to be as secure as possible. But of course if someone is motivated enough then maybe there’s not much that you can do.

Thanks for the links. That Darknet one looks super interesting, subscribed. I saw Michael Bazzel has something on Naomi Brockwell’s YouTube channel. I like Naomi, I’ll check that vid out.

What did you do to retire the ISP router? I asked my ISP if I could use a 3rd-party device instead of their one and they said it’s not possible.

I would use an NGFW (like Untangle) for that, but if you don’t want that, any basic firewall is going to work, OPNsense for example.

Here’s a fun one, from my public facing server, JUST failed SSH login counts by guessed usernames (most of which don’t even exist on the machine, likely bots trying stuff). And this is WITH auto-banning for days after 3 failed tries. JUST over the past month of logs.

I cut off at JUST usernames with >100 tries because it’s pages and pages long otherwise. Most are likely lots of bots, and they keep trying from lots of IPs.

   2793 admin
   2313 ubuntu
    993 test
    723 user
    485 postgres
    396 oracle
    319 deploy
    312 git
    309 ftpuser
    301 sysadmin
    296 ali
    287 mysql
    240 es
    231 hadoop
    227 guest
    224 minecraft
    202 ubnt
    202 testuser
    198 user1
    184 vagrant
    182 support
    176 tomcat
    175 jenkins
    167 dev
    159 centos
    157 debian
    155 test1
    153 nagios
    149 web
    149 steam
    149 odoo
    149 ansible
    144 tester
    144 demo
    141 gpadmin
    139 server
    138 pi
    138 kafka
    138 administrator
    135 alex
    131 bitrix
    129 weblogic
    128 zabbix
    128 www
    123 teamspeak
    116 rede
    114 
    113 admin1
    111 ts3
    111 ec2-user
    110 dbadmin
    109 sammy
    103 daniel
    101 frappe

Crude command for a CentOS/RHEL 7 system to pull together some stats (egrep is just the old spelling of grep -E):

grep -E "Invalid user|maximum authentication attempts exceeded" /var/log/secure* | grep -v "for invalid user" | awk '{if (NF == 12) {print $8} else {print $12}}' | sort | uniq -c | sort -n -r
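The awk one-liner above works because the "Invalid user X from IP" line has exactly 12 fields and the "maximum authentication attempts exceeded for X from IP" line puts the username in field 12; the 114 blank entry in the table is the "Invalid user  from" case where the bot sent an empty username. The added example below (my own code, not the poster's) does the same tally with a regex instead of field counting, so it does not break when a hostname or PID width changes, and then replays the parsed events through a Fail2Ban-style jail with a findtime window, a maxretry threshold and the escalating ("recidive") ban durations the earlier post describes. The log lines are constructed in /var/log/secure format, and the thresholds (3 tries in 10 minutes, 1 day, x4 per repeat ban) are assumptions chosen to match the poster's description, not Fail2Ban's defaults.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure (RHEL/CentOS 7 sshd) lines. Not real log data.
# 203.0.113.5 is a persistent bot, 198.51.100.7 sends one blank username, 192.0.2.9 is a one-off.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Invalid user admin from 203.0.113.5 port 40001
Mar  3 10:00:02 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:05 host sshd[1002]: Invalid user ubuntu from 203.0.113.5 port 40002
Mar  3 10:00:09 host sshd[1003]: Invalid user admin from 203.0.113.5 port 40003
Mar  3 10:00:15 host sshd[1004]: error: maximum authentication attempts exceeded for root from 198.51.100.7 port 50000 ssh2 [preauth]
Mar  3 10:00:20 host sshd[1005]: Invalid user  from 198.51.100.7 port 50001
Mar  5 11:30:00 host sshd[1006]: Invalid user test from 203.0.113.5 port 40010
Mar  5 11:30:03 host sshd[1007]: Invalid user test from 203.0.113.5 port 40011
Mar  5 11:30:06 host sshd[1008]: Invalid user test from 203.0.113.5 port 40012
Mar  5 12:00:00 host sshd[1009]: Invalid user git from 192.0.2.9 port 6000
"""

# Matches the two sshd message types the awk pipeline grepped for. "Failed password for invalid user"
# lines are deliberately not matched (the original used grep -v for the same reason: they would double-count).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?:error: )?"
    r"(?:Invalid user (?P<u1>\S*) from|maximum authentication attempts exceeded for (?P<u2>\S+) from) "
    r"(?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return a list of (timestamp, guessed_username, source_ip) for each matching line.
    syslog timestamps carry no year, so one is supplied (assumption for the example)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        user = m["u1"] if m["u1"] is not None else m["u2"]   # u1 may be "" for a blank username
        events.append((ts, user, m["ip"]))
    return events


def count_usernames(text):
    """Equivalent of the awk | sort | uniq -c stage: attempts per guessed username."""
    return Counter(user for _, user, _ in parse_auth_log(text))


def top_usernames(text, min_count=1):
    """Equivalent of sort -n -r plus the poster's '>100 tries' cutoff: [(count, user), ...] descending."""
    return sorted(((n, u) for u, n in count_usernames(text).items() if n >= min_count),
                  key=lambda item: (-item[0], item[1]))


def simulate_bans(events, maxretry=3, findtime=timedelta(minutes=10),
                  bantime=timedelta(days=1), escalation=4):
    """Fail2Ban-style jail: ban an IP after `maxretry` hits within `findtime`; each repeat ban
    multiplies the duration by `escalation`, the effect the recidive-style rules in the thread aim for.
    Returns [(ip, ban_start, duration), ...] in order of banning."""
    recent = defaultdict(list)      # ip -> timestamps of hits still inside the findtime window
    ban_count = Counter()           # ip -> how many times it has been banned so far
    banned_until = {}               # ip -> datetime the current ban expires
    bans = []
    for ts, _user, ip in sorted(events):
        if ip in banned_until and ts < banned_until[ip]:
            continue                # would be dropped by the firewall; never reaches sshd
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            ban_count[ip] += 1
            duration = bantime * (escalation ** (ban_count[ip] - 1))
            banned_until[ip] = ts + duration
            bans.append((ip, ts, duration))
            recent[ip] = []         # start a fresh window after the ban expires
    return bans


if __name__ == "__main__":
    for n, user in top_usernames(SAMPLE_LOG):
        print(f"{n:8d} {user}")
    for ip, start, duration in simulate_bans(parse_auth_log(SAMPLE_LOG)):
        print(f"ban {ip} from {start:%b %d %H:%M:%S} for {duration}")
```

On the sample, 203.0.113.5 is banned for a day after its third guess on Mar 3 and, because that ban has expired by Mar 5, banned again after three more guesses for four days; the two hits from 198.51.100.7 never cross the threshold. A real Fail2Ban deployment gets the same effect from the sshd jail plus the recidive jail reading fail2ban.log, but replaying the logic like this is a quick way to check what a given maxretry/findtime/bantime would actually have done to last month's traffic before changing production thresholds.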

First of all, I never knew people ran router software on a PC, that’s super interesting. Multiple SSIDs could keep potential hackers guessing or allow you to connect specific devices to specific networks, I like that. VLANs on the switch could be useful if you have a number of devices then you can isolate them similar to using multiple SSIDs. PoE from switch to AP should rule out the wireless attack point in that area. It’s a well thought out strategy.

In the case of pfSense they also sell “off the shelf boxes” branded by Netgate (the company that puts it out), but for home use it’s usually cheaper to use a spare small-form-factor PC and throw a used Intel server quad-port NIC in it. It’s just FreeBSD with some Netgate software on top. OPNsense is very similar but a different community effort.

Cameras without internet via VLAN is cool. I was hesitant to install cameras because I thought they could be hacked and used against me. But if you were getting robbed while you were out, you would probably want an alert and to get a live feed from your cameras wouldn’t you?

I mean, realistically, even if I had notifications and a camera… I probably can’t do squat anyway. Try and find the “long” phone number to call the local police and they’ll get there half an hour later when the perps are gone? I can VPN in and view it remotely on my server if I want. I have a server I configured with Ubuntu and ZoneMinder that is whitelisted through so it can reach the cameras on the required port, and I trust the server I configured more than random cameras (most of which go EOL and never get updates).

What firewalls on your LAN machines? Like standard Windows firewall? Ah you’re using Linux. I heard they have better security. Is it practical to use Linux machines for everyday use?

I use Linux Mint as my daily machine at home… and at work we do software development for Red Hat so I find it nice. Mint is based on Ubuntu… and like Ubuntu it mostly-just-works on most not-brand-new consumer machines. You only run into issues when you want really specific specialty software that is usually Windows-only, or if you’re heavy into gaming, which is usually Windows-only, but some Steam games are Linux compatible (and there’s a Steam app for Linux).

I’d say 99% of the time I don’t even think about it.

Also this wasn’t a security decision. I ran Windows as my main PC and Linux on my home servers until Windows 8 came along and I was getting all kinds of PITA issues. Automatic updates without notice rebooting in the middle of running multi-day jobs (ham radio hobby: I’d set up controlling a radio for a special event and it would “update” in spite of having said no updates are available, rebooting and losing hours of special event logs, or in other cases days of solar meter logging because it force-closed apps to reboot). Then other times it would “update” drivers such that my monitor kept rotating upside-down relative to the mouse, or serial USB adapters failed to work until I rebooted EVERY time I plugged them in. And several times the “feature updates” would spend hours loading only to roll back and say “Something Happened” and then begin installing all over in a loop, requiring me to do a full reinstall. THAT is why I abandoned Windows at home; I got fed up with the issues, and Linux has a big learning curve but it’s almost entirely customizable if you try hard enough.

You’re stopping unused services? That’s brilliant! Did you write a logon script for that or something? I wouldn’t even know where to start with figuring out what Isn’t necessary.

More like blocking unused ports… say I want a service installed for local use but it doesn’t need to be exposed; just don’t open the port on the machine’s firewall. But you can also disable services in the OS. Windows has a services control panel; Linux you can configure in systemd to disable. Like I have VNC installed so I can manually run it if I wanted, but it’s disabled because I don’t need it to auto-start all the time. I have a few things installed so I could choose to manually start them but don’t need often.

Whitelisting is a great idea. In theory that alone could stop unwanted things running on my machine.

All firewall rules are basically a whitelist or blacklist of matching criteria… “X IP range source, Y IP range destination, A source port, B destination port, Block/Allow”. Put a large number of them in the order you want to prioritize things and you get more complex policy.

So like my guest VLAN rules starts with “block anything → router’s IP config ports” so guests can’t muck with the router but then “allow anything else → the router” so it can route to the public internet.

I’ve worked in tech support before and done backups. Never considered taking my home network that seriously before.

Look up “homelab” as a search term and you’ll see what some people do… basically playing with stuff you might not be able to at work or in another environment, in order to learn, is a big part of it.

And if you do build yourself something to play with and learn on, don’t forget to claim such credit as experience on a resume if you’ve been doing it for a while. SO many people I interview at work leave off loads of relevant experience that is on their own time just because it’s not a structured school class or job position… but then poking and asking if they do stuff, I find out they built and run some home server for games or to experiment with and can talk a lot more in depth.

Thousands of attempts per hour? Wow. I used to use Peerblock and was amazed at how many times I saw someone monitoring my connection. Would be ideal to get that kind of overview for all my devices including different operating systems. I guess that’s what you get with your router software?

It’s more poking at logs and running searches on them that I’ve found that kind of stuff. I rent a server to run some public website stuff and… just wow.

When I have a bit more time maybe I can grab an example log to post a reply.

Great post man appreciate the detail. I’m saving this to revisit another time. I’m thinking in order to better protect myself I’ll have to become a software engineer and cybersecurity guy myself!

It takes time, but yeah, it’s kinda fun to play with. And you don’t have to do it all at once… I started with “let me get this router software because I’m sick of expensive consumer router-wifi gear breaking every year-ish” and then slowly grew as I wanted to do this or that. You can totally run pfSense or other stuff as a barebones basic home router; in fact out of the box that’s basically how it is, with no VLANs or fancy rules, just a WAN and LAN interface and a default that lets stuff out to the internet.
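The guest VLAN rule ordering described above (a narrow block on the router's admin ports, then a broad allow to the router, then nothing else internal, then the internet) only works because pfSense/OPNsense evaluate interface rules top to bottom and take the first match, with an implicit deny at the end. The added example below is my own illustration, not the poster's configuration or any pfSense code: a tiny first-match evaluator with hypothetical rulesets for a GUEST VLAN, a CAMERAS VLAN (no rules at all, so nothing cameras originate gets out) and the LAN (only the NVR may open RTSP to the cameras). The addresses, VLAN ranges and port numbers are assumptions for the example. It also keeps a deliberately mis-ordered copy of the guest rules to show how swapping the first two lines silently exposes the router's admin interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "block"
    src: str                           # source network, CIDR
    dst: str                           # destination network, CIDR
    dports: Optional[FrozenSet[int]]   # destination ports; None means any port
    comment: str = ""

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dports is None or dport in self.dports))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int, default: str = "block") -> str:
    """First-match evaluation, as pfSense/OPNsense do per interface; unmatched traffic hits the default deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return default


# Hypothetical addressing for the example (assumption, not the poster's network):
ANY = "0.0.0.0/0"
GUEST_NET, GUEST_ROUTER = "192.168.50.0/24", "192.168.50.1/32"
LAN_NET, NVR = "192.168.10.0/24", "192.168.10.20/32"
CAMERA_NET = "192.168.20.0/24"
RFC1918_16 = "192.168.0.0/16"          # stands in for "all my internal VLANs"

GUEST_RULES = [
    Rule("block", GUEST_NET, GUEST_ROUTER, frozenset({22, 443}), "guests can't reach router admin (SSH/HTTPS)"),
    Rule("allow", GUEST_NET, GUEST_ROUTER, None, "but may use it for DNS/DHCP and as their gateway"),
    Rule("block", GUEST_NET, RFC1918_16, None, "no other internal VLAN (NAS, cameras, LAN PCs)"),
    Rule("allow", GUEST_NET, ANY, None, "everything else goes out to the internet"),
]

# Same rules with the first two swapped: the broad allow now matches port 443 before the block does.
GUEST_RULES_WRONG_ORDER = [GUEST_RULES[1], GUEST_RULES[0]] + GUEST_RULES[2:]

# Cameras get no rules on their interface at all: with a default deny they cannot start any connection.
CAMERA_RULES: List[Rule] = []

LAN_RULES = [
    Rule("allow", NVR, CAMERA_NET, frozenset({554}), "only the NVR may pull RTSP from the cameras"),
    Rule("block", LAN_NET, CAMERA_NET, None, "nothing else on the LAN talks to the camera VLAN"),
    Rule("allow", LAN_NET, ANY, None, "LAN otherwise unrestricted"),
]

# Ruleset applied per ingress interface, mirroring how the firewall attaches rules to an interface.
INTERFACES = {"GUEST": GUEST_RULES, "CAMERAS": CAMERA_RULES, "LAN": LAN_RULES}


def check(interface: str, src: str, dst: str, dport: int) -> str:
    """Decision for a new connection entering the firewall on `interface`."""
    return evaluate(INTERFACES[interface], src, dst, dport)


if __name__ == "__main__":
    for iface, src, dst, port in [
        ("GUEST", "192.168.50.23", "192.168.50.1", 443),     # guest -> router web UI
        ("GUEST", "192.168.50.23", "192.168.50.1", 53),      # guest -> router DNS
        ("GUEST", "192.168.50.23", "192.168.10.5", 445),     # guest -> NAS on the LAN
        ("GUEST", "192.168.50.23", "198.51.100.10", 443),    # guest -> internet
        ("CAMERAS", "192.168.20.10", "198.51.100.10", 443),  # camera phoning home
        ("LAN", "192.168.10.20", "192.168.20.10", 554),      # NVR -> camera RTSP
        ("LAN", "192.168.10.5", "192.168.20.10", 554),       # random LAN PC -> camera
    ]:
        print(f"{iface:8s} {src:>14s} -> {dst:>14s}:{port:<4d} {check(iface, src, dst, port)}")
    print("mis-ordered guest rules, router:443 ->",
          evaluate(GUEST_RULES_WRONG_ORDER, "192.168.50.23", "192.168.50.1", 443))
```

Two things this model leaves out that matter on the real box: the firewall is stateful, so the camera's RTSP replies to the NVR are allowed by the existing state rather than by a rule on the CAMERAS interface (which is exactly why that interface can stay empty), and the router also listens on the guest VLAN for DHCP/DNS, so the "allow to router" line has to sit below the admin-port block or it swallows it, as the mis-ordered copy shows.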

That’s for the tin foils to figure out. I don’t care. Someone who is concerned will need to do their own VPN research.

I went with pfSense because of its use in commercial/business environments. Figured if I was going to learn one or the other, I’d rather go with one that is more “officially” supported. Tor has been snuffed out by the gov already, but yes, if you are openly using Tor you are probably on a watch list. If you torrent things you are on your ISP’s watch list and can be fined. Use a VPN if you torrent things, if you can. But here is my alias list at this LINK

I have to ask myself - to what extent do I take things to? Do I wrap myself in tin foil, delete all online accounts and stay in my cupboard because some psycho is spying on social media?

That’s a hard one, and ever evolving, but it should be a question you ask of all things; keeping your threat model in mind can help you decide where to draw that line.

Reddit is a good example. It’s horrible from a privacy perspective; we are actively participating in intelligence gathering on ourselves, but it is also super handy if you have a lot of random hobbies and want information. I keep using it but feel dirty about it.

I sometimes change my username, using a new disposable e-mail address. It does nothing to stop Reddit itself (they see my IP), but at least others mining info here will have to work for it, using writing styles and other clues to tie my Reddit comments to my identity. Hopefully I am never that interesting.

Facebook is another that is horrible from a privacy perspective. Leaving Facebook was painful; I am of an age (old) where all my friends are there, but it wound up on the wrong side of the line for me.

Keep in mind that if it is free, you are the product that is for sale. They are gathering details about you for the purposes of selling this info to advertisers, and this info is regularly breached and sold to those with even more nefarious purposes. Start moving away from free online services like webmail; use end-to-end encryption where you can, like Proton and Signal, where if your data is breached it will take real effort (time/$) to decrypt.

I have lately taken an interest in self-hosting, where I use open source tools to handle my own services on my own hardware. It becomes a hobby of its own, but it can dramatically reduce your footprint and attack surfaces.

OPNsense also offers plugins like Zenarmor that make your OPNsense FW an NGFW. Also Suricata.

I think at this point I should use the free tools available until I feel like I need more. OPNsense looks like a good starting point, thanks!