Best security for a home network?

Here’s a fun one, from my public-facing server: JUST failed SSH login counts by guessed usernames (most of which don’t even exist on the machine; likely bots trying stuff).

Mate that is gold. Really helps to drive the point home. How many devices have a default account called admin? The number of times I’ve created a ‘test’ account too. Bots out here looking for easy wins. What’s going on here exactly? How are people gaining access to your public server? How will they know if they guessed the username right? I’m guessing they spam usernames and passwords just hoping to get lucky?

In the case of pfSense they also sell “off the shelf boxes” branded by Netgate (the company that puts it out), but for home use it’s usually cheaper to use a spare small form factor PC and throw a used Intel server quad-port NIC in it. It’s just FreeBSD with some Netgate software on top. OPNsense is very similar but a different community effort.

I’m torn between pfsense and OPNsense as my starting point. Might trial both. Any reason you prefer pfsense?

I mean realistically even if I had notifications and a camera…I probably can’t do squat anyway. Try and find the “long” phone number to call the local police, and they’ll get there half an hour later when the perps are gone? I can VPN in and view it remotely on my server if I want - I have a server I configured with Ubuntu and ZoneMinder that is whitelisted through so it can reach the cameras on the required port, and I trust the server I configured more than random cameras (most of which go EOL and never get updates).

I did some research and installed an off-the-shelf security solution for an ex gf once. In the UK you can get a motion sensor and an alert sent to the authorities when it’s triggered for a few hundred. Looks like you’re quite casual with that aspect of your security. I’m not so worried about robberies and CCTV to catch perps myself. More worried about hacking and stalking.

I’d say 99% of the time I don’t even think about it.

I’ve installed Ubuntu on VMs but only just to play around. Never used it for extended periods. Might give it a try. I mostly use browser based apps anyway so if I can install Brave and use Google then I probably won’t notice I’m not on Windows 99% of the time either. A former colleague did recommend it before.

Firewall rules are basically a whitelist or blacklist of matching criteria.

It’s looking like pfsense or OPNsense will be my best bet to lockdown my whole network. I’m leaning towards OPN because I’ve been told there’s a plugin to explore ngfw capabilities. An AI comparison also told me OPN has a better UX.

You can totally run pfSense or other stuff as a barebones basic home router; in fact, out of the box that’s basically how it is: no VLANs or fancy rules, just a WAN and LAN interface, and by default it lets stuff out to the internet.

Are you using the terms ‘router’ and ‘firewall’ interchangeably? Right now I’m thinking to install the software and use it as a firewall - monitor traffic and block potential threats.

What’s going on with your alias list? Are those your internal addresses? You have fake IP addresses that your devices use? Tor is literally built into the Brave browser. So if I open up a Tor tab then I’m gonna have an agent trying to hack me?

You mentioned Proton. Is their email any more secure than Gmail, for example? I also hear that some VPNs can sell data too. Can you be sure that Proton isn’t selling your data?

I’m in the UK so not sure if you’d know the companies if you’re not from here.

That looks interesting. Good to have the option to go next gen after I’ve got my head around OPNsense.

I don’t think they will know they guessed a username right until they get in.

With password authentication, it collects both username and password, then attempts to authenticate. With certificate-only authentication it collects username and private-key and attempts to authenticate.

Either way it just terminates unsuccessfully if the combination of both username to credential is not correct. I can tell in my logs, but I don’t think someone outside can tell.

AFAIK they are just bots going thru lists of possible usernames and lists of possible passwords hoping that eventually one combination will let them in.

Public servers are…public. Just like someone could sit there on gmail.com over and over guessing usernames and passwords until the server bans them or they get in. To offer something as an online service there has to be something somewhere to grant entry, and if one person can “speak” to it, in most cases others can too (or you should treat it like that at least).
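As an added example (not code from anyone in this thread), here is a short POSIX shell snippet that produces the kind of “failed SSH logins by guessed username” count shown at the top of the thread from OpenSSH’s own log lines, plus the same tally by source address, which tells you whether the guesses come from one scanner or many. The log lines embedded in it are constructed for the example; the host, addresses and usernames are made up.

```shell
#!/bin/sh
# Added example: tally failed SSH logins from OpenSSH log lines (auth.log / journalctl).
# Not from the thread; the sample log below is constructed, with made-up hosts and IPs.

# Constructed sample of sshd lines in the default syslog format.
sample_auth_log() {
  cat <<'EOF'
Jan 10 03:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:12:07 host sshd[1203]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 03:12:09 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:11 host sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:placeholder
Jan 10 03:12:15 host sshd[1206]: Failed password for invalid user admin from 198.51.100.7 port 40010 ssh2
Jan 10 03:12:20 host sshd[1207]: Connection closed by authenticating user root 198.51.100.7 port 40020 [preauth]
EOF
}

# "count username" per guessed name, most guessed first. Only "Failed password for"
# lines are counted; "invalid user" in the line means the name does not exist here.
failed_ssh_usernames() {
  sed -n 's/.*Failed password for \(invalid user \)*\([^ ]*\) from .*/\2/p' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same tally keyed by source address: one scanner or many?
failed_ssh_sources() {
  sed -n 's/.*Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Names that do not exist on the host at all (the "invalid user" subset), deduplicated.
guessed_nonexistent_users() {
  sed -n 's/.*Failed password for invalid user \([^ ]*\) from .*/\1/p' | sort -u
}

# Usage on a real host:  failed_ssh_usernames < /var/log/auth.log
#                   or:  journalctl -u ssh --no-pager | failed_ssh_usernames   (unit may be sshd)
if [ "${1:-}" = "--demo" ]; then
  sample_auth_log | failed_ssh_usernames
fi
```

Run with `--demo` to see the tally over the constructed lines; on a real box, feed it `auth.log` or the `journalctl` output instead. The per-source tally is the one to look at before adding a ban rule: many guesses from a handful of addresses is a different picture from a few guesses each from thousands.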

I’m torn between pfsense and OPNsense as my starting point. Might trial both. Any reason you prefer pfsense?

Main reason I went with pfSense was I had a roommate using it for a while. There’s been some “disagreement” about their licensing and making more stuff paid recently. OPNsense is like 99.9% the same but a different UI and slightly different versions of stuff I think.

I’ve installed Ubuntu on VMs but only just to play around. Never used it for extended periods. Might give it a try. I mostly use browser based apps anyway so if I can install Brave and use Google then I probably won’t notice I’m not on Windows 99% of the time either. A former colleague did recommend it before.

Yeah, Google Chrome is out there if you really want it, or open source Chromium. I prefer Firefox myself which is preinstalled by most distributions. Never used it but I see Brave Browser is in the software package repositories from Ubuntu/Mint and probably others.

Are you using the terms ‘router’ and ‘firewall’ interchangeably? Right now I’m thinking to install the software and use it as a firewall - monitor traffic and block potential threats.

Most routers incorporate firewall or access control list functionality so that blurs lines a bit.

There are firewalls, like for a standalone PC, to filter what can come in and go out.

Then there are firewall rules/routing rules/access control list rules (whatever you want to call it, or a mix of it - I think there’s some “technical” definition that differentiates, but they all tell the system what to block/allow to where, which is the immediate important point to understand) on a router, so that you can tell it what things you do/don’t want routed between the different network subnets it can talk to.

And it’s having multiple layers of security. The router can filter what goes in and out of the network subnets, cutting down a portion of the traffic. Then each PC can further filter what comes in and out of itself. Traffic “within” the same subnet never sees the router, so one machine trying to access another on the same subnet would only be stopped by a firewall on the particular machine.

I’d say “generally” one VLAN is one subnet, and one subnet is one VLAN. VLANs are the “layer 2” splitting up of traffic and subnets are a “layer 3” splitting of traffic within the OSI model. But there’s no rule saying you can’t have more than one subnet on the same VLAN (or physical wire even)…just like there’s no rule that says you can’t feed the same subnet into more than one VLAN. I can’t think of a good use case for it, but you could certainly do it and it would function.

What do you mean? Those are all legit addresses. You should probably learn the basics of IP addressing and subnetting. Say VLAN10 is 10.55.10.0/24. When presented with 10.55.10.0/24, this signifies that whole network segment; that includes literally any device on VLAN10. If I want to block VLAN10 from talking to VLAN20 at 10.55.20.0/24, you would put the IP address in as shown. Say if you put the VLAN20 interface IP of 10.55.20.2, it will only block comms to that specific IP and you would still be able to ping other devices on that network segment; for example, you’d still be able to ping 10.55.20.10 and cross-talk across that network. Once you understand basic IP addressing and subnetting you’ll probably understand everything a lot better.
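The /24-versus-single-host point above, worked through in a tiny first-match rule evaluator written in POSIX shell. This is an added example, not pfSense or OPNsense code and not anyone’s actual rule set: the alias names (VLAN10, VLAN20, VLAN20_IF) and the rule lines are made up, and the addresses follow the 10.55.x.0/24 numbering used in the reply. It also shows how an alias list works: a name stands in for a network or a single host, and a rule written against the interface address matches only that one host.

```shell
#!/bin/sh
# Added example, not from the thread and not pfSense/OPNsense code: a tiny first-match
# rule evaluator that shows what a /24 destination covers versus a single host address.
# Alias names and rule lines are constructed for the example.

# Dotted quad -> unsigned 32-bit integer (no validation; inputs are trusted here).
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR. A bare address means /32: one host.
in_cidr() {
  addr=$(ip_to_int "$1")
  case "$2" in
    */*) net=${2%/*}; prefix=${2#*/} ;;
    *)   net=$2;      prefix=32 ;;
  esac
  if [ "$prefix" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  fi
  [ $(( addr & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Alias table, like the alias list in the firewall GUI: a name stands for a network
# or a host. Unknown names are taken literally. (Constructed entries.)
alias_lookup() {
  case "$1" in
    VLAN10)    echo 10.55.10.0/24 ;;
    VLAN20)    echo 10.55.20.0/24 ;;
    VLAN20_IF) echo 10.55.20.2 ;;   # the router's own address on VLAN20, not the segment
    *)         echo "$1" ;;
  esac
}

# evaluate SRC DST < rules -> prints the action of the first matching rule, or "pass"
# when nothing matches (like an interface whose default rule lets traffic out).
# Rule lines: "<block|pass> <source> <destination>"; blank lines and # comments ignored.
evaluate() {
  while read -r action rsrc rdst; do
    case "$action" in ''|'#'*) continue ;; esac
    if in_cidr "$1" "$(alias_lookup "$rsrc")" && in_cidr "$2" "$(alias_lookup "$rdst")"; then
      echo "$action"
      return 0
    fi
  done
  echo pass
}

# Demo: the same "block VLAN10 -> VLAN20" intent written two ways.
if [ "${1:-}" = "--demo" ]; then
  echo 'block VLAN10 VLAN20'    | evaluate 10.55.10.5 10.55.20.10   # block: whole segment
  echo 'block VLAN10 VLAN20_IF' | evaluate 10.55.10.5 10.55.20.10   # pass: only 10.55.20.2 was blocked
  echo 'block VLAN10 VLAN20_IF' | evaluate 10.55.10.5 10.55.20.2    # block
fi
```

The second demo line is the mistake described in the reply: the rule names the VLAN20 interface address, so a host on VLAN10 is still free to reach 10.55.20.10. Real firewalls add ports, protocols and direction to the match, but the subnet arithmetic that decides “does this rule cover that host” is the same.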

Also here is your Tor with Brave INFORMATION. What I meant is if you try to use the Tor browser that you download, that’s fucked; just do a quick Google search of Tor and US government.

For a long time Google read all of your e-mails, in a way breached was the default state.

They used the contents of your e-mails to add information to the profile they built on all of us for the purposes of better targeted advertising (higher revenue); these models can predict our behavior better than we can ourselves.

If you are not the customer, you are the product being sold.

I was looking for a reference for this but apparently I am out of data; for the most part this is no longer the case as of 2017. Kinda.

https://mashable.com/article/google-reading-your-emails-response

Proton has a different model: they sell privacy.

In theory if I were to send an e-mail to another proton account it would be encrypted along its entire journey from me to them, but in practice in 5 years I have never sent an e-mail to another proton account.

Regardless, when Proton receives my unencrypted e-mails they are encrypted on their servers and not decrypted again until they are on my device.

Proton wants to sell their private service; it is in their interest to maintain the security and privacy of my e-mail, and to breach that trust would destroy the value their customers see in their product.

Ohh I was gonna Google your ISP and see if there’s any solutions like putting your router into passthrough mode.

I’ve been running it for over a year, been very satisfied. Zenarmor has great graphs and other data presentation. Another plugin called ntopng has great visualizations for all firewall traffic as well, such as current bandwidth usage per device. It can be quite a bit to learn if you are green but it’s worth the control and visibility it offers in my opinion.

OK so it’s not like someone specifically targeted your server; there’s probably just a bot programmed to search for random URLs and spam the logon console with a list of authentication credentials?

Main reason I went with pfSense was I had a roommate using it for a while. There’s been some “disagreement” about their licensing and making more stuff paid recently. OPNsense is like 99.9% the same but a different UI and slightly different versions of stuff I think.

Others have said pfsense is used by corporations so that makes me think it could be good to check it out for that reason.

Yeah, Google Chrome is out there if you really want it, or open source Chromium. I prefer Firefox myself which is preinstalled by most distributions. Never used it but I see Brave Browser is in the software package repositories from Ubuntu/Mint and probably others.

Brave has some interesting features like blocking tracking and even a built-in Tor-enabled browser. What’s your opinion on Tor? Apparently using it will get you on a watch list.

Most routers incorporate firewall or access control list functionality so that blurs lines a bit.

It turns out that I can put my ISP router into passthrough or bridge mode and use my own router. Is this a configuration you would recommend for pfsense?

I learned that there were some court orders to provide logs with customer details in the past and certain VPN providers have been forced to comply. This obviously proves that some providers are collecting data. It seems that Proton is different though.

Apparently they don’t keep any logs in the first place. End to end encryption from their servers to your browser or device as you suggested. On top of that, authorities can’t force them to start collecting logs in special circumstances because of the privacy laws in the country they’re based in (Switzerland).

I can’t say I’ve done much homework on VPNs but Proton certainly looks like one of the better ones. I also like the idea of decentralised VPNs due to there not being any centralised servers. What are your thoughts on the security implications of dVPN architecture?

I’m with British Telecom (BT) and an AI told me I can put their routers into passthrough or bridge mode! How about that. What alternative device would you recommend?

Do you know the difference between that and the standard Windows Firewall?

Even less complex than that…there are only 4,294,967,296 unique IPv4 addresses. And the bots have unlimited time to scan those 4 billion addresses over and over and over again, trying to get in. The bots won’t get tired or bored, and can spend as much time guessing as they want. And when they find a host they can get into, now they can infect that machine and have yet another machine to help scan endlessly.

I suppose if a botnet operator was smart they could also somehow divide up the workload, so suppose they have 1,000 machines: each one would only need to scan a mere 4 million some IPs to have scanned every possible IPv4 address. If they had 10,000 machines it’s only like 400,000 IPs per machine.

pfSense is used by some companies, they sell a commercial version and license. I’ve seen it in customer labs I have had to support at my job too, but usually on smaller deployments or testing environments. Most seem to like the big name hardware like Cisco boxes for large enterprises.

A lot of browsers have stuff to reduce tracking now, and I already have a few addons (like uBlock Origin, Facebook Container, JavaScript block) that add some protections, but I’m also not overly paranoid about tracking at the moment. If you look into stuff like what Facebook actually tracks it’s scary - even if you have no account, and they somehow manage to track real world purchases and stuff in a surprising number of cases (like I’ve found on my Facebook account it somehow “knows” if I have gone and made a brick-and-mortar purchase).

I usually prefer separate modem and router boxes, but passthrough would probably work the same way as a standalone modem if it’s supported. Note you wouldn’t be able to reuse it as a WiFi access point or network switch while it’s in passthrough acting as a modem, so you’d want to get a separate network switch for your LAN devices, and a WiFi access point to give you a WiFi network for wireless LAN devices.

I learned that there were some court orders to provide logs with customer details in the past and certain VPN providers have been forced to comply.

Proton got caught up in this as well, that privacy only goes so far if a nation state wants your data, https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-court-order-french-climate-activist-arrest-identification.

There are a lot of VPNs with various levels of quality; as far as I know none of the free ones are worth having, some are even actively malicious. Your VPN provider is ideally positioned to perform a “man in the middle attack” or just scoop up your data.

Trust in your VPN provider is necessary; a dVPN does not get me that. The idea of using random people as my exit node comes with risk, and I absolutely do not want to be an exit node for random people. 90% of people can be trusted to do the right thing but there are some evil humans out there and I do not want to be accountable for their web traffic. Nor do I have the bandwidth to spare; I have too many kids, all of them like streaming services, and we have a weak fixed wireless internet connection, especially upload.

I have specific needs for a VPN; my biggest threat is civil liability from torrent activity. My file server running Linux does all the torrenting; it connects to the internet only through a VPN. I use ufw to form a kill switch, so the VPN tunnel is the only way out to WAN. I do not do my personal browsing, with all of its attending identifiable information, on that VPN connection; that computer does not even have a web browser.

Proton is a pretty solid VPN provider; biggest complaint is I need port forwarding to speed up seeding and help my ratios with torrents, and currently that can only be done via their desktop application, which I don’t use. I instead just bring my credentials to Debian’s openvpn utility and let it handle the connection.

Mullvad is another solid choice from a privacy perspective. Solid protections; you can even anonymously pay with cash or bitcoin. I would switch if they did not require you to run their application. I like sticking within my distribution’s repository for software as much as possible.
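The ufw kill switch described earlier in this post, written out as an added example (not the poster’s actual rules): with a default-deny outgoing policy, the only things allowed to leave the box are traffic through the tunnel interface and the handshake to the VPN endpoint itself, so if the tunnel drops, nothing falls back to the bare WAN. The interface names, the endpoint address 203.0.113.10, the port and the LAN range are placeholders I have assumed; substitute your own. The function prints the commands so they can be reviewed first; `--apply` runs them as root.

```shell
#!/bin/sh
# Added example, not the poster's own configuration: a ufw "kill switch" that makes a
# VPN tunnel the only route to the internet. Placeholder values (assumed; change them):
WAN_IF=${WAN_IF:-eth0}              # physical uplink
VPN_IF=${VPN_IF:-tun0}              # interface OpenVPN creates when the tunnel is up
VPN_HOST=${VPN_HOST:-203.0.113.10}  # VPN endpoint as an IP: DNS to the internet is blocked before the tunnel exists
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}
LAN_NET=${LAN_NET:-192.168.1.0/24}  # local network that should stay reachable for SSH/admin (and a LAN resolver)

# Print the rule set. Order matters: policies first, then the few allow rules.
vpn_killswitch_rules() {
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow in on $WAN_IF from $LAN_NET to any port 22 proto tcp
ufw allow out on $WAN_IF to $LAN_NET
ufw allow out on $WAN_IF to $VPN_HOST port $VPN_PORT proto $VPN_PROTO
ufw allow out on $VPN_IF from any to any
ufw --force enable
EOF
}

# Apply for real (needs root and ufw installed); without --apply nothing is changed.
apply_vpn_killswitch() {
  vpn_killswitch_rules | sh -e
}

case "${1:-}" in
  --show)  vpn_killswitch_rules ;;
  --apply) apply_vpn_killswitch ;;
esac
```

Two things worth checking after applying it: with the tunnel down, an outbound connection to any public address should time out rather than succeed (that is the kill switch working), and `ufw status verbose` should show no allow rule on the uplink interface that reaches “Anywhere”. The LAN allow rule is what keeps the torrent client’s web UI and your SSH session reachable from the house; if the box resolves names through a LAN resolver, that same rule covers DNS, which is why the VPN endpoint is given as an address rather than a hostname.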