ironicbadger / pms-wiki

The aim is to share knowledge and information about building an open-source media server.
https://perfectmediaserver.com
Other
405 stars 55 forks source link

Security #65

Closed snowwolf3388 closed 1 year ago

snowwolf3388 commented 1 year ago

Hi! I love PMS and frequently come back to reread it. I love how it continues to change and grow. Something that I'm learning about even more with this whole fun adventure is server security. As you showed, using a Bastion and other security features is recommended for any public facing server. Can you point users like me to resources for how to set up security for this kind of machine more clearly? The https://github.com/geerlingguy/ansible-role-security repo seems like it is a good start, but not complete. I read everywhere that you should have security, but rarely do I find detailed instructions on how to actually set it up and what to run.

I've learned a little about Snort (and Pulled Pork to accompany it). Are they necessary? Recommended? How to implement them correctly/easily? What about Firewalls? As a layman (and I consider myself pretty smart and learned on stuff like this), I still struggle with how to set up a firewall correctly, especially at home without spending hundreds of dollars on expensive equipment? Does the bastion and firewall have to be physically different servers? Or could it be a Proxmox virtual machine on the main server?

RealOrangeOne commented 1 year ago

"security" is an incredibly vague thing. What kind of thing are you trying to secure, what is your threat model, how much effort is too much effort. You've clearly done some research, what's wrong with your findings from that?

snowwolf3388 commented 1 year ago

I mean those are totally fair questions. And yes security is a huge topic, but i don’t see any information targeted toward this audience. I see everywhere that it is important or you shouldn’t expose anything or you need a dedicated computer just for an OPNsense firewall and router custom setup.

I would argue that I am exactly your target audience for this with a bias toward doing more research than most, but I’ve never heard the term threat model until just now. I like and trust your advice. Can you help us determine what should be our “threat model”? I think all fall into a pretty predictable bucket if we are a typical user of this system. Our exposure is: services that must be public facing to work with multiple users/devices: Plex, Ombi, Nextcloud. Then other services that don’t need to be exposed, but some might because it is so easy with traefik (like the Arrs). I’ve learned that it is better to just leave those unexposed and vpn to them. Even SSH, I’m happy to keep unexposed and only access after connecting with VPN.

A lot of what I’ve found is enterprise level. So with that exposure of just what is “necessary”, is a full standalone firewall necessary? Is the built-in stuff with the ISP modem/router or netgear nighthawk enough? Is intrusion detection necessary? If yes to any of this, what is the simplest way to set it up? How does it work? I think I set up Snort right, but I don’t know how to test it. You’ve done such a nice job, I just think that you can help build a walkthrough that is for the right level of user that I haven’t found anywhere else in any sort of comprehensive way.

ironicbadger commented 1 year ago

We were just having a discussion on the podcast discord about how to open up Jellyfin to the internet. Some folks are fine with port forwarding through a firewall directly onto a host in their LAN. Others will run a VPN and expose nothing. It's a good area for thought perhaps warrants an article or two.

BatteryPower commented 1 year ago

additionally might address at same time how people behind cgnat can use the same techniques to expose their services

ironicbadger commented 1 year ago

Closing due to inactivity.