I’ve made some attempts to make my home network a slightly harder target. As it is, I’m using a consumer-grade WiFi mesh system (TP-Link Deco M9) for my underlying network while my ISP has me behind a carrier-grade NAT. The M9 is basically my firewall, and I suppose it will have to do until I can figure out something better.
To make servers accessible to the outside world I pay a few bucks a month for a virtual private server with a public IPv4 address, which I use as a VPN access point and as a virtual host for whatever servers I want to set up.
As an example, I have a PhotoPrism instance running on my home server, which connects to the VPS with OpenVPN/WireGuard and is given a VPN IP address. On the VPS I run an Nginx reverse proxy that accesses the home server over the VPN.
First of all is securing the VPS. This is exposed to the Big Bad Internet and as such I need to be very careful about what access I allow to it. SSH is the most direct attack point, so I’ve needed to restrict it heavily. First, I placed absolute restrictions forbidding all password-based authentication: all authentication must be by public key only. Second, two-factor authentication should make this even harder to crack. I have several FIDO2 keys, but it seems that only my YubiKey 5Cs will work for this. Fortunately I have two: in case I lose the one I carry around, I keep a spare in a lockbox at home.

This suffices for most logins, but I’ve also found it necessary to copy the Let’s Encrypt keys and certificates generated on the VPS (the only system that can generate them) down to the home server at regular intervals. Since this is a very common use case, there is a restricted rsync, called ‘rrsync’, intended for exactly this purpose. It can be put into the options of an authorised public key so that this is the only command permitted, so the .ssh/authorized_keys file has a line that looks like this:
command="/usr/bin/rrsync -ro /etc/letsencrypt",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding ssh-ed25519 <actual public key here>
With root logins permitted only from the VPN IP address of the home server, public key authentication the only permitted method of authentication, and the only authorised key for root login given this kind of very harsh restriction, I think there isn’t a lot more I can do to lock it down further. Of course the VPS provider is the one link here that I don’t fully control, but at least my own access to them is also 2FA-restricted, and they probably take security even more seriously than I can afford to.
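As an added check that is not from the post, this shell helper audits authorized_keys lines like the one above: it insists on a read-only rrsync forced command and on each restriction option listed (or OpenSSH’s catch-all ‘restrict’ keyword), and notes when no from= option pins the key to a source address. The function names are my own and any key material in the test is constructed.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the post): check that an authorized_keys
# entry only permits a read-only rrsync pull, like the root key described above.
# A line passes when it has a forced "rrsync -ro" command and every option in
# REQUIRED_OPTS, or the catch-all "restrict" keyword (OpenSSH 7.2+).

REQUIRED_OPTS="no-agent-forwarding no-port-forwarding no-pty no-user-rc no-x11-forwarding"

# check_restricted_key LINE -> returns 0 if LINE is locked down, 1 otherwise,
# printing one reason per missing piece.
check_restricted_key() {
    line=$1
    status=0
    # Forced command: rrsync must be present and must run read-only (-ro).
    case $line in
        *'command="'*rrsync*' -ro '*'"'*) ;;
        *'command="'*rrsync*'"'*) echo "rrsync forced command is not read-only (-ro)"; status=1 ;;
        *) echo "no rrsync forced command"; status=1 ;;
    esac
    # Options are comma separated and the list ends with a space before the key
    # type, so pad with commas and match each option whole.
    case ",$line," in
        *",restrict,"*|*",restrict "*) ;;   # restrict implies all of them
        *)
            for o in $REQUIRED_OPTS; do
                case ",$line," in
                    *",$o,"*|*",$o "*) ;;
                    *) echo "missing option: $o"; status=1 ;;
                esac
            done ;;
    esac
    # Worth having too: from= pins the key to the home server's VPN address.
    case $line in
        *'from="'*) ;;
        *) echo "note: no from= restriction, key is usable from any address" ;;
    esac
    return $status
}

# audit_authorized_keys FILE -> returns 1 if any key line fails the check.
audit_authorized_keys() {
    rc=0; n=0
    while IFS= read -r l; do
        n=$((n + 1))
        case $l in ''|'#'*) continue ;; esac
        check_restricted_key "$l" || { echo "FAIL: line $n of $1"; rc=1; }
    done < "$1"
    return $rc
}
```

Source the file and run audit_authorized_keys against the root authorized_keys on the VPS; a non-zero exit means at least one key is looser than the line above.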