4 privacy settings that homelabbers almost always get wrong

Your homelab is the perfect place to learn the good and bad of networking and server infrastructure. On the one hand, a homelab is an extremely useful tool for any DIYer. On the other hand, it’s a security nightmare if not configured correctly. Here are four privacy settings that most homelabbers get wrong and how to fix them.
Expose admin dashboards to the internet
Proxmox was never designed to be managed outside of your local network
There are many admin dashboards in any homelab, and something always breaks while you are away from home. While Tailscale and VPNs let you reach your network from anywhere, the easiest solution seems to be a reverse proxy that publishes the admin dashboard on the internet under a domain name, right? You’ve set up password authentication, so isn’t it secure? Most of the time, it’s not as secure as you think.
Having an admin dashboard open to the internet means that bots can search for that specific type of admin dashboard and try different brute force methods to access it. This happened to me recently, with one of my admin dashes I had behind a reverse proxy being compromised and a crypto bot deployed on my server without my knowledge.
Many Docker containers (or self-hosted services in general) carry vulnerabilities that let an attacker bypass or brute-force the authentication layer and reach the application behind it. If that application is an admin dashboard exposed to the internet, you are in trouble.
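One practical defence when a dashboard does sit behind a reverse proxy is to watch the proxy's access log for exactly the brute-force pattern described above. The following is an added example, not code from the article: it parses nginx "combined" format lines (the constructed sample below is not real traffic) and reports any client address that produces a threshold of failed logins inside a sliding one-minute window. The login path `/login` is an assumption; adjust it to the dashboard you run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: client ip, ident, user, [time], "request", status, ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_PATHS = ("/login",)   # assumption: the dashboard's login endpoint
FAILED = {401, 403}

def parse(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each client IP to the most failed logins it produced inside any `window`.
    Only IPs that reached `threshold` are returned, so the result is the alert list."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    peak = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method != "POST" or path not in LOGIN_PATHS or status not in FAILED:
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:   # drop failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def _line(ip, sec, status, ua="python-requests/2.31"):
    return f'{ip} - - [12/Mar/2025:01:02:{sec:02d} +0000] "POST /login HTTP/1.1" {status} 52 "-" "{ua}"'

# Constructed sample log (not real traffic): one address hammering the login form,
# one stray failure, and one legitimate login from the LAN.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, 401) for s in range(3, 9)]
    + [_line("198.51.100.9", 5, 401), _line("192.168.1.20", 10, 200, "Mozilla/5.0")])

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed logins within 1 minute")
```

Feed it `tail -f` output from the proxy and wire the alert into fail2ban-style blocking or a notification, which is the moment you would have learned about the bot before it deployed anything.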
Leave default credentials on self-hosted apps
Default passwords are one of the easiest ways to be compromised
Even if you don’t open your admin dashboards to the public, you should at least change the default login credentials for your self-hosted applications and network equipment. The fact is that your homelab is susceptible to infiltration whether or not you open it up to the wider Internet.
Hackers have several ways to gain access to your local network, whether through smart home devices with poor security, 3D printers, or even normal paper printers. Your network is not as secure as you think. If someone manages to access your local network in any way, they will also be able to access your self-hosted services.
If your setup is anything like mine, you’re probably using standard ports for various services, the same ports that every other homelabber uses as well. This makes it easy for hackers to access your self-hosted stack, or even your router’s admin pages, if you use the default login credentials.
Opening ports to the public when they should only be internal
Not all services need to be accessible from the Internet
The general rule should be to open as few network ports as possible on your router, because an open network port is an invitation for hackers to enter your network. Now I have several open ports on my network for various reasons, but I also know the risks of opening these ports.
The problem arises when you open ports on your network that don’t actually need to be opened. For example, if you want to run a Minecraft server at home, you need to open port 25565 on your network. However, if you are only using this server to play locally, there is no reason to open this port to the world.
The same is true of SSH: you should rarely, if ever, forward port 22. HTTP/S is also risky, although opening ports 80 and 443 to the web is something many hobbyists do.
In reality, if you don’t have an explicitly valid reason to forward a port, simply don’t forward the port. It is best to have all ports closed on your network.
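Before deciding which ports to forward, it helps to know what is actually listening on each host and on which interfaces. This added example (not the article's own code) parses the layout that `ss -tlnp` prints, classifies every listener by its bind address, and flags anything bound to all interfaces that is not on an explicit "meant to be public" allowlist. The sample output is constructed, and the allowlist of only port 443 is an assumption for the demo.

```python
import re

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\("([^"]+)"')

def classify(local_addr):
    """Where a listener is reachable from, judging only by its bind address."""
    if local_addr in WILDCARDS:
        return "all-interfaces"
    if local_addr.startswith("127.") or local_addr in ("[::1]", "::1"):
        return "loopback"
    return "single-address"

def parse_ss(ss_output):
    """Parse `ss -tlnp` text into (address, port, process) tuples, skipping the header."""
    rows = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # handles "*:25565" and "[::]:443"
        m = PROC_RE.search(line)
        rows.append((addr, int(port), m.group(1) if m else "?"))
    return rows

def audit(ss_output, intentionally_public):
    """Return listeners bound to every interface whose port is not on the allowlist."""
    return [(port, proc, addr) for addr, port, proc in parse_ss(ss_output)
            if classify(addr) == "all-interfaces" and port not in intentionally_public]

# Constructed sample in the layout `ss -tlnp` prints (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=900,fd=7))
LISTEN  0       50      *:25565              *:*                users:(("java",pid=2210,fd=12))
LISTEN  0       4096    [::]:443             [::]:*             users:(("nginx",pid=1400,fd=6))
LISTEN  0       128     192.168.1.10:8006    0.0.0.0:*          users:(("pveproxy",pid=1000,fd=5))
"""

if __name__ == "__main__":
    # Assumption for the demo: only the reverse proxy on 443 is meant to be public.
    for port, proc, addr in audit(SAMPLE_SS, {443}):
        print(f"REVIEW: {proc} listens on {addr}:{port}; forward or firewall it deliberately")
```

Run it against `ss -tlnp` output from each box; anything it reports is a candidate for binding to the LAN address only, not for a router forward.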
Keep API tokens or passwords stored as plain text
Plain text secrets make breaches worse
You will use a lot of API tokens in your homelab, so you’ll want to keep them written down somewhere. Please do not write your passwords or API keys in plain text. I made the mistake early on in my homelab journey by placing API keys in Obsidian, which stores notes as plain text Markdown files.
While this is convenient, it is anything but secure. In fact, vibe coders leak their API keys on GitHub all the time, because they are stored in plain text in files committed to their repository and released publicly. Don’t do this in your homelab.
Instead, use a password manager or other form of encrypted storage, so that even if the document is leaked, its contents are not available for others to use or abuse. Whether the API key belongs to your OpenAI account for ChatGPT access or it’s the API key for Sonarr, it should stay nice and secure where no one else can access it.
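A cheap way to find out whether your notes already contain secrets is to scan them the way GitHub's secret scanners do. This added example (not the article's code) checks each line of a note for well-known key prefixes and for long high-entropy tokens such as a 32-character hex API key; the prefix patterns are assumptions written for this example, the sample note is constructed, and the keys in it are made up.

```python
import math
import re
from collections import Counter

# Common published key prefixes (assumption: written for this example, not exhaustive).
KNOWN = {
    "openai": re.compile(r"sk-[A-Za-z0-9_-]{20,}"),
    "github-pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "aws-access-key": re.compile(r"AKIA[0-9A-Z]{16}"),
}
TOKEN_CHARS = r"A-Za-z0-9+/=_-"
GENERIC = re.compile(rf"(?<![{TOKEN_CHARS}])[{TOKEN_CHARS}]{{32,}}(?![{TOKEN_CHARS}])")

def shannon_entropy(s):
    """Bits of entropy per character: random hex is about 4.0, English words 3.0 or less."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value):
    return value[:4] + "..." + value[-2:]

def scan_notes(text, entropy_threshold=3.5):
    """Return (line_number, kind, redacted_value) for every secret-looking token in a note."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rest = line
        for kind, pattern in KNOWN.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, redact(m.group())))
                rest = rest.replace(m.group(), " ")   # do not report it a second time below
        for m in GENERIC.finditer(rest):
            if shannon_entropy(m.group()) >= entropy_threshold:
                findings.append((lineno, "high-entropy", redact(m.group())))
    return findings

# Constructed Obsidian-style note (the keys are made up for this example).
SAMPLE_NOTE = """\
# Homelab services
- Sonarr: http://sonarr.lan:8989, api key: 4f1d2c9e8b7a4c6d9e0f1a2b3c4d5e6f
- OpenAI key: sk-constructedEXAMPLEkey1234567890abcdefgh
- Router admin: https://192.168.1.1 (credentials live in the password manager)
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_notes(SAMPLE_NOTE):
        print(f"line {lineno}: {kind} secret {shown}; move it to the password manager")
```

Point it at your notes directory (or run it as a pre-commit hook) and the output never contains the full secret, only enough to find the line and move the value into encrypted storage.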
Your homelab is as secure as you make it
As much as I love homelabbing, one of the biggest problems with running a homelab is being in charge of its security. If you know what you’re doing, it’s not that big of a deal. However, newcomers certainly can (and do) make mistakes when it comes to homelab security.
Ultimately, if you have questions about how secure your homelab is, opt for opening as few ports as possible and changing default passwords. If you just do these two things, your homelab should be pretty secure, at least until you learn how to set up VPNs, stacks like Authentik, and harden your services.