
Lock Down Your Homelab

A complete checklist for securing your self-hosted infrastructure — firewall rules, VLAN segmentation, SSH hardening, fail2ban, and network monitoring.


Your homelab is a production environment — it runs your DNS, media, backups, and maybe even your smart home. Treat it like one. This guide walks you through every layer of hardening, from the network edge to individual services, so you can self-host with confidence.

1. Firewall Rules

Your firewall is the first line of defence. Whether you run pfSense, OPNsense, or a UniFi gateway, the principles are the same.

Default Deny

  • Set the default inbound policy on WAN to drop everything. Apply the same thinking outbound: rather than "allow any" from each VLAN, allow the egress each one actually needs (DNS to your resolver, NTP, HTTPS) and log the rest.
  • Block all inbound traffic on WAN unless you have a specific port-forward with a documented reason. Review the list every few months and remove forwards you no longer use.
  • Create an explicit rule (or tick the interface options pfSense and OPNsense call "Block private networks" and "Block bogon networks") to drop RFC1918 and other unroutable source addresses arriving on WAN, so a spoofed "internal" packet can never match a LAN rule.

Inter-VLAN Rules

  • Block IoT devices from reaching your management or server VLANs, and allow only the specific flows they need. Note that mDNS discovery (Chromecast, AirPlay, printers) is link-local multicast and will not cross VLANs no matter what the firewall permits; you need an mDNS reflector (Avahi on pfSense/OPNsense, the multicast DNS option in UniFi) plus a rule for the unicast ports that follow discovery (TCP 8008 and 8009 for Chromecast).
  • Allow your trusted VLAN to reach server services, but block server-to-trusted initiation. The firewall is stateful, so replies to connections your workstation opened still flow; a server opening a connection to a workstation unprompted is a red flag.
  • Log denied traffic for the first 30 days; you will find misconfigured devices quickly. After that, keep logging only denies that originate inside your network, which is where a compromise shows up.

GeoIP Blocking

  • If your homelab serves only local clients, GeoIP adds little: the default-deny WAN policy already drops everything. Use it to cut log noise, not as a control.
  • For services you expose (VPN, Nextcloud), restrict source countries to where you actually travel, and remember that an attacker can rent a VPS or residential proxy inside your country for a few dollars; GeoIP raises their cost, nothing more. Where possible reach internal services over the VPN instead of exposing them directly.

2. VLAN Segmentation

VLANs isolate devices so a compromised IoT bulb cannot pivot to your NAS. Here is a practical VLAN layout for most homelabs.

VLAN         ID   Purpose                          Internet
Management    1   Switches, APs, router admin      Limited
Trusted      10   Your workstations, laptops       Full
Servers      20   Docker hosts, NAS, Proxmox       Updates only
IoT          30   Cameras, smart plugs, sensors    Cloud only
Guest        40   Visitors, untrusted devices      Full (isolated)

Tag your switch ports and assign one SSID per VLAN. One caution on the layout above: on most switches VLAN 1 is the native (untagged) VLAN, so any port you forget to configure lands in it; many people therefore leave VLAN 1 empty and put management on a dedicated tagged VLAN. Test isolation from each VLAN, and not only with ping: ICMP is often handled by a separate rule, so also attempt a TCP connection to a server port (SSH on the NAS, say). Both should fail unless your firewall explicitly allows them.
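
To make that isolation test repeatable after every firewall change, here is an added example script (mine, not part of the original checklist) that encodes the intended inter-VLAN policy from the rules above as an expectation table and probes each entry with a TCP connect. Everything in the table is an assumption to replace with your own: it takes each VLAN's gateway to be 10.0.<ID>.1, expects to be run from a host on the Trusted VLAN, and uses nc (netcat) for the probe.

```sh
#!/bin/sh
# vlan-check.sh: verify that the inter-VLAN firewall policy matches intent.
# Added example for this checklist, not code from the original page.
# Assumptions (replace with your own): gateways are 10.0.<VLAN>.1, you run this
# from a Trusted-VLAN host, and nc (netcat) is installed for the TCP probe.

# probe HOST PORT -> prints "open" or "closed". A TCP connect is more telling
# than ping: many firewalls handle ICMP in a separate rule, so a failed ping
# does not prove a port is blocked. stdin is redirected so nc cannot eat the
# policy table that check_policy is reading.
probe() {
  if nc -z -w 1 "$1" "$2" </dev/null >/dev/null 2>&1; then echo open; else echo closed; fi
}

# sample_policy prints a CONSTRUCTED expectation table for the VLAN layout in
# the table above: "host port expected". Lines starting with # are ignored.
sample_policy() {
  cat <<'EOF'
# host       port  expected   note
10.0.20.1    22    open       # Trusted -> Servers: SSH allowed
10.0.20.1    445   open       # Trusted -> Servers: SMB allowed
10.0.1.1     443   open       # Trusted -> Management: web UI allowed
10.0.30.1    22    closed     # Trusted -> IoT: must be blocked
10.0.40.1    22    closed     # Trusted -> Guest: isolated
EOF
}

# check_policy reads the table on stdin, probes every entry and prints one
# PASS/FAIL line each. Its return value is the number of mismatches, so a
# cron job can alert on any non-zero exit.
check_policy() {
  failures=0
  while read -r host port expected rest; do
    case $host in ''|'#'*) continue ;; esac
    actual=$(probe "$host" "$port")
    if [ "$actual" = "$expected" ]; then
      printf 'PASS %-12s %-5s %s\n' "$host" "$port" "$actual"
    else
      printf 'FAIL %-12s %-5s expected %s, got %s\n' "$host" "$port" "$expected" "$actual"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage: sh vlan-check.sh policy.txt
# (or source the file and run: sample_policy | check_policy)
if [ $# -gt 0 ]; then
  check_policy < "$1"
fi
```

Keep the policy file next to your firewall's rule export and run the script from each VLAN in turn (a Raspberry Pi on the IoT VLAN makes a good probe host); a FAIL line on a "closed" entry is exactly the misconfiguration the 30-day deny logging is meant to surface.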

3. SSH Hardening

SSH is how you manage everything. A weak SSH config is an open door.

/etc/ssh/sshd_config recommendations

# Keys only: disable password and keyboard-interactive auth.
# KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication
# is the deprecated alias, kept here for older OpenSSH releases.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no

# Disable root login
PermitRootLogin no

# Limit to your user (space-separated list if you have several)
AllowUsers yourusername

# Fewer guesses per connection
MaxAuthTries 3

# Change default port (optional; reduces log noise, it is not a security control)
Port 2222

# Drop idle sessions after 10 minutes (300 s x 2 missed keepalives)
ClientAliveInterval 300
ClientAliveCountMax 2

# A headless host has no use for this
X11Forwarding no

# Use only strong algorithms (OpenSSH 8.x or newer; on 9.0+ you can prepend
# sntrup761x25519-sha512@openssh.com to the key exchange list)
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

After editing, run sudo sshd -t to validate the syntax, then restart the service: sudo systemctl restart ssh on Debian/Ubuntu (the unit is called ssh there) or sudo systemctl restart sshd on RHEL-family systems. Two traps to check before you trust the file:

  • Modern sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and for most keywords the first value sshd reads wins. Ubuntu cloud images ship /etc/ssh/sshd_config.d/50-cloud-init.conf, which may contain PasswordAuthentication yes and silently beats the no you wrote further down. Put your hardening in a drop-in that sorts first (00-hardening.conf, for instance) or remove the vendor drop-in, then confirm the effective values with sudo sshd -T | grep -E '^(passwordauthentication|permitrootlogin|kbdinteractiveauthentication)'.
  • On Ubuntu 22.10 and later, ssh is socket-activated by systemd. After changing Port, look at systemctl status ssh.socket: if the socket still listens on 22, either update it (systemctl edit ssh.socket) or disable the socket and enable ssh.service directly.

Always test a fresh login from a second terminal before closing your current session.
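
Because a drop-in can silently override what you wrote, the check that matters is the effective configuration that sshd -T reports. The following added example (mine, not the page's own code) pipes that output through an awk audit of the settings listed above plus a few related ones. The sample_sshd_T function is a constructed sshd -T excerpt standing in for a real host, so the script runs offline; against a live machine you would feed it sudo sshd -T instead.

```sh
#!/bin/sh
# sshd-audit.sh: compare the EFFECTIVE sshd configuration with the checklist.
# Added example for this page, not the page's own code. Real use:
#   sudo sshd -T | sh sshd-audit.sh --stdin
# Demo on the constructed sample below:
#   sh sshd-audit.sh --sample

# audit_sshd reads `sshd -T` output (lowercase "key value" lines) on stdin,
# prints one FAIL/WARN line per finding and returns the number of FAILs.
audit_sshd() {
  awk '
  BEGIN {
    want["passwordauthentication"]       = "no"
    want["kbdinteractiveauthentication"] = "no"
    want["permitrootlogin"]              = "no"
    want["permitemptypasswords"]         = "no"
    want["pubkeyauthentication"]         = "yes"
    want["x11forwarding"]                = "no"
  }
  { key = $1; val = $2 }
  key in want {
    seen[key] = 1
    if (val != want[key]) { printf "FAIL %s is %s (want %s)\n", key, val, want[key]; fails++ }
  }
  key == "allowusers" || key == "allowgroups" { restricted = 1 }
  key == "ciphers" && val ~ /cbc|3des|arcfour/ {
    printf "FAIL ciphers include a legacy cipher: %s\n", val; fails++
  }
  # prepend a comma so the first MAC is matched the same way as the others
  key == "macs" && ("," val) ~ /,hmac-(sha1|md5)/ {
    printf "FAIL macs include a weak MAC: %s\n", val; fails++
  }
  key == "kexalgorithms" && val ~ /sha1/ {
    printf "FAIL kex includes a SHA-1 based method: %s\n", val; fails++
  }
  END {
    for (k in want) if (!(k in seen)) printf "WARN %s not reported; is this really sshd -T output?\n", k
    if (!restricted) { printf "FAIL no AllowUsers/AllowGroups restriction\n"; fails++ }
    exit fails + 0
  }'
}

# sample_sshd_T: a CONSTRUCTED excerpt of `sshd -T` from a host where a
# cloud-init drop-in re-enabled passwords. Not captured from a real machine.
sample_sshd_T() {
  cat <<'EOF'
port 2222
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin prohibit-password
permitemptypasswords no
pubkeyauthentication yes
x11forwarding yes
ciphers chacha20-poly1305@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
EOF
}

case ${1:-} in
  --sample) sample_sshd_T | audit_sshd ;;
  --stdin)  audit_sshd ;;
esac
```

The exit status is the number of failed checks, so the same script works as a cron job that mails you when a package upgrade or a new drop-in quietly loosens the configuration.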

4. Fail2ban & Intrusion Prevention

Even with key-only SSH, bots will pound your ports. Fail2ban watches logs and bans offenders automatically.

Install and configure

# Install
sudo apt install fail2ban

# Never edit jail.conf directly: package upgrades overwrite it. Put ONLY your
# overrides in jail.local; do not copy the whole of jail.conf there, or your copy
# goes stale and shadows every upstream default change.
sudo touch /etc/fail2ban/jail.local

/etc/fail2ban/jail.local — key settings

[DEFAULT]
# Never ban yourself: loopback plus your own trusted VLAN
# (10.0.10.0/24 is a placeholder; use your real range)
ignoreip = 127.0.0.1/8 ::1 10.0.10.0/24
bantime  = 1h
findtime = 10m
maxretry = 3
# Debian 12 and newer no longer install rsyslog, so /var/log/auth.log may not
# exist. In that case read the journal instead (apt install python3-systemd)
# and drop the logpath line:
# backend = systemd

[sshd]
enabled = true
# must match the Port in sshd_config
port    = 2222
logpath = /var/log/auth.log

Check the jail with sudo fail2ban-client status sshd (it lists the currently banned IPs), and release an address you locked out with sudo fail2ban-client set sshd unbanip 203.0.113.5. Before trusting a new jail, dry-run its filter against the real log with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf and look at the match counts. For Nginx or Traefik, add jails that watch the access logs for repeated 401/403 responses and hammering of login endpoints on your web apps.
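
To see what the findtime/maxretry pair above actually does, here is an added example (mine; it is neither the page's code nor fail2ban's) that reimplements the sshd jail's counting rule over a constructed log in journalctl -o short-iso format: it slides a findtime window per source IP and "bans" an IP on the maxretry-th failure inside that window. It counts only Failed password lines, which is narrower than fail2ban's real sshd filter, and it assumes all timestamps are in the same time zone. The addresses are RFC 5737 documentation ranges, not a real capture.

```sh
#!/bin/sh
# bruteforce-check.sh: fail2ban-style counting over sshd log lines.
# Added example for this page; neither the page's code nor fail2ban's.
# Input format assumed: journalctl -o short-iso lines, e.g.
#   2024-03-10T04:12:01+0000 nas sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2
# Only "Failed password" lines are counted (fail2ban's sshd filter matches more).

# detect_bruteforce FINDTIME_SECONDS MAXRETRY < log
# Prints "BAN <ip> at <timestamp> (...)" once per offending IP; the return
# value is the number of IPs that would have been banned.
detect_bruteforce() {
  awk -v findtime="$1" -v maxretry="$2" '
  # epoch(): seconds for an ISO timestamp, zone ignored (days-from-civil formula)
  function epoch(ts,   d, t, y, m, dd, era, yoe, doy, doe) {
    split(substr(ts, 1, 10), d, "-"); split(substr(ts, 12, 8), t, ":")
    y = d[1] + 0; m = d[2] + 0; dd = d[3] + 0
    if (m <= 2) y--
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + dd - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return (era * 146097 + doe - 719468) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }
  /sshd\[[0-9]+\]: Failed password for/ {
    ip = ""
    for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
    if (ip == "" || (ip in banned)) next
    now = epoch($1)
    # keep only the failures still inside the findtime window, then add this one
    n = 0
    for (i = 1; i <= cnt[ip]; i++)
      if (hits[ip, i] > now - findtime) hits[ip, ++n] = hits[ip, i]
    hits[ip, ++n] = now
    cnt[ip] = n
    if (n >= maxretry) {
      banned[ip] = now
      printf "BAN %s at %s (%d failures within %ds)\n", ip, $1, n, findtime
      bans++
    }
  }
  END { exit bans + 0 }'
}

# sample_auth_log: CONSTRUCTED lines (RFC 5737 test addresses), not a real capture.
# 203.0.113.5 fails three times in six seconds; 198.51.100.7 fails three times
# fifteen minutes apart, which never puts three inside a 10-minute window.
sample_auth_log() {
  cat <<'EOF'
2024-03-10T04:12:01+0000 nas sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-03-10T04:12:04+0000 nas sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-03-10T04:12:07+0000 nas sshd[2214]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2024-03-10T04:15:00+0000 nas sshd[2230]: Failed password for invalid user pi from 198.51.100.7 port 40001 ssh2
2024-03-10T04:30:00+0000 nas sshd[2231]: Failed password for invalid user pi from 198.51.100.7 port 40002 ssh2
2024-03-10T04:45:00+0000 nas sshd[2232]: Failed password for invalid user pi from 198.51.100.7 port 40003 ssh2
2024-03-10T05:00:00+0000 nas sshd[2240]: Accepted publickey for yourusername from 10.0.10.20 port 50000 ssh2
EOF
}

# Usage: journalctl -u ssh -o short-iso | sh bruteforce-check.sh 600 3
# With no arguments the constructed sample is scored with the jail.local values.
if [ $# -eq 2 ]; then
  detect_bruteforce "$1" "$2"
elif sample_auth_log | detect_bruteforce 600 3; then
  echo "no IP crossed the threshold"
else
  echo "$? IP(s) would be banned"
fi
```

Run it once with 600 3 and once with 3600 3 on the sample: the slow attacker at 198.51.100.7 is only caught by the wider window, which is the trade-off behind findtime. A low-and-slow scanner that spaces attempts beyond your findtime never trips fail2ban, which is why key-only auth, not banning, is the actual control.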

5. Updates & Patching

Unpatched, reachable software is the most common way in: attackers keep scanning for known, already-fixed vulnerabilities long after the patch ships. Automate what you can, and know what you cannot.

  • Unattended upgrades — on Debian/Ubuntu, enable automatic security patches: sudo apt install unattended-upgrades && sudo dpkg-reconfigure unattended-upgrades. Kernel and libc updates only take effect after a reboot, so either set Unattended-Upgrade::Automatic-Reboot "true" (with an Automatic-Reboot-Time) in /etc/apt/apt.conf.d/50unattended-upgrades or alert when /var/run/reboot-required appears.
  • Watchtower — auto-update Docker containers: docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --cleanup --schedule "0 4 * * *". Two caveats: the Docker socket is root on the host, so Watchtower is a high-value container; and blindly pulling latest means a compromised or broken upstream image deploys itself at 4 a.m. Pin tags and take backups first, or run it with --monitor-only so it only notifies and you update on your own terms.
  • Proxmox — enable the pve-no-subscription repository (and disable the enterprise one unless you have a key), then run apt update && apt dist-upgrade (not plain apt upgrade, which Proxmox's own documentation warns against) at least monthly and whenever a Proxmox security advisory lands.
  • Firmware — check UniFi, NAS, and UPS firmware quarterly, and subscribe to vendor security advisories; router and NAS firmware bugs are the ones that get exploited in the wild.

6. Monitoring & Alerting

You cannot protect what you cannot see. Set up basic monitoring so you know when something is wrong before it becomes a breach.

  • Uptime Kuma — lightweight self-hosted monitoring. Ping every service, get alerts via Telegram, Discord, or email.
  • Grafana + Prometheus — for deeper metrics. Monitor CPU, memory, disk, and network across all hosts with node_exporter.
  • Log aggregation — send syslog from all devices to a central collector (Loki, Graylog, or even a simple rsyslog server). Correlate events across your stack.
  • Alerts that matter — do not alert on everything. Focus on: successful SSH logins from an address you do not recognise, failed logins or fail2ban bans that originate inside your own VLANs, firewall drops whose source is an internal device (a bulb trying to reach the NAS), disk usage above 85%, a service down for more than 2 minutes, and certificate expiry under 14 days.
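
Two of those thresholds, disk usage and certificate expiry, need no monitoring stack at all. The added example below (mine, not the page's code) implements both as shell functions whose exit status is the number of alerts, so a cron job can pipe the output to Uptime Kuma, a webhook or mail. The df output in sample_df is constructed, not from a real host; the certificate check relies on openssl x509 -checkend doing the date arithmetic, and the s_client line for fetching a live certificate is an assumed usage pattern you would adapt to your hostnames.

```sh
#!/bin/sh
# homelab-alerts.sh: disk-usage and certificate-expiry checks from the list above.
# Added example for this page, not the page's own code.
# Usage:
#   df -P | sh homelab-alerts.sh 85            # alert on volumes at or above 85%
#   sh homelab-alerts.sh --cert leaf.pem 14    # alert if the cert expires within 14 days
#   sh homelab-alerts.sh --sample              # run the disk check on constructed data
# To check a live service, save its leaf certificate first:
#   openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 > leaf.pem

# check_disk THRESHOLD_PCT < "df -P" output
# Prints "ALERT disk <mount> <use>%" for every filesystem at or above the
# threshold; returns the number of alerts. df -P gives the portable column layout.
check_disk() {
  awk -v limit="$1" '
  NR > 1 && $5 ~ /%$/ {
    pct = $5; sub(/%/, "", pct)
    if (pct + 0 >= limit) { printf "ALERT disk %s %s%%\n", $6, pct; alerts++ }
  }
  END { exit alerts + 0 }'
}

# check_cert FILE DAYS: returns 1 and prints an alert if the PEM certificate in
# FILE expires within DAYS, 0 otherwise. openssl -checkend exits 0 only when the
# certificate is still valid for the whole window, so no date parsing is needed.
check_cert() {
  secs=$(( $2 * 86400 ))
  if openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null 2>&1; then
    return 0
  fi
  echo "ALERT cert $1 expires within $2 days"
  return 1
}

# sample_df: CONSTRUCTED df -P output (not from a real host) with one nearly full volume.
sample_df() {
  cat <<'EOF'
Filesystem     1024-blocks       Used Available Capacity Mounted on
/dev/sda1         51474912   22134000  26700000      46% /
/dev/sdb1       1953513560 1720000000 233513560      88% /srv/media
tmpfs              8140000        120   8139880       1% /run
EOF
}

case ${1:-} in
  --sample) sample_df | check_disk 85 ;;
  --cert)   check_cert "$2" "$3" ;;
  '')       ;;                       # sourced or run bare: only define the functions
  *)        check_disk "$1" ;;
esac
```

The disk check deliberately reads df -P on stdin rather than calling df itself, so the same function can score output collected from another host over SSH.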

Next step: Once your homelab is hardened, secure your Docker stack — container isolation, secrets management, and image scanning.