
Network Security Best Practices?

Steven Schaefer

Hello! I am currently doing some updates to my home network setup and I have a few questions about how to practice good security.

 

My setup is as follows:

2 desktop workstations (for me and my partner) that are usually turned off when not in use. Neither has a biometric login option

2 framework laptops with fingerprint scanners

1 HTPC that is always running and restarts every night

1 server always running used for file storage, to run home assistant, and possibly security cameras with something like Blue Iris in the future.

1 Linksys E5350 Router/access point

 

Here are my questions:

1. Is the firewall that's running on something like my Linksys router considered to be very safe? What are the attack vectors that someone might use in order to breach my network? Is there a way to check that the firewall is working? Is it more of a case of "Someone who knows what they're doing could definitely get into your network pretty easily, but if you're running a basic firewall they're unlikely to target you and instead look for lower-hanging fruit"?

 

2. If my HTPC and file server are always running and logged into Windows, is that a vulnerability? The HTPC is set up to auto-login so I can play music with Spotify without having to touch it, so if someone were to gain access to that computer, they would essentially have access to the whole network. Same with the Server, though I could probably set that up to not auto-login, but what does that matter if there's another computer on the network logged in that has access to everything anyway?

 

3. I have fairly weak login passwords for the workstations because I don't want to have to type long, complicated passwords every time I sit down at the computer, and I don't know of a way that my password manager (Bitwarden) can help with that. Is that okay? Would it make sense to just set the workstations to auto-login too since they're in my home and no one would ever have access to them without my supervision?

 

4. None of the machines are running antivirus beyond the parts of Windows Defender that are difficult to disable. From my understanding that's basically fine as long as you don't visit sketchy websites. Is that true?

 

5. Can anyone recommend a good resource that provides answers to these questions and more, such as how to safely do port forwarding etc?

 

I appreciate any recommendations!

 


2 minutes ago, Steven Schaefer said:

Hello! I am currently doing some updates to my home network setup and I have a few questions about how to practice good security.

 

My setup is as follows:

2 desktop workstations (for me and my partner) that are usually turned off when not in use. Neither has a biometric login option

2 framework laptops with fingerprint scanners

1 HTPC that is always running and restarts every night

1 server always running used for file storage, to run home assistant, and possibly security cameras with something like Blue Iris in the future.

1 Linksys E5350 Router/access point

 

Here are my questions:

1. Is the firewall that's running on something like my Linksys router considered to be very safe? What are the attack vectors that someone might use in order to breach my network? Is there a way to check that the firewall is working? Is it more of a case of "Someone who knows what they're doing could definitely get into your network pretty easily, but if you're running a basic firewall they're unlikely to target you and instead look for lower-hanging fruit"?

 

2. If my HTPC and file server are always running and logged into Windows, is that a vulnerability? The HTPC is set up to auto-login so I can play music with Spotify without having to touch it, so if someone were to gain access to that computer, they would essentially have access to the whole network. Same with the Server, though I could probably set that up to not auto-login, but what does that matter if there's another computer on the network logged in that has access to everything anyway?

 

3. I have fairly weak login passwords for the workstations because I don't want to have to type long, complicated passwords every time I sit down at the computer, and I don't know of a way that my password manager (Bitwarden) can help with that. Is that okay? Would it make sense to just set the workstations to auto-login too since they're in my home and no one would ever have access to them without my supervision?

 

4. None of the machines are running antivirus beyond the parts of Windows Defender that are difficult to disable. From my understanding that's basically fine as long as you don't visit sketchy websites. Is that true?

 

5. Can anyone recommend a good resource that provides answers to these questions and more, such as how to safely do port forwarding etc?

 

I appreciate any recommendations!

 

Every shortcut you make, makes it easier to break in. Are your passwords different for every site/login? Was your data ever compromised in a data breach? Try MFA to get more secure. I am sure Windows would log failed login attempts in Event Viewer. Does the router have the default password and login?


1 minute ago, HoodedUnicorn said:

Every shortcut you make, makes it easier to break in.

Yes, but it has to be a balance between convenience and security, so I'm trying to identify where that balance should be for me.

 

3 minutes ago, HoodedUnicorn said:

Are your passwords different for every site/login?

For anything that I use Bitwarden to store the password, yes. However, like I said, using Bitwarden for logging into the individual machines is impractical, so the Windows login passwords are shared between some of the computers.

 

5 minutes ago, HoodedUnicorn said:

Was your data ever compromised in a data breach?

Not that I'm specifically aware of, but I would assume it has been at some point. But since all of my website passwords are different, it's not a huge concern to me.

 

8 minutes ago, HoodedUnicorn said:

I am sure Windows would log failed login attempts in Event Viewer.

Does anyone know if I could set something up to notify me when this happens?

 

9 minutes ago, HoodedUnicorn said:

Does the router have the default password and login?

Nope, I use Bitwarden for that.


2 minutes ago, Steven Schaefer said:

Yes, but it has to be a balance between convenience and security, so I'm trying to identify where that balance should be for me.

 

For anything that I use Bitwarden to store the password, yes. However, like I said, using Bitwarden for logging into the individual machines is impractical, so the Windows login passwords are shared between some of the computers.

 

Not that I'm specifically aware of, but I would assume it has been at some point. But since all of my website passwords are different, it's not a huge concern to me.

 

Does anyone know if I could set something up to notify me when this happens?

 

Nope, I use Bitwarden for that.

I believe in the Firewall you can have an allowed IP range that can visit it. But I am all out of ideas. Hope you find what you're looking for.


36 minutes ago, Steven Schaefer said:

Hello! I am currently doing some updates to my home network setup and I have a few questions about how to practice good security.

 

My setup is as follows:

2 desktop workstations (for me and my partner) that are usually turned off when not in use. Neither has a biometric login option

2 framework laptops with fingerprint scanners

1 HTPC that is always running and restarts every night

1 server always running used for file storage, to run home assistant, and possibly security cameras with something like Blue Iris in the future.

1 Linksys E5350 Router/access point

 

Here are my questions:

1. Is the firewall that's running on something like my Linksys router considered to be very safe? What are the attack vectors that someone might use in order to breach my network? Is there a way to check that the firewall is working? Is it more of a case of "Someone who knows what they're doing could definitely get into your network pretty easily, but if you're running a basic firewall they're unlikely to target you and instead look for lower-hanging fruit"?

 

2. If my HTPC and file server are always running and logged into Windows, is that a vulnerability? The HTPC is set up to auto-login so I can play music with Spotify without having to touch it, so if someone were to gain access to that computer, they would essentially have access to the whole network. Same with the Server, though I could probably set that up to not auto-login, but what does that matter if there's another computer on the network logged in that has access to everything anyway?

 

3. I have fairly weak login passwords for the workstations because I don't want to have to type long, complicated passwords every time I sit down at the computer, and I don't know of a way that my password manager (Bitwarden) can help with that. Is that okay? Would it make sense to just set the workstations to auto-login too since they're in my home and no one would ever have access to them without my supervision?

 

4. None of the machines are running antivirus beyond the parts of Windows Defender that are difficult to disable. From my understanding that's basically fine as long as you don't visit sketchy websites. Is that true?

 

5. Can anyone recommend a good resource that provides answers to these questions and more, such as how to safely do port forwarding etc?

 

I appreciate any recommendations!

 

1. Firewalls in cheap routers are usually quite bad, but they are enough. Think Windows Defender: it's not great, but it does its job. I did not check the statistics, but I am pretty sure that 99% of all break-ins happen because of your own mistakes.... Not upgrading your programs.... There are a lot of exploits that get patched, but are easily exploitable and even widely known a few months after they are discovered. Just keep your stuff up to date. Or the most common way of getting infected is just downloading unsafe files. I can promise you that if you are not some big tech company or some big shot, nobody will try to break into your computer through your router firewall etc...

 

 

 

To answer all your other questions in bulk:

 

Nobody is trying to get you. If you don't visit sketchy sites and don't download everything without checking, most likely nobody is going to try to get access to your network.

I mean, what's the point of doing that? Even if I could do it easily I wouldn't, since I would gain nothing from it.

 

 

Best resources are cyber security courses, since they teach you general stuff too, so you are safe. It's easy to have a firewall etc., but then miss a stupid thing, like having a port open that allows someone to just easily connect and get access (it's just an example).

 


I know it's not very informative, but the above dude was also right. Don't take shortcuts; it helps attackers too, but again nobody would bother. Unless it's a mass malware, but you install them yourself.


check haveibeenpwned.com to see if you've been in a data breach. try all of your emails. 
First and foremost, Physical Security is top priority. if someone can touch it, they own it. especially if you use auto-login. 


you can always install a firewall, it should be as close to (or on) the router as possible, but how you check if it's working depends on the software/hardware you use. 

if you use port forwarding never use default SSH port 22. always change the port for ssh on any service that requires/uses it if you can. 
every public facing IP is constantly being bombarded by bots attempting to brute force their way into any system they can find. they just use dictionary attacks on every port, so disable root login from SSH on anything you can. make sure you NEVER NEVER NEVER use default username and password combinations for devices that have ports forwarded to them. 

Using things like TeamViewer, VNC, RDP, and other remote technologies opens up more attack vectors if those technologies have any CVEs.

That being said, capability and security are always opposed. you know this, otherwise you wouldn't be asking about how to harden your home LAN. Use remote technology at your own risk.

Don't run anything you don't trust. phishers will reverse shell your ass like it's Mario Kart.

to directly address your questions: 


1) If someone wants in, they will get in. if you are being targeted there is no way to stop them. even the best firewall is defeated with attack pivots. 
2) Yes, autologin is a vulnerability at the physical level. and if there is no password, at the remote level. 
3) get better passwords. longer the better. there is no shortcut here. string a whole bunch of words together to make something crazy yet easy to type. 
 - BlindDonkeyShotJimmy is a lot better than  D1lakiss (most common password #21) https://nordpass.com/most-common-passwords-list/
4) yeah, windows defender is pretty okay if you don't turn it off. 
5) take a cyber security course, or buy the Security+ CompTIA book. if it tickles you in the right way pay $300 to take the test and go be a cyber professional. that's basically the foot in the door certification. There are many more, but it will let you know if you really like the under-the-hood view of computers. 

We can't Benchmark like we used to, but we have our ways. One trick is to shove more GPUs in your computer. Like the time I needed to NV-Link, because I needed a higher HeavenBench score, so I did an SLI, which is what they called NV-Link back in the day. So, I decided to put two GPUs in my computer, which was the style at the time. Now, to add another GPU to your computer, costs a new PSU. Now in those days PSUs said OCZ on them, "Gimme 750W OCZs for an SLI" you'd say. Now where were we? Oh yeah, the important thing was that I had two GPUs in my rig, which was the style at the time! They didn't have RGB PSUs at the time, because of the war. The only thing you could get was those big green ones. 


5 minutes ago, VioDuskar said:

2) Yes, autologin is a vulnerability at the physical level. and if there is no password, at the remote level. 
3) get better passwords. longer the better. there is no shortcut here. string a whole bunch of words together to make something crazy yet easy to type.

Thanks for the insights!
Looking at both of these points, it leads me to this conclusion:

 

If I am unwilling to type a strong password when logging in, and I am very confident in my physical security, then it would be better to create very strong passwords and use auto-login.

 

Do you agree?

Link to comment
Share on other sites

Link to post
Share on other sites

13 minutes ago, Steven Schaefer said:

Thanks for the insights!
Looking at both of these points, it leads me to this conclusion:

 

If I am unwilling to type a strong password when logging in, and I am very confident in my physical security, then it would be better to create very strong passwords and use auto-login.

 

Do you agree?

a long password is a strong password, it doesn't have to have many different character sets if it's super long.  I would never suggest autologin. 
a long password can be typed in easier without being complex, notice I didn't use "?Bl!ndD0nk3ySh0tJ1mmy!" as an example. 

 

Your server can run a service without being logged in constantly. login once on reboot, make a task schedule to run what you need at login, then relock your machine. 

or, if your service can be run at boot without login, schedule that on reboot.

pressing WindowsKey+L will lock a machine.

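The "run it at boot without login" option from the post above, as an added example that is not from any poster in this thread. The task name and program path are hypothetical placeholders, and the approach only suits background programs with no user interface, not desktop applications.

```powershell
# Added example: start a background program at boot with nobody signed in,
# then check that Windows auto-logon is no longer enabled.
# Run from an elevated PowerShell prompt.
$taskName = 'HomeServerWorker'                # hypothetical task name
$program  = 'C:\Services\worker\worker.exe'   # hypothetical path to the program

$action  = New-ScheduledTaskAction -Execute $program
$trigger = New-ScheduledTaskTrigger -AtStartup

# Built-in LOCAL SERVICE account: no stored password, no desktop session,
# limited privileges. It must have read/execute access to $program.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\LOCAL SERVICE' `
    -LogonType ServiceAccount -RunLevel Limited

# Restart up to 3 times on failure; a zero time limit lets it run indefinitely.
$settings = New-ScheduledTaskSettingsSet -RestartCount 3 `
    -RestartInterval (New-TimeSpan -Minutes 1) `
    -ExecutionTimeLimit ([TimeSpan]::Zero)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings | Out-Null

# Confirm which account the task runs under.
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State,
        @{ n = 'RunAs';     e = { $_.Principal.UserId } },
        @{ n = 'LogonType'; e = { $_.Principal.LogonType } }

# With the work moved into a task, the machine can sit at the lock screen.
# AutoAdminLogon = '1' means Windows still signs a user in automatically at boot.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.AutoAdminLogon -eq '1') {
    Write-Warning 'Auto-logon is still enabled on this machine.'
}
```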

enjoy this xkcd comic on the topic of passwords. 
https://preshing.com/20110811/xkcd-password-generator/
