Stop Compromising Your Home Server Security by Oversharing
I’m a big advocate of self-hosting. I have a server rack at home where I run a dozen or so services, and I’ve been involved in the r/selfhosted and r/homelab communities for a few years. It pains me to say, but there are a lot of people out there who do not follow basic security practices, and who often compromise themselves through carelessness. So let’s talk about how oversharing information can compromise your server security.
System Administrators are Prideful
This is going to sting a bit, but it’s true. From experience, when you point out a gaping hole in a sysadmin’s network, they are probably going to get defensive before getting concerned. I believe this comes down to a “pride” thing, which I get. The equipment and the way it is run is a reflection on the administrator of that equipment. Once you start poking holes in it, you are poking holes in them. I think we all need to remind ourselves sometimes that things can always improve, and having to fix a security oversight does not make you any less competent. But that pride also brings oversharing, which brings me to one of the big reasons I’m writing this.
“Techies” like Blogs
I mean, I’m writing here, aren’t I? There is no problem with blogs themselves, but when we overshare it turns into one. I am a security researcher. I’m also an aspiring penetration tester. One of the worst things you can do is overshare sensitive information in the public domain. Open source intelligence is great for an adversary, because it allows them to collect information on you without you ever knowing. Fortunately for that adversary, “self hosters” love to share their racks, the software stack on them, and a lot of times the exact configurations they are using.
Monitoring these home lab subreddits, I often see posts that someone shared from a personal blog that is hosted at home, sharing configuration settings and “tutorials” on their own equipment. They also post pictures of the rack, and share very specific details about what services are on what ports, etc. It’s a common occurrence, and I sometimes make it a game to see how much information they’ve shared on their blogs. Sometimes they might as well have given out their entire network diagram (and in some cases they do). Combined with other sources, some people basically give an attacker everything they need to compromise a server online, and the attacker would never need to scan a port.
Information Adds Up
We don’t realize how much information we truly share. Or maybe it’s that we don’t understand the significance of a small piece of information when it’s combined with several hundred more small pieces. I wouldn’t be writing this without reason, after all.
After someone has screened your blog, checked out your GitHub, viewed your post/comment history on Reddit, and clicked on every link in between, what kind of picture could they paint? I’ve found it’s usually pretty complete.
A Few Examples
- A picture of your rack on Reddit showing off a clean rack/build reveals all of your equipment, models, used switch ports, hardware firewalls, and often a nice terminal with a hostname and local IP. Penetration testers often spend hours on LinkedIn trying to scrape an ounce of this type of information on a client. The nice dashboard picture can also show off nearly every service in your stack, with a domain on top pointing to it.
- The blog post you just published on your media stack just revealed five media services you have running, including their ports, and other links on your blog show off your other services and their ports. The tutorials reveal internal LANs tied to services, internal passwords, usernames, your hypervisor software, and your open source router version. Oh, and it’s being hosted at home, and you don’t have anything masking your home IP. If you did, it wouldn’t matter, because the game server you are advertising is tied to your home IP anyway.
- The GitHub profile linked on X social media reveals configuration files you have saved there that contain more sensitive information, because “who looks there anyway”. Or you “committed it out and nobody will look at a previous version” (they will; the old revision is still in the history). We see more ports, security configuration, and that broken Python service that you run with a gaping security hole.
These are just three areas I’ve seen personally, with examples of each. You have already done the enumeration for an attacker. You have presented them with your entire hardware and software stack, IP addresses, and, in a lot of cases, versions. At that point, all they need is an exploit.
Screen your content
I’m not saying don’t write a blog, just be mindful of what’s out there. When you write, do you really need to consolidate every one of your services in one place? And quite frankly, does anyone care enough (besides attackers) to make it worth the risk? Do people need to know what your hostnames are, your domains, and your service ports? If not, find a way to write them out of public posts and configurations.
And for goodness sake, if you are using an internet facing blog for your internal documentation, stop it.
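One practical way to “write them out” before publishing, and to audit the config files already sitting in a public repo, is a pre-publish scrubber that flags and redacts the kinds of details listed above (private IPs with ports, internal hostnames, usernames and credentials). The following is an added example written for this post, not code from the original post or from any project it mentions. The config snippet is constructed for the demonstration, and the hostname suffixes and credential key names it looks for are an assumed starting list that you would extend to match your own naming.

```python
"""Pre-publish scrubber for config snippets and blog drafts.

Two modes: audit() reports what would leak, redact() returns a copy
safe to paste. Public domains are deliberately left alone, since only
the author knows which of those should stay private.
"""
import re
from dataclasses import dataclass

# Constructed sample: the kind of snippet that ends up in a "my media stack" post.
SAMPLE_CONFIG = """\
[media]
host = 10.0.20.15
web_ui = http://nas.home.lan:8096
admin_user = jellyadmin
admin_password = Summer2023!
[reverse-proxy]
upstream = 192.168.1.40:32400
api_key = abcdef0123456789
public_url = https://media.example.com
"""

# RFC 1918 address, optionally followed by :port.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})"
    r"(?::\d{1,5})?\b"
)

# Hostnames under suffixes that only make sense on a LAN (assumed list), plus :port.
INTERNAL_HOST_RE = re.compile(
    r"\b[\w-]+(?:\.[\w-]+)*\.(?:home\.arpa|lan|local|internal|home)(?::\d{1,5})?\b"
)

# key = value lines whose key looks like an account or secret (assumed key list).
CREDENTIAL_RE = re.compile(
    r"^(?P<key>\s*\w*(?:password|passwd|secret|token|api[_-]?key|user(?:name)?)\w*\s*[=:]\s*)"
    r"(?P<value>\S.*)$",
    re.IGNORECASE | re.MULTILINE,
)

RULES = [
    ("credential", CREDENTIAL_RE),
    ("private_ip", PRIVATE_IP_RE),
    ("internal_host", INTERNAL_HOST_RE),
]


@dataclass
class Finding:
    category: str
    value: str
    line: int


def audit(text: str) -> list[Finding]:
    """Return every sensitive match with its category and 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in RULES:
            for m in pattern.finditer(line):
                # Credential rule exposes only the value; the others expose the whole match.
                value = m.group("value") if "value" in m.groupdict() else m.group(0)
                findings.append(Finding(category, value, lineno))
    return findings


def redact(text: str) -> str:
    """Return a copy with credentials, private IPs and internal hosts replaced."""
    # Credentials first, so an IP or hostname used as a value is covered once.
    text = CREDENTIAL_RE.sub(lambda m: m.group("key") + "<REDACTED>", text)
    text = PRIVATE_IP_RE.sub("<PRIVATE-IP>", text)
    text = INTERNAL_HOST_RE.sub("<INTERNAL-HOST>", text)
    return text


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.category}: {f.value}")
    print("--- redacted ---")
    print(redact(SAMPLE_CONFIG))
```

Run it over a draft or a file from your repo before you push; anything in the audit list is a detail the post does not need, and the redacted output is what goes public. Because the patterns are simple, it is a checklist, not a guarantee: a domain you consider private, or a hostname that does not end in one of the listed suffixes, still has to be caught by reading the draft.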