When I stood up my first home lab, it took three days before I noticed 40,000 failed SSH login attempts in the auth log. Exposure on the public internet is immediate. Here's the minimum baseline that shuts most of it down.
1. Disable password SSH
Edit /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Restart the service. Before flipping this, you should already have a key pair on your laptop and have copied the public key to the server with ssh-copy-id; if not, do that first or you'll lock yourself out.
2. Install fail2ban
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
Defaults are sane. It watches the SSH log and bans IPs that fail repeatedly. Even with password auth disabled, it reduces noise in the logs.
3. Close every port by default
UFW is the path of least resistance on Debian-family systems:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw enable
Open ports only as you need them. "I'll close it later" is how :3306 ends up listening on 0.0.0.0.
4. Unattended security upgrades
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Security patches install automatically overnight. The risk of a patch breaking something is real but small. The risk of running an unpatched kernel for six months is certain.
5. Put everything behind Tailscale
Once Tailscale is installed, close port 22 publicly and have SSH listen only on the Tailscale interface by setting this in /etc/ssh/sshd_config:
ListenAddress 100.x.x.x
Your SSH surface drops from "the entire internet" to "devices I've authenticated to my tailnet." This is the single highest-leverage change in the list.
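To confirm that steps 1 and 5 actually took effect, check what sshd resolved rather than what the file says: sshd keeps the first value it reads for each keyword, so a file pulled in by an Include line above your edit can silently win. The script below is an added example, not part of the original post; the function names and the sample data (including the 100.64.0.10 address) are constructed for illustration, and the input format assumed is the output of sshd -T.

```shell
#!/bin/sh
# Added example: audit sshd's *effective* settings against steps 1 and 5.
# Input format is `sshd -T` output: lowercase "keyword value" per line.

# Reads effective config on stdin, prints PASS/FAIL per check,
# returns 0 only when every check passes.
audit_sshd() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["permitrootlogin"]        = "no"
            want["pubkeyauthentication"]   = "yes"
        }
        { key = tolower($1); val = tolower($2) }
        (key in want) { seen[key] = val }
        # Step 5: a wildcard listener means sshd is not tailnet-only.
        key == "listenaddress" && (val ~ /^0\.0\.0\.0/ || val ~ /^\[::\]/) {
            print "FAIL listenaddress " val " (wildcard)"; bad = 1
        }
        END {
            n = split("passwordauthentication permitrootlogin pubkeyauthentication", order, " ")
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) { print "FAIL " k " missing"; bad = 1; continue }
                if (seen[k] != want[k]) { print "FAIL " k " " seen[k] " (want " want[k] ")"; bad = 1; continue }
                print "PASS " k " " seen[k]
            }
            exit bad + 0
        }
    '
}

# Constructed sample: baseline applied, listening on a made-up tailnet address.
sample_hardened() {
    printf '%s\n' 'passwordauthentication no' 'permitrootlogin no' \
        'pubkeyauthentication yes' 'listenaddress 100.64.0.10:22'
}

# Constructed sample: an earlier drop-in re-enabled passwords; wildcard listeners.
sample_weak() {
    printf '%s\n' 'passwordauthentication yes' 'permitrootlogin without-password' \
        'pubkeyauthentication yes' 'listenaddress 0.0.0.0:22' 'listenaddress [::]:22'
}

# Demo on the samples. On a real host: sudo sshd -T | audit_sshd
sample_hardened | audit_sshd
sample_weak | audit_sshd || echo "baseline not met"
```

Run it from a second session before you close the one you used to edit the config, so a FAIL can be fixed without getting locked out.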
6. Backups that you have tested
A backup you haven't restored is not a backup. Once a quarter, pick a file and restore it from your backup target to a scratch directory. If the restore fails, you've learned it now instead of during an actual incident.
What's deliberately not on this list
Intrusion detection, SIEM, log shipping to a central store — these are real controls but they're the second layer. Get the first six right and the second layer has less to do.