New Customers Exclusive - Get a Free 240gb SSD at Micro Center: micro.center/0ef37a (paid)

This set up is far more secure than any company I've worked for.

Security professional here. Thanks for making this video! I'll be recommending folks view this video. You've described everything I suggest folks with home-labs do. The only minor disagreement I have is with setting up the proxy authentication after everything else is working. Set it up from the start and apply it to all services behind the proxy. You're in a much better spot if everything on your home-lab requires authentication on the proxy. Even if it means logging-in twice (to the proxy and the back-end service). This drastically lowers the attack surface. You can later exclude any services you'd like to remain public. Also, use some type of split DNS; where you serve the internal IP of the proxy to all internal clients. That way you can skip the hop to Cloudflare internally. And you can still access all your home-lab services if your internet connection goes out.

You should make a video of home lab hosting from square 0 if you were to start from nothing (or start over) and how to set it up. Episode one: bare necessary hardware and how to set up Vlans. Episode two set up server (old pc), setup docker, and setup backups. Etc

Are we not gonna talk about the awesome illustration using those stickers or cardboard!, this video is amazing end to end, awesome visuals, clear, cuts to the chase. I really like this and have enjoyed every bit. Would be awesome if you can showcase the process of setting some of these stuff you mentioned in separate videos. Would love to see that and again awesome job 🙏

*looks over at Self Hosting video I just posted with disappointment* Wooooo Microcenter sponsorship! Let’s Go!!! I’m digging the style of this vid.

Would actually appreciate if Linode would sponsor a series on your channel with topics of your choosing that compare and contrast and shows how to run services remotely for distributed friends and family

As a tenured engineer (over 10 years in networking, security, and more) this was video was a fairly comprehensive guide to the extent of touching on different layers of protection for self-hosted solutions. Major kudos and for sure a sub from me. I'd say the only "aspect" missing is the time to do all this, aside from your job (if you have one). This has been the biggest thing for me. I host things internally, just not exposed to the Internet.

I'm a sysadmin specializing in security and I block countries at work. It saved us a ton from exploit scans and from attempted exploits that we've previously patched. Our firewall can detect and block exploits and there is tons coming from a handful of countries. Also, it may have also saved us from being exploited on one occasion when an exploit attempt came from Russia going to an unpatched Pulse VPN appliance. There is a possibility that other measures would have caught it as well, but it was an excellent first layer of security in this instance. I highly recommend blocking Countries. I highly recommend blocking Russia, China, Ukraine, Crimea, and North Korea. You are correct that most attacks that I see originate from the US, so a layered security model is important but this one rules kills about 60% of all exploit and exploit scanning activity.

You have no idea how much knowledge I gained from this video/tutorial. I have watched a few of your videos including the "Put SSL on everything" but this was by far my favorite. Appreciate the effort that went into this. Subbed

I'm starting my journey into the world of servers with my first homelab and I've already watched this video a thousand times. Amazing content! It's very difficult to find accessible documentation that helps you understand why each step is necessary. I'm not a computer layman, but it's very difficult to get all the pieces to work together with the certainty that I'm not doing anything crazy. Thank you very much for the video, my friend!

Love it Tim! Although you say it is for a home lab, your excellent account, and all the great comments elaborating on it, will be an inspiration to improve the setup at my workplace. Thank you from a Dutchman!!

Your video quality just keeps on improving. I really enjoy your work and you do a great job representing the self hosting community with a lot of polish and enthusiasm.

I am windows system engineer and I have been thinking about self hosted services for sometime now (around 2 years) somehow your video motivated me to start I have just started with the hardware and I am using your videos as a guide and inspiration and ideas to achieve what I want. Keep up the good work and the nice ideas

This video was amazing! Having the big picture (the visuals were perfect!) helps pull all these concepts together. I've watched a lot of videos of the self hosted pieces but without understanding how they fit together and the why, I felt lost.

Great video, thanks! The production value is also really nice, it's obvious you're making great progress and you are by far my favorite homelab/tech youtuber. It's easy to recommand such a great channel. Thank you for everything you're doing and I hope to see many more of your content.

Cool video! Using pictograms makes it so easy to visualize :) For containers, running them with the least privileges possible (preventing privilege escalation), using specialized socket proxies for the services needing it (ie Traefik, Watchtower, Portainer...) and segmenting their networks to the lowest possible level is also a good idea

Happy to see you doing a security video, I just got my domain setup with cloud flare.. really cool to see that I can host public services without exposing my public IP.

Dude I'm learning so much from your videos! I got wireguard up and running recently and have only been hiding behind that, but this video is an awesome roadmap for me to up my selfhosting game. Def earned my sub, looking forward to learning more from you

WOW, This is by far one of the best self hosting videos on KZbin! Excellent stuff Tim!

Great overview. To summarize home lab architecture this thoroughly in 18 minutes is downright impressive! I would just suggest adding a quick comment or addendum to the guide somewhere that Cloudflare proxies alone can't be depended on for blocking external attacks, even with IP allow lists. You'll also need to setup MTLS, otherwise another Cloudflare account could proxy malicious traffic to your account through to your servers.

This videos are just getting better every day, keep it up.

Hi Tim! I love your tutorials and homelab. Would be great to see a dedicated Pfsense video with VLAN setups including a managed router.

Great video as always! Your concise, easy to follow and straight to the point videos are at this point kind of therapeutic to me! Like a few others have already suggested, I would also like to suggest making this video the start of a series of other videos, each of which goes into the actual set up of the main steps mentioned in this video. It would ultimately make for a very nice play list on home-labbing best security practices, and how tos!

super good and I think you should update these every few years. I know not much may have changed. But it will be worth what has.

Dude we need a updated version of this golden topic

Really helpful in terms of networking, however I missed a bit of endpoint hardening, configuring the OS firewall, hardening docker, kernel hardening, file permissions, etc. Although its kind of a rabbit hole to get into that lol

Excellent video Tim, you covered quite a bit. One thing i might add (which would fall into permissions) is to make sure UNC (known as backdooring) is turned off. This makes it harder for an attacker to easily spread ransomware/malware throughout your network.

Your videos are getting better every time, you're doing a great job. Not easy to explain and put all this together. Thanks

Didn't realise that I should do conditional port forwarding. Just got Cloudflare's IP ranges added to my router. Excellent. Now to learn about VLANs as that's really the only other thing I don't have configured. Cheers Techno Tim!

commenting just to say that microcenter is the best, and every machine I've ever built has come from them

Noooo.. The purple ambient lighting is gone! 😄 Thanks for your awesome videos. They are amazing and I learn so easily with you explaining it all.

Thanks for this detailed and wonderfully illustrated explanation. Before coming across your video, I had read and watched many guides on self hosting that were not very clear on security steps (if they mentioned security at all). Your video is a gem of a resource!

Thanks for another great video.m!! Your first advice is great: just don’t open up your home. As a non-professional have learned this the hard way a couple of years ago. Thanks for not forgetting to put in that advice!

This is sooo good!! Many years wondering what I would need to do to self-host stuff without putting myself at risk and you just told me everything in less than 20 minutes. Thanks a lot!!!

i just wanted to search more about this topic! and the you come whit this video!

Thanks for the tip of NATing only Cloudfflare IPs. That's one thing I've been missing and it really helps a lot with my conscience! :D

Great video! First one I've seen so far to talk about the most basic, firmware updates.

This was such a great video. You covered so much with simple explanations. Thanks!

Great video! Your public speaking skills are impeccable! Learned heaps!

Mannn, I'm such a visual learner and these little dynamic icons/symbols you're using give me a good basis to follow along with.

I've watched this so many times - but I keep coming back to it when I need to check over my security measures and see if there's something I need to change/implement. Best security video for self-hosting!!

I really wish that there was a "latest-stable" tag like how there are LTS versions of operating systems. This way you could have a patching cycle that just checks for and applies the latest stable patch.

Textbook quality educational content in the form of a video, one of the finest creations I've ever come across, in any category.

Another fan here from the Netherlands! I'm learning so much from your videos!

YESSSSSSS. I'm researching this subject recently! THANK YOU

These are really great advices that you learn even in CCNA, so, good stuff. But the aspect of the host itself, about containers, os, virtualization, and updates it's something you don't see teached around often. Probably because is a market that's always changing, but it would be great to have an in-depth video about this part!

Excellent video Tim. Now I don’t have to explain it to anyone anymore, I just point them here. By the way: greetings from The Netherlands 😉

Great video. Can you make a series following up this video how to setup all your advice?

I would add to this that you can make use of Qualys (self hosted) in order to scan for vulnerabilities in your Home lab. They have a free version for up to 16 devices !

Once more a great video and another excellent source of inspiration. Totally love the little paper icons. You are good dude! I have to say that your channel has become my favorite one when it comes to IT related content. I am surprise that you haven't got more than 1 million subscribers considering the quality of your videos. It will be soon I am sure. This video comes just when I was considering rehosting some customers websites, perfect timing.

These illustrations are really cool. I'm creeped out the most about my personal machine being compromised, because of the local cluster.

Thanks!

Thanks!

The Cloudflare setup can also be done with Cloudlfare tunnels from their zero-trust product. The dashboard can be a bit confusing. The advantage is, it doesnt rely on router and port forwarding configurations. This also means, the server is somewhat portable and can be deploy fast at a different location in another network.

Great video - if I was to host at home, I would add a second router behind my first router/firewall - so I have somehting like a DMZ - or go the VLAN path...

Any chance of a tour of how your network is laid out? From the modem to your servers? Maybe a how to of how you have your stuff setup? Perhaps a video series/playlist? I would like to redo my home lab to do a better job of segmenting things out.

Brilliant video! How you’ve not got more subscribers is mental!!

The visuals here made the content easy to understand, along with your expert explaination. Thanks!

I have to say I am loving the paper items and the shuffling off them - very cool. Dutch crew reporting in

Thank you very much 🙏 I had no idea on how to secure my home server, without putting my family at riskt 😅 This Video gave me a good idea on what I had to do and look for ❤

I think that for some odd reason SSH Bastion Hosts are strangely overlooked idea on the self-hosted environments. Servers on DMZ (behind the firewall on their own logical network, isolated from rest of the end devices) + Securely hardened Bastion host for server management access limits the attack surface to minimal as possible. Same goes to any intermediary device management portals etc...

this is great guideline for start self hosting security. If you need some kind of inspiration for the video, you might split this one into few yt videos and describe each section in details, giving some basic explanation for newbies on each topic, maybe using more examples and advices, or even setting this kind of server hosting from scratch giving examples on options within each layer of security. I've got this idea watching this section: 9:32, so it may be good starting point

I had to go Light Mode on this one 😎

Love Techno Tim insanely helpful videos about sorting our digital life.

This really comes down to the use case, some times integrating 3rd party services by them self could actually cause more damage than setting up everything local only.

This is such a good video, keep it up bro, I can already feel the 100k subs

Bro Thank you so much for the Conditional Port Fowarding Advice, it makes so much sense!

I love how you make so easy to understand thank you Tim.

Good work covering supply chain attack from dodgy containers.

Your hoodie is insane, regards from Germany

I love the props explanations in this video. Good job

I recognize that "thank you" sign, that's awesome

Great to see cloudflare getting recognition. There are only a handful of videos that I've seen that stick to using cloudflare for firewall. They may sell data, and had an outage recently but for a inexpensive firewall, dns record management, and more, I recommend them. Been using them for almost two years now.

I had to go Light Mode on this video 😎

How does using cloudflare the way you outlined in this video compare to cloudflare zero trust tunnels? What are the pros and cons of each?

What would change if I config my server into DMZ instead of port-forwarding it (in the modem/router)? I know that the DMZ opens all the ports available for one machine, but it’s isolated from the rest of the network, does it make it more safer?

Setup CrowdSec the other day to block IPs in iptables on my reverse proxy VM (since it's the machine requests get forwarded to).

So much to think about now. A lot to work on now that I'm changing my network stack around.

the video was PERFECT! , on the other hand the thumbnail made me avoid the video several times in my recommendations

dude, I love the graphics! great Job.

Such a great use of pictograms! Awesome video, much appreciated. Cheers from the Netherlands :)

"Hey, that MicroCenter looks familiar." Howdy neighbor, keep up the great work!

Damn, this is such a nice tutorial. Thank you for making this very accessible :)

Great video, thought it should be pointed out that it is possible to allow a group of ingress IP's within UniFi by creating a firewall rule and apply it before predefined rules. The action should accept, then create an IP and port group for the source (this will be the cloudflare IPs that you created a rule per IP block for) and the destination should then be the machine to forward to. This does require 1 (ONE) port forward rule setup the way that you have setup, and then exclude the ingress IP used in the port forward from the cloudflare group. It's a bit of a hacky solution but it works.

Just as a quick note for your UDM: You can add cloudflares IP ranges as a group (at least in the legacy ui) :) Will look a bit better

An additional method of protection I use when it comes to Cloudflare is ASN blocking. I've spent a lot of time collecting a lot of webhost and VPN providers network ASNs to effectively block a lot of potential bad traffic. I find this blocks A LOT of "bad actors" especially when attackers often rent multiple IPs from the same host. Simply blocking the hosts ASN will effectively block every possible IP that hosting provider owns, without necessarily having to block IP ranges themselves.

Very good info and well explained, thanks! But what was most impressive was aaall those little papers manually coloured!😅

Re: USG repetition... You can automate all Unifi USG via Ansible. Even learning Ansible for a simple connection and a quick loop to set all of those forwarding rules is a great way to quickly pickup and learn Ansible for a small simple task.

Great job on the video. I'm glad I found your channel. Keep up the good work!

Incredible job ! Thanks for sharing !

Your the man Tim. 1. I like the hat. Maybe the ladies like those foofie locks... But not me. 2a. Those illustrations were awesome. (seriously) 2b. The humor and creativity are fantastic 2c. But you have to understand it does open you up for some trouble. You color those yourself? 😉 (I actually kinda wanna know) 3. This was a great overview. This is exactly what I am wanting, and exactly the path I would love to head down. If you would walk through this step-by-step it would be fantastic. IMO Thanks again! I'm a noob... But this noobs a big fan, thanks!

Thanks, Tim. The weekend project.

I really gotta get my IOT devices on thier own vlan, I went down that route a while back and broke all the mobile functionality.. Im sure its something on my part.

Thanks for the tip about the cloudflare IP ranges

7:32 latest can also have breaking changes if it starts pointing to a major version release and may need hands on involvement from you. Already had this happen once and that will be the last time because I went ahead and changed all my containers to refer to specific release. Some projects have tags for major releases so I point to those instead if available (like a 5.0 tag pointing to the latest 5.0 release)

Thanks Tim.... As always very clear.... Maybe you can make a step by step how to series to achieve this?

Another really informative and clearly presented video! Thank you for the time and effort you put into the channel.

Are yoh referring to Cloudflare Zero-Trust/Tunnels in this case? Or is this again, just a reverse proxy? It would increase latency in any way, but also security.

THIS is a epic good video ! NICE WORK TIM !!!