How do you test your home network security?
As I'm exploring the idea of hosting my data at home (with offsite backups), I would like to better understand how to test my home network for security vulnerabilities.
I have run basic Nmap scans and confirmed that there are no open ports. I've confirmed that users have access to what they need but nothing else, and that guests using the network for web access don't have any sort of access to data. All data is encrypted so someone stealing the physical hardware shouldn't have access to the contents, either. But that's about as far as I know what to do.
What else could and should I try? How do you pentest your home network?
I feel I'm ok with my understanding of how to set things up so that everything is relatively secure. But I have very little idea how to actually test the setup.
Edit: Added a sentence about encryption.
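A basic Nmap run that shows nothing open is a good start, but the check a practitioner would add is a repeatable one: scan every port, save the XML, and diff each run against an allowlist of what you intended to expose, so a new service or a port UPnP quietly forwarded shows up as a finding instead of something you have to notice by eye. The script below is an added example, not code from the original post. The XML is a constructed sample in nmap's -oX format (addresses from the 192.0.2.0/24 documentation range, hosts and services made up), and the BASELINE allowlist is an assumption standing in for your own inventory.

```python
"""Diff an Nmap XML scan against an allowlist of expected open ports.

Added example, not from the original post: run something like
    nmap -sS -sU -p- -oX scan.xml 192.0.2.0/28
from a host on the LAN (and again from outside), then feed scan.xml to
diff_against_baseline() so any port you did not intend to expose is a finding.
(A full UDP sweep with -sU -p- is slow; budget for it.)
"""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (192.0.2.0/24 is a documentation
# range and 00:00:5E:00:53:xx a documentation MAC range; hosts and services
# are made up for this example).
SAMPLE_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -p- -oX scan.xml 192.0.2.0/28">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:10" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/></port>
      <port protocol="udp" portid="1900"><state state="open|filtered" reason="no-response"/><service name="upnp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# What you intended to expose: host -> {(protocol, port)}. An assumption for
# the example; yours comes from your own inventory.
BASELINE = {
    "192.0.2.10": {("tcp", 22)},   # the NAS: SSH only
    "192.0.2.11": set(),           # the printer: nothing
}


def parse_open_ports(xml_text: str) -> dict[str, set[tuple[str, int]]]:
    """Return {ipv4 address: {(proto, port)}} for ports nmap calls open.

    UDP "open|filtered" is counted as open: nmap could not rule it out, and
    unproven exposure is still exposure until you check the service.
    """
    root = ET.fromstring(xml_text)
    result: dict[str, set[tuple[str, int]]] = {}
    for host in root.findall("host"):
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:          # e.g. a host record carrying only a MAC
            continue
        open_ports = set()
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is not None and state.get("state", "").startswith("open"):
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr] = open_ports
    return result


def diff_against_baseline(observed, baseline):
    """Return (unexpected, missing) as sorted lists of (host, proto, port).

    unexpected: open in the scan but not allowed (new service, UPnP forward...)
    missing:    allowed but not seen (host down, or the scan missed it)
    """
    unexpected, missing = [], []
    for host in sorted(set(observed) | set(baseline)):
        seen = observed.get(host, set())
        allowed = baseline.get(host, set())
        unexpected += [(host, p, n) for p, n in sorted(seen - allowed)]
        missing += [(host, p, n) for p, n in sorted(allowed - seen)]
    return unexpected, missing


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_SCAN_XML)
    extra, gone = diff_against_baseline(found, BASELINE)
    for host, proto, port in extra:
        print(f"UNEXPECTED {host} {proto}/{port}")
    for host, proto, port in gone:
        print(f"MISSING    {host} {proto}/{port}")
```

Run it from inside the LAN and again from a host outside (a VPS, or a phone on mobile data) with a separate baseline for each: the internal view catches a NAS sharing SMB to the guest VLAN, the external view catches what the router actually forwards.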
I agree that a vuln scanner is a must. Nessus Essentials is free for up to 10 assets, has better vuln coverage, and IMO is a little more user friendly than OpenVAS, so I’d probably recommend that if the 10-asset limitation isn’t an issue.
Do credentialed vuln scans, too. If, gods forbid, a bad actor gets access to a host or service, it’s good to know what damage they might be able to do from there.
Locking down ports and user privs is critical, but bear in mind that a bad actor’s whole thing is finding a way to work around those restrictions. Even if port 22 is perfectly locked down and secure, a bad actor can e.g. try to exploit Apache from the web interface and gain shell access to the www-user account and then continue to escalate privileges from there. Credentialed scans will help you find locally-installed software that might be vulnerable. Nessus can also run industry standard security audits like CIS for hosts and services, so you can use those to help with your security baseline in addition to the vulns.
If you really want to get in the weeds, check out the Win- and LinPEAS scripts. They’re fabulous tools that help quickly highlight common privilege escalation methods for penetration testers. Always fun to run this in your homelab and then facepalm for the rest of the day about that “temporary” file containing a root password that you saved to a hidden directory that you had every intention of deleting before you got sidetracked.
Also, it can be easy to fall into the trap of “oh I’m just a lil’ homelab, who is going to target me?” There is some logic to this, but I will never forget when I set up a mail server for just my private accounts and within 10 minutes of opening the ports, I was getting hit with malicious traffic from dozens of random IPs. These are not advanced, targeted, or persistent threats, but if you leave low-hanging fruit, it may still be found. Sounds like you’ve got the right mindset if you’re thinking about it at all, so I’m sure you’ll do fine!
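To make the PEAS point concrete, here is a small sweep of the kind those scripts run, written as an added example for this thread and not taken from LinPEAS or from the reply above: it walks a directory tree and flags world-writable files, setuid/setgid executables, and files whose contents look like a stored credential (the "temporary" root-password note in a hidden directory). The credential regex and the demo tree it builds in a temporary directory are constructed for the example; LinPEAS itself checks far more (sudo rules, capabilities, cron jobs, kernel version and so on).

```python
"""A small privilege-escalation sweep in the spirit of LinPEAS.

Added example, not LinPEAS and not code from the reply: walks a directory
tree and reports world-writable files, setuid/setgid executables, and files
whose contents look like a stashed credential. LinPEAS itself checks much
more (sudo rules, capabilities, cron, kernel version, ...); this shows the
shape of one such check so you can extend it for your own lab.
"""
import os
import re
import stat
import tempfile

# Lines that look like a stored secret. The pattern is an assumption for the
# example; real tools ship large rule sets.
SECRET_RE = re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret)\s*[=:]\s*\S+")


def classify_file(path: str) -> list[str]:
    """Return finding tags for one file (empty list if nothing is wrong)."""
    findings = []
    st = os.lstat(path)
    mode = st.st_mode
    if stat.S_ISLNK(mode):          # don't follow symlinks out of the tree
        return findings
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IXUSR:
        findings.append("setuid/setgid")
    if stat.S_ISREG(mode) and st.st_size < 1_000_000:   # skip huge blobs
        try:
            with open(path, "r", errors="replace") as fh:
                if any(SECRET_RE.search(line) for line in fh):
                    findings.append("possible-credential")
        except OSError:
            pass
    return findings


def scan(root: str) -> dict[str, list[str]]:
    """Map path (relative to root) -> findings for every file with a finding."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            tags = classify_file(full)
            if tags:
                results[os.path.relpath(full, root)] = tags
    return results


def build_demo_tree(root: str) -> None:
    """Constructed sample data: the 'temporary' root password in a hidden
    directory, a backup script anyone can edit, and one clean config file."""
    os.makedirs(os.path.join(root, ".old"), exist_ok=True)
    notes = os.path.join(root, ".old", "notes.txt")
    with open(notes, "w") as fh:
        fh.write("todo: rotate this\nroot password = hunter2\n")
    os.chmod(notes, 0o600)
    script = os.path.join(root, "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\ntar czf /backups/home.tgz /home\n")
    os.chmod(script, 0o777)   # if root's cron runs this, anyone can become root
    conf = os.path.join(root, "app.conf")
    with open(conf, "w") as fh:
        fh.write("listen = 127.0.0.1:8080\n")
    os.chmod(conf, 0o644)


def demo_findings() -> dict[str, list[str]]:
    """Build the demo tree in a temp dir and return what scan() finds."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for path, tags in sorted(demo_findings().items()):
        print(f"{path}: {', '.join(tags)}")
```

Point scan() at /home, /etc, /opt or /srv on a lab box and read the output the way an attacker would: a world-writable script is only interesting if something privileged executes it, and a "possible-credential" hit is only interesting if the secret still works, so the sweep is where the manual work starts, not where it ends.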
FWIW, the one reason I suggest OpenVAS is merely that it's a continuation of the open Nessus before they went closed source. Don't disagree with your assessment though.
My story here is the time I was screwing with PAM settings on an internet-facing SSH server, and accidentally configured it to accept any non-empty password as long as you had a valid username. Most of my users had common Western first names as their usernames, which meant everyone wound up using the first one alphabetically, with whatever their brute force script tried as its first password.
Several weeks later, I discovered that many people in China were using my server as a proxy around their firewall. Honestly felt kind of bad for cutting them off, but I'm sure they quickly found another.
Arbitrary thoughts in no particular order. I'll update if I think of more.
SSH Audit to validate your SSH settings.
Make sure UPnP (automatic port forwarding) is turned off; manually open all ports in your router.
Run a vulnerability scanner.
In addition to running my own internal vulnerability scans, I also set up a Shodan Monitor to keep tabs on the external exposure of my home network as well as various cloud servers. It doesn't get super deep, but will send me an alert if the port status of a monitored IP changes.
I also use Tailscale for remotely accessing all of my systems so that I don't need to expose SSH or other ports at all unless I'm deliberately wanting a service to be exposed to the internet.
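As an added example tied to the first item in the list above (validating your SSH settings), and not code from the reply or from ssh-audit: ssh-audit interrogates the running daemon over the network, while the script below lints the sshd_config text offline, so PasswordAuthentication yes, PermitRootLogin yes or a SHA-1 key exchange shows up before you restart sshd rather than after. The two configs are constructed samples; the DEFAULTS table and the weak-algorithm fragments are assumptions about recent OpenSSH releases, so confirm them against man sshd_config on your own host. Anything under a Match block is deliberately skipped and needs its own review.

```python
"""Offline policy lint for sshd_config.

Added example, not ssh-audit and not code from the reply: ssh-audit talks to
the running daemon; this reads the config text instead so you can catch
PasswordAuthentication yes, PermitRootLogin yes or a SHA-1 key exchange
before restarting sshd. The DEFAULTS table and the weak-algorithm fragments
are assumptions about recent OpenSSH releases; confirm them against
`man sshd_config` on your host.
"""
import re

# Value OpenSSH uses when the option is absent (assumption: recent OpenSSH;
# older releases differ, PermitRootLogin once defaulted to yes).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# Substrings of algorithm names treated as weak for this example.
WEAK_KEX = ("diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1")
WEAK_CIPHERS = ("-cbc", "arcfour", "3des", "blowfish")
WEAK_MACS = ("md5", "hmac-sha1-96", "umac-64")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return {lowercased option: value} for the global section only.

    sshd honours the first occurrence of an option, so the first value wins.
    Parsing stops at the first Match block: options there apply conditionally
    and need their own review.
    """
    opts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def effective(opts: dict[str, str], key: str) -> str:
    """Configured value, or the daemon default if the option is absent."""
    return opts.get(key, DEFAULTS.get(key, "")).lower()


def weak_algorithms(value: str, fragments) -> list[str]:
    """Names in a comma-separated algorithm list matching a weak fragment.

    A list starting with '-' removes algorithms from the default set, so
    nothing listed there is enabled; '+' and '^' add to the default set.
    """
    if not value or value.startswith("-"):
        return []
    return [n for n in value.lstrip("+^").split(",")
            if any(frag in n for frag in fragments)]


def check_sshd_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the policy passed."""
    opts = parse_sshd_config(text)
    findings = []
    if effective(opts, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no' (daemon default is yes): password brute force is possible")
    if effective(opts, "permitrootlogin") not in ("no", "prohibit-password", "without-password", "forced-commands-only"):
        findings.append("PermitRootLogin permits password login as root")
    if effective(opts, "permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes")
    if effective(opts, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication disabled")
    if effective(opts, "x11forwarding") == "yes":
        findings.append("X11Forwarding yes")
    for key, label, fragments in (("kexalgorithms", "KexAlgorithms", WEAK_KEX),
                                  ("ciphers", "Ciphers", WEAK_CIPHERS),
                                  ("macs", "MACs", WEAK_MACS)):
        value = effective(opts, key)
        if not value:
            findings.append(f"{label} not set: the daemon default list applies, verify it with ssh-audit")
        for name in weak_algorithms(value, fragments):
            findings.append(f"{label} enables weak algorithm {name}")
    return findings


# Constructed sample: a default-ish config with a few bad edits.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
Ciphers aes128-cbc,aes256-gcm@openssh.com
"""

# Constructed sample: keys only, modern algorithms, one Match exception that
# the lint deliberately leaves for manual review.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in check_sshd_config(cfg) or ["OK"]:
            print(" ", f)
```

Run it as check_sshd_config(open("/etc/ssh/sshd_config").read()) and then still run ssh-audit against the live port: the lint cannot see what sshd compiled in as defaults, what an Include pulls in, or whether the running daemon was ever restarted after the file changed.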