Before getting into my containers and reverse proxy, I decided to do some basic steps to secure the pi. This isn't an expert tutorial for homelab security, its just a list of links in case I ever have to start from scratch again.

Ideas implemented

1. New Accounts and Set up SSH keys
   https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
   Luckily, the rest of my homelab was already set up for SSH keys. There is a DietPi specific gotcha here, you need to edit /etc/ssh/sshd_config.d/dietpi.conf to disable public key access to ssh. Login to the default accounts is absolutely forbidden.

2. Argon40 fan control
   https://github.com/iandark/argon-one-daemon
   This has worked better for me than the official code from Argon40, especially if you are not running raspbian.

3. Firewall

   https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

   https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

   https://chrisapproved.com/blog/raspberry-pi-hardening.html

   For my secondary Pi Zero 2w the firewall is basic, all ports are closed except for a management ssh port and web admin, and those are local only. This is done with the default iptables available on DietPi (and raspbian).
   The web server pi can be very restricted too, but the web ports have to be forwarded.

   Most things here will be forwarded through Authentik, but be aware that Dietpi puts some local management apps (like the dashboard and portainer) on strange ports so look up what you need to allow locally.

4. fail2ban

   https://pimylifeup.com/raspberry-pi-fail2ban/

   https://blog.fernvenue.com/archives/ufw-with-fail2ban/

   Setting up a jail for UFW is covered in the second link, and rsyslog is not installed by default with DietPi. Looks like this defeats some of the point DietPi made with the ramlog system but this is covered in their documentation.

Ideas left on the back burner, again.

1. Antivirus

   • https://pimylifeup.com/raspberry-pi-clamav/

   • https://linuxfun.org/en/2020/11/17/raspberry-pi-4-clamav-realtimescan-en/

   • https://medium.com/@aashutosh9881/realtime-malware-protection-using-clamav-clamonacc-daemon-dc076d65fbab

   • https://tcpip.wtf/en/clamav-scan-only-new-modified-files.htm#:~:text=You%20can%20simply%20do%20that,into%20a%20clamscan%20scan%20command.&text=That's%20basically%20it%20%2D%20put%20it,last%202%20days%20are%20scanned.

   • https://serverfault.com/questions/479922/how-to-scan-only-last-24-hours-files-with-clamav

Running antivirus on a cron job turned out to be a bad idea after all, it's too taxing on the Pi4 and would easily take longer than it's 24 hour schedule. I wouldnt even want to run it on demand for all new files becuase I store a lot of documents on my file share and uploading pdfs would cripple the Pi. Luckily I found some instructions on how to scan only new files and hopefully that will run a little bit easier and at an opportune time.

2. Wuzah Monitoring

   https://medium.com/@henrion.frn/get-your-home-network-secured-with-raspberry-pi-wazuh-2023-edition-c7ac2044df3e