Bench Notes
Homelab Security Check Reference - Reference #6

>_ HOMELAB SECURITY CHECK
For your quarterly security review · Reference #6

AUDIT
External · Identity · Cleanup
  nmap your WAN IP: From outside the LAN
  shodan.io: Search your home IP
  Router forwards: Delete unknown rules
  Exposed services: Public? Tunnel? Auth?
  HIBP check: Every admin email
  User audit: Old accounts active?
  * Run before going public

HARDEN
Passwords · Keys · Patching
  20+ char passwords: Manager non-negotiable
  MFA everywhere: Admin logins first
  SSH hardening: Keys, no root, fail2ban
  Patch review: Host + containers
  CF Access: Front of admin UIs
  Disable unused: Less attack surface
  * Less surface, less worry

SEGMENT
VLANs · DNS · Firewall
  IoT VLAN: Plugs can't see laptop
  Guest VLAN: Visitors stay isolated
  DNS filter: AdGuard or Pi-hole
  Deny by default: Explicit allows only
  HA own VLAN: One-way pinholes
  RTSP stays LAN: Never expose to WAN
  * Default-deny everywhere

RECOVER
Backups · Tests · Practice
  Nightly backup: Verify last 3 exist
  Test restore: Pull, mount, read it
  3-2-1 rule: 3 copies, 1 offsite
  Encrypted: Key stored elsewhere
  Recovery doc: Someone else can run
  Practice once: Simulate host loss
  * Untested = not a backup

>_ Run this quarterly. The first time will surprise you. · made by homelabbers