Being connected to the internet has always been slightly dangerous, but in the age of automated analytics and AI, this has never been more true. Network security is something that many assume their router will handle on its own, if they think about it at all, but the myth that a home network is too small to be worth targeting is long over. You should have a firewall to protect your network from external and internal threats, and it was one of the first things I put in place when creating a new home network.
And while setting up VLANs and other advanced networking tools is helpful, it doesn’t matter if you haven’t properly secured your network. I like to stop threats before they become a problem and put this trio of rules and tools in place as a first step. They stop traffic from known bad actors, reduce the threat of devices on my home network betraying me, and prevent automated scripts from breaching my defenses. The best part is that they take minutes to set up, so you can start from a position of strength while you set up the rest of your home network.
Why do you need a firewall on your home network?
It’s a scary place, the Internet
If you didn’t already know that your ISP router is garbage, consider this your pearl of wisdom for the day. And I mean nasty trash: a slow update cadence, vulnerabilities that are not always patched, default settings that can be inferred from the MAC address, and much more. They are barely suitable for running your Wi-Fi, let alone keeping you safe on the Internet.
You don’t have to build your own router and firewall, but that’s another thing to think about, just like adding window locks or a deadbolt makes the physical entrances to your home more secure once installed. The best ones also function as an alarm system, letting you know that attackers have searched but not entered, so you can decide what other methods to add to the security setup.
I’ve used many firewalls, but my current firewall is from UniFi
I’ve made DIY firewalls, consumer firewalls, and prosumer firewalls, and operated without them before I knew better. Currently I’m using a UniFi Dream Machine Pro Max because after so many recommendations from everyone, I tried one and fell in love. Well, as much as anyone can love a shiny, closed box.
The software is easy to use, offers tons of monitoring features that I don’t need to spend time finding or installing, and it just works. The usability of networking equipment has generally improved over the years, and UniFi is a big part of why. Integrating NVR capability for network cameras adds another layer to my home security, and I would need a separate box to do that with most other routers.
Install Fail2Ban
Stop credential stuffing attacks before they spread
Here’s what you need to understand. Hackers don’t care about you, only your data, or that of others. They don’t even spend any time hacking you, so forget the outdated image of 90s hacking movies. They spend all their time finding exploits they can plug into automated scripts and let those scripts do all the work for them. Once these scripts find an attack surface, they will continue to search the exposed IP addresses to find a way through.
And we live in an age where almost everyone’s personal data has been leaked at least once. Username and password associations are common enough that credential stuffing attacks work a dismaying percentage of the time, and that’s why you need Fail2Ban.
Whether it’s your router’s package or the UniFi script I use, this plugin monitors your logs for repeated failed login attempts and similar suspicious patterns, then automatically bans the external IP addresses responsible for them. This prevents bots and other annoyances from running automated password tests on your network, and they will eventually move on.
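To make the Fail2Ban behaviour described above concrete, here is an added example (not code from the article, from Fail2Ban, or from the UniFi script the author mentions) that replays the same counting logic Fail2Ban uses: an IP that produces maxretry failed logins inside a findtime window is banned for bantime seconds, and its further lines are ignored while the ban is active. The log lines are constructed in OpenSSH's auth.log format and use documentation addresses; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in OpenSSH auth.log format (not real traffic).
# 203.0.113.7 fails five times in six seconds; 198.51.100.9 fails five times
# but spread over half an hour; 192.0.2.10 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
Mar 10 12:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 12:00:03 gw sshd[2102]: Failed password for invalid user root from 203.0.113.7 port 50123 ssh2
Mar 10 12:00:04 gw sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
Mar 10 12:00:06 gw sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 50125 ssh2
Mar 10 12:00:07 gw sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 50126 ssh2
Mar 10 12:00:09 gw sshd[2106]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar 10 12:00:15 gw sshd[2107]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar 10 12:30:00 gw sshd[2108]: Failed password for invalid user admin from 198.51.100.9 port 50200 ssh2
Mar 10 12:31:00 gw sshd[2109]: Failed password for invalid user admin from 198.51.100.9 port 50201 ssh2
Mar 10 13:00:00 gw sshd[2110]: Failed password for invalid user admin from 198.51.100.9 port 50202 ssh2
Mar 10 13:01:00 gw sshd[2111]: Failed password for invalid user admin from 198.51.100.9 port 50203 ssh2
Mar 10 13:02:00 gw sshd[2112]: Failed password for invalid user admin from 198.51.100.9 port 50204 ssh2
"""

# Matches the "Failed password" line shape; successful logins are deliberately not matched.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, ip) for every failed-login line; other lines are ignored.
    `year` is an assumption, since syslog timestamps do not carry one."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def find_bans(text, maxretry=5, findtime=600, bantime=3600):
    """Replay the log and return {ip: time of first ban}.
    An IP is banned when it reaches `maxretry` failures inside any `findtime`-second
    window; while a ban is active its lines are skipped, as the firewall would drop them."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned_until = {}             # ip -> datetime when its ban expires
    bans = {}
    for ts, ip in parse_failures(text):
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # slide the window forward; old failures no longer count
        if len(window) >= maxretry:
            bans.setdefault(ip, ts)
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def banned_ips(text, **kwargs):
    """Sorted list of IPs that would be banned with the given jail settings."""
    return sorted(find_bans(text, **kwargs))


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")
```

With the defaults only the burst from 203.0.113.7 is banned; the slow attacker at 198.51.100.9 stays under the threshold, which is why the findtime you pick matters as much as maxretry. The one-off typo from 192.0.2.10 never triggers anything.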
Please stop exposing your IoT devices to the Internet; your intelligent light could betray you
If you’re not careful, your IoT devices could give an attacker access to your home network.
Place all IoT devices on their own VLAN and refuse all outgoing calls.
They don’t need to call home; that’s why I’m running Home Assistant
IoT devices must be on their own network segment so that you can control the information they send out of your network. Not all of this data is inherently bad, but cloud services have been compromised before, and IoT devices are a favorite of hackers who like to build botnets. This isn’t really a problem with the devices per se, but they tend not to have much storage space for security features, so you have to provide those features for them.
Instead, you can connect them to Home Assistant for local control, and then you’ll have a smart home that works for you, without the risk of it working against you in the future.
Add geoblocking of known hostile regions
Inbound attacks usually come from known sources
I have been using MaxMind GeoIP lists for a long time to block entire countries, allowing you to stop traffic from North Korea, Thailand, the whole of Africa, or any other country or region known to host spammers and hackers. I was very happy to see that it’s natively integrated with UniFi software in the Firewall and Security section, because if scanners in those countries can’t reach your IP address, they have nothing to go on.
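The IoT-VLAN policy from the previous section and the inbound geoblock described here are both first-match rule tables, and the order of the rules is part of the policy. The following is an added example, not the article's own configuration and not UniFi or MaxMind code: a small Python model of three chains (IoT egress, trusted LAN egress, WAN inbound) that returns both the verdict and the rule that produced it, the way a firewall log line would. The addressing, the Home Assistant and resolver addresses, the single forwarded HTTPS service, and the GeoIP table (which uses RFC 5737 documentation prefixes, not any real country's allocation) are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network plan (assumption; adapt to your own addressing).
LAN = ipaddress.ip_network("192.168.1.0/24")        # trusted laptops and phones
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")  # bulbs, plugs, cameras
HOME_ASSISTANT = "192.168.1.50"                     # local controller (assumed address)
LOCAL_DNS = "192.168.1.1"                           # resolver on the router (assumed)
REVERSE_PROXY = "192.168.1.60"                      # the one forwarded service (assumed)

# Constructed stand-in for a GeoIP country list: documentation prefixes with made-up
# country codes. A real deployment loads the vendor's list here instead.
GEO_BLOCK = {
    "XX": [ipaddress.ip_network("203.0.113.0/24")],
    "YY": [ipaddress.ip_network("198.51.100.0/25")],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    established: bool = False  # True for a reply inside a flow the other side opened


def geo_country(ip):
    """Return the block-list country code for ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for cc, prefixes in GEO_BLOCK.items():
        if any(addr in net for net in prefixes):
            return cc
    return None


# Each chain is an ordered list of (name, action, predicate). First match wins,
# exactly like a firewall rule table, so the position of each rule is part of the policy.
IOT_EGRESS = [
    ("established replies", "allow", lambda p: p.established),
    ("dns to local resolver only", "allow", lambda p: p.dst == LOCAL_DNS and p.dport == 53),
    ("talk to home assistant", "allow", lambda p: p.dst == HOME_ASSISTANT and p.dport in (8123, 1883)),
    ("everything else (no cloud, no trusted lan)", "drop", lambda p: True),
]

WAN_INBOUND = [
    ("established replies", "allow", lambda p: p.established),
    ("geoblock listed countries", "drop", lambda p: geo_country(p.src) is not None),
    ("forwarded https to reverse proxy", "allow", lambda p: p.dport == 443),
    ("default drop", "drop", lambda p: True),
]

LAN_EGRESS = [
    ("trusted lan may reach anything", "allow", lambda p: True),
]


def evaluate(chain, pkt):
    """Walk one chain in order and return (action, rule name) for the first match."""
    for name, action, match in chain:
        if match(pkt):
            return action, name
    return "drop", "implicit default"   # a firewall's safe fallback if no rule matched


def decide(pkt):
    """Pick the chain from where the packet comes from, then evaluate it.
    Returns (action, 'chain/rule') so a log entry can say why traffic was dropped."""
    src = ipaddress.ip_address(pkt.src)
    if src in IOT_VLAN:
        chain, rules = "iot-egress", IOT_EGRESS
    elif src in LAN:
        chain, rules = "lan-egress", LAN_EGRESS
    else:
        chain, rules = "wan-inbound", WAN_INBOUND
    action, name = evaluate(rules, pkt)
    return action, f"{chain}/{name}"


if __name__ == "__main__":
    samples = [
        Packet("192.168.20.15", "192.0.2.80", 443),            # bulb calling its cloud
        Packet("192.168.20.15", HOME_ASSISTANT, 8123),         # bulb talking to Home Assistant
        Packet("192.168.20.15", "192.168.1.20", 445),          # bulb probing a trusted laptop
        Packet("192.168.1.20", "192.168.20.15", 80),           # laptop managing the bulb
        Packet("203.0.113.44", "192.0.2.1", 443),              # inbound from a blocked region
        Packet("198.51.100.200", "192.0.2.1", 22),             # inbound SSH, not forwarded
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.dport, decide(pkt))
```

Two details carry the security weight: the IoT chain ends in an explicit drop, so a new cloud endpoint is denied by default rather than needing a new rule, and the geoblock sits above the forwarded-port allow in the WAN chain. Swap those two rules and listed countries can reach the forwarded service again, which is the kind of mistake a test like the one below catches before it reaches the router.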
These rules keep your network secure without you knowing it
These three rules keep your home network secure while running in the background and silently logging what they block. Of course, there are dozens of other useful firewall rules to consider, but these three are proven and known to work.