Hello most excellent Selfhosted community,

I’m very new to this and am confused about how vulnerable my server and/or home network is with my current setup.

I just got a basic server up and running on a machine with Proxmox and a DAS for 10 TB of storage. I’ve got two LXCs running for a Docker-deployed arr stack and a Jellyfin + Jellyseerr stack. The Proxmox server is connected to a router attached to a fiber ONT. Everything is accessed over the home LAN network and that’s it.

Everything is working correctly and my containers are all talking to each other correctly via IP addresses (gluetun network on the arr stack container). I’ve been reading up on reverse proxies and Tailscale to connect to the server from outside my LAN network, and it’s mostly gone over my head, but it did make me concerned about my network security.

Is my current setup secure, assuming strong passwords were used for everything? I think it is for my current uses - but I could use a sanity check, I’m tired. I’m open to any suggestions or advice.

I own a domain that I don’t use for anything, so it would be cool to get reverse proxy working, but my attempts so far have failed and I learned I’m behind a double NAT (ONT and router) - and attempts to bypass that by setting the ONT into bridge mode have also failed. I don’t really need to access anything from outside my home network right now - but I would like to in the future.

  • r0ertel@lemmy.world
    2 hours ago

    I was hacked years ago. I was hosting a test instance of phpBB for a local club. Work blocked SSH, so I opened up telnet. They either got in from telnet or a PHP flaw and installed password sniffers and replaced some tools (ps, top) with tools that would hide the sniffer service they installed.

    After that, I changed my model. My time lab is for learning and having fun. I’m going to make mistakes and leave something exposed or vulnerable and hackers are going to get in. Under this new model, I need to be able to restore the system easily after a breach. I have a local backup and a remote backup and I have build scripts (Ansible) so that I can restore the system if I need to. I’ve had to do this twice. Once from my own mistake and once from hardware failure.
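A defender's check for the situation r0ertel describes, where `ps` and `top` were replaced to hide a process: compare the PIDs the kernel lists under `/proc` with what `ps` reports. This is an added example, not part of the original comment; the sample PID values are constructed, and it assumes a Linux host with procps `ps`. It does not detect a kernel-level rootkit that also hides entries from `/proc`.

```python
import os
import subprocess

# Constructed sample data (not from the thread): PID 977 is visible in /proc
# before and after the ps run, but ps never prints it.
SAMPLE_BEFORE = {1, 412, 977, 1500}
SAMPLE_PS_OUTPUT = "    1\n  412\n 1500\n 2001\n"
SAMPLE_AFTER = {1, 412, 977, 2001}

def proc_pids(proc_root="/proc"):
    """PIDs the kernel exposes as numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def ps_pids(ps_output):
    """PIDs printed by `ps -e -o pid=` (one per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def hidden_from_ps(before, reported, after):
    """PIDs in /proc both before and after ps ran, yet missing from its output.

    Requiring both snapshots filters out processes that merely started or
    exited while the check was running.
    """
    return sorted((before & after) - reported)

def live_check():
    """Run the comparison against the local system."""
    before = proc_pids()
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    after = proc_pids()
    return hidden_from_ps(before, ps_pids(out), after)

if __name__ == "__main__":
    print("sample:", hidden_from_ps(SAMPLE_BEFORE,
                                    ps_pids(SAMPLE_PS_OUTPUT), SAMPLE_AFTER))
    print("live:  ", live_check())
```

An empty list on the live run means `ps` and `/proc` agree; any PID that shows up repeatedly is worth inspecting through `/proc/<pid>/exe` and `/proc/<pid>/cmdline`.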

  • 4am@lemm.ee
    10 hours ago

    I had a double NAT setup like that. Run a firewall like OPNSense as a Proxmox VM, and give it a WAN interface on the ISP router’s IP range; then run everything else on a different subnet, using OPNSense as the gateway. On the ISP router, put OPNSense’s WAN IP in the DMZ. Then, do all your hardening using OPNSense’s firewall rules. Bonus points for setting up a VLAN on a physical switch to isolate the connection.

    The ISP router will send everything to OPNSense’s WAN IP, and it will basically bypass the whole double NAT situation.

  • tvcvt@lemmy.ml
    16 hours ago

    You ever see those Wired videos where they talk about a concept on five different levels ranging from beginner to expert?

    The first level answer is likely that, yes, you’re reasonably secure in your current setup. That’s true, but it’s also really simplified and it skips a lot of important considerations. (For example, “secure against what?”) One of the first big realizations that hit me after I’d been running servers for a little while and trying to chase security is the idea of a threat model. What protects me from a script kiddie trying to break into one of my web servers won’t do much for me against a phishing attack.

    The more you do this, though, the more I think you’ll realize that security is more of a process than an actual state you can attain.

    I think it sounds like you’re doing a good job moving cautiously and picking up things at each step. If the next step is remote access, you’ve got a pretty good situation for a mesh VPN like Tailscale or Netbird or ZeroTier. They’ll help you deal with the CGNAT and each one gives you a decent growth path where you can start out with a free tier and if you need it in the future, either buy into the product or self host it.

    • hoshikarakitaridia@lemmy.world
      16 hours ago

      This is probably the best answer. If everything is truly only running on local network and nothing is exposed with a port through your router, you are very safe.

      Most issues get introduced when running a server exposed to the Internet.

      That said, on the lowest level, if they want to get you, they will. It’s all a risk analysis. And the more interesting you are to adversarial parties, the higher the chances you’ll get pursued.

      If you’re Edward Snowden, 99% your calls and conversations are always on record.

      If you’re John Doe, truly only your ISP cares when they get a law enforcement request because you really pushed the envelope.

      Trending movies are notoriously bad, because movie studios will really try to rake in the revenue.

      On the other hand, ripping music from YouTube, no one cares or is able to track it, so risk is very low.
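The reply above rests on nothing being exposed beyond the local network, which can be checked on the server itself. The following is an added example, not part of the thread: it classifies listening TCP sockets from `ss -tlnH` output by how widely they are bound. The sample lines, addresses and ports are constructed.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not taken from the thread).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:8096 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 192.168.1.50:8006 0.0.0.0:*
LISTEN 0 4096 [::]:5055 [::]:*
LISTEN 0 128 *:22 *:*
LISTEN 0 4096 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def classify(local):
    """Return (scope, port) for one 'Local Address:Port' field from ss."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return "all-interfaces", int(port)
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:        # 0.0.0.0 or ::
        return "all-interfaces", int(port)
    if addr.is_loopback:           # reachable only from the host itself
        return "loopback-only", int(port)
    if addr.is_private:            # bound to one RFC 1918 / local address
        return "lan-address", int(port)
    return "public-address", int(port)

def exposure_report(ss_output):
    """Group listening TCP ports by how widely they are bound."""
    report = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        scope, port = classify(fields[3])
        report.setdefault(scope, set()).add(port)
    return {scope: sorted(ports) for scope, ports in report.items()}

if __name__ == "__main__":
    for scope, ports in exposure_report(SAMPLE_SS).items():
        print(f"{scope:15} {ports}")
```

Ports under `all-interfaces` are reachable from every device on the LAN, and become reachable from the internet only if the router forwards them; Docker-published ports land in that group unless a bind address is given.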

  • catloaf@lemm.ee
    15 hours ago

    The only device that’s truly secure is one that’s turned off, disconnected from the network, encased in concrete, at the bottom of the ocean. Everything else is a tradeoff between convenience and security.

  • IsoKiero@sopuli.xyz
    16 hours ago

    > Is my current set up secure, assuming strong passwords were used for everything?

    Network security is a complicated beast to manage. If the general public can access your services over the internet, that’s a threat you need to mitigate. Strong passwords are a good start on that, but they don’t take into account if there’s a flaw or bug in the service you’re running. Also, if you have external users, they might reuse their passwords, and a leak of those might cause a threat too, especially if there are privilege escalation bugs in the software you’re running.

    And so on, it’s too wide a field to cover in a short comment here, but when you’re building your stuff, and what is maybe the most distinctive feature of a good professional versus a not so good one, is to think ahead and prepare for every imaginable scenario where something goes wrong. Every time you add a way to access your network, no matter how minuscule, think what happens if that way gets compromised and what it might mean in the very worst case.

    Maybe you want to add another access point to your network since your terrace isn’t properly covered. That’s nice to have, but now everyone within around 100 meters of your house/apartment might have access to your stuff if they can break your wifi security. Maybe you set up a reverse proxy or Tailscale on the stack. Now the whole internet can at least probe your stuff and try to find vulnerabilities, try to use stolen credentials and even try to social engineer their way into your stuff. Or maybe you made a mistake and left something open that shouldn’t be.

    I’m not trying to scare you off out of anything. Go ahead and play with your stuff, break things, learn how to fix them, have fun while doing it. Just remember to think ahead about worst case scenarios, weigh their risks, think ahead and then go on. Learn about DNAT, reverse proxies, VPN and network layers and whatever you come across on your adventure but keep in mind that shit will hit the fan at some point. And learn to accept that, learn from your mistakes and do better next time.

  • Onomatopoeia@lemmy.cafe
    14 hours ago

    > The proxmox server is connected to a router attached to a fiber ONT.

    If you want to be extra secure, there’s no reason the server needs internet connectivity/exposure at all (it should be safe as-is). Put it on its own VLAN with only specified ports open to your home LAN. That would be one extra layer from the internet - if admin/remote ports can’t be accessed via the internet connection LAN, then no way for an outsider to get into it (you’d have to provide other ways of accessing the server to admin it, either KVM, or a machine on that VLAN, etc).

    You DO NOT need to do this, just adding an idea about how to make stuff more secure.

  • StrawberryPigtails@lemmy.sdf.org
    16 hours ago

    Depends on your threat model, but you’re probably fairly secure from remote unauthorized access right now.

    Given that I’m American, I would put the *arr stack behind a dedicated VPN container like gluetun and set Gluetun up using a “no logs” VPN.

    For remote access, Tailscale can probably get around that double NAT. If you have it on your devices as well as your server, you won’t necessarily need to expose anything publicly.

    If that’s not an option, you could set up an external VPS to run a reverse proxy (Caddy perhaps) and use the Tailscale connection to connect the VPS to your home server. There are fully self hosted ways to do this (Headscale comes to mind), but Tailscale is how I personally would solve this.

  • Vinny_93@lemmy.world
    16 hours ago

    You can run nginx in a Docker container and define reverse proxies there. That will only require you to open up 443 in your router if you use SSL (which I highly recommend and is simple with Let’s Encrypt).

    Then I’d recommend connecting to your arrs and torrent client in Nzb360 paid edition to manage everything in there.

    As far as safety, well nothing is bulletproof. If they want to get in, they will. Best thing I can recommend is to run your arrs / indexers through a different IP address than your torrent client. But if they want to find you, they’ll find you. Thing is they probably won’t come after you if your ISP doesn’t report you uploading terabytes a day. SSL helps and keeping your arrs behind complex passwords (use a password manager) will keep the server itself relatively safe.

    Unless of course, ISPs in your country suddenly start to crack down on illegal downloading hard.

      • ChapulinColorado@lemmy.world
        10 hours ago

        Not to mention that some providers offer APIs to provide certificates without opening port(s) 80/443. This allows using nice host names on your personal domain with valid SSL over the internal network too. Want to migrate a server or service? Just change the IP associated with the domain on the internal DNS. Makes migrating and upgrading a lot easier.