Home network security with limited budget and using existing hardware only

[trinketsecurity]

I'm new to SNBforums, and I am a university student that have studied some networking and network security courses. I know some things about system hardening, VLANs, subnetting, security configurations to benchmarks/best practices and some more.


Due to some unforeseen circumstances, I feel like my threat environment has expanded to targeted attacks by hackers in my community. This is likely due to my interactions in real life with actual hackers in my city. After receiving some creepy phone calls and getting hit by a zero-day on my apple products, I have since been trying to rebuild my home network with security in mind.

What I have done so far:
- bought an Asus RT-AC68U router
- installed Asuswrt-Merlin
- installed Skynet + diversion
- changed router's username and set an extremely long and complicated admin password
- WiFi password is also set the same way
- placed IOT devices on to guest network (need guidance here: one way comms has blocked some functionality)

What I want to do:
- Raspberry Pi 4 with Pi-Hole and an OpenVPN set up as securely as possible
- Some sort of alert notification sent to me over to my phone if anything happens to my network (sort of like pfsense + snort + zabbix)
- been very busy so haven't researched yet but: zabbix, grafana or prometheus?
- System hardened MacBook air for logging into bank accounts ONLY (if possible) (maybe BootCamp to windows for this)
- IDS?
- I'm very open to suggestions! I love to learn, I spent over 15 hours straight playing with the router since I got it, and fell asleep at 7am on a Sunday morning.

Budget:
100 USD (maybe more later)

Hardware:
Desktop PC
Asus RT AC68U
Raspberry pi 4 (2x)
Netgear R7800 (unused)

I'm fairly certain I need guidance. I'm open to criticism, and any documentation and guides or whatever that needs read in order to understand. Any keywords will be googled.

Thank you in advance and I hope to contribute around in this community more!

 

[OzarkEdge]

I'm new to SNBforums, and I am a university student that have studied some networking and network security courses. I know some things about system hardening, VLANs, subnetting, security configurations to benchmarks/best practices and some more.


Due to some unforeseen circumstances, I feel like my threat environment has expanded to targeted attacks by hackers in my community. This is likely due to my interactions in real life with actual hackers in my city. After receiving some creepy phone calls and getting hit by a zero-day on my apple products, I have since been trying to rebuild my home network with security in mind.

What I have done so far:
- bought an Asus RT-AC68U router
- installed Asuswrt-Merlin
- installed Skynet + diversion
- changed router's username and set an extremely long and complicated admin password
- WiFi password is also set the same way
- placed IOT devices on to guest network (need guidance here: one way comms has blocked some functionality)

What I want to do:
- Raspberry Pi 4 with Pi-Hole and an OpenVPN set up as securely as possible
- Some sort of alert notification sent to me over to my phone if anything happens to my network (sort of like pfsense + snort + zabbix)
- been very busy so haven't researched yet but: zabbix, grafana or prometheus?
- System hardened MacBook air for logging into bank accounts ONLY (if possible) (maybe BootCamp to windows for this)
- IDS?
- I'm very open to suggestions! I love to learn, I spent over 15 hours straight playing with the router since I got it, and fell asleep at 7am on a Sunday morning.

Budget:
100 USD (maybe more later)

Hardware:
Desktop PC
Asus RT AC68U
Raspberry pi 4 (2x)
Netgear R7800 (unused)

I'm fairly certain I need guidance. I'm open to criticism, and any documentation and guides or whatever that needs read in order to understand. Any keywords will be googled.

Thank you in advance and I hope to contribute around in this community more!

I think you should proceed to experiment and learn... great stuff. However, if personal computing security were as complicated as you are making it, most of us would not enjoy safe computing.

First thing I would do is stop the activity that you feel compromised your network and devices.

Did you lose data... a working backup scheme alone could exceed your budget?

This recent thread here might interest you... by no means exhaustive of the subject: How do you protect your home / small business from email-based threats? | SmallNetBuilder Forums (snbforums.com)

OE

 

[cptnoblivious]

I'd start with the following:

1. Identify your threat surface - meaning: What are you trying to prevent against / what is exposed that could be an attack surface. Examples: Wifi - someone could get on your network. Exposed ports inbound - how will the exposed services be protected. Online activities - how will you prevent the download / execution of malicious code from sites
2. Document your plan for each item above, do research for how to harden your install
3. General advice: Backup your data, test those backups regularly. Store your most critical items offsite. Utilize 2FA (non-SMS based) wherever available for services you care about. Utilize defense in depth, i.e. use firewalls on all systems internal as well as external. Ensure your patching is up-to-date. Identify generally risky activities (downloading and installing unsigned software etc). and stop that.

Finally, learn from what happened before: How did someone exploit holes in your security.

Good luck.

 

[airgap]

I would rather know what is your real goal in that? You're at home. What are you trying to protect yourself against? What are the threats?

If you know that then you know what you need and what to do and even the cost

Sure if you work for a intelligence agency or some kind of hidden state related "organisation" then you should protect yourself.

But you're only a student aka "normal" person. That is the beauty of being young. You have a lot of energy and motivation to do a lot of stuff.

When you get older then you realize you were hunting a ghost and no need for all that and you whish you had focused on other important things of life.

But just go ahead. If it's what you want now then you have to do it.


But besides that:

- go and dig deep into unix/linux firewalls and hardening
- layer 7 protections (proxies, dns filter, using tor services etc.)

that will cover most of the threats. Good password policy etc. is a no-brainer and no need to mention it.

 

[cptnoblivious]

OP: If you really want to go deep, start working through this

The Hitchhiker’s Guide to Online Anonymity

The Hitchhiker’s Guide to Online Anonymity

anonymousplanet.org

And I say that because you say that you're being targeted. If you're targeted, they know who you are. So, step one, understand how 'they' could track you

Happy reading and exploration!

 

[trinketsecurity]

I would rather know what is your real goal in that? You're at home. What are you trying to protect yourself against? What are the threats?

If you know that then you know what you need and what to do and even the cost

Sure if you work for a intelligence agency or some kind of hidden state related "organisation" then you should protect yourself.

But you're only a student aka "normal" person. That is the beauty of being young. You have a lot of energy and motivation to do a lot of stuff.

When you get older then you realize you were hunting a ghost and no need for all that and you whish you had focused on other important things of life.

But just go ahead. If it's what you want now then you have to do it.


But besides that:

- go and dig deep into unix/linux firewalls and hardening
- layer 7 protections (proxies, dns filter, using tor services etc.)

that will cover most of the threats. Good password policy etc. is a no-brainer and no need to mention it.

The mentor that was training me in pentesting had an actual mental breakdown and hacked everyone who joined his vpn network (for the training). He is at the level where he develops his own exploits, and has attained several offensive security certificates.

Also, thats a perspective i had not considered,but yes i could think of protection in all 7 layers of the osi model. I'll do my research in that regard.

Also i would love to delve deeper in blue team stuff more, as its my interest and it'll develop my career skills.

 

[trinketsecurity]

OP: If you really want to go deep, start working through this

The Hitchhiker’s Guide to Online Anonymity

The Hitchhiker’s Guide to Online Anonymity

anonymousplanet.org

And I say that because you say that you're being targeted. If you're targeted, they know who you are. So, step one, understand how 'they' could track you

Happy reading and exploration!

He was my pentest mentor at the company i work at, he knows me personally and hes a good friend. I suppose he hasn't taken care of his own mental health in the past few years.

 

[trinketsecurity]

I think you should proceed to experiment and learn... great stuff. However, if personal computing security were as complicated as you are making it, most of us would not enjoy safe computing.

First thing I would do is stop the activity that you feel compromised your network and devices.

Did you lose data... a working backup scheme alone could exceed your budget?

This recent thread here might interest you... by no means exhaustive of the subject: How do you protect your home / small business from email-based threats? | SmallNetBuilder Forums (snbforums.com)

OE

Its only complicated because i have not grasped the concepts and that i have no experience. Both of which will require time and summoning my small talent in. Any data i have lost is not worth anything, but i will do the 3 2 1 back up from now on.

 

[airgap]

The mentor that was training me in pentesting had an actual mental breakdown and hacked everyone who joined his vpn network (for the training). He is at the level where he develops his own exploits, and has attained several offensive security certificates.

Sadly most brilliant brains have some sort of "disfunction" . No offense just saying that sometimes very intelligent people have neurological short-circuit - well not literaly but you know what I mean

If I had a mentor like him and would be friends with him - I would beg him to hack me anytime and my task would be to prevent it

Man that would a steep learning curve beyond imagination!

 

[trinketsecurity]

Sadly most brilliant brains have some sort of "disfunction" . No offense just saying that sometimes very intelligent people have neurological short-circuit - well not literaly but you know what I mean

If I had a mentor like him and would be friends with him - I would beg him to hack me anytime and my task would be to prevent it

Man that would a steep learning curve beyond imagination!

I believe its an early onset of dementia... in his thirties. He's brilliant, and the nicest person in the industry. He's totally the opposite of a gate keeper, which is rare.