Sascha's Toolbox
5 min read
Security HomeLab Infrastructure Networking Jellyfin

The Home Lab Security Audit: You are your own worst sysadmin

The Home Lab Security Audit: You are your own worst sysadmin

I spent my teenage years in a dark basement, smelling of solder and ozone, trying to bend a series of beige boxes to my will. Back then, “security” was a simple concept: keeping my parents away from the folder containing cracked ISOs and IRC logs. We were edgy, nerdy, and blissfully unaware that our “DMZ” settings—which we toggled just to get a Quake II server visible to the world—were the digital equivalent of removing the front wall of our house.

Today, the Home Lab has evolved from a hobbyist’s sandbox into a vital act of digital reclamation. As we flee the “Rental Economy,” we are building sophisticated, private stacks. But there’s a recurring failure in the field: Everyone wants to be a builder, but nobody wants to be the SysAdmin.

The Foundation of Sand: The ISP Gateway Paradox

Let’s address the elephant in the rack: the ISP-provided modem. If you’re in the DACH region, you likely have a FRITZ!Box. It’s a respectable piece of German engineering that handles DSL/Fiber training better than most, but it’s still a “Provider Edge” (PE) device.

The problem isn’t just the firmware; it’s the Topology of Trust. Most ISP units utilize TR-069 (CWMP). This protocol gives your provider a permanent, unauthenticated back door for “configuration management.” For a builder, this is an unacceptable breach of sovereignty.

The Engineering Fix: Put that box in Bridge Mode. If your ISP is one of those that locks the Bridge toggle, it’s time to look into SFP+ ONT modules or Mac-spoofing to bypass their CPE entirely. Your perimeter should begin at a device you flashed—ideally something running OPNsense or a hardened Debian build with a proper stateful firewall.

Segmentation: The “Chatty Cathy” Problem

In the enterprise world, we don’t let the vending machine talk to the domain controller. At home, we often fail this basic test. That $15 “Smart Bulb” pulling 300MB of data a day isn’t just uploading your sleep patterns; it’s an unpatched Linux kernel sitting on your primary subnet.

A real home lab requires a strict VLAN Hierarchy:

  • VLAN 10 (MANAGEMENT): No internet. Out-of-band management only (iDRAC, ILO, Pi-KVM).
  • VLAN 20 (SERVER): Strictly regulated. This is where your Jellyfin instance lives.
  • VLAN 30 (IOT_UNTRUSTED): Isolated. No cross-VLAN talk. Deny-all by default.
  • VLAN 40 (GUEST): Client isolation enabled.

A Technical Tangent: Internal BGP?

If you really want to go down the rabbit hole, consider running an internal BGP mesh with something like Bird or FRR. It allows for elegant failover between nodes and “Anycast” DNS across your local cluster, but it also means you’re now debugging routing tables at 2 AM. Use with caution—once you start peering with your own switches, there’s no turning back.

Reclaiming the Media Stack: Jellyfin over Plex

We need to talk about the “Plex Trap.” Plex was once the builder’s darling, but it has succumbed to the “Rental” rot. It requires a cloud login to access local data, collects telemetry on your viewing habits, and constantly pushes “ad-supported” content you didn’t ask for.

If you value sovereignty, you switch to Jellyfin. It is 100% FOSS, requires zero phoning home, and doesn’t care if the internet is down. But here’s the kicker: Jellyfin requires you to actually understand FFMPEG transcode paths and Intel QuickSync/NVENC passthrough in Docker. It’s harder to set up, but that’s the price of ownership.

The VPN Fallacy: Stop Opening Ports

Opening port 32400 (Plex) or 8096 (Jellyfin) to the world is an engineering sin. In 2026, the only port open on your WAN should be a high-numbered, non-standard port for WireGuard.

Better yet, use Tailscale (built on WireGuard) for a mesh-VPN that handles NAT traversal without a single open port. If you aren’t using a Radius-backed VPN or a Zero-Trust overlay, you aren’t “remote accessing”—you’re “exposing.”

RAID is Not a Backup (The Magnetic Truth)

Let’s have a talk about the “B-word.” A RAID-Z2 array is for uptime, not backup. If a PSU fries your backplane, or a stray rm -rf hits the wrong mount point, your RAID won’t save you.

The 3-2-1 Rule is non-negotiable: 3 copies, 2 media types, 1 off-site.

I’m still a believer in LTO (Linear Tape-Open). Magnetic tape is the undisputed king of archival longevity. While an SSD might lose its charge after two years in a drawer (cell leakage is real), an LTO-9 tape is rated for 30+ years.

  • Hard Hit: Magnetic tapes are physically air-gapped once they leave the drive. Ransomware cannot encrypt a tape sitting on a shelf.

The “Oh Shit” List: Top 5 Overlooked Sins

  1. The Default Credential Zombie: That managed switch you got on eBay for a steal? I bet you $5 it still has admin/admin on the management IP.
  2. mDNS Reflection: If you’ve enabled mDNS across your VLANs so your phone can find the Chromecast, you’ve likely punched a hole in your isolation. Use an mDNS Repeater with strict filtering.
  3. Unmonitored UPS: If your UPS isn’t talking to nut (Network UPS Tools) to trigger a graceful shutdown, you are one power flick away from a corrupted ZFS pool.
  4. The Abandoned Docker Container: We’ve all pulled a “cool” image from Docker Hub and forgotten about it. If it hasn’t been updated in 12 months, it’s a CVE waiting to happen.
  5. DNS Over HTTPS (DoH) Hijacking: You think your DNS is secure, but many “Smart” devices now hardcode 8.8.8.8 over HTTPS to bypass your Pi-hole. You need to sinkhole DoH traffic at the firewall level.

Final Thought: The Sovereignty Tax

Reclaiming your data is a noble goal, but it comes with a “sovereignty tax.” You are the CISO now. If you don’t spend the time to harden your environment, you’re just trading a corporate rent-seeker for a script-kiddie.

Go buy a proper router. Flank your ISP gateway. And for the love of all that is holy, stop opening ports.

Builder’s References

  • The 3-2-1 Backup Strategy: Data Backup and Recovery 101. (CISA.gov).
  • LTO Longevity Metrics: LTO Program Media Shipment Report. (LTO.org, 2024). Confirms 30+ year shelf-life.
  • TR-069 Security Analysis: CPE WAN Management Protocol Risks. (OWASP).
  • WireGuard Performance: Whitepaper on Next-Generation Kernel VPNs. (Jason A. Donenfeld).
← Back to all posts