Homelab Security Basics: What You Need to Lock Down
The practical security checklist for homelabs: what actually matters, what's overkill, and what most guides skip entirely.
Most homelab security guides either scare you into building a fortress for a home network, or hand you a ten-step hardening checklist that reads like a corporate compliance doc. Neither is useful.
Here’s what actually matters for a typical homelab — the threats that are real, the mitigations that are worth the effort, and the things that are overkill for a home environment.
The Actual Threat Model
Your homelab isn’t a bank. You’re not protecting credit card transactions or medical records (probably). But you do have things worth protecting:
- Your credentials — Vaultwarden, your server logins, your admin panels
- Your private files — documents, photos, anything you’ve self-hosted
- Your network — a compromised homelab device can pivot to other things on your network
- Your exposure — anything publicly accessible is potentially a target
Most homelab security incidents fall into three categories:
- Default credentials on exposed services — Someone found your admin panel on the internet because a port was open, and the default password was still set
- Outdated software with known vulnerabilities — An old version of a web application with a CVE that’s been public for months
- Weak passwords and no 2FA — Straightforward credential attacks
The mitigations for all three are basic. You don’t need a SIEM, a WAF, or network traffic analysis for a home setup. You need to do the fundamentals correctly.
Don’t Expose Services to the Internet (Directly)
The simplest security improvement you can make: nothing on your homelab should be directly accessible from the internet unless it specifically needs to be.
This means no port forwarding on your router for Jellyfin, Nextcloud, Uptime Kuma, Portainer, or any other homelab service. Access them via Tailscale or WireGuard instead. Both create encrypted tunnels that let you reach your homelab from anywhere without opening ports.
The Tailscale setup guide takes about 15 minutes and requires no port forwarding at all. If you prefer to run your own VPN server with full control over the infrastructure, the WireGuard setup guide covers wg-easy on Docker. After either is set up, you access everything via your VPN from anywhere. Nothing is exposed to the internet.
If you do need to expose something publicly (Nextcloud for family members, Vaultwarden for mobile sync), put it behind Nginx Proxy Manager with a legitimate SSL certificate and only expose that proxy — not the underlying service port directly.
Change All Default Credentials
Before deploying any service:
- Change the default admin password to something strong and unique
- Store it in Vaultwarden (or your password manager of choice)
Default credentials for most self-hosted software are publicly documented on the project’s GitHub. A scanner hitting your network doesn’t need to be sophisticated — it just needs to try admin/admin on port 8080 and see what happens.
Common services with defaults to change:
- Portainer — set a strong admin password during first setup
- Grafana — change from admin/admin immediately
- Pi-hole — set
WEBPASSWORDbefore deploying - Any service with a first-run setup wizard — do it before the container is reachable
Enable Two-Factor Authentication
Enable 2FA on every service that supports it:
- Vaultwarden — TOTP authenticator app
- Grafana — TOTP or OAuth
- Portainer — TOTP (under Settings > Users)
- Proxmox — TOTP (under Datacenter > Users)
- Nextcloud — TOTP or hardware key
2FA doesn’t matter much if your services aren’t internet-exposed (a VPN is better protection). But if anything is publicly reachable, 2FA is the last line when a password gets guessed or leaked.
Keep Software Updated
Outdated containers are how most homelab security incidents happen. A service running a version from 18 months ago likely has documented CVEs that automated scanners specifically target.
Watchtower handles this automatically — the Watchtower guide covers the setup. Alternatively, make a monthly habit of updating your containers manually.
For services that manage authentication or sensitive data (Vaultwarden, Nextcloud, Authelia), update promptly when security-relevant releases come out. Subscribe to their GitHub release notifications.
Separate Your Homelab Network (Optional but Good)
If your router supports VLANs, put your homelab on a separate VLAN from your main devices. This way, if something in your homelab gets compromised, it can’t directly access your laptops, phones, and other devices on the primary network.
This is more effort than the other items on this list and less critical if your services stay off the internet. Worth doing if you’re already comfortable with your router’s network configuration.
A simpler version: give your homelab server a static IP and use your router’s firewall rules to restrict what that IP can initiate connections to. Most home routers can do this even without VLAN support.
SSH Hardening (If You SSH Into Your Server)
If you’re using password-based SSH to log into your server, switch to key-based authentication:
# Generate a key pair on your local machine (if you don't have one)
ssh-keygen -t ed25519
# Copy the public key to your server
ssh-copy-id user@your-server-ipThen disable password authentication on the server:
Edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yesRestart SSH:
sudo systemctl restart sshNow SSH requires your private key. Brute-force password attacks against SSH become irrelevant.
While you’re in sshd_config, also set:
PermitRootLogin noNever SSH in as root. Use a regular user and sudo when needed.
Don’t Run Containers as Root
Most well-maintained Docker images run as a non-root user by default. For those that don’t, add a user: directive in your compose file to specify a non-root UID.
Running a container as root means that if the application inside the container has a vulnerability that allows code execution, the attacker starts with root privileges inside the container. That’s not instant game-over, but it’s worse than non-root.
The Jellyfin guide on this site uses user: "1000:1000" for this reason.
Regular Backups Are Security Too
If your homelab gets ransomwared, infected with crypto miners, or a container gets corrupted — your recovery path is your backups. Security incidents are another reason (beyond hardware failure) why backups matter.
The backup strategy guide covers the setup. The short version: daily config backups locally, weekly off-site, and test restoring them periodically.
What’s Overkill for a Homelab
Things I see recommended in homelab security discussions that are more effort than they’re worth for most setups:
- Fail2ban on every service — Useful for internet-exposed SSH. Less necessary if SSH is key-only and services aren’t internet-exposed.
- IDS/IPS (Suricata, Snort) — High maintenance for marginal home benefit. Worth it as a learning project, not as practical security.
- Crowdsec — Interesting tool, but adds complexity. Evaluate after you’ve got the basics solid.
- Full disk encryption on the homelab server — Protects against physical theft (unlikely) at the cost of requiring manual entry of a passphrase after each reboot (annoying for a server you want to restart automatically).
Get the fundamentals right first. Tailscale for remote access instead of exposed ports, strong unique passwords on everything, 2FA where it matters, keep software updated, use SSH keys. That covers the real threat surface for a homelab.