LAN security

LAN security options for the server:

  • Whole disk encryption (prevents bypassing security by reading the disk with another computer).
  • Dedicated server (reduces exploitable surface area).
  • Automated Linux updates.
  • Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
  • ssh keys (prevents password guessing on ssh).
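
The ssh keys option only prevents password guessing if the server also refuses password logins. The script below is an added example, not part of Noodle: it audits an sshd_config for that. The function name sshd_keys_only and the sample configuration are constructed for illustration, and the "yes" defaults are the ones documented by OpenSSH.

```shell
#!/bin/sh
# Added example (not Noodle code): audit an sshd_config for password logins.
# Exit status 0 = keys only, 1 = some password-based login is still possible.
# Simplifications: Include files are not followed, and every line after the
# first Match line is treated as conditional.
sshd_keys_only() {
    awk '
        { sub(/#.*/, ""); sub(/[=]/, " ") }      # drop comments, accept Key=value
        NF < 2 { next }
        { key = tolower($1); val = tolower($2) } # keywords are case-insensitive
        key == "match" { in_match = 1; next }
        # Deprecated alias of KbdInteractiveAuthentication.
        key == "challengeresponseauthentication" { key = "kbdinteractiveauthentication" }
        key != "passwordauthentication" && key != "kbdinteractiveauthentication" { next }
        in_match {                               # Match blocks override globals
            if (val != "no") {
                printf "WEAK line %d: %s %s in Match block\n", NR, key, val
                weak = 1
            }
            next
        }
        !(key in seen) { seen[key] = val }       # sshd keeps the first value it reads
        END {
            n = split("passwordauthentication kbdinteractiveauthentication", keys, " ")
            for (i = 1; i <= n; i++) {
                # Assumption: OpenSSH defaults both to yes. Flagging an unset
                # keyboard-interactive is conservative (it depends on PAM).
                v = (keys[i] in seen) ? seen[keys[i]] : "yes (default)"
                if (v != "no") { printf "WEAK global: %s %s\n", keys[i], v; weak = 1 }
            }
            exit weak + 0
        }
    ' "$1"
}

# Constructed sample: the second PasswordAuthentication line is ignored by sshd.
demo() {
    cfg=$(mktemp)
    printf '%s\n' 'PasswordAuthentication yes' 'passwordauthentication no' \
        'KbdInteractiveAuthentication no' > "$cfg"
    if sshd_keys_only "$cfg"; then echo "keys only"; else echo "password login possible"; fi
    rm -f "$cfg"
}
demo
```

On a live server, sshd -T prints the effective configuration and is the authoritative check; the script is for reviewing a file before it is deployed.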

LAN security options on a network, listed from most to least secure:

  1. Network not (even indirectly) connected to the internet.
  2. Network containing only automatically updated devices and only indirectly connected to the internet:
    • Encrypted VPN or, better yet, an ssh tunnel (used with keys, this prevents man-in-the-middle attacks from a spoofed Wi-Fi network or an untrusted ISP or government).
    • Anonymity networks like Tor can be used, optionally with SSL or ssh (in practice this prevents anyone, including governments, from knowing which server a user is talking to).
  3. Network only indirectly connected to the internet.
  4. Public network with a firewall or NAT port forwarding blocking all but one port.
  5. Public network.