10 homelab security quick wins to knock out in an afternoon

These are ten practical improvements you can apply across a typical homelab in a single Saturday. None of them require new hardware, paid subscriptions, or deep expertise. They're the difference between "we'll get to it someday" and "I did it and it stuck."

1. Turn on unattended-upgrades

On every Debian/Ubuntu host:

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

That pushes security updates automatically at night. It does not reboot automatically by default, which is fine: the patched binaries take effect when the affected services restart (needrestart will tell you which ones), and the rare kernel update can wait until your next scheduled maintenance.

2. Disable password-based SSH logins

In /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password

Validate the config with sshd -t, reload sshd, and confirm a key-based login works from a second terminal before closing the session you're in. Brute-force scripts scanning port 22 become meaningless overnight. If you're going to do one thing from this list, do this one.

3. Audit authorized_keys for every user

Find orphaned keys — from old laptops, former collaborators, that key you made "just for testing" eighteen months ago.

# Read each account's real home directory from /etc/passwd instead of
# assuming /home/$user (root lives in /root, and so may system accounts).
# Run with sudo so other users' files are readable.
while IFS=: read -r user _ _ _ _ home _; do
  auth="$home/.ssh/authorized_keys"
  [ -f "$auth" ] && echo "=== $user ===" && ssh-keygen -lf "$auth"
done < /etc/passwd

Delete any entries you can't justify. If you can't tell whose key it is, it shouldn't be there.

4. Close ports you don't use

Run an external port scan against your router's public IP from a VPS (or use nmap -Pn from a neighbour's connection). Anything open that you didn't explicitly forward is a bug — typically UPnP doing something nobody asked for.

Disable UPnP on the router unless you specifically need it. Disable IPv6 on services that don't use it rather than leaving them dual-stack and half-configured.

5. Get TLS on everything that speaks HTTP

Caddy is the shortest path. One config file, auto-renewing Let's Encrypt certs, no cert ops to remember. For services on RFC 1918 addresses, use the DNS-01 challenge so you don't have to expose anything to the public internet. DNS-01 needs a Caddy build that includes the DNS module for your provider (here Cloudflare), which the stock binary does not ship:

grafana.home.example.com {
    reverse_proxy 10.0.0.7:3000
    tls {
        # requires the cloudflare DNS module; keep the token out of the
        # config file by passing it through an environment variable
        dns cloudflare {env.CF_API_TOKEN}
    }
}

6. Put Grafana / Portainer / Kibana behind a VPN

Admin UIs on public ports are a standing invitation. Tailscale or WireGuard gets you inside the LAN from your laptop in five minutes. After that, you can bind every admin UI to the LAN interface and still reach it from anywhere.

7. Set a real Redis / MongoDB / Elasticsearch password

Unauthenticated Redis on 6379 is the single most common self-hosted finding we see. If you've ever thought "we'll add the password later, it's only on the LAN" — that's fine, right up until you forward a port to expose Home Assistant and accidentally forward the wrong range.

# redis.conf
# Require a password for every client, including ones on the LAN.
requirepass a-long-random-string-from-your-password-manager
# Listen on loopback only, so a mis-forwarded port still reaches nothing.
bind 127.0.0.1 ::1

8. Audit ~/.gitconfig and .env files

On every dev box: check your .env files aren't accidentally committed (git log --all --full-history -- .env; the -- keeps git from reading .env as a revision name when the file isn't in the working tree). Check that any API keys you use locally aren't being served by a misconfigured nginx location block.

9. Check for end-of-life OS versions

Ubuntu 20.04 goes ESM-only in April 2025; Debian 11 is end-of-life mid-2026; CentOS 7 is already dead. If you're on any of them, schedule a migration — free security updates stop, and nobody backports fixes for CVEs to unsupported distros forever.

lsb_release -a           # Debian/Ubuntu
cat /etc/redhat-release  # RHEL family

10. Run a vulnerability scan and actually read the output

The meta-step. All of the above matters only if you check whether it worked. Run a scanner — Noxen if you're on a Mac, otherwise nmap + Nikto + Trivy — against every host you own. Read the report. Fix the findings. Re-scan.

The failure mode with homelabs isn't "we don't know what to do." It's "I did it eighteen months ago and never checked if it stayed done." A nightly scan and a morning diff report close that loop.
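The nightly scan and morning diff described above, as an added example that is not part of the original post: it reads two nmap greppable (-oG) outputs and reports which ports opened or closed between them. The two scan files are constructed samples; the helper names open_ports and scan_diff are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): turn two nightly nmap greppable
# (-oG) scans into a morning diff of ports that opened or closed. The scan
# output below is constructed; in practice feed it last night's and tonight's
# files. Assumes awk, sort, comm and sed are available.
set -eu
export LC_ALL=C   # byte-wise sort so comm sees identical ordering

# List every open port in a -oG file as host:port/proto, sorted.
open_ports() {
  awk '/Ports:/ {
    host = $2                      # "Host: 10.0.0.7 ()  Ports: ..."
    sub(/.*Ports: /, "")           # keep only the port list
    n = split($0, p, /, /)
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")          # port/state/proto/owner/service/...
      if (f[2] == "open") print host ":" f[1] "/" f[3]
    }
  }' "$1" | sort
}

# Report ports only in the new scan (+, newly opened) and only in the
# old scan (-, closed since). Usage: scan_diff old.gnmap new.gnmap
scan_diff() {
  old=$(mktemp); new=$(mktemp)
  open_ports "$1" > "$old"
  open_ports "$2" > "$new"
  comm -13 "$old" "$new" | sed 's/^/+ /'
  comm -23 "$old" "$new" | sed 's/^/- /'
  rm -f "$old" "$new"
}

# Constructed sample scans: a service was retired on .5 and an
# unplanned Redis appeared on .7 overnight.
LAST_NIGHT=$(mktemp); TONIGHT=$(mktemp)
cat > "$LAST_NIGHT" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample) as: nmap -oG - 10.0.0.0/24
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///  Ignored State: closed (998)
Host: 10.0.0.7 ()  Status: Up
Host: 10.0.0.7 ()  Ports: 22/open/tcp//ssh///, 3000/open/tcp//ppp///  Ignored State: closed (998)
EOF
cat > "$TONIGHT" <<'EOF'
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///  Ignored State: closed (999)
Host: 10.0.0.7 ()  Ports: 22/open/tcp//ssh///, 3000/open/tcp//ppp///, 6379/open/tcp//redis///  Ignored State: closed (997)
EOF

scan_diff "$LAST_NIGHT" "$TONIGHT"
```

Pointed at real files (nmap -oG tonight.gnmap ... in a cron job), the "+" lines are what to read over coffee: any port you did not open on purpose.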