Reverse proxy, understanding the potential security issues

Thank you @DrHeat and @xMAXIMUSx for the clear explanation.

I know that this could be a question for a new topic, but how can I know if I am in the scenario you described?
Which tools could I use to see if my network is secure and there is no botnet or other malware running?

Oh that is a huge topic you probably should research on your own. It will take a while as it’s a deep rabbit hole with no clear cut solution. It’s really up to your research, expertise, and patience to go as deep as you are willing to. It’ll be a fun journey for sure!

It’s really easy to pay some pentesters to inspect your network. I doubt you will have the same level of skills as them, but obviously nothing is stopping you from going to town with Kali Linux.

You are totally right :sweat_smile:
What can I read about the topic?
Because - maybe I am unlucky - 90% of the time I find one useful piece of information in tons of garbage.
Also, I looked in the public library, but here the only book I found about networking used Windows NT for the examples…

@DrHeat & @neogrid
I thought that there were specific tools - to use from inside and from outside the network - that automatically look for vulnerabilities and present a report (to simplify, like an antivirus or antimalware does).

Sure, there are lots of tools. Look up Kali Linux and Security Onion; if you can master them you can answer your questions.


There are specific tools, but there’s like tons of them. From intrusion detection systems to intrusion prevention systems, to pentesting tools, to antivirus solutions, to hardened operating systems and that’s just starting to scratch the surface. That’s why I said it’s a topic that can be researched and experimented with for years.

As to where to look for quality information, here’s my recommendation for starting out:

You’ll notice I listed 2 YouTube channels that are a veritable trove of amazing information that should provide enough pointers to get you started on your journey.

I’ve also listed ChatGPT. While some may find this a bit controversial, I found it’s an amazing tool to quickly summarize what’s available on a specific topic. Don’t ask it for a solution, instead ask it for topics that you can follow up on your own.

Hope this helps.


There is no security through obscurity on the open web. If you expose a service to the internet it is detectable, and this detection is automated. No one can fly under the radar.


Cloudflare tunnels are cool, but I don’t think that in and of themselves they are as secure as they are being portrayed - effectively they are still a reverse proxy exposing a service on your LAN, just remotely removed - for instance, that service would still need to sit in a DMZ or on a segregated network to prevent lateral movement. Some of the YouTube videos have been describing exposing whole subnets on your homelab LAN without addressing this, which I don’t think is terribly secure.

Cloudflare Tunnels are part of their Zero Trust offering so maybe there are additional security controls that are available - I’m not so familiar with their product range but the basic tunnel doesn’t seem to me to be significantly more secure than a port forward or reverse proxy.

In this case I’m surprised no one is suggesting an overlay/mesh VPN like Tailscale or ZeroTier - even less of an attack surface than a traditional VPN, as you don’t even need to expose a port for a VPN server on your network.

I am here to learn; I will be happy if a good discussion is born on this post with all the pros and cons of all the tech we have.

@Louie1961 & @InvisibleJim
that was my first idea, since everything can live inside of a container, in a separate network, etc.

But I was worried about Cloudflare itself, because of their policies; for example they can block the service if a video is detected (from what I have understood, but maybe I am wrong). If so, I don’t know if even a security camera stream could cause their block.

Also - correct me if I am wrong - these services will only move the entry point from your router to their server; if an app has a vulnerability like in the Nextcloud example of @DrHeat, the problem is still there.

Cloudflare updated their terms of service, and non-HTML content like video is allowed on most of their services, although not on the CDN unless sourced from a CDN customer. https://blog.cloudflare.com/updated-tos/

As far as your last question, I think it will protect you. An attacker only ever sees the public IP of cloudflare. They never reach the public IP of your home (router, firewall, etc.) If they do find your home IP, you have opened no firewall ports for this service. So I am not sure how anyone would be able to attack the installation of nextcloud sitting on your server. This assumes you use proper access control and 2FA on Nextcloud.

Look into reverse shells. So long as they can access a vulnerable site through Cloudflare and can drop a reverse shell on it, the shell will call home initiating a connection from your vulnerable server to their command & control center. Most common firewalls under typical configurations you may have will let that connection pass through unchallenged since it originates on your LAN. Also a multitude of different attacks can be carried through Cloudflare or a reverse proxy.

You may feel secure with no ports open, but so long as your internal sites are accessible through any means and vulnerable that’s all that’s needed.

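As an added example, not code from any poster in this thread, the callback described above is exactly the connection a default-allow egress policy waves through. The script below takes the opposite stance: it assumes the firewall logs every new outbound connection from the DMZ segment with an iptables/nftables LOG prefix of "DMZ-OUT ", that each DMZ host has an explicit allowlist of what it may initiate, and flags everything else. The log lines, addresses and policy are constructed.

```python
"""Flag reverse-shell style callbacks in firewall egress logs.

Added example for this thread, not code from any poster.  It assumes the
firewall logs every NEW outbound connection from the DMZ segment with an
iptables/nftables LOG prefix of "DMZ-OUT " and that each DMZ host has an
explicit egress allowlist.  The log lines, addresses and policy below are
all constructed.
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r"DMZ-OUT .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r".*?DPT=(?P<dpt>\d+)"
)

# Egress policy: (proto, dport) -> destinations a DMZ host may initiate to.
# A web app host needs DNS to its resolver and HTTPS to its package mirror
# and nothing else; "*" means any destination on that port.
EGRESS_POLICY = {
    "10.10.0.5": {
        ("UDP", 53): {"9.9.9.9"},        # resolver (constructed choice)
        ("TCP", 443): {"151.101.1.6"},   # package mirror (constructed)
    },
}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def parse_line(line):
    """Extract (src, dst, proto, dport) from one LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"].upper(), int(m["dpt"])


def check_egress(lines, policy=EGRESS_POLICY):
    """Return every logged connection that the egress policy does not permit."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        allowed = policy.get(src)
        if allowed is None:
            findings.append(Finding(src, dst, proto, dport,
                                    "host has no egress policy, so it should not initiate anything"))
            continue
        dsts = allowed.get((proto, dport))
        if dsts is None:
            findings.append(Finding(src, dst, proto, dport,
                                    f"{proto}/{dport} is not permitted for this host"))
        elif dst not in dsts and "*" not in dsts:
            findings.append(Finding(src, dst, proto, dport,
                                    f"{proto}/{dport} permitted only to {sorted(dsts)}"))
    return findings


# Constructed log excerpt.  10.10.0.5 is the exposed web app; the 203.0.113.77
# lines are what a callback looks like (note the second one hides on 443) and
# 10.10.0.9 is a host nobody wrote a policy for.
SAMPLE_LOG = """\
Jun 12 10:01:02 fw kernel: DMZ-OUT IN=dmz0 OUT=wan0 SRC=10.10.0.5 DST=9.9.9.9 LEN=60 PROTO=UDP SPT=51234 DPT=53
Jun 12 10:01:05 fw kernel: DMZ-OUT IN=dmz0 OUT=wan0 SRC=10.10.0.5 DST=151.101.1.6 LEN=60 PROTO=TCP SPT=40222 DPT=443 SYN
Jun 12 10:03:11 fw kernel: DMZ-OUT IN=dmz0 OUT=wan0 SRC=10.10.0.5 DST=203.0.113.77 LEN=60 PROTO=TCP SPT=39870 DPT=4444 SYN
Jun 12 10:03:40 fw kernel: DMZ-OUT IN=dmz0 OUT=wan0 SRC=10.10.0.5 DST=203.0.113.77 LEN=60 PROTO=TCP SPT=39871 DPT=443 SYN
Jun 12 10:04:00 fw kernel: DMZ-OUT IN=dmz0 OUT=wan0 SRC=10.10.0.9 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=45000 DPT=80 SYN
""".splitlines()

if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {f.reason}")
```

The point of the allowlist keyed on destination rather than just port is the fourth line: a callback to the attacker on 443 looks like ordinary HTTPS unless you know which hosts your server is actually supposed to talk to. In practice the same entries become accept rules on a default-deny egress chain for the DMZ, so the callback is dropped instead of merely logged; running this over the logs first tells you what that chain would have blocked.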

I am very happy you understood the point I was trying to make. That’s exactly it! Neither a reverse proxy on your server nor Cloudflare is a protection for this type of security issue.

Zerotier is also good, if you don’t feel like setting up a VPN, and don’t mind relying on a 3rd party service. Since you’re very interested in learning perhaps you should research Zerotier a bit.

It is really up to you, it can in theory be more secure than a VPN since 0 ports are open to the outside world. On the other hand it’s a somewhat newer technology and if their servers are compromised or different attacks against the protocol are discovered you’ll be wide open. It’s a balancing act: who do you place your trust in? A question only you can answer.

Reverse shells? How the heck does someone drop a reverse shell on my site if they can’t even log in? I only open my Nextcloud to limited users, and require/enforce strong passwords and 2FA.

The zero ports argument is not the strongest in my opinion. Having WireGuard listen on some random UDP port is hardly a threat surface. It won’t respond to failed attempts, and given it is UDP the attacker would have no idea the service is running on that port. Plus it is all key based. The overlay stuff does make sense to me if you are double NATed or want to push the easy button. But pushing that button isn’t without some degree of risk on its own. I’d rather not trust somebody if I don’t have to.

If Nextcloud (or any other application) has a remote code execution vulnerability, for instance, the attacker can drop and execute a script on the server via http(s) without needing to log into the application. A reverse shell script in this case would give the attacker a shell on your server, and they go from there.

Hello again,
forgetting all the possible issues/vulnerabilities that an exposed service could have, do you think that a solution like this can really increase the security of a service like Cloudflare Tunnel and its Zero Trust?
Or does it just increase the network complexity?

I think in this case, the additional controls don’t necessarily help with the scenario where the Portainer app is compromised via something like an RCE vulnerability (although the IDS/IPS might help some.)

I would think that the exposed service (Portainer) would be more likely to be compromised than the Cloudflare container (which is not available publicly), and if Portainer is compromised, it has access to the internal LAN - he does of course say that you shouldn’t expose Portainer to the web, so perhaps it was an odd choice for this demo compared with a standalone app like a WordPress website, which can be micro-segmented into its own DMZ.

Proxies could add additional security controls such as acting as an authentication or zero trust gateway which could help in some use cases - like your family Nextcloud where it only needs to be accessible to a select number of people.

The other control that is probably absent in most home labs is security monitoring - even if you have something like Security Onion, these can be quite labour intensive and specialised to operate. Difficult for one person.

Yes, even to me exposing Portainer sounded strange; at this point he could directly expose his server’s IPMI. :sweat_smile:

What gives me some doubts is the use of the IDS/IPS services: since the traffic is encrypted by SSL, can Snort/Suricata/etc. access and check the packets and notify me if something is wrong?
Because even internally most of the services use SSL with self-signed certs…
I am not totally confident on that, so correct me if I said something wrong.

In the video, he has http from the Cloudflare container to Portainer so the firewall HIDS/IPS can read the traffic.

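As an added example, not from this thread and not Suricata’s own code, the script below makes the plaintext-versus-TLS difference concrete. It walks constructed Suricata eve.json records: for an "http" event (the plaintext hop from the tunnel container to the app) the request URL is in the log and a content rule can fire; for a "tls" event the IDS only logs handshake metadata (SNI, version, JA3), so the same request inside TLS cannot be matched at all. The field names follow Suricata’s eve format; the rule patterns, hostnames, addresses and JA3 hash are constructed for the example.

```python
"""What a network IDS sees for plaintext HTTP versus TLS.

Added example for this thread; not Suricata's code and not from any poster.
It walks constructed Suricata eve.json records (JSON, one per line).  For
"http" events the request line is available and a content rule can fire.
For "tls" events only handshake metadata (SNI, version, JA3) is logged, so
the same request inside TLS cannot be matched.  Field names follow the eve
format; rule patterns, hosts, addresses and the JA3 hash are constructed.
"""
import json
import re

# Illustrative content rules over the request line, in the spirit of an IDS
# signature.  Constructed for this example, not taken from any ruleset.
CONTENT_RULES = {
    "path traversal": re.compile(r"(\.\./|%2e%2e(%2f|/))", re.I),
    "shell metacharacters": re.compile(r"[;|`]|%3b|%7c|%60", re.I),
}

# Constructed watchlist of TLS client fingerprints: the only kind of
# "content" match still possible on an encrypted flow.
SUSPICIOUS_JA3 = {"deadbeefdeadbeefdeadbeefdeadbeef": "constructed scanner fingerprint"}


def inspect_http(ev):
    """Run content rules over an http event; return an alert or None."""
    http = ev.get("http", {})
    request = f"{http.get('http_method', '')} {http.get('url', '')}"
    for name, pattern in CONTENT_RULES.items():
        if pattern.search(request):
            return {
                "rule": name,
                "visibility": "payload",
                "src": ev.get("src_ip"),
                "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
                "host": http.get("hostname"),
                "request": request,
            }
    return None


def inspect_tls(ev):
    """Summarise what is visible on a TLS event: metadata only, no request."""
    tls = ev.get("tls", {})
    ja3 = tls.get("ja3", {}).get("hash")
    return {
        "visibility": "metadata-only",
        "src": ev.get("src_ip"),
        "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
        "sni": tls.get("sni"),
        "version": tls.get("version"),
        "ja3": ja3,
        "ja3_match": SUSPICIOUS_JA3.get(ja3),
    }


def analyse(lines):
    """Return content alerts plus the flows the IDS could not look inside."""
    alerts, opaque = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "http":
            alert = inspect_http(ev)
            if alert:
                alerts.append(alert)
        elif ev.get("event_type") == "tls":
            opaque.append(inspect_tls(ev))
    return {"alerts": alerts, "opaque_flows": opaque}


# Constructed eve.json records.  The first two are the plaintext hop from a
# tunnel/proxy container (10.10.0.20) to an app on 10.10.0.5:9000; the third
# is the same client talking to an app that terminates TLS itself.
SAMPLE_EVE = """
{"timestamp":"2024-06-12T10:03:11.000000+0000","event_type":"http","src_ip":"10.10.0.20","dest_ip":"10.10.0.5","dest_port":9000,"proto":"TCP","http":{"hostname":"app.example","url":"/api/files?name=../../../etc/passwd","http_method":"GET","http_user_agent":"curl/8.0.1","protocol":"HTTP/1.1","status":200}}
{"timestamp":"2024-06-12T10:03:12.000000+0000","event_type":"http","src_ip":"10.10.0.20","dest_ip":"10.10.0.5","dest_port":9000,"proto":"TCP","http":{"hostname":"app.example","url":"/index.php/apps/files/","http_method":"GET","http_user_agent":"Mozilla/5.0","protocol":"HTTP/1.1","status":200}}
{"timestamp":"2024-06-12T10:03:13.000000+0000","event_type":"tls","src_ip":"10.10.0.20","dest_ip":"10.10.0.6","dest_port":443,"proto":"TCP","tls":{"sni":"cloud.example","version":"TLS 1.3","ja3":{"hash":"deadbeefdeadbeefdeadbeefdeadbeef"}}}
""".splitlines()

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_EVE), indent=2))
```

The first record trips the traversal rule because the URL is in the clear; the third record carries the same client but the IDS has nothing beyond SNI, version and a client fingerprint to work with. That is why terminating TLS before the IDS (at the proxy or tunnel container, with plaintext on an isolated segment to the app, as in the video) matters if you want payload inspection; with end-to-end TLS to the app you are limited to metadata and fingerprint watchlists.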