Homelab Setup 2026

C.M's Ultimate Homelab

A homelab is a personal, self-contained IT environment set up in your home to experiment with, learn, and test various technologies. It acts as a "tech playground" or a sandbox where you can build and break systems without the fear of impacting a real-world production environment.

Broadband: Fibre 1Gbps Down/Up

Gigabit PoE+ Switch/SFP: 8 Port Gigabit PoE+ Switch with 2 Uplink & 2 SFP 1000Gbps

SFP Network Card: ipolex 10Gb Network Card, 1x SFP+ Port, 10GbE NIC

SFP Modules: 10Gtek [2 Pack] 1G SFP SX LC Multimode Modules

Fiber Patch Cable: 10Gtek Fiber Patch Cable - LC to LC OM3 10Gb/Gigabit Multi-Mode Jumper Duplex

TP-Link 8-Port Switch: (Managed)

GeeekPi 12-Port Patch Panel: with Coloured Cat6 Keystone Jacks

Router/Firewall: N150/8GB RAM/128GB SSD running pfSense 2.8.1 FreeBSD

Asus AX: WiFi6 Access Point

Raspberry Pi 5: 8GB/128GB SSD running Ubuntu 24.04 noble powered by PoE+ Switch

Lenovo M910Q: Intel i5/8GB RAM/128GB SSD running Windows 11 Pro 64-bit

KVM Switch: 4 Port with Hotkey 4K 60Hz 18Gbps Share

TecMojo: 9U 10" Cabinet

TecMojo: 3-way PDU

Kenable PDU: Power Distribution Unit 12-way PDU

Custom made: 3D Printed Lenovo M910Q 1U 10" Rack Mount

Custom made: 3D Printed TP-Link 8-Port Switch 1U 10" Rack Mount

120mm Case FAN: with 3 modes

Temperature: Digital Display

Homelab UPS: BPC 600va/360w Managed

GamingPC UPS: Armour 2000va/1600w Pure Sine Wave

pfSense: Nut UPS, pfBlocker, DNSBL

RDP: Remote Desktop

SSH: Secure Shell via Ubuntu Server

COM/RS232: pfSense Router Terminal

Apache2 Server: Websever by C.M

MySQL: SQL Database

Webmin: Admin Panel Webpage

ViewPower: UPS Battery Management

Apache Tomcat: UPS Server

RP5i: Pi-hole

The core purpose of pfSense is to provide an open-source, enterprise-grade firewall and routing solution that is flexible enough to run on standard computer hardware. It is designed to replace expensive, proprietary network equipment with a secure, highly customizable platform that can be managed through a user-friendly web interface.

Its primary functions include;

• Stateful Firewalling: It filters network traffic based on predefined rules, tracking the state of connections to identify and block sophisticated attacks.

• Routing and NAT: Acts as a high-performance router, directing traffic between different networks (like your home LAN and the internet) and using Network Address Translation (NAT) to share one public IP across multiple devices.

•Secure Connectivity (VPN): Built-in support for protocols like WireGuard, IPsec, and OpenVPN allows users to create secure remote access tunnels or connect separate office locations.

• Network Optimization: Features like Traffic Shaping (Quality of Service) allow you to prioritize critical traffic, such as video calls or gaming, over less sensitive data like background downloads.

• Extensibility via Packages: The core software can be expanded with third-party packages to add advanced features

Intrusion Detection/Prevention (e.g., Snort or Suricata).

Ad and Malicious Site Blocking (e.g., pfBlockerNG).

Advanced Monitoring (e.g., ntopng).

Common Use Cases;

• Home Users: For those seeking better security and control than a standard ISP-provided router can offer.

• Businesses: Deploying it as a perimeter firewall to protect internal data and provide secure VPN access for remote employees.

• Educational Institutions: Managing complex networks for students and faculty while often working within tight budgets.

Hardware: Can range from a single Raspberry Pi or an old laptop to repurposed enterprise-grade server racks.

Virtualization (Hypervisors): Software like Proxmox VE, VMware ESXi, or Docker for containers to run multiple virtual machines on one physical device.

Networking Gear: Managed switches, routers, and firewalls (such as pfSense) to create complex network topologies.

Storage: Network Attached Storage (NAS) solutions using software like TrueNAS or Unraid.

A bastion host is a dedicated server designed to withstand cyberattacks and provide secure access to a private network from an untrusted source, such as the Internet. It is strategically positioned at the network perimeter, often outside a firewall or in a demilitarized zone (DMZ).

SSH (Secure Shell) is the primary method to connect, manage, and troubleshoot Ubuntu VPS servers remotely. Because it provides administrative control, securing SSH is critical to protecting your server from unauthorized access and attacks. The default settings of SSH prioritize accessibility, not security. Attackers often target these defaults through automated tools and brute force attacks. This guide will walk you through advanced, step-by-step SSH hardening on Ubuntu VPS for maximum protection, including detailed explanations of each security improvement.

The Risks of Default SSH Settings

With out-of-the-box settings, SSH is straightforward but exposes several security weaknesses:

• Anyone can scan for open port 22 and attempt frequent logins using common usernames and passwords.

• Direct root access simplifies an attacker’s job—if the root password is guessed, they gain full control immediately.

• Password-based logins are susceptible to brute force attacks where millions of potential passwords are attempted by bots.

• Allowing all users to attempt logins widens the attack surface if weak or unused accounts exist.

• No protection against repeated failures allows relentless attackers to keep trying indefinitely.

Hardening your SSH means progressively shutting down these attack pathways while ensuring you stay in control of your VPS.

Complete Guide to Hardening SSH on Ubuntu VPS

Change the Default SSH Port

Moving SSH away from well-known port 22 is a basic but effective step. While it won’t stop determined attackers, it helps avoid widespread automated attacks targeting the default port.

Step 1: Open the SSH configuration file with your preferred text editor:

sudo nano /etc/ssh/sshd_config

Step 2: Locate the line #Port 22. Remove the # and change 22 to an unused port above 1024 (for example, 2222):

Port 2222

Choose a port number not used by other services, but avoid ports below 1024 as they require root to bind.

Step 3: Save and exit the editor.

Step 4: If you use UFW as your firewall, permit the new port:

sudo ufw allow 2222/tcp

Step 5: Restart the SSH service:

sudo systemctl restart sshd

When connecting next time, specify the new port, for example:

ssh -p 2222 user@your-server-ip

Important: Test a new SSH session on the new port before disconnecting your existing session to avoid locking yourself out!

Disable SSH Protocol 1

Protocol 1 is outdated and insecure. Ensure only SSH Protocol 2 can be used.

Step 1: In /etc/ssh/sshd_config, add or edit:

Protocol 2

Step 2: Save, exit, and restart SSH.

Disable Direct Root Login

Direct root login poses a huge risk. Force all users to log in as a regular account and use sudo for administrative privileges as needed.

Step 1: Edit the SSH configuration:

sudo nano /etc/ssh/sshd_config

Step 2: Find or add the line:

PermitRootLogin no

Other useful options include PermitRootLogin prohibit-password (blocks password logins but allows public key logins for root) or PermitRootLogin without-password on older Ubuntu versions.

Step 3: Save, close, and restart SSH.

Warning: Before disabling root, ensure your non-root user is in the sudo group. You can check and add them with:

sudo usermod -aG sudo yourusername

Enforce SSH Key Authentication and Disable Passwords

Password-based logins are inherently weak. SSH keys use public key cryptography and are nearly impossible to brute force. After keys are set up, you can disable passwords for all users.

Step 1: On your local machine, generate an SSH keypair. For extra security, use the ed25519 algorithm, or rsa -b 4096 for compatibility:

ssh-keygen -t ed25519 -C "your_email@example.com"

Step 2: Upload your public key:

ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 youruser@your.server.ip

If ssh-copy-id isn’t available, manually append your ~/.ssh/id_ed25519.pub contents to ~/.ssh/authorized_keys on the server.

Step 3: Edit /etc/ssh/sshd_config to enforce keys and disable passwords:

PubkeyAuthentication yes PasswordAuthentication no ChallengeResponseAuthentication no UsePAM yes

Step 4: Save, restart SSH, and test key login.

Important: Always ensure your private key is protected by a strong passphrase. Do NOT share it. Backup keys securely and never store on internet-facing devices or in email.

Limit SSH Access to Specific Users and Groups

By default, any user account can try to log in via SSH. Restrict logins to only necessary users or groups.

Step 1: To allow only specific users:

AllowUsers adminuser developer

Or, to permit only a group (add users to “sshusers” group):

AllowGroups sshusers

Step 2: Save and restart SSH.

Use Two-Factor Authentication (2FA/MFA)

Adding a one-time code (such as from Google Authenticator) makes stolen keys or passwords useless by themselves.

Step 1: Install the needed module:

sudo apt install libpam-google-authenticator

Step 2: For each user, run:

google-authenticator

This will provide a QR code to scan with your authentication app and offer backup codes. Answer prompts to secure the setup.

Step 3: Configure PAM to require the authenticator. Edit /etc/pam.d/sshd and add AT THE TOP:

auth required pam_google_authenticator.so

Step 4: In /etc/ssh/sshd_config, set:

ChallengeResponseAuthentication yes AuthenticationMethods publickey,keyboard-interactive

This means both a valid SSH key and the one-time code are needed to connect.

Step 5: Save, restart SSH, and test with your authenticator app and private key.

Restrict SSH by IP Address with a Firewall

Allowing SSH only from fixed/trusted IP addresses prevents most attackers from even seeing your SSH service.

Step 1: Allow SSH from your IP (replace 203.0.113.4 and 2222 respectively):

sudo ufw allow from 203.0.113.4 to any port 2222 proto tcp

Step 2: If you have a dynamic home IP, consider using a secure VPN and only allow that IP or VPN subnet through UFW.

Step 3: Deny general SSH access by ensuring the more general rule sudo ufw allow 22/tcp is removed.

Step 4: Enable UFW if not already enabled:

sudo ufw enable

Step 5: To check active rules:

sudo ufw status numbered

This setup ensures that only devices from trusted networks or locations can attempt to access your server through SSH. For users with dynamic IPs, consider using a VPN or a jump server with a static IP as your entry point.

Enforce Additional SSH Hardening Settings

• Disable Empty Passwords: Edit /etc/ssh/sshd_config and set:

  PermitEmptyPasswords no

• Change the Login Grace Time: This limits the time a user has to log in (for example, 30 seconds):

  LoginGraceTime 30

• Limit Simultaneous Connections: Prevent flooding with too many attempts by setting:

  MaxAuthTries 3 MaxSessions 2

Monitor and Audit SSH Access

Regularly check your server’s authentication logs for suspicious access attempts or unauthorized logins.

Step 1: View the log:

sudo cat /var/log/auth.log | grep sshd

Step 2: For live monitoring:

sudo tail -f /var/log/auth.log

Look for patterns like repeated failed logins, new unknown users, or logins from unfamiliar IP addresses.

Keep SSH and System Software Updated

New vulnerabilities are found regularly. Ensuring your SSH server and system packages are up to date is crucial for security.

Step 1: To manually update packages:

sudo apt update && sudo apt upgrade

Step 2: Consider enabling automatic security updates:

sudo apt install unattended-upgrades sudo dpkg-reconfigure --priority=low unattended-upgrades

Backup Your Configuration

Before making significant changes in /etc/ssh/sshd_config, always make backups so you can easily restore if something goes wrong:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Conclusion

Hardening SSH on your Ubuntu VPS is essential for system security and peace of mind. Start by changing the default port, disabling root login, and enforcing SSH key authentication. Layer your defenses by restricting user access, applying two-factor authentication, and using firewall rules to limit exposure. Set up Fail2Ban to automatically ban suspicious sources and keep a close eye on your logs for any abnormal activity. Always keep your server updated, back up your config files before changes, and retain a backup SSH session when changing critical settings to avoid lockouts. With thorough SSH hardening, your Ubuntu VPS will be well-defended against both automated and manual intrusion attempts.

A well-structured homelab gives you hands-on experience with many of the same tasks you'll find in a production environment. You can explore infrastructure planning, system configuration, automation, and troubleshooting in real time.