Threat model in one breath

Ask: Who might attack me, with what effort, and what do they want? A random bot scanning the internet cares about weak SSH and default passwords. A targeted adversary is a different game. Most home users need good hygiene: updates, unique passwords, 2FA on email and router admin, and minimal exposure.

Baseline habits

• Updates for router firmware, NAS, and OS — most compromises are unpatched known bugs.
• Segmentation: guest Wi‑Fi for untrusted devices; IoT on a VLAN if your gear supports it.
• Disable UPnP on the router unless you truly need it; it punches holes without you noticing.
• SSH / RDP: key-based auth, no default ports exposed to the world, or use a VPN home instead.

HTTPS / TLS (why the padlock)

TLS encrypts bytes in transit and helps prove you reached the server you think you did (via certificates). On the public internet, HTTPS is standard. On a trusted LAN, some homelabbers use HTTP internally and TLS only at the edge — but anything crossing untrusted networks should be encrypted.

Tools like Let’s Encrypt automate certs for public hostnames; local setups often use self-signed certs or internal CAs until you wire a proper domain.

Prefer VPN over “naked” ports

Instead of opening a dozen services to the internet, many people run one VPN (WireGuard, Tailscale, etc.) into home, then access internal IPs as if they were on the LAN. Fewer attack surfaces, same convenience when done right.

Course recap

1. Module 1 — Home server & home cloud; owning data; Ethernet; Coffee Home overview.
2. Module 2 — LAN, IPs, DHCP, DNS, NAT.
3. Module 3 — Storage, sync vs backup, 3-2-1, encryption basics.
4. Module 4 — Ports, static HTTP, APIs, proxies, launcher metaphor.
5. Module 5 — Security mindset and safe exposure.