Published 2026-04-14 · 8 min read

The monthly homelab security checklist

Saturday morning, ninety minutes, coffee. This is the monthly routine that keeps a homelab from drifting into the "we'll get to it" swamp. Print it, bookmark it, set a recurring calendar event — whatever makes it actually happen.

Patching

• [ ] Every Debian/Ubuntu host: sudo apt update && sudo apt upgrade.
• [ ] Every RHEL/Fedora host: sudo dnf upgrade.
• [ ] Every Alpine host: sudo apk update && sudo apk upgrade.
• [ ] Container hosts: docker image pull every tagged image you run; restart services.
• [ ] Router / managed switch firmware: check vendor portal.
• [ ] IoT firmware: skim the major brands' release pages (TP-Link, Unifi, Home Assistant core).

CVE status review

• [ ] Run a fresh vulnerability scan against every enrolled host.
• [ ] Read the diff since last month — focus on HIGH/CRITICAL items.
• [ ] Cross-check against the live per-distro CVE trackers — Ubuntu 24.04, 22.04, Debian 13, Debian 12, AlmaLinux 9, Rocky 9. Anything in the "top recent critical" bucket that you don't have a remediation for is a follow-up for this month.
• [ ] For each unresolved finding: either patch, accept the risk with a note, or flag for hardware retirement.

SSH

• [ ] Review authorized_keys for every user on every host. Remove orphans.
• [ ] Verify sshd_config: PasswordAuthentication no, PermitRootLogin prohibit-password.
• [ ] Rotate your primary SSH key once per year — if that's this month, schedule it.

TLS

• [ ] Any cert expiring in the next 60 days? Renew now, don't wait for the auto-renewal edge case.
• [ ] Any TLS 1.0 / 1.1 still enabled? Disable.
• [ ] Weak signature algorithms (SHA-1, MD5)? Re-issue with SHA-256 or better.
• [ ] Any self-signed cert you forgot about? Either trust-pin it or rotate to a CA-signed one.

Firewall and exposure

• [ ] nmap your public IP from an off-net connection. Any port open you didn't explicitly forward?
• [ ] Audit the router's port-forward table. Any rule for a service that's no longer running?
• [ ] uPnP disabled or explicitly allowed only where needed.
• [ ] Admin UIs (Grafana, Portainer, Kibana, phpMyAdmin) are LAN-only or behind a VPN — never public.

Backups

• [ ] Latest backup timestamp < 7 days for anything you care about.
• [ ] At least one backup is off-site (B2, S3, Borgbase, rsync.net — anywhere not in your house).
• [ ] Restore a file from a backup. Actually do it. "I haven't tested my backups in months" is the canonical homelab admission.

Secrets

• [ ] Any .env, config.yml, or kubeconfig in a Git repo that's readable without auth?
• [ ] Any hardcoded API token in a public script or Dockerfile?
• [ ] Database default passwords (root/empty, postgres/postgres) still present anywhere?

Hardware + power

• [ ] Battery UPS: run a self-test if the unit supports it.
• [ ] Disks: smartctl -a /dev/sdX. Any reallocated sectors, pending, or uncorrectable counts? Plan replacement.
• [ ] Temperatures: sensors / Proxmox dashboard. Anything hotter than last month?

Documentation

• [ ] Update the "state of the homelab" notes file with anything that changed this month.
• [ ] List the services currently running. Anything you've forgotten about that can be retired?
• [ ] Write down the credentials needed to recover from a total loss — laptop, router, ISP account, domain registrar. Store in your password manager.

The meta-rule

The monthly checklist doesn't need to be perfect. It needs to happen. Ninety minutes of consistent attention beats six hours every six months, because the stuff in the list is easier to fix when there's one month of drift to undo, not six.

Noxen automates most of the scan-and-diff parts of this list nightly, so the monthly review becomes "read the diff report, apply the patches, check the boxes." That's the intent — less maintenance, more actual reviewing.