Any tips on hardening Umbrel’s Pi security? Can I use UFW, and if so, what ports does Umbrel need open? Fail2ban? My Umbrel is behind a router in a LAN with no ports open on the router to it; nevertheless, I am in the habit of hardening Pis whenever I use them.
None of those are necessary for Umbrel.
All traffic is behind Tor, so no ports need to be open in your router/machine.
Tor uses onion addresses for each Umbrel app (like being a port) without the need for any port.
Only in special cases, if you really want to use a Tor-to-clearnet reverse proxy, will more changes be necessary, but those are mostly for BTCPay and LNbits, and there are guides dedicated to that.
But for normal use as a BTC/LN node, that is enough, and you can connect all your mobile apps using the Tor onion address.
Thanks for the reply. It is understood that using onion addresses requires no open ports on the router, but what about on the node/Pi? While UFW may not be necessary for Umbrel while using the onion addresses, if I have some other apps running where UFW would be helpful for security, I just wanted to make sure that by using UFW, I wouldn’t accidentally prevent Umbrel from working. So, the question is: would blocking ports via UFW on my Umbrel node (not on the router) in any way hinder Umbrel from working?
The simple answer is NO.
You can play with UFW as much as you like, if you know what you are doing.
Just in case, to avoid using some of the Umbrel apps' ports, open your Umbrel from its local IP and open the apps one by one. You will see which port each one is using.
So note those ports as NOT to be used for the other apps you install on that machine and NOT to be opened in UFW (only if you really want it).
Actually you just gave me an idea to add to my Umbrel guides a list of all ports used.
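The port inventory described in the reply above can also be taken from the shell before writing any UFW rules. This is an added example, not part of the original thread or Umbrel's own tooling; it parses `ss -H -tln` output, and the sample lines and port numbers are constructed for illustration, not Umbrel's actual port list.

```shell
#!/bin/sh
# Added example: inventory listening TCP ports so that other apps and UFW
# rules do not collide with ports already in use on the node.

# Constructed sample of `ss -H -tln` output (made-up ports, not Umbrel's list).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 4096 [::]:3005 [::]:*
LISTEN 0 4096 *:8080 *:*'

# listening_ports: read `ss -H -tln` lines on stdin and print "PORT SCOPE",
# where SCOPE is "loopback" (only reachable from the node itself) or "lan"
# (bound to an address other hosts can reach, so a UFW rule matters).
listening_ports() {
  awk '{
    addr = $4                          # local address:port column
    n = split(addr, parts, ":")
    port = parts[n]                    # port is the text after the last colon
    host = substr(addr, 1, length(addr) - length(port) - 1)
    scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "lan"
    print port, scope
  }' | sort -u | sort -n
}

# port_in_use PORT: exit 0 if PORT is already listening (ss output on stdin).
port_in_use() {
  listening_ports | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Demo on the constructed sample; on a real node feed it live data instead:
#   ss -H -tln | listening_ports
printf '%s\n' "$SAMPLE_SS" | listening_ports
```

Ports reported as `loopback` are not reachable from the LAN regardless of UFW; the `lan` entries are the ones to account for when adding deny rules or picking a port for another app.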
Thanks. A list of all ports used by Umbrel would be perfect for helping us avoid any conflicts with other apps.
Yes, I am planning to extend this getting started guide for Umbrel to a larger manual. I will add there the ports for apps.
@DarthCoin One more request, if possible, for your “getting started guide”. I am wondering about the best ways to share my Umbrel node with family and friends. I am aware of Specter Desktop, which allows me to create other user accounts for cold/hardware wallets. But my question is regarding on-chain hot wallets (not the Lightning wallets). Can I allow friends to use the Wallet connect info for a specific wallet to use my node for checking for on-chain transactions? Is it a security risk, or could it cause confusion for my transaction records? I am assuming hot wallets are just connecting to the Umbrel node to watch for transactions and confirmations, but are not saving info on the Umbrel node. Is this correct for all those wallets available in the connect wallet area?
Here you have another 2 guides that you can use: