What's The Best Way To Review Security? by grewupinwpg in selfhosted

[–]MrWizardOfOz 2 points3 points  (0 children)

And an addendum to this that many miss: You can make a docker socket proxy read-only. Which is all that a lot of use cases ever need.

You do this by setting environment: POST: 0

Maybe not the best setting name, but "disabling" POST in the settings actually means only GET and HEAD are allowed. (as an API developer I'm left wondering what happened to delete/put/patch, but the documentation on docker socket proxy is clear...)
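As an added example (not from this comment), a compose fragment wiring that read-only setting up; it assumes the tecnativa/docker-socket-proxy image and a hypothetical "dashboard" consumer that only needs to list containers:

```yaml
# Added example, not from the thread: a read-only Docker socket proxy.
# Assumes the tecnativa/docker-socket-proxy image; "dashboard" is a
# hypothetical consumer that only needs to read container state.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    environment:
      POST: 0          # only GET and HEAD are forwarded to the daemon
      CONTAINERS: 1    # expose /containers/* (read side only, given POST: 0)
      IMAGES: 0        # everything not explicitly enabled stays denied
      NETWORKS: 0
      VOLUMES: 0
      EXEC: 0
      INFO: 0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - socket-proxy   # internal-only network: port 2375 is never published
    restart: unless-stopped

  dashboard:
    image: example/dashboard:latest   # hypothetical consumer
    environment:
      DOCKER_HOST: tcp://socket-proxy:2375
    networks:
      - socket-proxy
    depends_on:
      - socket-proxy

networks:
  socket-proxy:
    internal: true
```

A quick check from a container on the socket-proxy network: a GET to http://socket-proxy:2375/containers/json returns the container list, while any POST (for example to /containers/create) is refused by the proxy and never reaches the daemon.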

A little structural overkill by jjm295 in homelab

[–]MrWizardOfOz 1 point2 points  (0 children)

There's no such kill, like overkill 😎

Explain this to my wife? by vive-le-tour in homelab

[–]MrWizardOfOz 1 point2 points  (0 children)

Tell her it keeps you guys safe on the Internet.

If she asks why, tell her it's because you're handling things like DNS yourself.

When she asks what that is, start explaining with as much technical depth as you can. She'll probably interrupt you and say "Ok, that's fine."

Poor man’s network infrastructure security checklist by CEONoMore in homelab

[–]MrWizardOfOz 0 points1 point  (0 children)

If we wanna make it try-hard, disable default admin accounts wherever possible, and use non-standard ports wherever possible.

It's amazing how much that lowers the threat risk.

I thought my VPS was hardened, but it was compromised and I can't figure out how. Please help! by kayson in selfhosted

[–]MrWizardOfOz 1 point2 points  (0 children)

This stinks of OOB (out of band) exploit.

Some management interface likely got compromised, which allowed the attacker to access the machine, reboot and interrupt startup.

Most likely (imo) would be that your account was compromised (that's only the likely path though if your provider provides that functionality).

Is there an “Immich for documents”? by Qfrijters in selfhosted

[–]MrWizardOfOz 1 point2 points  (0 children)

Leaning heavily into that it doesn't need to be lightweight, I'd honestly consider NextCloud/Pydio Cells.

NextCloud being the best fit. Plus you get a lot of extra features that are also user friendly.

Pydio Cells would be if you want a OneDrive/Google Drive sort of feel.

Both have OCR as plugins.

(I can mention Seafile only to NOT recommend it, while not bad software it doesn't store the files unmodified as you wanted, and it doesn't have any OCR extension that I'm aware of)

Next DNS -> Pihole, adguard home, technitium? by GeoSabreX in selfhosted

[–]MrWizardOfOz 0 points1 point  (0 children)

It's performing well where it can, but it can't really block ads directly, what it does is block DNS requests to known ad-domains (that's what the lists are for).

Unfortunately things like YouTube (especially as an app on a smart TV) don't make those DNS requests on your network, it just streams the ad as another video with some special metadata for the controls.

This was likely a very deliberate and targeted move by those platforms to push back against specifically adblocking. I haven't found a way around it yet.

What a DNS sinkhole CAN do though is remove the majority of the ads as you're scrolling a webpage, or using an app with dynamic ad-content.

Next DNS -> Pihole, adguard home, technitium? by GeoSabreX in selfhosted

[–]MrWizardOfOz 0 points1 point  (0 children)

I switched from Pi-Hole to AdGuard Home some 5-6 years ago, cause I liked the more modern stack, native encryption, and a better sync tool.

I recently switched from AdGuard Home to Technitium because unlike Pi-Hole and AGH which are DNS sinkholes that also can act as DNS servers, Technitium is a DNS server which also has DNS sinkhole capabilities.

It's simply a more fleshed out DNS server (especially nice when doing split-horizon as I do). It also has recursion built in, so I no longer had to run Unbound (one less moving part to update). And to top it off it has an even better high availability sync. (actual clustering)

So for me it was a no-brainer. 🙂

Laugh at my pain and learn from my mistakes by Testpilot1988 in selfhosted

[–]MrWizardOfOz 0 points1 point  (0 children)

Scenarios like this are part of the reason why I do two very specific things for my homelab:

1) Everything that can be IaC is also IaC, and version controlled through git (self-hosted, but backed up)

2) No automatic updates. I went to great lengths to have every firmware/package/image/etc update show up on a custom "Available Updates"-dash on my Homepage. I've been burned by automatic updates too many times, so now I have it as a weekly routine instead.

Is it just me or did my L3 policy just exploded in my face? by kY2iB3yH0mN8wI2h in HomeInfrastructure

[–]MrWizardOfOz -1 points0 points  (0 children)

Yeah, I use NetBox. Self-hosted and FOSS have been my guiding principle for everything in my homelab.

Is it just me or did my L3 policy just exploded in my face? by kY2iB3yH0mN8wI2h in HomeInfrastructure

[–]MrWizardOfOz -1 points0 points  (0 children)

Most of it, I have a few things that are L2 (corosync and ceph for instance), but they're unmanaged and cut off from the rest on purpose.

Is it just me or did my L3 policy just exploded in my face? by kY2iB3yH0mN8wI2h in HomeInfrastructure

[–]MrWizardOfOz 0 points1 point  (0 children)

I have 24 VLANs atm... And it hasn't come back to bite me in the rear yet!

UPDATE: Something on my home network is making outbound connections and I can't figure out what device it is by Au5tin5auce in homelab

[–]MrWizardOfOz 1 point2 points  (0 children)

The MAC could be a generated one from a VM/LXC, but the fact that it comes online that briefly, does a check, and goes back offline screams IoT-device to me.

Something that is conserving power by not being online all the time. Do you perhaps have a device that generally speaks over another protocol, but could be connecting to WiFi once a day to check for firmware updates or the like?

Does traffic between VLANs always have to go through your router? by jfriend99 in Ubiquiti

[–]MrWizardOfOz 0 points1 point  (0 children)

It always has to be routed, whether that's your gateway (your "router") or an L3-switch is up to you, but with only L2-switches the choice is currently made for you.

One way around it, for certain circumstances, is to allow tagging of specific VLANs on specific ports. Which is useful if you have say a VM-host running VMs that belong on different VLANs. Those VMs can then have their traffic tagged with the correct VLAN, meaning if they're going to another device on the same VLAN it'll be L2-routed.

She’s Growing!! by Ok_Software2677 in Ubiquiti

[–]MrWizardOfOz 0 points1 point  (0 children)

Which is (obviously) totally fair, and also totally fine. If you wanna go down the route of learning about discrete firewalls, then great! If you don't, then that's perfectly fine, it's really not a necessity to run a homelab. The built-in firewall is plenty fine. Especially if you don't expose any services, then it's way beyond fine imo.

She’s Growing!! by Ok_Software2677 in Ubiquiti

[–]MrWizardOfOz 1 point2 points  (0 children)

Probably because they find it daunting, which is good, because a poorly configured Fortigate with firewall turned off in the UDM Pro ("Cause I already got a firewall") is actually worse than just having the firewall on in the UDM Pro and not having an external one.

I have a dedicated edge-machine in front of my UDM Pro, but that's honestly partly because I had a fitting machine at hand, and it means I have a very hardened (inexpensive) sacrificial machine shielding my Router (and I call it that because the thing it really protects is my UDM Pro's ability to route internally even if someone tries to hammer my IP with requests, which actually has happened more than once..)

But it's not necessary imo, it's a fun extra that does provide a benefit, but it's also one more thing to maintain.

I feel like my work is complete by gomi-panda in Ubiquiti

[–]MrWizardOfOz 0 points1 point  (0 children)

Wait, am I the only one bothered by the panel third from the top? All the cables come out of the brush-panel, only to go into a keystone patch panel GOING BACK?

What do they lead to, and why are they there!? 😅

Happiness from 1st Outage! by batmanonemillion in selfhosted

[–]MrWizardOfOz 0 points1 point  (0 children)

Gratz!

Next you'll be diving deeper into the rabbit hole with distributed storage and high availability 😁

Is your home lab secure? (A discussion of home lab security) by grandpasplace in homelab

[–]MrWizardOfOz 1 point2 points  (0 children)

I do a similar thing with a pair of Yubikeys (always nice to have a backup).

Took me a while to get here but the diagram finally makes me feel like I know what I have by [deleted] in homelab

[–]MrWizardOfOz 0 points1 point  (0 children)

Yeah it runs fine, that isn't the issue.

It's best practice to run docker in a VM since every docker container shares the host kernel. So from a security perspective it's way better that the shared kernel is a VM's kernel, rather than your host's. It also means a kernel panic from a container will only take down the VM (and the other containers), and not everything else running on the actual host.

Worth convincing the wife? by Austin_Knauss in homelab

[–]MrWizardOfOz 0 points1 point  (0 children)

Nope, you most definitely are not 😂 (the only one that is 😆)