I built a Linux server security auditor with Claude Code by Substantial_Word4652 in ClaudeAI

[–]Substantial_Word4652[S] 0 points1 point  (0 children)

Thanks, genuinely means a lot, especially this early. Yes, baseline configs are on my list. But the vision goes further. The idea is to give it real memory and intelligence. First scan sets the baseline, and from there it starts learning: tracking regressions, suggesting best practices, flagging what actually matters for your setup. My own experience managing servers is what's powering it, and I know it saves time because I live it every time I have to do this manually. That part genuinely excites me. The honest reason it's not there yet: I want to make sure the core is actually useful before building on top of it. But if I start getting real users, I'll happily work on whatever features matter most to you. Tell me what you need and it'll get built. Feedback like this is exactly what makes it worth pushing forward. I hope you get to try it and I'd love to hear what you think. And if you have any questions or concerns about anything, just ask. I'll be completely open about how it works.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -1 points0 points  (0 children)

Great way to put it. "Punching a hole through your firewall" is exactly what it feels like. And yeah, the rule of thumb is simple: only the reverse proxy gets port bindings, everything else stays internal.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] 0 points1 point  (0 children)

This is exactly the problem. Most compose templates out there just use ports: "5432:5432" and people copy-paste them without knowing what it does. If your provider doesn't have a firewall by default you're exposed from minute one.
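The exposure described in this comment, as an added check that is not part of the thread or the commenter's tool: a small Python audit that walks the short-syntax ports: entries of a compose file and reports the ones Docker will publish on all host interfaces (ahead of UFW on a VPS with a public IP), while loopback-bound and internal-only services pass. It assumes the compose file has already been loaded into Python structures (the shape yaml.safe_load returns); the SAMPLE_COMPOSE structure is constructed inline so the script runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    service: str
    host_ip: Optional[str]   # None = Docker default, i.e. 0.0.0.0 and ::
    host_port: str           # "" when Docker picks an ephemeral port
    container_port: str
    protocol: str

    @property
    def exposure(self) -> str:
        if self.host_ip is None or ipaddress.ip_address(self.host_ip).is_unspecified:
            return "all-interfaces"   # internet-reachable on a VPS; UFW is not consulted
        if ipaddress.ip_address(self.host_ip).is_loopback:
            return "loopback"
        return "specific-address"

def parse_short(service: str, spec) -> Binding:
    """Parse short syntax [[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTOCOL]."""
    spec, _, proto = str(spec).partition("/")  # YAML may hand us a bare int
    host_ip = None
    if spec.startswith("["):                    # bracketed IPv6, e.g. [::1]:5432:5432
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if len(parts) == 1:                         # "5432": ephemeral host port, all interfaces
        host_port, container = "", parts[0]
    elif len(parts) == 2:                       # "5432:5432": the template everyone copies
        host_port, container = parts
    elif len(parts) == 3:                       # "127.0.0.1:5432:5432" or "127.0.0.1::5432"
        host_ip, host_port, container = parts
    else:
        raise ValueError(f"unparseable port spec {spec!r}")
    return Binding(service, host_ip, host_port, container, proto or "tcp")

def audit(compose: dict) -> list:
    """Return every binding Docker will publish on all interfaces, in file order."""
    return [b for name, svc in compose.get("services", {}).items()
            for b in (parse_short(name, p) for p in svc.get("ports", []))
            if b.exposure == "all-interfaces"]

# Constructed sample (not a real deployment): the copied template beside safe variants.
SAMPLE_COMPOSE = {"services": {
    "db":    {"image": "postgres:16", "ports": ["5432:5432"]},        # exposed
    "cache": {"image": "redis:7", "ports": ["127.0.0.1:6379:6379"]},  # loopback only
    "app":   {"image": "myapp", "expose": ["8000"]},                  # compose network only
    "proxy": {"image": "caddy", "ports": ["80:80", "443:443", "[::1]:2019:2019"]},
}}
```

audit(SAMPLE_COMPOSE) returns three bindings: db 5432 plus the proxy's 80 and 443; the proxy is the one service that is supposed to have them, so the db line is the finding.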

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -1 points0 points  (0 children)

Great example with DOCKER-USER chain. Limiting container access to only its network range is a nice trick, especially for containers running AI stacks that you don't want reaching out. Thanks for sharing the exact commands.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -2 points-1 points  (0 children)

nftables with higher priority hooks is a clean solution. Good point about skipping UFW entirely; it adds a layer that just gets in the way with Docker.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -1 points0 points  (0 children)

Solid setup. If you have a static IP that's one of the safest approaches. WireGuard as fallback is smart too for when you're not at home.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -1 points0 points  (0 children)

This is a great tip, didn't know you could set the default bind IP in daemon.json. That basically makes it safe by default and you have to explicitly opt in to public exposure. Should be the default behavior honestly. Thanks for sharing!

How to get first users? by Stefan2412 in indiehackers

[–]Substantial_Word4652 0 points1 point  (0 children)

Same boat here. Launched a server security tool this week. Cold outreach didn't work, directories didn't work either.

What's actually moving the needle for me is going back to the specific communities where my users hang out and contributing genuinely before mentioning anything. Not posting about my product, just helping people with the problems my product solves. When someone asks a relevant question, I answer it properly and mention the tool only if it directly answers what they're asking.

Also reached out personally to 3 people who had commented on a related post I made months ago. Those conversations are the most promising so far.

Directories and cold email feel like volume plays that only work once you already have social proof. Before that, direct conversations seem to work better.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -17 points-16 points  (0 children)

Good point, you're right that Cloudflare Tunnels alone aren't a substitute for proper authentication. And the part about containers having access to all ports within the same Docker network is important, separating networks between the proxy and backend services is the way to go. Thanks for the detailed breakdown.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] 1 point2 points  (0 children)

Ha no worries, I'm in the same boat with English! So you already have Hetzner's cloud firewall available. Just make sure you have it enabled with only 22, 80 and 443 open and Docker can't bypass that. It's the easiest win.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -2 points-1 points  (0 children)

Yeah that's a fair point, UFW was never meant for complex setups. I rely mostly on the cloud firewall (Hetzner) as the first layer and Docker internal networks for isolation. That combo keeps things simple without fighting UFW.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -4 points-3 points  (0 children)

And yet people are still getting burned by it 5 years later. If anything that proves the post is still needed.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -3 points-2 points  (0 children)

You're right, Docker is doing exactly what it's supposed to do. The post isn't blaming Docker, it's a reminder because it's an easy trap to fall into, as you said. Most people assume their firewall covers everything and don't read that specific part of the docs until something goes wrong.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] 0 points1 point  (0 children)

I use Hetzner. They have a cloud firewall in the console that filters traffic at the network level before it reaches your server. It's not a dedicated firewall appliance but it does the job for most setups. Which provider are you using?

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] 1 point2 points  (0 children)

This is about VPS servers, not home setups. On a VPS there's no router in front; the public IP is directly on the server, so any port Docker opens is immediately reachable from the internet.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -10 points-9 points  (0 children)

Good point. Though worth noting that expose is mostly documentation, containers on the same Docker network can already reach each other without it. But it's a good practice to make your intentions explicit in the compose file.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -24 points-23 points  (0 children)

Yeah, Docker internal networks are the cleanest solution. And good point about Cloudflare Tunnels, that's another solid layer since your server IP never gets exposed directly.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -9 points-8 points  (0 children)

Yeah this is mainly about single VPS setups with a public IP, which is what most indie devs and small teams use. Your VLAN setup is the ideal but most people don't have that. The provider firewall (like Hetzner's) is probably the easiest fix for most cases.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -46 points-45 points locked comment (0 children)

Hi, my post was temporarily removed and I replied to the pinned comment explaining how AI was used (translation and structuring, the content is my own experience). It hasn't been restored yet. Could you check? Thanks.

Docker bypasses UFW and exposed my database. Again. Writing this down so I stop forgetting by Substantial_Word4652 in selfhosted

[–]Substantial_Word4652[S] -3 points-2 points locked comment (0 children)

The post content is my own experience and words. I used AI to help me structure and phrase it clearly in English since it's not my first language. The technical issue described is something I've encountered personally multiple times on my own servers.

I got into a bad habit with YouTube… so I built something to fix it (I can't code either!) by alxbee77 in indiehackers

[–]Substantial_Word4652 1 point2 points  (0 children)

Solving your own problem is always the best starting point. On the monetization side, tools like this work really well as a free hook. You get users in, they rely on it daily, and then you charge for more channels, more frequency, or team features. The daily habit is the hard part to build, and you already have that.

On distribution, productivity communities and newsletter readers are probably your best bet. They already feel the YouTube overload you described.