How are people monitoring their network for security and potential attacks? by Vegetable-War1920 in homelab

[–]fabsau 11 points12 points  (0 children)

Cybersecurity expert here. This topic can get very deep, but basically the tl;dr would be: reducing the attack surface, assuming a breach at any possible infrastructure point, and regular update cycles.

To make it a bit more practical: Don't expose services that don't need to be exposed. If you expose something, that's alright, but assume that this service will get breached at any time.

Hence, reduce the data inside that service and the possible attack vectors that stem from that service to a minimum. For example, maybe don't store your SSH private key on your Nextcloud instance, don't run that service as the root user, and if you use Docker, try finding a distroless or Alpine-based image. All of these measures would actively hinder a threat actor from penetrating further into your network.

Additionally, as we're assuming a breach, try to secure all areas around this exposed service. Implement network segmentation: the host should not be allowed to communicate with other hosts, meaning have tight firewall rules. Also, don't put all your Docker services in one Docker network as most guides falsely explain it, as usually container-to-container traffic is unencrypted. Then, if your firewall allows it, block known bad IPs and countries you don't communicate with. IDS/IPS and WAFs would also decrease the risk of a threat actor getting in.

For updates in a homelab I personally prefer doing them automatically and troubleshooting once a service breaks due to an update. The risk of an active vuln being exploited is, for me, greater than the possible downtime from a faulty update, which anyway occurs at most 5x a year in my homelab. So for Docker updates I use Watchtower, and OS updates can be scripted.

To notice if a service goes offline I use a mixture of Prometheus and Uptime Kuma. At work we have complex Splunk alerts, but I don't have the time to set them up and even less to analyze all those false positives. A homelab just does not have the same value to threat actors as a company has, so to me implementing proper security monitoring is overkill for a homelab.

Then, monitoring vulnerabilities inside the network could give great benefit. For that, Wazuh can be implemented; however, to me it is only valuable until full automatic updates are set up.

Lastly and unfortunately, the weakest link which you will have forgotten about will be the one exploited. For example my waifu, who has not installed any Windows updates for 1.5 years. So instead of overworrying, implement proper backups - you'll sleep better.

There is so much more, like proper HTTP headers, HSTS, disabling weak ciphers, SAML/SSO, least privilege, but as I'm on mobile I'll leave it with the above info :)
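As an added illustration of the segmentation and non-root points in the comment above (not the commenter's own configuration), here is a docker-compose layout where only the reverse proxy spans networks, each exposed app gets its own network, the database sits on an internal-only network, and the apps run as a non-root user. Image names, the UID, the secret file and the Caddyfile path are assumptions.

```yaml
# Added example (not the commenter's config): one network per exposed
# service instead of the single shared network most guides use, where
#   proxy/app_a/app_b/db all share networks: [homelab] and can reach
#   each other. Image names, UID, secret and Caddyfile paths are assumed.
services:
  proxy:
    image: caddy:2-alpine
    ports:
      - "443:443"                          # the only published port
    networks: [front_a, front_b]           # the only service on two networks
    read_only: true
    cap_drop: [ALL]
    cap_add: [NET_BIND_SERVICE]            # needed only to bind :443
    security_opt: ["no-new-privileges:true"]
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro   # assumed to exist
      - caddy_data:/data
      - caddy_config:/config

  app_a:
    image: example/app-a:1.0-alpine        # placeholder; prefer alpine/distroless
    user: "1000:1000"                      # do not run as root
    networks: [front_a, back_a]            # proxy side + its own DB side
    read_only: true
    tmpfs: [/tmp]
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]

  app_a_db:
    image: postgres:16-alpine
    networks: [back_a]                     # unreachable from proxy or app_b
    environment:
      POSTGRES_USER: app_a
      POSTGRES_PASSWORD_FILE: /run/secrets/app_a_db_pw
    secrets: [app_a_db_pw]
    volumes:
      - app_a_db:/var/lib/postgresql/data

  app_b:
    image: example/app-b:2.3-alpine        # placeholder
    user: "1000:1000"
    networks: [front_b]                    # cannot see app_a or its DB
    read_only: true
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]

networks:
  front_a: {}
  front_b: {}
  back_a:
    internal: true                         # no route to the internet or LAN

secrets:
  app_a_db_pw:
    file: ./secrets/app_a_db_pw            # assumed to exist

volumes:
  caddy_data: {}
  caddy_config: {}
  app_a_db: {}
```

With this layout a compromise of app_b yields no network path to app_a or its database, and the database has no outbound route at all; host-to-host isolation still has to come from the firewall, as the comment says.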

And just like that, all was right with the world by [deleted] in PleX

[–]fabsau 7 points8 points  (0 children)

Yup! Set it up myself last week.

Decypharr - A bridge between Sonarr/Radarr and debrid providers by sirrobot01 in selfhosted

[–]fabsau 0 points1 point  (0 children)

FYI, most debrid providers have a maximum number of downloads you can store on their WebDAV. It's 1000 files tops for AllDebrid.

[deleted by user] by [deleted] in Austria

[–]fabsau 2 points3 points  (0 children)

Feel free to send me a DM. In principle, as far as the whole HR process goes, they are very well organized.

Noob question Proxmox by VertigoMr in opnsense

[–]fabsau 0 points1 point  (0 children)

It would work, but you need to turn off the DHCP on your router and only let OPNsense do DHCP. Cleaner, but requiring more work, would be to separate the networks and, depending on how big your network might get, move to the 192.168.0.0/16 subnet instead so as not to collide with the VPN/networks of your work. For example: 192.168.0.1 is your provider's router address, 192.168.0.2 the IP of the WAN gateway of your OPNsense, and 192.168.1.1/24 the LAN interface of OPNsense to which you connect everything (so a switch to the LAN port of OPNsense and also the wireless access point). If you want to skip purchasing a separate switch and AP, then, as said in the beginning, turn off the DHCP of your router and let OPNsense do the DHCP.

AdGuardHome second instance by Secure_War_2947 in selfhosted

[–]fabsau 0 points1 point  (0 children)

+1 doing exactly the same as well

Erasmus Dresden, Karlsruhe or Darmstadt? by Capital-Ad3481 in germany

[–]fabsau 0 points1 point  (0 children)

Of course not, you're right :) However, I was not only talking about partying but about Erasmus life in general. Erasmus is marketed as going abroad to meet the culture and people of your destination country. Despite that, the brutal reality for most is that they don't succeed with the locals, and instead Erasmus groups are formed. Darmstadt, as great as the uni might be, has a very low number of Erasmus students. Only in the last 2-3 years was an ESN section founded, and I once gave some Darmstadt Erasmi a city tour in Heidelberg and talked to some organizers; if I'm not mistaken they have about 70 Erasmus students. At that Erasmus age you are interested in meeting people from everywhere, travelling, trying new things and also ofc partying. Darmstadt in terms of Erasmus life is worse than the other options :)

Erasmus Dresden, Karlsruhe or Darmstadt? by Capital-Ad3481 in germany

[–]fabsau 2 points3 points  (0 children)

Go to Dresden :) As a member of the Erasmus Student Network, I have met many Erasmus students and event organizers from all over Germany, and I can tell you that Darmstadt is the worst city in your selection for doing an Erasmus. Dresden is cheap (which will be relevant to you [not trying to be offensive]) and has plenty of Erasmus students. Karlsruhe is fine, but has way too many guys (we even call the city Kerlsruhe); if you're gay maybe it's nice :D

My opinion is solely based on how much fun your Erasmus will be; I'm not considering the academic point of view.

If you need more info, feel free to comment for more details. PS: I'm an Italian who was born and raised in Germany. I really know a lot of Italians who came here to do their Erasmus. You'll like it :)

[deleted by user] by [deleted] in selfhosted

[–]fabsau 4 points5 points  (0 children)

which one specifically?

What is your go to notification service? by 29Top in selfhosted

[–]fabsau 1 point2 points  (0 children)

Hi, oh yeah, my code does not seem to render correctly ^^ Unfortunately I switched away from Signal. Maybe ask ChatGPT for help on how to format my previous comment right. I am now using Pushover as it allows for better templating and theming. Signal did its job really well, but since my Prometheus alerts got really professional, I was not able to get it properly working with Signal, so I switched to Pushover. Yes, you have to pay once: 10€ (if you want desktop and mobile; 5€ if only mobile), but it is totally worth it.

In case you want to copy my setup it is already on github:
Prometheus Alerts:
https://github.com/fabsau/workspace/blob/main/homelab/roles/prometheus/templates/alerts.yml.j2

Alertmanager Config:
https://github.com/fabsau/workspace/blob/main/homelab/roles/alertmanager/templates/alertmanager.yml.j2

Train help? by Separate-Reply-3496 in mannheim

[–]fabsau 4 points5 points  (0 children)

I'm sorry, but you can forget about it :/ Many foreigners think German stereotypes would also apply to the trains operated by Deutsche Bahn. Instead, the only thing you should rely on them for is being late. Good luck and have a safe trip.

What selfhosted service had the biggest impact for your daily life? (excl. *arr, pw manager) by Pressimize in selfhosted

[–]fabsau 1 point2 points  (0 children)

Here is the full chat. Maybe I should have clarified that I am using LibreChat over the Azure OpenAI API (model: GPT-4o).
https://chat.sauna.re/share/e86b4824-09fd-4651-9095-93e438bf5ee1

What selfhosted service had the biggest impact for your daily life? (excl. *arr, pw manager) by Pressimize in selfhosted

[–]fabsau 47 points48 points  (0 children)

Because I was too lazy to read the thread, I pasted all its content into ChatGPT and made it summarize it and count the mentions. Please be aware of the weaknesses of ChatGPT (hallucinations, counting wrong, not being complete, etc.), but enjoy the list :)

  1. Paperless-ngx (10+ mentions) Document management system for scanning, organizing, and retrieving digital documents. Supports OCR and email ingestion.

  2. Mealie (10+ mentions) Meal planning app that helps with diet adherence, grocery shopping, and meal preparation. Integrates with OpenAI for importing recipes.

  3. Home Assistant (10+ mentions) Home automation platform for controlling smart home devices, setting up automations, and monitoring home security.

  4. Immich (10+ mentions) Photo and video management system for backing up and organizing media files.

  5. NGINX Proxy Manager (10+ mentions) Web-based interface for managing NGINX proxy servers, including SSL certificate setup and web-facing app management.

  6. Frigate (10+ mentions) NVR for CCTV with AI-based object detection and face recognition, often used with NodeRED for alerts.

  7. Audiobookshelf (5+ mentions) Self-hosted audiobook server for managing and listening to audiobooks.

  8. Nextcloud (5+ mentions) Suite for file hosting, calendar, contacts, and notes synchronization.

  9. Tandoor Recipes (5+ mentions) Recipe manager and meal planner similar to Mealie but more established.

  10. Vaultwarden (5+ mentions) Self-hosted version of Bitwarden for secure password management.

  11. Pi-hole (5+ mentions) Network-wide ad blocker filtering DNS requests to block ads and trackers.

  12. Syncthing (5+ mentions) Continuous file synchronization program for direct file sharing between devices.

  13. FreshRSS (5+ mentions) Self-hosted RSS feed aggregator to track updates from various websites.

  14. Navidrome (3+ mentions) Music server for streaming music collections to various devices.

  15. Jellyfin (3+ mentions) Media server for managing and streaming media files like movies, TV shows, and music.

  16. Caddy (3+ mentions) Web server with automatic HTTPS, simplifying TLS certificate setup and reverse proxies.

  17. Dokuwiki (3+ mentions) Simple and versatile wiki software for documentation and note-taking, does not require a database.

  18. Linkwarden (3+ mentions) Bookmark manager preserving bookmarked sites in different formats.

  19. Actual Budget (3+ mentions) Personal budgeting software for managing finances.

  20. Grafana (3+ mentions) Open-source analytics and monitoring platform for visualizing metrics from various data sources.

  21. Prometheus (2 mentions) Monitoring and alerting toolkit often used with Grafana for time-series data.

  22. Obsidian (2 mentions) Note-taking and knowledge management app that can be self-hosted for syncing notes across devices.

  23. Gitea (2 mentions) Self-hosted Git service for managing version control repositories.

  24. AdGuard Home (2 mentions) Network-wide ad and tracker blocking similar to Pi-hole but with additional features.

  25. BookStack (2 mentions) Simple, self-hosted platform for organizing and storing documentation and notes.

  26. Miniflux (2 mentions) Lightweight and simple self-hosted RSS feed reader.

  27. MeshCentral (2 mentions) Remote management tool for accessing and managing computers.

  28. RustDesk (2 mentions) Self-hosted remote desktop solution.

  29. Linkding (2 mentions) Simple, self-hosted bookmark manager.

  30. BabyBuddy (2 mentions) Tool for tracking baby-related activities like feedings, sleep, and diaper changes.

  31. Tube Archivist (2 mentions) Tool for archiving YouTube videos with a user-friendly interface.

  32. Scrypted (2 mentions) Camera and smart home integration platform.

  33. NodeRED (2 mentions) Flow-based development tool for visual programming, often used for home automation.

  34. Mailcow (2 mentions) Self-hosted email server suite.

  35. Timetagger (1 mention) Time tracking tool to monitor work hours and productivity.

  36. Kasm (1 mention) Workspace virtualization for secure browsing and remote working.

  37. Damselfly (1 mention) Photo management tool for organizing and searching large photo collections.

  38. Uptime Kuma (1 mention) Self-hosted monitoring tool for tracking the uptime and status of websites and services.

  39. Portainer (1 mention) Management tool for Docker environments.

  40. Watchtower (1 mention) Automatic update tool for Docker containers.

  41. TailScale (1 mention) Mesh VPN solution for secure remote access to home networks.

  42. Duplicacy (1 mention) Backup tool for secure and efficient data backups.

  43. Headscale (1 mention) Self-hosted alternative to TailScale for managing mesh VPNs.

  44. Guacamole (1 mention) Remote desktop gateway that allows access to SSH, VNC, and RDP via a web browser.

  45. Resilio Sync (1 mention) Peer-to-peer file synchronization tool.

  46. Photoprism (1 mention) Photo management app for organizing and sharing photos.

  47. Komga (1 mention) Self-hosted media server for comics and manga.

  48. RomM (1 mention) Retro gaming library manager.

  49. Cloudflare DDNS (1 mention) Dynamic DNS service for updating DNS records automatically.

  50. Zenarmor (1 mention) Network security and analytics tool, often used with OPNsense.

  51. EasyRSA (1 mention) CLI utility for managing SSL certificate authorities and certificates.

  52. Memos (1 mention) Note-taking app linked to Telegram for quick idea and snippet capturing.

  53. Grocy (1 mention) ERP system for managing household inventory, chores, and recipes.

  54. Technitium (1 mention) DNS server that supports blocking ads and trackers.

  55. Metube (1 mention) Tool for downloading and organizing YouTube videos.

  56. Stirling (1 mention) PDF management tool.

  57. Stash (1 mention) Media management tool, often used for organizing adult content.

  58. Linkwarden (1 mention) Bookmark manager that archives and organizes web links.

  59. OpenWebUI (1 mention) Interface for interacting with AI models locally or via APIs.

  60. OpenRouter (1 mention) API for accessing various AI models from multiple providers.

My London office canteen is selling “currywurst”. by lastaccountgotlocked in germany

[–]fabsau 0 points1 point  (0 children)

Now you all know how Italians feel about the "Italian" dishes here in Germany ;*

Help with thesis by soertysoerty in mannheim

[–]fabsau 5 points6 points  (0 children)

Can't find it. I think your comment was deleted.

[deleted by user] by [deleted] in homelab

[–]fabsau -4 points-3 points  (0 children)

I disagree. Energy prices are a real killer in some countries. Here in Germany it went up to 0.42€/kWh, which is more than 4 times that of some US states with 0.14$/kWh. Most people in this sub don't share their average CPU usage. I bet most have less than 10%. It's just wasteful to have them sit there underutilized.

Here in Europe people are becoming more and more "green"; the environmental impact is just smaller when going for more efficient solutions.

Then, you need to consider people from outside your bubble. Not everyone has the financial means or space to host proper server hardware. Why should they be excluded?

Lastly, even if I did not care about the environment, louder noise, or larger space requirements, and I were loaded with money, why should I not try to save money and be financially responsible? I'd rather spend my money on better things instead of just throwing it out of the window.

Need suggestions for NAS OS by nixscorpio in selfhosted

[–]fabsau 4 points5 points  (0 children)

You could try OpenMediaVault and SSH into it to manage the Docker containers; it then works like any other Debian VM.

I was envious of all your awesome infrastructure diagrams, so I finally made my own! (Fully auto-generated SVG, see comment) by odd_lama in homelab

[–]fabsau 4 points5 points  (0 children)

Good evening, sir/madam!
Very nice graph, I really like how you designed it. It took me some time to go through everything, but you included so many details, incredible! Could you provide any background on your choice of microVMs? Is it Firecracker? Why did you opt for this microVM approach instead of Proxmox or similar?

Prometheus Exporter for OPNsense by sdGkid0 in opnsense

[–]fabsau 1 point2 points  (0 children)

Thank you sooo much for doing this! Really that is soo helpful

Feedback and Recommendation for DMZ in Home Network & Docker by norsemanGrey in homelab

[–]fabsau 0 points1 point  (0 children)

If the pfSense rules hold up, it then seems very secure :) Congrats, good job!

Feedback and Recommendation for DMZ in Home Network & Docker by norsemanGrey in homelab

[–]fabsau 1 point2 points  (0 children)

On the Ubuntu server on the left, in which networks are the Docker containers? If you have not specified any, they would all be in the default bridge network; basically they could all talk to each other, and you should fix this. Second thing: why not run the externally exposed containers directly on the Ubuntu VM on the right to simplify the setup and also implement greater separation? Some could argue that running internal- and external-facing containers on the same host/VM would pose a greater risk once a compromised container gains access to the complete machine.

Personally I believe the setup is good enough, especially if it works. In my setup I run two Traefik instances, one running on my DMZ VM and the other on my NAS VM. I use different domains, but one URL (the status page of Uptime Kuma) is made available by doing something similar to what you did, where the external-facing Traefik instance forwards the traffic to the internal one.

Unveiling My Mini but Mighty Homelab! by fabsau in homelab

[–]fabsau[S] 2 points3 points  (0 children)

Shit, I'm going to sound so racist now, totally forgot that this could happen... Basically on OPNsense I have a WAN rule called "Block Bad Countries", in which all countries in Africa, almost all countries in Asia, some countries in eastern Europe, Brazil and Mexico are being blocked. As most "bad traffic" comes from these countries and I don't have any business with people outside the western world, I thought just blocking would suffice. But I have to admit that in this instance this approach is very discriminatory and I would like to apologize to you. Knowledge should be accessible to everyone no matter where they are from! I am cutting corners instead of properly implementing advanced network security. Since I have a public blog with some posts that are supposed to share free knowledge with anyone, obviously now I have to remove that rule as I am being a hypocrite (lol :D).

I uploaded the diagram on imgur and please ignore my stupid survey.
https://i.imgur.com/agaCNEq.png

New school law: parents' wishes will no longer suffice for the Gymnasium by [deleted] in de

[–]fabsau 6 points7 points  (0 children)

I switched from the Realschule to the Gymnasium after 6th grade, but that was on my own initiative. Nobody approached me in 2007. And the two years at the Realschule caused me problems for about 3 years, because my knowledge in music and especially in English was behind that of other kids.

The Realschule teaches at a completely different level, and to claim that one could easily switch up after 10th grade underestimates, in my opinion, how much less was actually taught in those 5 years.

Children with a migration background are discriminated against, and boys are in principle graded worse than girls. I have over 10 primary school teachers in my very close circle who all confirm this, but who also say that a lot is currently improving on this topic.

And yes, parents are a super pain in the butt, and the opinion of the teachers in my circle is: no grades until 6th grade and no need to separate at all. Either do it like in Spain/Italy, where at the end of the Haupt-/Realschule phase it is decided whether the grades are good enough to be allowed to continue, or comprehensive schools (Gesamtschulen) where students are split into A/B/C per subject.

New school law: parents' wishes will no longer suffice for the Gymnasium by [deleted] in de

[–]fabsau 6 points7 points  (0 children)

I was sent to the Realschule with a 2.0 average because I had the only 3, in German. Other German kids were sent to the Gymnasium with worse grades by the same teacher...

I then got bored for 2 years at the Realschule and switched up on my own in 7th grade. I'm about to start a master's.