irmadlad
Incessant tinkerer since the 70’s. Staunch privacy advocate. SelfHoster. Musician of mediocre talent. https://soundcloud.com/hood-poet-608190196
- 6 Posts
- 35 Comments
I’ll probably get boo’d but NetData covers just about everything I could want to monitor, and then some. If you don’t want to hook up to the mother ship, you can use the /v3 switch in the url on your homarr dash, or equal like:
https://netdata.mycoolserver.duckdns.org/v3Also, as has been mentioned, ntopng is pretty awesome as well.
2·27 days agoso if any questions here seem dumb
Not dumb. I say the same, but I have a severe inferiority complex and imposter syndrome. Most artists do.
1 local backup 1 cloud back up 1 offsite backup to my tiny house at the lake.
I use Synchthing.
Don’t ever install WordPress, just let it die
I’ve never run wordpress, but it always fascinates me at the number of daily exploits that get released for WP. It seems to me that the core WP is solid, but it’s all the plugins that open up unintentional attack surfaces.
Hey bro. I apologize for getting back to you so late. Did you ever get this resolved? I’m not hugely knowledgeable about the intricacies of nginx. I went with Caddy, but there is probably some commonality between the two. lmk
From the guy that has been accused of going overboard on security measures, I use both. It just depends on your setup tho. On a low resource server, I would pick crowdsec as it covers more ground than F2B. Running two log parsers does use more resources. ~ my 2 cents
As you probably know the crowdsec bouncer doesn’t directly parse logs or do checks like F2B filters. It queries the crowdsec LAPI for decisions and applies them. The “allowed” or “whitelisted” IP logic is handled at the Security Engine or LAPI level, not by the bouncer itself.
You can whitelist an ip in
/etc/crowdsec/whitelists.yamlor even whitelist decisions in the whitelist.yaml as such:name: private-ips description: Whitelist local and private IPs whitelist: reason: "Allow local and private IPs" ip: - "127.0.0.1" - "192.168.1.0/24" cidr: - "10.0.0.0/8"Then issue
sudo systemctl reload crowdsec. Kind of the same concept as F2B’signoreipoption. If you are using Tailscale to administer the server, then it’s easier to whitelist. IIRC, you can usecscli decisions add --type whitelist --ip 192.168.1.100 --duration 1ybut it doesn’t add them to the whitelist.yaml. Instead it keeps them in crowdsec’s database managed by LAPI. To undo:cscli decisions delete --ip 192.168.1.100 --type whitelisthttps://docs.crowdsec.net/u/getting_started/post_installation/whitelists/
Hey, man you talkin’ back to me?
Social Media Reactions
Interesting article.
You gotta keep em separated!
For every technology there exists an equal, yet undoing technology.
Nothing. It’s just the whack way I like to keep things separated.
I use Readeck for ‘read it later’ type articles, things of interest. The downside of Readeck is that there is no one-click-easy way to back up your database if you want to move it to another server. You can, however go to /volume1/docker/readeck/ and download all the db files there manually which will allow you to move to another server. Make sure to grab the config.toml in the same directory. It has a Firefox extension as with most of these apps in it’s genre. Probably has a chrome extension but I avoid chrome.
I use Karakeep (Hoarder) for stuff I’ve looked up to try to solve issues, such as pages from Grok where I have inquired about certain problems I may have been having.
These little mini-racks are cool. I’ve seen a lot of them here of late.
works for everything–not just web traffic. SSH, file transfers, databases.
Yup. I use it for sftp, ssh. I’ve never used in relation to a database. Is that for remote db? I am working on routeing mail through tailscale to a relay, since my host, for whatever reason, blocks mail ports and charges to have them turned on. I just wanted alert emails from a couple apps.
May have to chown /var/lib/radicale/collections as well:
ls -ld /var/lib/radicale/collectionsIf the directory doesn’t exist, create it:
sudo mkdir -p /var/lib/radicale/collections sudo chown radicale:radicale /var/lib/radicale/collectionssudo chown radicale:radicale /var/lib/radicale/collections sudo chmod 750 /var/lib/radicale/collectionsAt least that’s what my notes say.
If a container uses Postgresql, you can’t auto update.
That’s interesting. I certainly will keep that in mind.
WATCHTOWER_LABEL_ENABLE=false
I am running Portainer 2.21.5, and the latest version is 2.27.4.
The rest:
These are the Watchtower logs so far. https://pastes.io/watchtower
I didn’t see anything remarkable other than the error for Netdata but I got that fixed:
NFO[30906] Found new netdata/netdata:latest image (6376ffeda44a) INFO[30940] Stopping /NETDATA (a18a3e3409f3) with SIGTERM INFO[30942] Creating /NETDATA ERRO[30942] Error response from daemon: the container-wide MAC address must match the endpoint-specific MAC address for the main network, or be left empty
How about a remote VPS?