Mikelius

I’ve just use iptables rules which default block all docker containers any network access. I assign static ranges to those I permit access, though. It does occasionally throw me off when adding new services and not understanding why sometimes they don’t work right away, but I prefer it that way.

My response to the other person kind of explains some of the things I do to keep my devices secure. As for what it means to me: being able to control everything to be able to define level of access. I try to treat every device on my network as though it’s already compromised. How can I block the scope of the devices from spreading on the network? How can I limit the scope of damage for what’s available on the compromised device to a minimum? Heavy firewall configurations help limit the devices spread to. Encrypting private data such as contracts, government docs, etc into their own containers or partitions helps limit leaks. Alerts and dashboards on unexpected changes of any devices allows me to react quickly, of automation hasn’t already reacted for me.

You’re right in the fact I’m not going to look at millions of lines of code for many tools and such I use. It doesn’t mean I don’t look though. Being given the option to look at what I’m running is always better to me than not having it, in my opinion

I have template iptables/nftables rules on my devices on the network that I can just copy and paste to a machine to have a firewall that works (with tweaks specific to that device). With it I can tell it to send all logs of my choice through syslog-ng to my server just by installing it and telling it the destination, allowing me to have (already made) alerts and dashboards on every device on my internal network. My router runs Linux (openwrt) and allows me to do something other routers can’t do because I’m able to add a module into the kernel: permit switch-level firewall access. What this means is I don’t need (but do still have) VLAN to restrict traffic between devices. I can block firewall access completely at the router level before a device is tweaked to also add additional security (e.g. helps prevent my smart tv from probing every device on my network to gather information. Or if I purchase a malicious hardware online, it won’t know the rest of the network exists because the router doesn’t tell it unless I say it’s okay).

That’s firewall stuff. System security: can compile and modify the kernel to just the modules and such I want, lowering the scope of issues from a kernel level vulnerability. I can be very granular with file and directory permissions with a single command in the terminal. I can easily track file metadata changes down to just about anything you can think of with simple tools, like aide. Python scripts through cron and inotify can help me monitor when something sus happens on my machines.

Most of all this being done on Windows or Mac would require extra effort to work correctly, and not to mention probably cost money for software that can do the same but isn’t free. Also not entirely sure a router can be setup on either of those OS.

“I hate when people keep repeating the myth that Linux is more secure than X OS without any understanding of how much Linux gets exploited.”

Very few operating systems are secure out of the box. It’s up to the users to make it secure. It just so happens to be that Linux is the easiest to make secure, therefore I’ve always seen it as such when done right. Not to mention, I can know exactly how everything works rather than the blackboxes of Win or Mac.

Having a smart tv doesn’t mean you must use internet to utilize it. Mine is blocked from internet connectivity but connects to my media server on the local network. If anything, I prefer this so I don’t need an extra computer sitting in the living room and can instead use the same single media server my phones and computers do.

I bought a separate laptop and set it up with an encrypted password that both my wife and I know. It contains instructions on everything from my self hosted stuff to anything else related to my personal life that she would need. It’s 100% offline to keep it safe from a network compromise. This whole thing was especially important since I wanted to make sure my family could access all photos, calendar, contacts, etc for the last decade that are stored on my server.

It takes time to transfer everything to it (all in Obsidian) since it’s a brain dump… But it actually benefits me too. I’ve had a few times where I was like “how the hell did I set that up?” and had some instructions on there the helped lol.

Definitely recommend this to others to consider.

Interesting, I’ve never had this problem and have been using the auto upload for many years. I only use it for the photo taking, though. Any time I go through a phone cleanup and delete photos and videos, I’ll look at the folders I backup to on nc and actually go through them carefully to make sure everything was uploaded.

My install comes from f-droid so not sure if that’s something to do with it (unless yours is too).

I’ve got it setup automated on all my external domains, but trying to automate it on my internal-only domain is rather tedious since not only do I NOT want to open a port for it to confirm, but I have 2 other devices/services on the network not behind my primary reverse proxy that share the same cert.

What In need to do is setup my own custom cron that hits the hosting provider to update the DNS txt entries. Then I need to have it write and restart the services that use the cert. I’ve tried to automate this once before and it did not go so smoothly so I’ve been hesitant on wasting time to try it again… But maybe it’s time to.

What would be ideal is if I could allow it to be automated just by getting a one time dns approval and storing a local private/public key to prove to them that I’m the owner of the domain or something. Not aware of this being possible though.

I’d hesitate disabling it altogether, unless you’re absolutely certain nothing will need it. One suggestion I haven’t seen mentioned is looking at the other sysctl options that might be tweaked. Check with netstat how many of those connections are stuck in established, close wait, time waiting, etc. It’s possible you just need to lower the default values of things like nf_conntrack_tcp_timeout_established, for example. https://www.kernel.org/doc/html/latest/networking/nf_conntrack-sysctl.html - naturally, research anything you think you might want to change before you do.

Unnecessary rant: I actually just had to downgrade my 575(?) driver after spending a few days trying to troubleshoot a freezing laptop. One day I walked away when it happen and that actually gave me the logs I needed to find the Nvidia driver was freezing the machine and then spitting logs out after giving up 10 minutes later (but still keeping things frozen). Was driving me nuts, thinking my hard drive was seeing the light, even though all tests for it were passing with flying colors!

I’m hesitant to try this new version since I didn’t see anything in the changelog about freeze fixes lol.

Daily on my Gentoo server, through a Cronjob every morning. It’s a custom script though, so there’s more than just doing an emerge update. It’ll send me ntfy notifications for the update results, if there are new news items, and if there are any time config merge updates to make. A few other things as well but that’s the main stuff.

Other servers, typically weekly or only manually when I ssh into them (for the ones I don’t really feel the need to update frequently).

I use it for my media server and have been for a long time.

Tldr: started so I could learn and understand Linux, still use it since I’m comfortable with it and it’s familiar/fast for my needs.

How it started: I kept going back and forth between windows and Linux, but never truly understood Linux like I did Windows. I eventually decided that I should try to install a Linux distro from scratch and learn the entire process manually so that I could understand it at a strong level. Gentoo has some of the best, if not the best, documentation for this. After spending several days going through the entire install process to finally get that login screen and UI up and running, I had learned more about Linux in those few days than I did the previous 3 years. I wanted to keep going, so I kept it on that laptop and continued to learn and become way more efficient than even Windows.

Why I still use it, specifically for my media server: partly because I understand Gentoo more than any other distro I’ve used, so I’m extremely comfortable with it. But mostly because I know every little thing on my server. I never find things I don’t recognize, because I installed it. I made the explicit decision to all the software I installed on my system. And I truly do feel like I’m in absolute control of the entire thing, in and out. On top of this, it’s truly as high in performance as it sounds.

As I type this, my media server is running 76 docker containers (no, not 76 services), 4 of which are game servers I host 24/7 for friends, and I’m only using 32GB of memory. CPU is rarely, if ever, above 20% (12 core Ryzen). The need to upgrade is really far out there, so that just adds to my reasons to continue using it. That being said, I’ve never run something like a Debian media server with all the same stuff on it… It’s very possible it’s just as good, but I really don’t know. I’m too comfortable where I am to spend time finding out lol.

Add

PATH="${PATH}:~/.local/bin"

To your .zhrc or .bashrc (whatever you use) and either source the file or open a new terminal. Should be as simple as that (assuming +x permissions)

Rather than leave another long reply to read, I’ll leave my thoughts simple: if you have another computer you’re not using, try Linux mint and see if it fits your needs. If it’s too much and you can’t get the time needed to figure things out, 11 might be the choice (for now).

But either way, keep Linux on the second and learn a little bit as you get time to! :)

I’m not familiar with those two… But I’ve always been hunting for the perfect replacement.

I started with Nextcloud Deck and used it extensively until they got rid of my markdown support.

So then I tried taiga and a few others before landing on Wekan. Really great software, but the terrible API, horrible mobile support, and slow outdated UI drove me away…

Now I’m on Vikunja, which ironically doesn’t support markdown text. So I basically returned to square 1 with a better UI lol. I almost stayed on Wekan because of the checklist support, but the faster speeds, nice API, and slick UI in vikunja landed me here… for now.

If you go for btrfs, be careful going backwards on kernel versions.

I had upgraded my kernel on Gentoo, which also happen to include a btrfs update. Booted up and found the latest kernel didn’t like something about my full disk luks encryption with RAID mirror setup (for the root partition, and unrelated to btrfs), so I decided to go back to the previous kernel. Big mistake.

My entire root partition got corrupted to hell. It mounted read only at first so I decided to try to go through regular repair steps. It got worse. Got to an eventual step that someone said could take a few weeks to restore (forgot the commands). This isn’t an option for my server. So with snapshots broken, unable to use the old and now new kernel due to corruption from attempting to go back to a previous kernel, I had to restore with a full partition clone backup I had created prior to the kernel upgrade… Also went back to ext4 again afterwards.

Btrfs treated me really well for a few years, and snapshots and performance are great, but once it hits a hiccup, you might in a world of trouble. Don’t think I’ve ever run into such a thing with ext4 over the years, which is why I reverted to it - not saying it’s immune to such things, but this is just me.

Not sure if zfs would have such a dramatic situation, but maybe something to consider about btrfs if you ever decide you’ll need the ability to go back a kernel version due to whatever reason.

I’ve been using “passwords” on nextcloud for a few years now. Minimal issues with the app, moving apps, and browser extensions. Not perfect, but hey it’s self hosted and reliable.

My personal advice, secure it down to only permitting what needs it, regardless of your trust to the network.

Treat each device as if they’ve been compromised and the attacker on the compromised device is now trying to move laterally. Example scenario: had you blocked all devices except your laptop or phone to your server, your server wouldn’t have been hacked because someone went through a hacked cloud-connected HVAC panel.

I lock down everything and grant access only to devices that should have access. Then on top of that, I enable passwords and 2FA on everything as if it were public… Nothing I self host is public. It’s all behind my network firewall and router firewall, and can only be accessed externally by a VPN.