Zeek for Home Lab Forensics
Zeek (formerly Bro) turns network traffic into structured logs you can actually query. The IDS that doesn't shout — it documents. Setup and use in a home lab.
All the articles with the tag "security".
ModSecurity 3 is end-of-life and Coraza is the open-source successor — Go-native, faster, and friendlier. Here's the migration story and what actually changes.
Stop the .env-in-1Password dance. SOPS encrypts secrets per-key, age provides modern crypto, and git stores them safely. Here's how to ship it without footguns.
Passkeys finally killed passwords for real users. Here's what WebAuthn actually is under the hood, and how to roll passkeys out on your self-hosted services.
Native ZFS dataset encryption vs LUKS under your pool — which layer to encrypt at, performance trade-offs, key management, and raw send/recv.
Zero-trust access for SSH, k8s, and databases — HashiCorp Boundary vs Teleport compared on identity, session recording, and self-host fit.
Go beyond basic UFW rules — rate limiting, geo-blocking, application profiles, logging, and before.rules tricks for serious firewall hardening.
ENV bakes secrets into layers visible in docker history. Use BuildKit --secret, runtime vars, or .env files.
LinkedIn scans every visitor's installed extensions and sends the data to third parties without consent. Here's what they're looking for—and how to stop it.
Harden your home lab against real threats — SSH hardening, fail2ban, network segmentation, backups, and preparing for when things go wrong.
Scan your containers and dependency trees with trivy, grype, syft, and osv-scanner. Generate SBOMs and catch CVEs before a supply chain attack catches you.
OpenConnect replaces the bloated AnyConnect client on Linux. Run ocserv for a self-hosted Cisco-compatible VPN server — no 200MB installer required.