Topic
Security
Threat models that match how you actually work, not airline-grade compliance checklists. SSH the right way, firewalls that aren't theater, TLS without the foot-guns, secrets that don't end up in git, and authn/SSO patterns that scale from "me" to "the family WiFi." If your security plan starts with "it's behind WireGuard" — fair, but read these anyway.
110 articles in this topic.
Featured posts
- Zeek for Home Lab Forensics
  Zeek (formerly Bro) turns network traffic into structured logs you can actually query. The IDS that doesn't shout — it documents. Setup and use in a home lab.
  11 min read
- ModSecurity vs Coraza WAF
  ModSecurity 3 is end-of-life and Coraza is the open-source successor — Go-native, faster, and friendlier. Here's the migration story and what actually changes.
  11 min read
- SOPS + age: Secrets in Git
  Stop the .env-in-1Password dance. SOPS encrypts secrets per-key, age provides modern crypto, and git stores them safely. Here's how to ship it without footguns.
  12 min read
- WebAuthn & Passkeys for Sysadmins
  Passkeys finally killed passwords for real users. Here's what WebAuthn actually is under the hood, and how to roll passkeys out on your self-hosted services.
  14 min read
- Owntracks + Home Assistant: Private Location Tracking
  Stop feeding Google your daily commute. OwnTracks + MQTT broker + Home Assistant gives you real presence detection without the surveillance capitalism overhead.
  10 min read
- Claude Code + SearXNG: Private Web Search
  Wire a self-hosted SearXNG instance into Claude Code via a Bash wrapper for private, scriptable web search — and when to use it vs the built-in tool.
  10 min read
All Security articles
- Zeek for Home Lab Forensics
- ModSecurity vs Coraza WAF
- SOPS + age: Secrets in Git
- WebAuthn & Passkeys for Sysadmins
- Owntracks + Home Assistant: Private Location Tracking
- Claude Code + SearXNG: Private Web Search
- ZFS Encryption vs LUKS
- Syncthing vs Resilio vs Seafile
- Boundary vs Teleport
- Advanced UFW Techniques: Enhancing Firewall Security
- Stop Putting Passwords in Docker ENV
- Immich vs PhotoPrism: Escape Google Photos Without Losing Your Mind
- Install Caddy reverse proxy via Docker
- LinkedIn Is Searching Your Computer
- Linux Home Lab Security: Planning for the Unexpected
- Open Source Security: Scanning Your Dependencies Before They Scan You
- OpenConnect vs AnyConnect
- Proxy Chains and Anonymization: What Actually Works and What's Just Theater
- SSH keys and secure file copy
- Reverse Proxy SSL: The Cert Chain Mistake Everyone Makes
- stunnel vs spiped
- Suricata vs Snort: Intrusion Detection for the Paranoid Home Lab Owner
- The Role of Antivirus and Endpoint Detection and Response Systems
- The Zero-Trust Home Lab
- UFW Basics: Setting Up Your Linux Firewall
- Wireguard VPN Server in Docker
- Container Escape: How to Stop It
- Cosign Keyless: Sign Without Keys
- age vs GPG: Modern File Encryption That Doesn't Make You Cry
- Sysbox vs gVisor vs Kata
- Trivy vs Grype vs Docker Scout
- Beyond Akismet: Spam Protection for 2026
- Authentik vs Authelia: SSO for Your Self-Hosted Stack
- Sec-Fetch & UA Client Hints in 2026: What Actually Leaks
- Blog Comments: Self-Host or SaaS?
- CrowdSec Collections & Bouncers: fail2ban for 2026
- Incident Response for Self-Hosters
- CVE-2026-31431: The 9-Year Linux Root Bug
- OpenCanary: Honeypots for Your Home Lab
- Pi-hole vs AdGuard Home: Block Ads for Your Whole Network
- nftables: Modern Linux Firewalling
- Suricata vs Snort: Network Intrusion Detection That Actually Works
- SBOMs and Supply Chain Security
- Container Security: Scan and Sign Your Images Like You Mean It
- Falco: Catch Container Attacks at Runtime
- Cloudflare Tunnels: The Zero-Port-Forward Guide to Exposing Your Services
- Trivy + Cosign: Scan and Sign Your Images
- Fail2ban vs CrowdSec: Blocking the Bots Actually Smartly
- Tailscale Deep Dive: Mesh Networking That Actually Works
- 2FA for SSH and sudo via PAM
- WireGuard vs OpenVPN 2026: It's Not Even Close
- SSH CA: Finally Ditch authorized_keys
- Wazuh: Open Source SIEM for Your Home Lab
- LUKS Full Disk Encryption on Linux
- Rootless Docker: Run Without Root
- Linux Privilege Escalation: The Defensive Playbook
- Linux su with custom shell
- De-Googling: Self-Hosted Replacements for Google Apps
- dotenv Files: The Mistakes That Leak Secrets
- Using AI to Find Security Bugs in Your Code
- Private Docker Registry with Harbor
- TLS 1.3: Modern Encryption Without the Existential Dread
- Let's Encrypt Without Certbot
- Cloudflare WAF: Free Tier Firewall Rules
- Certificate Pinning: The Nuclear Option for TLS Security (Use With Caution)
- .gitignore Entries Every Project Actually Needs
- Vault vs Infisical: Secrets Management for Teams Who've Learned the Hard Way
- Open Source Licenses Explained: What You Can and Can't Do With Free Software
- mTLS Explained: When Regular TLS Isn't Paranoid Enough
- Port Knocking: Simple Obscurity for SSH Access
- SSH Keys in 2026: Ed25519 Is the Standard
- Why Your VPN Isn't Routing What You Think
- DNS Over HTTPS and TLS: Encrypt Your DNS Before Your ISP Sells It
- tcpdump Basics: Capture Traffic Without Wireshark
- AppArmor vs SELinux: Mandatory Access Control Without the Existential Dread
- Your Server Doesn't Know What Random Means (And That's a Problem)
- Caddy Advanced: Automatic HTTPS, Plugins, and Config That Doesn't Make You Cry
- Auditd & Audit Logging: Know Exactly Who Touched What on Your Server
- HashiCorp Vault: Stop Hardcoding Secrets Like It's 2012
- VPN Kill Switch and DNS Leak Prevention: Paranoia, Justified
- Plausible vs Umami: Privacy-Friendly Analytics That Won't Creep Out Your Users
- nmap for Your Own Network: What You Should Be Scanning
- Vaultwarden Organization Sharing: Password Management for Your Whole Household (or Team)
- Linux Capabilities: Drop Root Without Breaking Everything
- Docker Security Hardening: 15 Things You're Doing Wrong Right Now
- UFW Advanced: Rate Limiting, Logging, and Rules That Actually Make Sense
- DDoS Mitigation: Teaching Your Server to Say No Politely (Then Impolitely)
- SSH Hardening: Lock Down Remote Access Without Locking Yourself Out
- Vaultwarden vs Bitwarden: Own Your Passwords Before Someone Else Does
- Linux Audit Log: What's Really Happening on Your Server
- The sudoers Mistake Everyone Makes Once
- Why Your TLS Certificate Isn't Trusted
- Certificate Expiry: Monitor Before the 3 AM Call
- The Firewall Rule Order That's Breaking Your Setup
- Sticky Bit, Setuid, Setgid: Linux Special Permissions Explained
- Is fail2ban Actually Working? Here's How to Check
- SSHFS: Ditch SCP & Access Remote Files
- SSH Agent Forwarding: How It Works
- Why Your SSH Connection Keeps Dropping
- SSH Multiplexing: Stop Reconnecting Every Time
- The SSH Config File: The Shortcut You're Not Using
- The umask You've Been Ignoring
- Running Docker Containers as Non-Root (And Why You Should)
- Disabling Discord’s Activity Tracking
- Certificate Pinning: A Secure Connection Guide
- Understanding the regreSSHion Vulnerability in OpenSSH
- How to securely deploy Cloudflare Tunnels
- SSH Tunneling: A Secure Conduit for Your Data
- User and Group Management in Linux
- Ed25519 ssh keys