From the guy that has been accused of going overboard on security measures, I use both. It just depends on your setup tho. On a low resource server, I would pick crowdsec as it covers more ground than F2B. Running two log parsers does use more resources. ~ my 2 cents

As you probably know the crowdsec bouncer doesn’t directly parse logs or do checks like F2B filters. It queries the crowdsec LAPI for decisions and applies them. The “allowed” or “whitelisted” IP logic is handled at the Security Engine or LAPI level, not by the bouncer itself.

You can whitelist an ip in /etc/crowdsec/whitelists.yaml or even whitelist decisions in the whitelist.yaml as such:

name: private-ips
description: Whitelist local and private IPs
whitelist:
  reason: "Allow local and private IPs"
  ip:
    - "127.0.0.1"
    - "192.168.1.0/24"
  cidr:
    - "10.0.0.0/8"

Then issue sudo systemctl reload crowdsec. Kind of the same concept as F2B’s ignoreip option. If you are using Tailscale to administer the server, then it’s easier to whitelist. IIRC, you can use cscli decisions add --type whitelist --ip 192.168.1.100 --duration 1y but it doesn’t add them to the whitelist.yaml. Instead it keeps them in crowdsec’s database managed by LAPI. To undo: cscli decisions delete --ip 192.168.1.100 --type whitelist

https://docs.crowdsec.net/u/getting_started/post_installation/whitelists/

You dared to ask a question and the tools to explore answers are readily available.

Right, however, before I go ‘test’ and screw things up, why not dare to consult with more knowledgeable sources? Maybe I have not taken into account other things that could be negatively affected by said testing? I mean, if you came to me and said ‘Hey bro, I’m thinking about learning how to play the guitar (something I’ve been doing for 65 years). What guidance could you offer a guy just starting out? What about equipment, type strings, etc’? Sure, you could easily go out and buy a cheap, sub $100 guitar only to have it wear your wrists and fingers out and then quit because it’s too painful to practice. Or, you could ask the guy who has been playing the guitar and other stringed instruments for virtually all his life, what guidance he could give. 😀

I appreciate your input greatly, and as I said, 25 years of experience does speak for itself.

Thank you

past 25 or so years that’s been fine.

Well, two independent sources with 25+/- years of experience say leave it alone. It sounds to me like I should leave it alone.

but that’s been my experience after ~25 years of using Linux daily.

Certainly, 25 years of experience speaks for itself. If I may ask a follow up question.

I run Portainer, and in Portainer you can adjust Runtime & Resources per container. I am apparently too incompetent to grasp Dockge. Currently everything in Runtime & Resources is unchanged. Is there any benefit to tweaking those settings, or just let 'em eat when hungry?

To me, it’s always nice meeting the face behind the software. I have never used copyparty, but if I had a use case, it would be high on the list just based of the volume of detailed instructions. I think that is probably the most detailed selfhosted piece of software I’ve seen at GitHub…gotta be something good going on with that. And…and replete with pictures of the UI in a variety of scenarios. That’s just top drawer in my book. If a need ever arises, I have bookmarked it, because that’s where I’ll start. Awesome job my man, and thank you for your dedication to the craft.

Hey, man you talkin’ back to me?

I have used the free Bitwarden now for untold years. It not only houses passwords for personal applications, I use it to keep track of my business account passwords as well. The only problem I’ve had with Bitwarden is their recent UI retool which ended up causing a huge ruckus among the user base to the point where they gave an option to switch back.

There is a certain level of trust for whatever option you choose. If you use Bitwarden free, then you have to trust that Bitwarden will keep your data is safe on their servers. If you self host, the onus of trust lies in you’re ability to secure your server, and to the extent that you trust your host as well. The latter option leaves me a bit queasy, so I do not selfhost my passwords in a selfhosted vault.

Others may have more trust in their security skills than I do. LOL There’s just a lot of sensitive data I have housed within Bitwarden free. Selfhosting it would keep me up at nights.

Social Media Reactions

Interesting article.

I have not tried Traefik, tho looking at what it does, it’s pretty amazing. Caddy seems to fit what I do, and as OP stated, Caddy is pretty easy to master, even tho it took me an embarrassingly long time to get it through my dim brain. Traefik does seem like a very polished app tho and is very integrated in with docker.

You gotta keep em separated!

I actually used raindrop.io for a long while. Tight little app. It’s too bad it’s not selfhostable

I use Readeck for ‘read it later’ type articles, things of interest. The downside of Readeck is that there is no one-click-easy way to back up your database if you want to move it to another server. You can, however go to /volume1/docker/readeck/ and download all the db files there manually which will allow you to move to another server. Make sure to grab the config.toml in the same directory. It has a Firefox extension as with most of these apps in it’s genre. Probably has a chrome extension but I avoid chrome.

I use Karakeep (Hoarder) for stuff I’ve looked up to try to solve issues, such as pages from Grok where I have inquired about certain problems I may have been having.

These little mini-racks are cool. I’ve seen a lot of them here of late.

works for everything–not just web traffic. SSH, file transfers, databases.

Yup. I use it for sftp, ssh. I’ve never used in relation to a database. Is that for remote db? I am working on routeing mail through tailscale to a relay, since my host, for whatever reason, blocks mail ports and charges to have them turned on. I just wanted alert emails from a couple apps.

I meant that I’m special as in incompetent, not that the app was special.

May have to chown /var/lib/radicale/collections as well:

ls -ld /var/lib/radicale/collections

If the directory doesn’t exist, create it:

sudo mkdir -p /var/lib/radicale/collections
sudo chown radicale:radicale /var/lib/radicale/collections

sudo chown radicale:radicale /var/lib/radicale/collections
sudo chmod 750 /var/lib/radicale/collections

At least that’s what my notes say.

YUNOhost

Early on sometime, I deployed Yunohost. At the time there were apps, but the catalog was sparse. I happened upon it again in a search for something else about a week or so ago. Wow! The devs have been really developing it at a cyclical rate. I was impressed. For someone just starting out and trying to get their toes wet, I could see Yunohost being a good starting point.

dockge

Not knocking Dockge, but I have to say I was underwhelmed coming from Portainer. It obviously works for a lot of people, so I might just be ‘special’.

if you don’t incorporate a backdoor

I’ve often thought about this, and since it has come up in convo, I’ll ask: If you were to implement a backdoor to your server, how would you go about that? Currently I have 3 vps and one rack in the closet. It is the vps I’m interested in the most. Only one vps offers a rescue ssh, and yes I can confirm, if you are not exceedingly careful on my setup, you can lock yourself right out. I run tailscale on everything and I often wondered if I could incorporate tailscale as a emergency backdoor.