Nice list of suggestions, but implementing all of them feels a little over-the-top.

I don’t really get the love for fail2ban. Sure, it helps keep your logs clean, but with a solid SSH setup (root disabled, SSH keys enforced), I’m not bothered by the login attempts.

This week, I’ve been trying out caddy + coraza web app firewall. I got it to work, I’m planning to use it for my homeserver.

I’m currently comparing Authentik and Authelia. For me, Authentik was extremely easy to get into. Authelia with its text-based configuration is clearly not as easy for beginners.

I’ve started to setup Authentik this weekend. My goal is to learn more about SSO and have one account for most of my selfhosted services.

The researchers discovered that AMD had been using a publicly available example key from NIST documentation since Zen 1, which allowed them to forge signatures and deploy arbitrary microcode modifications.

I wish these sorts of errors were not that common.

I’m missing the rpi1 in that list. Please fix ASAP.

True. But at least for me, VA-API was not a known abbreviation, that’s why I copied the long form here.

VA-API is Video Acceleration API

I’e seen that some want it to host their own LLM. It’s far cheaper to buy DDR5 memory than somehow getting 100+ GB of VRAM. Whether or not this is a good idea is another question

The amount of legal trouble they face makes me sad.

Imagine being smart enough to reverse engineer a whole train, and then having to deal with lawyers, politics and corruption.

The DNS record must point to cloudflare, not the instance IP

I’m glad that development is getting more stable, the regular updates with breaking changes were not so great.

That’s true, but might not really be a problem for most. Just set the jail time to something short (few minutes, maybe an hour).

There is no way to be 100% sure, but:

• bitwarden and ente have open source clients that ecrypt all data locally in a way that the provider can’t restore data
• nextcloud isn’t optimal, while you can encypt data at rest, the provider might be able to spy on you
• With mail providers it is difficult, but mailbox.org has my (personal) trust by building their business model on data protection and open source

I can and do self host, but I’m not willing to provide these services for free. I don’t want to be responsible for other peoples passwords or family photos.

Thats where good, privacy-respecting services come into play. Instead of hosting for my neighbours, I would recommend mailbox.org, bitwarden, ente or a hosted nextcloud.

The blog post contains an interesting tineline. Apparently, the first fix was not sufficient. So if you have updated Vaultwaren before November 18, update it again.

Copy of the timeline:

• End of October 2024: ERNW assesses Vaultwarden for the customer.
• November 08, 2024: ERNW discloses the vulnerabilities to the Vaultwarden team.
• November 10, 2024: Fix and release of Vaultwarden v1.32.4.
• November 11, 2024: ERNW retests the software and identifies that the fix is not sufficient.
• November 11, 2024: Public merge with fix and request for feedback by the Vaultwarden team.
• November 12, 2024: ERNW acknowledges that the fix is complete.
• November 18, 2024: Release of Vaultwarden v1.32.5.

My HP has a 65 watt CPU built in, when it’s running at full load it is quite loud.

Small, 10 inch rack, with some 3D printed rack mounts.

Maybe try some TLS-based VPN? This should work almost anywhere, because it looks like a standard HTTPS connection.

Wireguard - even on port 443 - is special as it uses UDP protocol and not the more widely used TCP protocol.