Security
Practical defensive security for homelab and small-scale environments — hardening systems, detecting threats, and keeping your infrastructure clean.
Articles
- WireGuard VPN — fast, modern VPN server setup with client management and LXC notes
- nginx: ModSecurity WAF + CRS 4 — build the connector module, install the Core Rule Set, and tune from DetectionOnly to blocking
- nginx: Rate Limiting — protect login endpoints with limit_req, calibrate with dry-run, handle proxies correctly
- nginx: Block Direct IP Access — catch-all default_server with ssl_reject_handshake to stop scanners and domain leaks
- Spamhaus DROP: nftables — daily-synced firewall blocklist that drops known criminal netblocks for every service on the host
- Spamhaus DROP: Cloudflare WAF — sync the DROP list into a Cloudflare IP list via API, works on the Free plan
Scope
This section focuses on defensive and operational security. Offensive techniques are out of scope.