Incessant tinkerer since the ’70s. Staunch privacy advocate. SelfHoster. Musician of mediocre talent. https://soundcloud.com/hood-poet-608190196

  • 32 Posts
  • 1.57K Comments
Joined 1 year ago
Cake day: March 24th, 2025

  • I actually like AI when used correctly and privately. I see it as a tool for specific jobs, but not made to be shoved down our throats every single chance companies get.

    I would concur: ‘When used correctly’.

    You’ll get a mixed, reactive crew here. Probably 70% pro/30% con, with the 30% so vocal that they overshadow the 70% at times. Pay no attention to the grumps or their downvotes. LOL




  • But Suricata will not automatically correlate primitives into actual alerts from different VLANs without transforms, which are CPU-intensive for what they do.

    It is possible to offload the correlation to a downstream SIEM or log aggregator like Wazuh or ELK. Again, it’s something I’m currently trying to spool up on. I know it can be done, I’m just trying different things until I do get it right. I appreciate any input.


  • How did you monitor your VLANs with Suricata?

    At present I only monitor the VLAN serving the ‘computer room’, which includes the servers. It’s where all the ‘stuff’ happens, so I figured I’d start with the most important. However, I am in the process of learning how to SPAN (switch port mirroring), where you configure your managed switch to copy traffic from a specific VLAN port, or all VLAN ports, to a dedicated ‘monitoring port’ where a micro server is running Suricata. The mirrored traffic retains its VLAN tags, and Suricata can parse these tags.

    Those are the lofty plans. LOL. I’m still fiddling around with it and Suricata, because you have to actually set Suricata up to be able to do that. It doesn’t do that right out of the box.
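What a mirror port actually hands to the Suricata box, as an added example (my code, not the commenter’s and not part of Suricata): a small Python decoder for 802.1Q/802.1ad-tagged Ethernet frames. Whatever captures on the monitoring interface sees the 4-byte tag sitting between the source MAC and the real EtherType, so the VLAN ID has to be peeled off before the IP header can even be located. The decoder also handles a QinQ double tag and masks the priority bits out of the TCI. The frames, MAC addresses and the VLAN-to-name map are constructed for the demo.

```python
import struct
from dataclasses import dataclass

# Tag Protocol Identifiers: 802.1Q (customer tag) and 802.1ad (outer/service tag, QinQ).
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}

# Constructed VLAN-to-name map for the demo; not anyone's real network plan.
VLAN_NAMES = {10: "servers", 20: "iot", 30: "phones"}


@dataclass
class Frame:
    dst: str
    src: str
    vlan_ids: list      # outer-to-inner order; empty for an untagged frame
    ethertype: int      # EtherType of the payload once every tag is peeled
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet II frame, peeling every 802.1Q/802.1ad tag in front of the payload.

    Each tag is 4 bytes: a 2-byte TPID occupying the EtherType slot, then a 2-byte
    TCI whose low 12 bits are the VLAN ID (the top 4 bits are PCP and DEI).
    """
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan_ids = 14, []
    while ethertype in VLAN_TPIDS:
        if len(raw) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", raw[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)   # drop PCP/DEI, keep the 12-bit VID
        offset += 4
    return Frame(_mac(dst), _mac(src), vlan_ids, ethertype, raw[offset:])


def build_frame(dst: str, src: str, payload: bytes, vlan_ids=(), ethertype=0x0800, pcp=0) -> bytes:
    """Assemble a frame with the given tag stack (only used here to construct samples)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b""
    for i, vid in enumerate(vlan_ids):
        # A double-tagged frame carries the 802.1ad TPID on the outer tag.
        tpid = TPID_8021AD if (i == 0 and len(vlan_ids) > 1) else TPID_8021Q
        tags += struct.pack("!HH", tpid, ((pcp & 0x7) << 13) | (vid & 0x0FFF))
    return hdr + tags + struct.pack("!H", ethertype) + payload


# Minimal IPv4 header stub so the payload looks like what follows EtherType 0x0800.
IPV4_STUB = bytes([0x45]) + bytes(19)

# Constructed sample of what a mirror port might deliver: tagged server and IoT
# traffic (the IoT frame with a non-zero priority), a QinQ frame, and one
# untagged frame from the native VLAN.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:02", IPV4_STUB, vlan_ids=(10,)),
    build_frame("00:11:22:33:44:03", "00:11:22:33:44:04", IPV4_STUB, vlan_ids=(20,), pcp=5),
    build_frame("00:11:22:33:44:05", "00:11:22:33:44:06", IPV4_STUB, vlan_ids=(100, 10)),
    build_frame("00:11:22:33:44:07", "00:11:22:33:44:08", IPV4_STUB),
]


def count_by_vlan(frames) -> dict:
    """Count frames per innermost VLAN ID; untagged frames land under None."""
    counts = {}
    for raw in frames:
        f = parse_frame(raw)
        key = f.vlan_ids[-1] if f.vlan_ids else None
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        f = parse_frame(raw)
        label = [VLAN_NAMES.get(v, f"vlan{v}") for v in f.vlan_ids] or ["untagged"]
        print(f"{f.src} -> {f.dst} {'/'.join(label)} ethertype=0x{f.ethertype:04x}")
    print(count_by_vlan(SAMPLE_FRAMES))
```

The point of the untagged sample is the failure mode to watch for on a SPAN setup: if the switch strips tags on the mirror port, or the capture NIC offloads VLAN stripping, every frame arrives looking like the last one and per-VLAN visibility is silently lost.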


    So, I have a standalone pfSense box running Suricata (IDS/IPS) on WAN & LAN, pfBlockerNG (filtering), Unbound, ntopng (traffic analysis), and Tailscale as an overlay on the firewall. The servers are on their separate VLANs; IoT, phones, laptops and other devices are also isolated. On the server I run Cloudflare Tunnels/Zero Trust, UFW, Tailscale as an overlay, and Fail2Ban. Everything is ‘default deny until something complains’. I’ve never run OPNsense so I can’t speak to their software, but pfSense has been rock solid for me for years. I utilize lnav to review logs. It’s lean, easy to install, and it just works.

    To be quite honest about updates like Docker container updates, I wait until all the early adopters work out all the bugs for me and update when I feel comfortable. Updates to Ubuntu Jammy are usually straightforward, and I can’t say I’ve had many issues over the years with Ubuntu Jammy updates. There may be a rare occasion, but nothing really stands out at this moment. The only issue I can think of recently is when Docker updated but Portainer hadn’t caught up, but that was about a 30 minute fix.

    It took me a while to get everything lined out from the modem to the servers, but my track record makes me feel pretty comfortable with how I have everything set up. In fact, literally most of the time, I just enjoy the set up and scout for the next project.



  • Welcome to the club, bro. Pleasure to make your acquaintance. Sounds like you’ve done your homework. Better than how I started: I just dove in and whacked my head against a wall until something worked. The first real Linux server I ever stood up online got taken down in short order. So I went back and did some learning, and took note of what others did/do. Now I’m no pro at it by far. Lots of very knowledgeable people in here. Stick around, pay it forward. Good group to hang out with.

    With the niceties out of the way, let’s get right down to the real issues: What are your thoughts on AI? /s



  • Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.

    I’ve heard people say this, and I’ve heard people say you can’t stream music. Though I do not run the ’arr stack or Jellyfin, I do run Navidrome almost 24/7/365. But it’s something to keep in mind.

    ETA: I am the sole user


  • Well, you could do network segmentation:

    • Put the server in a DMZ or separate VLAN if your router supports it. This isolates it from your main devices (computers, phones, IoT). I’m not sure what router you have, but many consumer routers have a “guest network” that can serve this purpose.

    Utilize UFW rules. Mine are:

    • sudo ufw default deny incoming
    • sudo ufw default allow outgoing
    • sudo ufw allow from 192.168.1.0/24 # shows as: Anywhere ALLOW IN 192.168.1.0/24
    • sudo ufw allow from 192.168.1.0/24 to any port 22 # shows as: 22 ALLOW IN 192.168.1.0/24
    • sudo ufw allow in on tailscale0 to any port 22 # shows as: 22 on tailscale0 ALLOW IN Anywhere, plus its (v6) twin

    Also:

    • sudo ufw allow out to 1.0.0.1 port 53 # DNS only
    • sudo ufw allow out to 1.1.1.1 port 53
    • sudo ufw deny out to 192.168.1.0/24 # Block LAN access except admin

    So now I have SSH capability locally and through Tailscale installed on the server, and this prevents the server from initiating connections to other LAN devices. You can do a lot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.
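A way to check that a ruleset like the one above still says what you meant after months of tweaking, as an added example (my code, not the commenter’s, and not part of ufw): a small Python auditor that parses `sudo ufw status verbose` output and tests the properties the comment relies on. It checks that the default inbound policy is deny, that nothing is allowed in from Anywhere unless it is bound to a trusted interface (tailscale0 is assumed trusted), and that explicit allow-out rules are actually doing something: with default allow outgoing, an allow-out is a no-op unless a later deny would otherwise catch that traffic, which is the case for the two DNS rules above as long as nothing denies port 53 afterwards. The status text is constructed for the demo and includes one made-up 8096/tcp rule that is open to the world so the check has something to flag.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of `sudo ufw status verbose` (not a real host's
# output). The 8096/tcp rule is included on purpose so the audit has something to flag.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    192.168.1.0/24
22                         ALLOW IN    192.168.1.0/24
22 on tailscale0           ALLOW IN    Anywhere
1.0.0.1 53                 ALLOW OUT   Anywhere
1.1.1.1 53                 ALLOW OUT   Anywhere
192.168.1.0/24             DENY OUT    Anywhere
8096/tcp                   ALLOW IN    Anywhere
22 (v6) on tailscale0      ALLOW IN    Anywhere (v6)
"""

# Assumption for the demo: traffic arriving on these interfaces is considered trusted.
TRUSTED_IFACES = {"tailscale0"}

RULE_RE = re.compile(
    r"^(?P<to>\S.*?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<direction>IN|OUT|FWD)\s+(?P<frm>\S.*)$"
)


@dataclass
class Rule:
    to: str                 # destination host/network, or "Anywhere"
    port: Optional[str]     # "22", "8096/tcp", or None for any port
    iface: Optional[str]    # interface binding from "on <iface>", if any
    action: str
    direction: str
    frm: str
    v6: bool


def parse_status(text: str):
    """Return (defaults, rules) parsed from `ufw status verbose` text."""
    defaults, rules = {}, []
    for line in text.splitlines():
        m = re.match(r"^Default:\s*(.*)$", line)
        if m:
            for part in m.group(1).split(","):
                policy, scope = part.strip().split(" ", 1)
                defaults[scope.strip("()")] = policy
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        to = m.group("to")
        v6 = "(v6)" in to
        to = to.replace("(v6)", "").strip()
        iface = None
        if " on " in to:
            to, iface = (s.strip() for s in to.split(" on ", 1))
        tokens = to.split()
        # The port, if present, is the last token: "22", "8096/tcp", "1.1.1.1 53".
        port = tokens.pop() if tokens and re.fullmatch(r"\d+(/\w+)?", tokens[-1]) else None
        rules.append(Rule(" ".join(tokens) or "Anywhere", port, iface, m.group("action"),
                          m.group("direction"), m.group("frm").replace("(v6)", "").strip(), v6))
    return defaults, rules


def _net(host: str):
    try:
        return ipaddress.ip_network(host, strict=False)
    except ValueError:
        return None  # "Anywhere"


def _shadows(allow: Rule, deny: Rule) -> bool:
    """True if `deny` would catch some traffic that `allow` permits, i.e. the allow does work."""
    a, d = _net(allow.to), _net(deny.to)
    dest_overlap = a is None or d is None or a.overlaps(d)
    port_overlap = (allow.port is None or deny.port is None
                    or allow.port.split("/")[0] == deny.port.split("/")[0])
    return dest_overlap and port_overlap


def audit(text: str, trusted_ifaces=TRUSTED_IFACES) -> list:
    """Return a list of findings; an empty list means the ruleset matches the intended posture."""
    defaults, rules = parse_status(text)
    findings = []
    if defaults.get("incoming") != "deny":
        findings.append("default incoming policy is not deny")
    for i, r in enumerate(rules):
        if (r.direction == "IN" and r.action in ("ALLOW", "LIMIT")
                and r.frm == "Anywhere" and r.iface not in trusted_ifaces):
            findings.append(f"port {r.port or 'any'} is open to the world (not bound to a trusted interface)")
        if r.direction == "OUT" and r.action == "ALLOW" and defaults.get("outgoing") == "allow":
            later_denies = [x for x in rules[i + 1:] if x.direction == "OUT" and x.action in ("DENY", "REJECT")]
            if not any(_shadows(r, d) for d in later_denies):
                findings.append(f"allow out to {r.to} port {r.port or 'any'} is redundant: "
                                "default outgoing is allow and no later deny would match it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STATUS):
        print("FINDING:", finding)
```

Run it against real output with `sudo ufw status verbose | python3 ufw_audit.py` after swapping `SAMPLE_STATUS` for `sys.stdin.read()`. If the two DNS allow-outs are meant to pin resolvers, the audit stops flagging them as soon as a later `sudo ufw deny out to any port 53` exists, because at that point they are the only thing letting port 53 traffic through.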


  • irmadlad@lemmy.world to Selfhosted@lemmy.world: The first publicly open instance (edited, 1 day ago)

    Have you considered Cloudflare Tunnels/Zero Trust? When you use Cloudflare Tunnels/Zero Trust, you don’t need to fiddle with NAT or open any ports; in fact you don’t need any open ports. You just install Cloudflare Tunnels/Zero Trust on your server, connect to your Cloudflare Tunnels/Zero Trust account, and Cloudflare does the rest. To deploy Cloudflare Tunnels/Zero Trust you will need a domain name. Cloudflare will sell you a domain name, but I think most get something cheap from Namecheap or Porkbun. When you have secured a domain name, switch the nameservers to the ones that Cloudflare assigns you. Jacks a doughnut, Bob’s your uncle.

    ETA: Obviously you’ll need port 22 for administration.

    sudo ufw default deny incoming

    sudo ufw default allow outgoing


  • But my qualms and scruples are not your problem

    Me being uncomfortable with how you do it is immaterial

    I hope as a community we can start to just say “No thank you” when we are offered something that’s done in a way we don’t like

    Anyone who is not doing that needs to analyse why they feel entitled to shit on someone else’s project.

    We goin’ to church today. Preach it my brother! Can I get an amen?

    I’m the one who has to die when it’s time for me to die, so let me live my life the way I want to. ~ Jimi Hendrix






  • I’ve got a drawer full of various models I’ve picked up here and there, mostly used that people were selling. I stumbled across a yard sale once where a guy and his son were selling a lot of computer equipment to raise money for his son to get some newer stuff for college. There was a whole box of them, maybe 10+ and I paid $100 for all of them. I use them from time to time for different projects. Good little learning boards.