Let's talk about computers

I don’t just Wild West it. Kidding, I try to make stuff easy enough that people will actually use it. If someone has to turn on a VPN just to open Seerr they won’t use it. So most of the security stuff happens behind the scenes and they don’t even know it.

Traefik’s handling GeoBlock, CrowdSec and some other middleware. Also got Cloudflare doing its thing at the domain level with other security measures. If I need to get into unRAID, Helmarr (iOS, like NZB360) or anything admin-side remotely I just hop on my WireGuard VPN at the router level.

Security matters, but so does not annoying my family. The more complicated or over-engineered I make it, the more chances something breaks or frustrates them. And if I’m out of town and can’t fix it? Yeah… that’s how you lose support for the whole self-hosting hobby real quick.

1 Like

Yeah that looks good then.
I myself am the only user of my servers so it's nothing I think much about and I just focus on max security.

1 Like

God this is painful to see…

Indeed. I am doing what I can to make sure my current aging rig lasts for at least another couple of years. Should have built last Summer… :sweat_smile:

Yeah I really dodged the bullet there by building my main pc around summer last year and my servers around august.

1 Like

Sigh, I think you may also run Huntarr? With your setup where you do have external access I would not use it anymore.

https://www.reddit.com/r/selfhosted/comments/1rckopd/huntarr_your_passwords_and_your_entire_arr_stacks/

https://www.reddit.com/r/selfhosted/comments/1rcmgnn/the_huntarr_github_page_has_been_taken_down/

This is the only alternative I saw but no UI.

2 Likes

Deleted and performed damage control this morning. All API keys changed. Thanks for the heads up.

2 Likes

Unfortunately there are no apps, that I know of, that do what I used it for, which was to trigger upgrades and missing scans. Never used any of the other features. Bummer, because at its initial core it was a solid app that handled one task well. Then the dev got all crazy trying to make it an all-in-one.

1 Like

Exactly. I am still using it as I don't have anything exposed, but yeah…

Perhaps some of these settings could help.
(Note: this is copy-pasted from Reddit.)

Hardening docker containers is also highly recommended. Here is some advice from the top of my head (this assumes docker-compose.yml files, but it can also be set using docker directly or by setting params in Unraid).

1: Make sure your docker is not running as root:

user: "99:100"
(this example is from Unraid, running as user "nobody", group "users")

2: Turn off tty and stdin on the container:

tty: false
stdin_open: false

3: Try switching the whole filesystem to read-only (ymmv):

read_only: true

4: Make sure that the container can't elevate any privileges after start by itself:

security_opt:
  - no-new-privileges:true

5: By default, the container gets a lot of capabilities (12 if I don’t remember wrong). Remove ALL of them, and if the container really needs one or a couple of them, add them specifically after the DROP statement.

cap_drop:
  - ALL

or: (this is from my Plex container)

cap_drop:
  - NET_RAW
  - NET_ADMIN
  - SYS_ADMIN

6: Set up the /tmp area in the docker to be noexec, nosuid, nodev and limit its size. If something downloads a payload to /tmp within the docker, it won’t be able to execute the payload. If you limit the size, it won’t eat all the resources on your host computer. Sometimes (like with Plex), the software auto-updates. Then set the param to exec instead of noexec, but keep all the rest of them.

tmpfs:
  - /tmp:rw,noexec,nosuid,nodev,size=512m

7: Set limits to your docker so it won’t run off with all the RAM and CPU resources of the host:

pids_limit: 512
mem_limit: 3g
cpus: 3

8: Limit logging to avoid logging bombs within the docker:

logging:
  driver: json-file
  options:
    max-size: "50m"
    max-file: "5"

9: Mount your data read-only in the docker, then the docker cannot destroy any of the data. Example for Plex:

volumes:
  - /mnt/tank/tv:/tv:ro
  - /mnt/tank/movies:/movies:ro

10: You may want to run your exposed containers in a separate network DMZ so that any breach won’t let them touch the rest of your network. Configure your network and docker host accordingly.

Finally, some of these might prevent the container from running properly, but my advice in those cases is to open up one thing after another to keep the attack surface minimal.

docker logs <container>

…is your friend, and ChatGPT / Claude / whatever AI will help you pinpoint the choking point.

Using these settings for publicly exposed containers lowers the blast radius significantly, but it won’t remove all risks. For that you need to run it in a VM or, even better, a separate machine.
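Compose settings only help if they actually reach the running container, so a quick way to verify the ten points above is to check what `docker inspect` reports. The script below is an added example, not part of the Reddit post or any project mentioned here; the `SAMPLE_CONTAINER` dict is a constructed, trimmed stand-in for real `docker inspect` output, and the `/mnt/tank/config` bind mount is made up for the demo.

```python
import json
import sys

# Constructed sample in the shape `docker inspect <container>` prints (first list
# element, trimmed to the fields the checks use). Gaps left on purpose so the
# audit has something to report: no pids_limit, no mem_limit, one writable bind.
SAMPLE_CONTAINER = {
    "Config": {"User": "99:100", "Tty": False, "OpenStdin": False},
    "HostConfig": {
        "ReadonlyRootfs": True,
        "SecurityOpt": ["no-new-privileges:true"],
        "CapDrop": ["ALL"],
        "Tmpfs": {"/tmp": "rw,noexec,nosuid,nodev,size=512m"},
        "PidsLimit": 0,
        "Memory": 0,
        "LogConfig": {"Type": "json-file", "Config": {"max-size": "50m", "max-file": "5"}},
        "Binds": ["/mnt/tank/tv:/tv:ro", "/mnt/tank/config:/config:rw"],
    },
}


def audit(container: dict) -> list:
    """Return one finding per hardening setting that is missing (empty = all present)."""
    cfg, hc = container.get("Config", {}), container.get("HostConfig", {})
    user = str(cfg.get("User") or "")
    findings = []
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root: set user (e.g. 99:100 on Unraid)")
    if cfg.get("Tty") or cfg.get("OpenStdin"):
        findings.append("tty/stdin_open enabled")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem writable: read_only: true")
    opts = hc.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith(":false") for o in opts):
        findings.append("no-new-privileges not set")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("capabilities not dropped: cap_drop: [ALL]")
    tmp = (hc.get("Tmpfs") or {}).get("/tmp", "")
    for flag in ("noexec", "nosuid", "nodev", "size="):  # noexec trips for self-updaters like Plex
        if flag not in tmp:
            findings.append(f"/tmp tmpfs missing {flag}")
    if not hc.get("PidsLimit"):
        findings.append("no pids_limit")
    if not hc.get("Memory"):
        findings.append("no mem_limit")
    if not ((hc.get("LogConfig") or {}).get("Config") or {}).get("max-size"):
        findings.append("log rotation not configured: logging.options.max-size")
    for bind in hc.get("Binds") or []:  # "src:dst:ro" is what a :ro volume becomes
        parts = bind.split(":")
        if len(parts) < 3 or "ro" not in parts[2].split(","):
            findings.append(f"bind mount writable: {bind}")
    return findings


if __name__ == "__main__":  # real use: docker inspect <container> | python audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else [SAMPLE_CONTAINER]
    for finding in audit(data[0]):
        print("MISSING:", finding)
```

The sample reports three gaps (pids_limit, mem_limit, the writable config bind); a container with all ten points applied returns an empty list.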

Actually maybe this does work.

But no UI it seems…

1 Like

Firefox update: new toggle setting that blocks all current and future AI features by default

2 Likes

Thanks for all that. Will take a look this weekend. I’ve actually been working on an app for a few days that stays true to Huntarr's original function before it got out of hand. Hoping to release it by Monday. If you want, once I’ve got a few bugs worked out you can take a look at it.

1 Like

Oh, I would definitely like an OG Huntarr alternative. I do assume there will be some more popping up sooner or later though.

1 Like

https://www.reddit.com/r/hardware/comments/1rfw6oj/hardware_reviewer_geekerwan_possibly_censored_by/

The Chinese hardware reviewer released a video revealing that mobile phone manufacturers have cheated in gaming performance reviews of their phones by doing a few things:

  1. Sending specially selected review units which contain “Golden” chips to reviewers. These chips are able to achieve higher gaming performance (6-8%) and lower power usage than the average retail unit, usually a watt lower (20%).
  2. Certain review models from Xiaomi force VRS (Variable Rate Shading) on out-of-box to boost gaming benchmarks with no option to turn it off.
  3. iPhones are one of the few models with no observable cheating. iPhone retail units in fact performed better than review units in gaming due to operating system updates.

The video in question has been wiped from all Chinese media platforms, including from cloud storages and backups done by other people. Other content creators reacting to the incident had their react videos taken offline by the platforms too. It is very likely that a state level censorship is underway to protect Chinese phone manufacturers.

1 Like

I’m working on one myself. Would love for you to take a look and give your feedback. Saw a few pop up overnight on Reddit. Haven’t announced mine except to a few people.

1 Like

Nice that you are clear about the vibe coding.

As for feedback, does this support PUID (99) and PGID (100) environment variables? That's the standard way of doing it, especially on Unraid. Or if not that, then “user: 99:100” on it, or 1000:1000 on other distros.

Oh, great catch. Adding it on the dev branch until the next merge to main.

1 Like

Added to the build and dropped some other security updates in the newest version. Newest build v2.2.0 is now available.

1 Like

@Rikudou_Goku Just dropped v2.4.0, super happy with the app as it is. Really just need more feedback. I’m waiting until Friday though to post on r/selfhosted for AI Fridays. Just pushed the first build to Docker Hub yesterday and already have 469 downloads currently. Not even sure how though. All I’ve done is literally share here and make one comment on someone else’s Huntarr replacement post.

1 Like

You can find new Docker Hub uploads here.

So it's not impossible to find new stuff.

1 Like