Automating Docker Updates: Watchtower vs Diun vs Manual Strategies

Your homelab is running smoothly. Twenty containers, all humming along. Then a CVE drops for one of your images, and you realize you haven’t updated anything in three months.

Docker containers don’t update themselves. Unlike desktop apps with auto-update prompts or Linux packages with apt upgrade, containers stay pinned to whatever image you pulled at deploy time. Without a strategy, your self-hosted stack slowly drifts into a graveyard of outdated software. ...

March 22, 2026 · 9 min · Self Host Setup

The Complete Self-Hosting Security Stack: Fail2Ban + CrowdSec + Authelia

Running self-hosted services on the open internet without a security stack is like leaving your front door unlocked in a busy neighborhood. Individual tools help, but real protection comes from layering defenses so each one covers the gaps of the others.

This guide builds a complete security stack using three open-source tools:

- Fail2Ban — reactive log-based banning for brute-force attacks
- CrowdSec — community-powered threat intelligence and behavioral detection
- Authelia — authentication portal with single sign-on and multi-factor authentication

Together, they give you intrusion prevention, shared threat intelligence, and access control. All running in Docker, all free. ...

March 19, 2026 · 11 min · Self Host Setup

The Complete Self-Hosting Security Stack: Fail2Ban + CrowdSec + Authelia

Running self-hosted services is great — until someone else discovers them. The moment you expose a port to the internet, bots start probing. Brute-force SSH attempts, credential stuffing on web apps, vulnerability scanners — it never stops.

No single tool solves this. You need layers. This guide walks through building a complete security stack using three open-source tools that complement each other perfectly: ...

March 19, 2026 · 9 min · Self Host Setup

Linux Server Hardening Checklist for Self-Hosters

You spun up a server, installed Docker, and deployed a dozen services. Everything works. But your SSH port is open to the world with password auth, you’re running everything as root, and your firewall is… what firewall?

Most self-hosting guides skip security entirely. This one doesn’t. Here’s a practical, ordered checklist to harden your Linux server without breaking the services running on it.

Who This Is For

Anyone running a self-hosted server — whether it’s a Raspberry Pi on your desk, a mini PC in the closet, or a VPS at Hetzner. You don’t need to be a sysadmin. You just need a terminal and 30 minutes. ...

March 18, 2026 · 7 min · Self Host Setup

Running Authentik vs Authelia: SSO Comparison for Self-Hosters (2026)

You’re tired of logging into every self-hosted service separately. You want single sign-on. You’ve narrowed it down to two options: Authentik and Authelia.

Both are open-source, both work with Docker, both solve the “too many logins” problem — but they take fundamentally different approaches. Authentik is a full identity provider. Authelia is a lightweight authentication portal. Choosing between them depends on what you actually need. ...

March 18, 2026 · 8 min · Self Host Setup

Docker Security Best Practices for Self-Hosters

Docker makes self-hosting easy. It also makes it easy to accidentally give an attacker root access to your entire server. Most self-hosting guides skip security entirely — here’s what they don’t tell you.

1. Never Run Containers as Root (When Possible)

By default, processes inside Docker containers run as root. If an attacker escapes the container, they’re root on the host.

Fix: Use the user directive:

    services:
      myapp:
        image: myapp:latest
        user: "1000:1000"

Or in the Dockerfile: ...

February 18, 2026 · 5 min · Self Host Setup

How to Check Exposed Ports on Your Server (And Why You Should)

One of the most common security mistakes in self-hosting is accidentally exposing services to the internet. That Redis instance you spun up for testing? It might be listening on 0.0.0.0 with no password. Your database? Possibly reachable by anyone. Let’s fix that.

Why Exposed Ports Matter

Every open port is a potential entry point. Some services — like databases and cache servers — were never designed to be exposed publicly. They often have no authentication by default. ...

February 18, 2026 · 5 min · Self Host Setup

selfhost-doctor: One-Command Health Check for Your Self-Hosted Server

Your self-hosted server is humming along — but is it actually healthy? Disk filling up? Docker containers silently unhealthy? SSH config wide open? SSL certs about to expire? selfhost-doctor answers all of that with one command.

Quick Start

    curl -fsSL https://raw.githubusercontent.com/bird/selfhost-doctor/main/selfhost-doctor.sh | bash

That’s it. No installation, no dependencies, no API keys. Just a clean diagnostic report in your terminal.

What It Checks

selfhost-doctor runs through 7 categories of health checks: ...

February 15, 2026 · 6 min · Self Host Setup

Setting Up CrowdSec: Community-Driven Security for Self-Hosters

Your self-hosted server is exposed to the internet. Bots, brute-forcers, and scanners hit it constantly. Fail2ban helps, but it only learns from your own logs. What if you could tap into threat intelligence from thousands of other servers? That’s CrowdSec. It’s like a community-powered immune system for your infrastructure.

What Is CrowdSec?

CrowdSec is an open-source security engine that:

- Parses your logs (Nginx, SSH, Traefik, WordPress, etc.)
- Detects attack patterns using behavioral scenarios
- Blocks attackers via bouncers (firewall rules, Nginx deny, Cloudflare API)
- Shares threat intel — when you block an IP, the community benefits and vice versa

Think of it as Fail2ban + community blocklists + modern architecture. ...

February 11, 2026 · 6 min · Self Host Setup

How to Set Up Authelia for Single Sign-On on Your Home Server

If you’re running multiple self-hosted services, you’ve probably noticed the login fatigue. Nextcloud has its own login. Portainer has another. Grafana, Gitea, Jellyfin — each with separate credentials. It’s a mess.

Authelia solves this by acting as a single sign-on (SSO) gateway with built-in two-factor authentication (2FA). Put it in front of your reverse proxy and every service gets enterprise-grade authentication without touching the service itself.

What is Authelia?

Authelia is an open-source authentication and authorization server. It works as a companion to your reverse proxy (Nginx Proxy Manager, Traefik, Caddy) and provides: ...

February 7, 2026 · 5 min · Self Host Setup