# Reset to Start

https://elgrundo.de/en/posts/reset/

### Crowdsec Counter and Stats Reset

I have cleaned and regenerated the website today. Since my own testing sessions had distorted the data, I performed a full statistics reset.

A new "Attack Counter" has been integrated into the header. It tracks requests that managed to bypass the initial filter lists. I estimate that CrowdSec already blocks approximately 60% of all malicious attempts beforehand. Nevertheless, 48 attacks have been recorded at the time of this post.

Even on a private website, this highlights the high volume of automated bots constantly searching for vulnerabilities.

# CrowdSec: The Digital Bouncer Squad for elgrundo.de

https://elgrundo.de/en/posts/crowdsec/

Operating a VPS at Hetzner is a bit like moving into a rough neighborhood: the moment you're online, the unwanted guests start knocking. Bots, scrapers, script kiddies: the internet is a village, and unfortunately not all neighbors have good intentions.

After migrating my VPN to Tailscale, I knew my remaining HTTP traffic for Immich, Paperless, and my portal needed a bouncer that doesn't take prisoners.

### Why CrowdSec? (Or: All for one, all against the bots)

Fail2Ban is decent, but it fights alone: it only ever knows what it has seen in its own logs. CrowdSec is like a global neighborhood watch on steroids. If a server in Tokyo gets attacked and reports the attacker, my server in Germany learns that IP with the next community blocklist pull and raises the drawbridge. It's a true community effort against cybercrime.

### The Architecture: Blocking before it hurts

I don't mess around. My setup operates at Layer 3/4:

- Security Engine: My Ubuntu host scans the Nginx Proxy Manager logs in real time for suspicious patterns.
- Firewall Bouncer: If the engine spots an attacker, the bouncer slams the door shut (via nftables). Malicious traffic is dropped before it even tickles my Docker containers. This saves valuable CPU resources on the Hetzner server.

Detection works on the HTTP access logs, but enforcement happens in the packet filter, so a banned IP never reaches Nginx again until its ban expires.

### My Personal Blacklist Elite

In addition to local log analysis, I've subscribed to four strategic blocklists to filter out the "background noise":

- Firehol Greensnow: Filters the general noise of mass scans and generic attacks.
- Firehol BotScout: My personal shield against login bots targeting my portal.
- Firehol Cybercrime Tracker: Blocks IPs linked to known malware distributors.
- CrowdSec Community List: Real-time data firepower from the global CrowdSec network.

### Verdict: Full protection, zero stress

Is it overkill for a personal site? Maybe. But I sleep much better knowing that my digital bouncers are intercepting scammers right at the curb.

# From IPv4 Dead-Ends to the Tailscale Bridge: My Path to Stable Remote Access

https://elgrundo.de/en/posts/ipv6/

Hosting has been a focus of mine for a long time, and I kept running into the same problem: how do I make my data securely accessible from the outside without leaving my home network wide open?

### The Problem: The IPv4 Dead-End

To make a server reachable from the outside, you need a unique address: the IP address. This is where the trouble starts:

- IPv4: The old standard (e.g., 138.199.205.5). Easy to handle, but addresses are scarce.
- IPv6: The modern successor (long and cryptic). Theoretically infinite, but with DS-Lite (what my ISP provides) it is the only public address you get: the IPv4 side sits behind carrier-grade NAT and cannot accept inbound connections.

My issue: My home connection lacks a public IPv4 address. When traveling, especially in foreign networks or restrictive Wi-Fi, my home server is often simply unreachable via IPv6.

### The Solution: The Hetzner Server as a "Relay"

I expanded my setup with a VPS at Hetzner. This server has a fixed public IPv4 and serves as my stable anchor point on the web. But how do my phone, the Hetzner server, and my home NUC ("elgrundo") find each other?

### My New Path: The Tailscale Mesh

I used to try solving this with tedious manual WireGuard routing. Today, I use Tailscale. While technically based on the WireGuard protocol, it's "on steroids" and much smarter in its management.

- The Mesh Network: I installed Tailscale on the Hetzner server, my home server, and my CachyOS PC. Every device gets an internal IP from the 100.64.0.0/10 range (100.x.y.z). They are now "bros" in a private, encrypted network.
- No Port Forwarding: The genius of Tailscale is that it "tunnels" through firewalls: the nodes punch through NAT with outbound-initiated connections and fall back to relays when that fails. I didn't have to open a single port on my router.
- Security via CrowdSec & UFW: CrowdSec stands guard on the Hetzner server. It scans public web requests and blocks attackers instantly. My SSH access is completely disconnected from the public internet and only reachable via the Tailscale tunnel.
- Mobile Connection: Instead of a complicated WireGuard configuration, I now simply use the Tailscale app. One login, and my phone is part of the home network, whether I'm in the garden or abroad.

### The Result: Full Access, Zero Stress

Since retiring manual WireGuard in favor of Tailscale, the setup finally runs smoothly:

- Stable Connection: Thanks to Tailscale, devices always reach each other via the shortest path (a direct peer-to-peer connection) or via Tailscale's DERP relay servers if the network gets tricky.
- Mobile Protection: I can use my home server or the Hetzner server as an Exit Node. This allows me to browse as securely as I do at home, even on hotel Wi-Fi.
- Central Services: My Nginx Proxy Manager on the Hetzner server securely forwards requests for elgrundo.de through the VPN tunnel to my containers (Immich, Paperless, etc.).

A major step for my setup is complete. The manual tinkering is over; logic prevails. If you're still struggling with unstable VPN tunnels: check out Tailscale. Your blood pressure will thank you!

# Update: Network & Security

https://elgrundo.de/en/posts/network-update/

I am pretty much done with the broad strokes of the current infrastructure migration.

### What's New?

The website now features two clearly separated areas:

1. Public Portal: The main entry point at elgrundo.de.
2. Protected Area: A password-protected internal portal (intern.elgrundo.de), secured via Nginx groups.
3. Open Statistics: In the spirit of Open Source, I am granting access to the visitor statistics (powered by Umami).

### Security Roadmap

The next major project is the deep integration of CrowdSec into the web stack. Some might call this setup "overkill" for a personal site, but it is an excellent exercise for professional security concepts.

With Tailscale for the internal mesh network and Nginx Proxy Manager for routing, the foundation is now rock solid.

# Let's Start

https://elgrundo.de/en/posts/lets-start/

Hey folks,

Glad you've found your way into this little corner of the web. Hello!

This is an expansion project of my homelab. What started as a small Corona project is increasingly getting out of hand. Since I've always wanted to understand how to host a website... tadaaa!

All of this is made possible with CachyOS, Docker, Nginx, Hugo, and PaperMod. As you can see, I'm pushing for open source all the way.

More content will follow, or not ;)

Thanks for stopping by. Linux FTW.
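The two CrowdSec posts above (the engine reading Nginx Proxy Manager logs and handing bans to an nftables bouncer, and the header counter that tallies requests the subscribed blocklists did not stop) describe one pipeline. The following is an added, offline mock of that pipeline written for this page; it is not CrowdSec's code and not the site's own. The log line shape is an assumption modelled on Nginx Proxy Manager's proxy-host access log, the blocklist, the scanner paths, the thresholds and every log line are constructed, and `render_nft` only shows the style of ruleset a firewall bouncer loads, not the real bouncer's output.

```python
"""Mock of: parse proxy-host log lines -> discard what a subscribed blocklist
already caught -> count what got through (the "attack counter") -> ban repeat
offenders -> render the nftables set a firewall bouncer would install."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed line shape (adjust LOG_RE if your log_format differs):
# [time] cache_status upstream_status status - METHOD scheme host "uri" [Client ip] ...
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - (?P<method>[A-Z]+) '
    r'(?P<scheme>\w+) (?P<host>\S+) "(?P<uri>[^"]*)" \[Client (?P<ip>[^\]]+)\]'
)
# Constructed stand-in for a subscribed blocklist (the real ones come from the CrowdSec hub).
STATIC_BLOCKLIST = [ip_network("198.51.100.0/24")]
# Tailscale hands out 100.64.0.0/10 addresses; never ban the mesh itself.
TRUSTED = [ip_network("100.64.0.0/10")]
# Paths only scanners ask a Hugo site for (constructed list).
SCANNER_PATHS = ("/wp-login.php", "/xmlrpc.php", "/.env", "/.git/", "/phpmyadmin")


def parse(line):
    """Dict for a recognised access-log line, None for anything else (error-log noise)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["ip"] = ip_address(ev["ip"])
    return ev


def is_suspicious(ev):
    """Nginx rejected the request, or the client asked for a scanner path."""
    return ev["status"] in (401, 403, 404) or ev["uri"].startswith(SCANNER_PATHS)


def in_any(ip, nets):
    return any(ip in n for n in nets)


def analyse(lines, threshold=5, window=timedelta(minutes=2)):
    """Return (IPs a blocklist would have stopped, IPs banned by behaviour, counter).

    An IP is banned once it produced `threshold` suspicious requests inside a
    sliding `window`. The counter only counts suspicious requests that no list
    and no earlier ban stopped, which is what a header "attack counter" tracks."""
    prefiltered, banned, counter = set(), set(), 0
    recent = defaultdict(deque)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if in_any(ip, STATIC_BLOCKLIST):
            prefiltered.add(ip)  # bouncer drops this at L3/4 before Nginx sees it
            continue
        if in_any(ip, TRUSTED) or ip in banned or not is_suspicious(ev):
            continue
        counter += 1
        q = recent[ip]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            banned.add(ip)
    return prefiltered, banned, counter


def render_nft(banned, ttl="4h"):
    """nftables ruleset in the style a firewall bouncer loads (IPv4 set only;
    IPv6 decisions would need a second set of type ipv6_addr)."""
    v4 = sorted((ip for ip in banned if ip.version == 4), key=int)
    body = ["table inet crowdsec {", "  set crowdsec-blacklists {",
            "    type ipv4_addr", "    flags timeout"]
    if v4:
        body.append("    elements = { " + ", ".join(f"{ip} timeout {ttl}" for ip in v4) + " }")
    body += ["  }", "  chain input {",
             "    type filter hook input priority filter - 1; policy accept;",
             "    ip saddr @crowdsec-blacklists drop", "  }", "}"]
    return "\n".join(body)


def _l(ts, status, uri, ip):
    """One constructed log line in the assumed format (sample data, not real traffic)."""
    return (f'[{ts} +0000] - {status} {status} - GET https elgrundo.de "{uri}" '
            f'[Client {ip}] [Length 153] [Gzip -] [Sent-to 100.64.0.3] "Mozilla/5.0" "-"')


SAMPLE_LOG = [
    _l("10/Jan/2025:12:00:01", 200, "/", "192.0.2.10"),
    _l("10/Jan/2025:12:00:02", 404, "/favicon.ico", "192.0.2.10"),    # one miss, not a scanner
    _l("10/Jan/2025:12:00:03", 404, "/wp-login.php", "198.51.100.7"),  # on the static blocklist
    _l("10/Jan/2025:12:00:04", 404, "/wp-login.php", "203.0.113.5"),
    _l("10/Jan/2025:12:00:05", 404, "/xmlrpc.php", "203.0.113.5"),
    _l("10/Jan/2025:12:00:06", 404, "/.env", "203.0.113.5"),
    _l("10/Jan/2025:12:00:07", 403, "/.git/config", "203.0.113.5"),
    _l("10/Jan/2025:12:00:08", 404, "/phpmyadmin/", "203.0.113.5"),   # fifth hit: banned
    _l("10/Jan/2025:12:00:09", 404, "/admin", "203.0.113.5"),         # already banned: not counted
    _l("10/Jan/2025:12:00:10", 404, "/missing", "100.64.0.2"),        # Tailscale peer: ignored
    "2025/01/10 12:00:11 [error] 17#17: *1 open() failed",            # error-log noise: skipped
]

if __name__ == "__main__":
    pre, bans, hits = analyse(SAMPLE_LOG)
    print("prefiltered:", sorted(map(str, pre)), "banned:", sorted(map(str, bans)),
          "attack counter:", hits)
    print(render_nft(bans))
```

Two design points worth keeping when you move from this mock to a real engine: the trusted range is checked before anything else, so a misbehaving client on the mesh can never lock you out of your own Hetzner box, and requests from an already-banned IP are not counted again, because in the live setup the nftables drop means Nginx never logs them.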