Operating a VPS at Hetzner is a bit like moving into a rough neighborhood: the moment you’re online, the unwanted guests start knocking. Bots, scrapers, script kiddies—the internet is a village, and unfortunately, not all neighbors have good intentions.

After migrating my VPN to Tailscale, I knew my remaining HTTP traffic for Immich, Paperless, and my portal needed a bouncer that doesn’t take prisoners.

Why CrowdSec? (Or: All for one, all against the bots)

Fail2Ban is decent, but it fights alone: it only ever knows what it has seen in its own logs. CrowdSec is like a global neighborhood watch on steroids. Attacks my engine detects are reported to CrowdSec's central API, and in return my engine pulls the community blocklist of IPs that many other engines have reported. That pull is periodic (every couple of hours by default), so think hours rather than seconds, but the effect is the same: if a server in Tokyo gets hammered by an IP the community already knows, my server in Germany raises the drawbridge before that IP ever shows up in my own logs. It's a true community effort against cybercrime.

The Architecture: Blocking before it hurts

I don't mess around. Detection happens at Layer 7, enforcement at Layer 3/4:

  1. Security Engine: CrowdSec on my Ubuntu host tails the Nginx Proxy Manager access and error logs in real time and runs every line through the hub's parsers and scenarios (HTTP probing, path-traversal attempts, known bad user agents and the like).
  2. Firewall Bouncer: When the engine issues a ban decision, the firewall bouncer slams the door shut by adding the IP to an nftables set. Malicious traffic is dropped at the host's input and forward hooks before it even tickles my Docker containers, which saves valuable CPU resources on the Hetzner server. One gotcha: Docker-published ports are forwarded traffic, not input, so the bouncer has to hook the forward chain too, otherwise proxied requests sail right past the ban.
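Here is what the two halves look like as configuration. This is an added example, not the author's actual config: the NPM data path `/opt/npm/data`, the bouncer name and the API key are assumptions, the `type: npm` label is what the `crowdsecurity/nginx-proxy-manager` hub collection's parser expects (check the collection's page on the hub), and the whitelist entry for `100.64.0.0/10` assumes, as the post implies, that admin access arrives over Tailscale. Each block is a separate file; the path is in the leading comment.

```yaml
# --- /etc/crowdsec/acquis.d/npm.yaml ---
# Detection side: tell the Security Engine where the NPM container writes
# its logs. /opt/npm/data is an ASSUMED bind mount of the container's
# /data directory; adjust it to whatever your docker-compose maps.
filenames:
  - /opt/npm/data/logs/proxy-host-*_access.log
  - /opt/npm/data/logs/proxy-host-*_error.log
  - /opt/npm/data/logs/fallback_access.log
labels:
  # Log type the crowdsecurity/nginx-proxy-manager collection parses.
  # Install it with: cscli collections install crowdsecurity/nginx-proxy-manager
  type: npm
---
# --- /etc/crowdsec/parsers/s02-enrich/whitelists.yaml ---
# The stock whitelist only covers loopback and RFC 1918 ranges. If your
# own admin sessions come in over Tailscale, add its CGNAT range so a
# fat-fingered login streak of your own can never earn you a ban and
# lock you out of the box.
name: crowdsecurity/whitelists
description: "Whitelist events from private and Tailscale addresses"
whitelist:
  reason: "private ipv4/ipv6 and Tailscale ranges"
  ip:
    - "127.0.0.1"
    - "::1"
  cidr:
    - "192.168.0.0/16"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "100.64.0.0/10"   # Tailscale CGNAT range (ASSUMPTION: tailnet is the admin path)
---
# --- /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml ---
# Enforcement side: the bouncer polls the Local API for ban decisions
# and mirrors them into nftables sets.
mode: nftables
update_frequency: 10s
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://127.0.0.1:8080/
api_key: REPLACE_ME_WITH_OUTPUT_OF_cscli_bouncers_add   # placeholder, not a real key
deny_action: DROP          # drop rather than reject: no RST/ICMP tells the scanner we exist
deny_log: false
supported_decisions_types:
  - ban
nftables:
  ipv4:
    enabled: true
    set-only: false
    table: crowdsec
    chain: crowdsec-chain
    priority: -10          # evaluated before Docker's own filter rules (priority 0)
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6
    chain: crowdsec6-chain
    priority: -10
# Docker-published ports are DNATed and then *forwarded* to the container,
# so they never traverse the input hook. Without "forward" here, banned
# IPs would still reach Nginx Proxy Manager.
nftables_hooks:
  - input
  - forward
```

Three checks are worth doing after a restart. `cscli metrics` should show lines being read and parsed from each NPM log file, and those lines must carry the public client IP rather than a Docker bridge address, or every ban will land on `172.x`. `sudo nft list table ip crowdsec` should show the chain attached to both the input and forward hooks. And `cscli decisions list` should start filling up with bans whose origin is your own engine, not only the imported lists. The Debian package normally fills in `api_key` at install time; if you write the file by hand, `cscli bouncers add <name>` prints a key to paste in.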

My Personal Blacklist Elite

In addition to local log analysis, I’ve subscribed to four strategic blocklists to filter out the “background noise”:

  • Firehol Greensnow: Filters the general noise of mass scans and generic attacks.
  • Firehol BotScout: My personal shield against login bots targeting my portal.
  • Firehol Cybercrime Tracker: Blocks IPs linked to known malware distributors.
  • CrowdSec Community List: Crowd-sourced bans from the global CrowdSec network, refreshed on every periodic pull.

Verdict: Full protection, zero stress

Is it overkill for a personal site? Maybe. But I sleep much better knowing that my digital bouncers are intercepting scammers right at the curb.