Reset to Start

CrowdSec Counter and Stats Reset

I have cleaned and regenerated the website today. Since my own testing sessions had distorted the data, I performed a full statistics reset.

A new “Attack Counter” has been integrated into the header. This tracks requests that managed to bypass the initial filter lists. I estimate that CrowdSec already blocks approximately 60% of all malicious attempts beforehand. Nevertheless, 48 attacks have been recorded at the time of this post.

...

CrowdSec: The Digital Bouncer Squad for elgrundo.de

Operating a VPS at Hetzner is a bit like moving into a rough neighborhood: the moment you’re online, the unwanted guests start knocking. Bots, scrapers, script kiddies—the internet is a village, and unfortunately, not all neighbors have good intentions.

After migrating my VPN to Tailscale, I knew my remaining HTTP traffic for Immich, Paperless, and my portal needed a bouncer that doesn’t take prisoners.

Why CrowdSec? (Or: All for one, all against the bots)

Fail2Ban is decent, but it fights alone. CrowdSec is like a global neighborhood watch on steroids. If a server in Tokyo gets attacked, my server in Germany knows about it seconds later and raises the drawbridge. It’s a true community effort against cybercrime.

...

From IPv4 Dead-Ends to the Tailscale Bridge: My Path to Stable Remote Access

Hosting has been a focus of mine for a long time, and I kept running into the same problem: How do I make my data securely accessible from the outside without leaving my home network wide open?

The Problem: The IPv4 Dead-End

To make a server reachable from the outside, you need a unique address – the IP address. This is where the trouble starts:

  • IPv4: The old standard (e.g., 138.199.205.5). Easy to handle, but addresses are scarce.
  • IPv6: The modern successor (long and cryptic). Theoretically infinite, but practically often limited by DS-Lite (my ISP).

My issue: My home connection lacks a public IPv4 address. When traveling—especially in foreign networks or restrictive Wi-Fi—my home server is often simply unreachable via IPv6.

...

Update: Network & Security

I am pretty much done with the broad strokes of the current infrastructure migration.

What’s New?

The website now features two clearly separated areas:

  1. Public Portal: The main entry point at elgrundo.de.
  2. Protected Area: A password-protected internal portal (intern.elgrundo.de), secured via Nginx groups.
  3. Open Statistics: In the spirit of Open Source, I am granting access to the visitor statistics (powered by Umami).

Security Roadmap

The next major project is the deep integration of CrowdSec into the web stack. Some might call this setup “overkill” for a personal site, but it is an excellent exercise for professional security concepts.

...

Let's Start

Hey folks,

Glad you’ve found your way into this little corner of the web. Hello!

This is an expansion project of my homelab. What started as a small Corona project is increasingly getting out of hand. Since I’ve always wanted to understand how to host a website… tadaaa!

All of this is made possible with CachyOS, Docker, Nginx, Hugo, and PaperMod. As you can see, I’m pushing for open source all the way.

...