nftables: Modern Linux Firewalling
iptables is being phased out. nftables is faster, cleaner, and already the default on modern Linux. Here's how to actually use it without wanting to quit.
Tag: security
All the articles with the tag "security".
Suricata vs Snort: Network Intrusion Detection That Actually Works
Snort invented network intrusion detection. Suricata multi-threaded its way past it. Here's how to set up real IDS/IPS on your home lab and actually understand what it's telling you.
SBOMs and Supply Chain Security
A Software Bill of Materials tells you exactly what's in your software. Syft generates one, Grype scans it for CVEs. Together they're your supply chain paper trail.
Container Security: Scan and Sign Your Images Like You Mean It
Pulling unscanned images onto your server is a gamble. Trivy finds the CVEs. Cosign proves the image hasn't been swapped out. Here's how to add both to your workflow.
Falco: Catch Container Attacks at Runtime
Falco watches every syscall your containers make and screams when something sketchy happens. Like someone exec'ing a shell inside your nginx container at 3am.
Cloudflare Tunnels: The Zero-Port-Forward Guide to Exposing Your Services
No port forwarding, no DDNS drama. Cloudflare Tunnels advanced config: multiple services, Access policies, origin TLS, and what Cloudflare can actually see.
Trivy + Cosign: Scan and Sign Your Images
You're pulling container images from strangers on the internet. Trivy scans them for CVEs. Cosign proves they haven't been tampered with. Use both.
Fail2ban vs CrowdSec: Blocking the Bots Actually Smartly
Fail2ban bans IPs that attack you. CrowdSec bans them before they attack you, using community threat intelligence. Here's how to set up both and why you might want both.
Tailscale Deep Dive: Mesh Networking That Actually Works
Tailscale takes WireGuard's speed and wraps it in a control plane that handles key exchange, routing, and ACLs automatically. Here's everything beyond 'tailscale up'.
2FA for SSH and sudo via PAM
Adding TOTP to SSH and sudo takes 10 minutes and makes password spray attacks useless. Here's the setup that won't lock you out of your own server.
WireGuard vs OpenVPN 2026: It's Not Even Close
OpenVPN is the battle-tested workhorse. WireGuard is everything VPNs should have been from the start. In 2026, here's which one you should actually use.
SSH CA: Finally Ditch authorized_keys
Managing authorized_keys across 10 servers is how you lose track of who has access to what. An SSH CA lets you sign keys and revoke access without touching every server.