• 0 Posts
  • 5 Comments
Joined 1 year ago
cake
Cake day: June 9th, 2023

help-circle


  • I keep all my services in one docker-compose yml, and run it from a normal user account added to the docker group.

    I am really conscious of what I expose to the internet though, since I already almost had a security incident.

    I used to run non-standard ssh port to my machine with password authentication enabled.

    Turns out I didn’t know the sonarr/radarr containers came with default users, and a bruteforce attack managed to login to one of them (or something like that anyway,it’s been awhile). Fortunately they have a default home of /sbin/nologin so crisis averted there, but it definitely was a big lesson for me.

    Years later, the current setup is only plex, tautulli, and ombi open to the internet, and to reach everything else I use tailscale. And of course,only key-based authentication.

    Oh and for updates, I run apt upgrade once in a while on the box (Ubuntu server 18.04 LTS) and for the containers, I use watchtower.