Blog
Practical homelab security writing. CVE deep-dives, hardening checklists, monthly review routines, and honest thoughts on the tools that actually work.
-
CUPS exposed on your LAN — the September 2024 CVE chain (2026-06-01)
Four chained CVEs in cups-browsed turn an unauthenticated UDP packet into RCE. What the chain actually does, who's exposed, and how to check your homelab.
-
Container breakout in homelab Proxmox — CVE-2024-21626 explained (2026-06-01)
The Leaky Vessels runc CVE turns a hostile container image into host root. What it actually does, why Proxmox LXC users care, and how to verify your fix.
-
The libwebp problem — when one bundled library breaks a hundred apps (2026-06-01)
CVE-2023-4863 is the textbook bundled-library CVE. One bug in one library, hundreds of patches across Chromium, Electron, Home Assistant, Plex. What every homelab missed.
-
Home Assistant security checklist — hardening before you expose the smart home (2026-05-27)
Twelve hardening checks for self-hosted Home Assistant — auth, network exposure, integrations, supervisor add-ons, backups, secrets. Exact commands and what Noxen flags automatically.
-
Pi-hole security checklist — admin panel, DNS exposure, and update hygiene (2026-05-27)
Pi-hole sits on the trust path between every device on your LAN and the internet. Ten hardening checks for the admin UI, DNS resolver, blocklist sources, and update cadence. Exact commands and what Noxen flags automatically.
-
Proxmox security checklist — VE web UI, cluster comms, and storage hardening (2026-05-27)
Proxmox sits below every VM and container in your homelab — compromise it and the rest of the fleet is dust. Twelve hardening checks for the web UI on port 8006, cluster encryption, storage permissions, and update cadence.
-
Vulnerability scanner false positives are a UX bug, not a feature (2026-05-11)
Why most vulnerability scanners fail at the trust step. The five sources of scanner false positives, the diff-first fix, the honest tradeoffs of cutting noise, and what "the scanner earns its second run" actually means.
-
Before you expose a service to the web — the non-negotiable Linux server hardening checklist (2026-05-10)
Eight checks for the decision point — not general hardening, but what changes the moment a Linux service becomes reachable from the internet. SSH, TLS, exposed admin panels, package CVEs, and why drift detection matters more than the one-time pass.
-
Ubuntu 22.04 LTS hardening checklist — 12 SSH and TLS audits before April 2027 (2026-05-01)
Ubuntu 22.04 hits end of standard support in April 2027. Twelve audit-ready SSH, TLS, and package-policy checks every Jammy homelab box should run before then — exact commands, what to fix, and what Noxen flags automatically.
-
CVE-2024-3094 (xz/liblzma backdoor) — what homelabs had to fear and how to check (2026-05-01)
The 2024 supply-chain backdoor in xz-utils targeted sshd via liblzma. What it actually did, which distros shipped affected versions, the one-line check to run today, and what supply-chain hygiene a homelab can realistically practice.
-
regreSSHion (CVE-2024-6387) — what every homelab operator should know (2026-04-29)
The OpenSSH signal-handler race that landed pre-auth RCE on glibc Linux. What it is, who's exposed, how to detect a vulnerable sshd, the per-distro fix versions, and what defence-in-depth actually buys you.
-
EPSS explained — when CVSS isn't enough (2026-04-29)
EPSS is the Exploit Prediction Scoring System: a 0–1 probability of a CVE being exploited in the next 30 days. How it's built, how to combine it with CVSS and KEV for triage, and where it falls short.
-
How to triage CVE findings: critical, high, medium, and "ignore for now" (2026-04-25)
The practical homelab guide to triaging CVE findings without becoming the kind of person who patches everything immediately. CVSS, KEV, EPSS, exposure context, and the decision matrix.
-
Exposed admin surfaces: the #1 homelab compromise vector you're not scanning for (2026-04-25)
Why most homelab compromises start with an exposed Grafana / phpMyAdmin / Pi-hole. The 70+ services to check, and why default-credential testing is the wrong remediation answer.
-
The patching gap: why monthly cycles aren't enough for self-hosted services (2026-04-25)
apt upgrade doesn't touch Plex, Grafana, Pi-hole, or your *arr suite. The patching gap is where modern homelabs get compromised — and how to close it without becoming a full-time updater.
-
CVE, CVSS, CWE, CPE: a plain-English glossary of security acronyms (2026-04-25)
13 vulnerability and security acronyms decoded in plain English — what each one means, who maintains it, and when it actually matters.
-
Continuous CVE scanning vs periodic patching: which one wins? (2026-04-25)
Patching alone misses what scanning catches — third-party software, EOL packages, config drift. Why the right answer is both.
-
Agent vs agentless security scanning: which is right for your fleet? (2026-04-25)
The architectural choice behind every CVE scanner — coverage, ops burden, blast radius, trust. Why agentless wins for homelabs.
-
A 30-minute homelab security baseline (no enterprise tools required) (2026-04-25)
From "nothing in particular" to a defensible baseline in half an hour. Patch, harden SSH, close ports, authenticate admin surfaces.
-
The Mac-native homelab vulnerability scanner
Agentless over SSH. One-time purchase. No Docker, no SaaS. Built for people who run their own boxes.
-
10 homelab security quick wins to knock out in an afternoon
Ten practical hardening steps you can apply across your homelab in a single Saturday.
-
The monthly homelab security checklist
Ninety minutes, coffee, and a checklist. The monthly routine that keeps a homelab from drifting.
-
How often should you scan your homelab for vulnerabilities?
Daily, weekly, monthly? A practical answer about scan cadence and alert fatigue.
-
SSH key hygiene: what's in your authorized_keys?
Find the keys you forgot, audit the ones you kept, and rotate without locking yourself out.
-
TLS certificate expiry on self-hosted services
Stop your services from going down at 3am because a cert expired.
-
Why your Raspberry Pi's OpenSSL is out of date (and how to fix it)
Find unpatched CVEs on your Pi and fix them in one command.
-
CVE-2022-3602 and CVE-2022-3786 in your homelab
The OpenSSL X.509 email-address buffer overflows. How to find affected hosts across your fleet.
-
Pareto Security for your whole fleet
Pareto audits your Mac. Noxen extends the same idea to every remote box you own — agentless, over SSH.
-
Nessus alternative for Mac homelabs
Tenable Nessus is excellent for enterprises. It's overkill for a home rack. Here's a right-sized alternative.
-
Agentless SSH host inventory
What "agentless" really means, what it costs, and where it fits a homelab perfectly.
-
Why Noxen flags exposed admin panels but never logs in
Default-credential testing is explicitly out of scope. Here's why that's a product decision, not a limitation.