NetSec

This is a guide to the tools and practices I actually use, ordered from things anyone can set up in an afternoon through to running your own server infrastructure. Each section builds on the last. Start wherever makes sense for where you are — but don't skip the basics because they seem simple. The basics are where most people leak the most data.

There is a common idea that if you have nothing to hide, you have nothing to worry about. That idea is wrong — and it is worth understanding why before you read the rest of this page. Read the full argument here.

Basic Safety Beginner

Before any tools or software, the most important thing is understanding what you are protecting and from whom. Most people do not need to defend against nation-state actors. What they need is to stop leaking data to corporations, advertisers, and opportunistic attackers who profit from carelessness.

Use a password manager — every account should have a unique, generated password. If you reuse passwords, a single breach compromises everything.
Enable two-factor authentication — on email, banking, and anything that matters. Use an authenticator app, not SMS.
Check your exposure — Have I Been Pwned will tell you which of your accounts have already been leaked.
Review app permissions — your phone apps do not need access to your contacts, microphone, and location to show you the weather.
Opt out of data brokers — services like JustDeleteMe help you remove yourself from sites that sell your data.

This is not paranoia. This is the digital equivalent of locking your front door.

Counter-Surveillance Beginner

Counter-surveillance is not about hiding — it is about understanding who is watching, what they can see, and how to reduce what you give away without thinking about it.

Your ISP sees everything — every domain you visit, when, and how often. A VPN stops this. Without one, your entire browsing history is logged and in many countries sold.
Your phone is a tracking device — it broadcasts your location constantly via cell towers, Wi-Fi probes, and GPS. Turn off location services for apps that do not need it. Use aeroplane mode when you do not need to be connected.
Social media is surveillance by consent — every like, share, scroll, and pause is tracked and profiled. The platform is free because you are the product.
Metadata matters more than content — who you called, when, for how long, and from where tells more about you than what you said. Encrypted messaging protects content but metadata often leaks.
Smart devices are microphones you pay for — Alexa, Google Home, smart TVs with voice control. These record ambient audio and send it to servers you do not control.

The goal is not to disappear. The goal is to make surveillance expensive, incomplete, and not worth the effort for anyone who is not specifically targeting you.

Your Browser Beginner

The browser is where almost all of your data leaks. Every site you visit can fingerprint your browser — a combination of your screen resolution, installed fonts, GPU, timezone, and dozens of other signals that together uniquely identify you even without cookies. A VPN does not stop this.

Brave: Blocks ads and trackers by default, spoofs your fingerprint, ships with a built-in VPN and Tor option.
If you prefer Firefox, pair it with the arkenfox user.js hardening config.
uBlock Origin: Free, open-source ad content blocker. Install it and set it to hard mode.

Enable HTTPS-only mode in your browser settings. There is no good reason to send unencrypted traffic in 2026.

A VPN Beginner

A consumer VPN encrypts the traffic between your device and the VPN server, hiding it from your ISP. Your ISP can see that you are connected to a VPN, but not what you are doing inside it. This shifts trust from your ISP to the VPN provider. Choose one that has been independently audited and does not log traffic:

Mullvad: Accepts cash, does not require an email address.
ProtonVPN: Solid and open source.

Consumer VPNs have one weakness: your ISP can see that you are using a VPN. In most countries this is not a problem. In some it is. The solution to that is further down this page.

DNS Filtering with Pi-hole + Unbound Intermediate [pi-hole.net]

Every time you visit a website, your device asks a DNS server to translate the domain name into an IP address. By default, that request goes to your ISP's DNS server — which means your ISP has a complete log of every domain you visit, even if you use HTTPS.

Pi-hole: A DNS server you run yourself. Blocks ad and tracker domains at the DNS level. Every device on your network gets the filtering automatically.
Unbound: A recursive DNS resolver that talks directly to root DNS servers instead of forwarding queries to Google or Quad9. Validates responses using DNSSEC.

I run Pi-hole in Docker, backed by Unbound. Combined, Pi-hole handles the filtering and Unbound handles the resolution. No third party sees your queries.

Firewall (UFW) Intermediate [docs]

UFW (Uncomplicated Firewall) controls what traffic can reach your server. The correct default is: deny all incoming, allow all outgoing, then explicitly open only what you need.

SSH — open only from LAN and Tailscale VPN subnet.
DNS on port 53 — from LAN only.
WireGuard on 51820.
Docker container port range — nothing else.

Every rule is a conscious decision about what is allowed in.

SSH Hardening + fail2ban Intermediate [fail2ban.org]

If your server is reachable from the internet, it is being scanned constantly. Automated bots probe SSH ports 24 hours a day looking for weak passwords.

Use key-based authentication only — disable password logins in /etc/ssh/sshd_config with PasswordAuthentication no.
fail2ban: Watches auth logs and bans any IP that fails authentication more than five times in an hour.
Whitelist your LAN subnet so you cannot lock yourself out.

Between key-only auth and fail2ban, SSH becomes a very dull target.

Self-hosted VPN with WireGuard Advanced [wireguard.com]

A self-hosted VPN means you control the server that your traffic exits from, rather than trusting a commercial provider. WireGuard is the protocol — fast, modern cryptography (Curve25519 keys), and a much smaller codebase than OpenVPN.

Server runs at 10.0.0.1, listening on port 51820/UDP.
Each client gets a unique keypair and an IP in the 10.0.0.0/24 subnet.
All traffic routes through the tunnel to the home network — then out through Pi-hole and Unbound.

All filtering and DNS security follows you when you are away from home.

DPI Obfuscation with Cloak Advanced [github]

A standard WireGuard connection is identifiable by deep packet inspection — ISPs and network operators can see that you are running a VPN even if they cannot see inside it.

Cloak: Wraps WireGuard traffic inside what looks like ordinary HTTPS.
From the outside, your VPN traffic appears to be a regular encrypted web session to a legitimate domain.
Legitimate requests to that domain are proxied transparently. Only authenticated Cloak clients are routed to the WireGuard tunnel.

Deep packet inspection sees HTTPS and moves on.

Threat Intelligence with CrowdSec Advanced [crowdsec.net]

CrowdSec is an open-source intrusion detection system that watches your logs and detects attack patterns. Unlike fail2ban, CrowdSec participates in a shared intelligence network.

When it bans an IP, that ban is shared with the community. Bans from other servers flow back to you.
The bouncer integrates directly with UFW — detections become firewall rules immediately.
Collections enabled for SSH brute-force, web CVE exploitation, SQL injection, and Linux system anomalies.

CrowdSec sits upstream of fail2ban — one provides rate limiting, the other provides community threat intelligence. Together they cover both reactive and proactive protection.

Monitoring with Prometheus + Grafana Advanced

Prometheus: Scrapes metrics from your services every 15 seconds — CPU, memory, disk, DNS query rates, WireGuard tunnel throughput, CrowdSec alert counts.
Grafana: Turns those metrics into dashboards you can read.
Alertmanager: If a service goes down, disk fills up, or SSH failures spike, you get a notification.

The point of monitoring is not to watch numbers all day — it is to know immediately when something changes. A sudden spike in SSH failures means someone is probing. An unusual DNS query pattern can mean something on your network has been compromised.

Packet Analysis with Wireshark Advanced [wireshark.org]

Wireshark: Captures raw network traffic and lets you inspect it at every level of the stack.
Filter by protocol, follow TCP streams, see exactly what a device on your network is sending and to whom.
Use it to verify your VPN is encrypting traffic, confirm Pi-hole is blocking what you expect, investigate suspicious activity.
Command-line version: tshark -i eth0 -f "tcp port 443" for scripting captures on a headless server.

Self-Hosting

All of the tools above except the browser and commercial VPN run on a server — in my case a home server running Ubuntu. Running your own server means you own your data, you control your services, and you are not depending on a third party to keep them private or online.

A full write-up on setting up a home server from scratch — hardware, OS, Docker, and the infrastructure above — is on the blog. Read: Getting Started with Self-Hosting →

Sebastian Fisher