Tuesday, 9 June 2026

Webtop - an impressive remote access tool

I've been looking for a while for something that allows me to remotely access my home systems. I can't use a VPN, or RDS to connect back to my systems, so it had to be something useful via a web interface. Finding an option that allows for a Remote Desktop in a web interface isn't easy. I tried a few different options and had very little success, which was annoying and required quite some time to get things to work. Until I stumbled on webtop! You can find it here: https://docs.linuxserver.io/images/docker-webtop/ and it's worth having a look at.

I'm running it in docker, and I used this https://github.com/linuxserver/docker-webtop to set it up. The process is relatively straightforward and I'm running it in a Linux container. I've found with my server that 4vCPUs, 6GB of RAM and a 30GB disk have proven adequate for my daily computing needs via the webtop system.

It's an immutable file system, so any changes you make will be rolled back on restarting it. Instead, to add more software, you must use the Proot method - this makes the software stick. My needs are relatively simple, so I've installed Obsidian and a different browser. It all works very acceptably - it's fairly quick and usable. I also use the built-in office suite, LibreOffice, for spreadsheets and files. The Documents/Downloads etc. folders are not immutable and these retain your changes, which is handy. I've had it manage some very sizeable spreadsheet files and it was fine to use.

One of the great things about using Webtop is having a foothold outside of the office, so if I'm doing pen testing, or vulnerability scanning I can do it from outside the production network and see what I can find. It also allows me to access different websites than what I can see in the office. For example, if we have a class of websites blocked, like AI ones, but I'd like to read about Claude Mythos I can't at work, no matter how important it is for actual work. So I can use webtop to do that research without waiting until I get home. 

It's also handy because you can drag stuff to the webtop page and upload it into your desktop or file system. As an exfiltration system it could be very good, so I made sure our DLP was up to the challenge - and it proved an interesting test system to verify that the DLP rules were working and firing when they were supposed to.

I haven't got screenshots for you to see - instead go and check out the developer's site and spin it up in a docker container. It won't take long and the outcome is a great tool for work and play.

Sunday, 31 May 2026

TheHive - an excellent case management tool for Digital Forensics!

In my work in cybersecurity, I've been quietly using TheHive made by StrangeBee https://strangebee.com/thehive/ for the last few years. Initially I was searching for something to analyse forensic data and stumbled on this project. It's got both an Open Source and a paid version, and I've had great value from the community version. Paired with Cortex, TheHive is a powerful tool for the cybersecurity professional. Cortex is the system that does the analysis of your artefacts and then reports back into TheHive. This isn't the only integration that TheHive supports. You can push new cases into it from both MISP and from Wazuh, and then run triage and analysis from within TheHive. It will push details back into MISP, so when you review an alert or report you can classify it in TheHive once and it will update it back into MISP, which is pretty neat.

Here is what a couple of entries on the Dashboard look like:

The dialogue box to create a case is below:

And this is what the case page looks like:

Typically, I'll do the following:

  • Create a case, choosing the appropriate level of severity
  • Add at least one task to the case - usually "Review Observables", which is TheHive talk for the artefacts associated with the case - and these can be of many different types
  • Add the observables - of which there can be many types, as seen in this screenshot:

    and with the "Type" sorted out:

Here is where TheHive and Cortex shine together. The observable type is linked to analytics that Cortex runs for you - you'll have to set it up, but the good news is that it's quite straightforward and can all run on a single server. Cortex will run the analysis of your observable and then report back. For example, you might configure Cortex to query Google DNS for bad websites, VirusTotal for known bad artefacts, AbuseFinder is handy, and so is Urlscan.io. Here is an example of what a couple of bad IP addresses look like after Cortex has analysed them:

Red is bad, orange is suspected bad and green is... well, Cortex either isn't sure or the results are inconclusive.

Cortex requires some grunt to run, so when you read that TheHive + Cortex needs 16GB of RAM and at least 8 CPUs you can understand why - with many concurrent analytics being performed against the observables, and doing it in a timely manner. I run it on my Proxmox server and it gets along quite adequately.

When working through a case, I use the Tasks to capture what I'm seeing, and use the "Comments" to report on my findings. These can be timestamped (which you should always do), and if you happen across an observable or a similarity to another case, TheHive will automatically link it through. Then you can begin the next phase of action, whatever that may be, and track the case to its conclusion. In the example above, we saw significant attacks on our Web Application Firewall and blocked the addresses, fixing the problem from a known bad (at the time) IP address. It may have been fixed since, and that's why it is important to re-analyse observables. Hijacked sites/IPs or similar can be recovered, and I always want to give my fellow cyber security and IT pros the chance to fix their systems without needlessly blocking anyone.

TheHive has nice reporting (I don't have an example that doesn't have sensitive data in it), and as a system for managing what I'm seeing and being asked to respond to, it has been excellent. I use the Community edition - I don't get a lot of cases through work, but I do get a few when I'm helping out people outside of the office, and TheHive is great for supporting that community work. I've had several interactions with their team and they've been generally very good, so thank you StrangeBee members!

I've meant to write about TheHive for a while - it's a great tool, and I think that if you've got a forensic element to your work it can really add value to that work. 

Wednesday, 26 November 2025

Taking notes with Bookstack

I've been looking to use a different note taking tool than Confluence - only because I want to have my stuff self-hosted, so I've been poking around at a few different options. I've played with rwMarkable, Trilium, Notion and others. Suffice to say, I've been down a rabbit hole on this... and I've ended up on Bookstack.

You can find the website here: https://www.bookstackapp.com/ Self-hosted is very attractive to me at the moment. I really don't have a lot of love for having my data out there with anyone else - especially US based companies. There's a bit of uncertainty out there with the behaviour of the US government, so I'd prefer to repatriate my data where possible.

So I needed somewhere I could punch a heap of written data, with some features, a nice editor and not too hard to manage. Happily, I discovered Bookstack.

Under Proxmox, I set up an LXC (Linux Container) and then, using a script from https://community-scripts.github.io/ProxmoxVE/scripts?id=bookstack, I installed my instance fairly simply! It's running with 1 vCPU, 1GB of RAM and 4GB of disk space - it's hardly the biggest VM I'm running (ah, the beauty of the LXC in all its glory!). Even with these modest specifications, I've found it to run very efficiently, easily uploading images and managing some quite sizeable documents.

Here's a screenshot of what my page looks like:


I have two "Shelves" and each Shelf has multiple books in it. I won't show them - there's secret stuff in there :-)

While it's hosted on my Proxmox server internally, I've used Cloudflare tunnels to provide me with a nice Zero Trust way to access my own systems from anywhere. MFA + Conditional Access all courtesy of the Cloudflare's free tier. Additionally, and I can't shout this out enough - I used Cloudflare for all my DNS which means that managing tunnels and published applications is that much easier. It's a lovely way to do things and I'm praying that we don't get a bunch of enshittification take place. For the moment, it's a wonderful way to do things.

But onto Bookstack - it's a nice WYSIWYG interface. I'm using the dark theme and it looks like this: 


Now, here's a tip - up until about 2 hours ago, it didn't quite look like this. Make sure the .env file has the correct URL or things won't work properly - drafts won't save, the scroll bar won't work, and the text on the dark page will be black, not white. Easily fixed by sorting out the .env file and then running the php update command.
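As an added example for the tip above (my own script, not from this post or the BookStack project), a small POSIX shell check that compares APP_URL in a BookStack .env with the URL you actually browse to, rewrites it if it is wrong and prints the BookStack commands to run afterwards. The install path /var/www/bookstack, the .env file names and the URLs are assumptions.

```shell
#!/bin/sh
# Added example, not BookStack's own tooling. BookStack builds its asset and
# API links from APP_URL, so a stale value (for example the http://localhost
# left over from install) gives exactly the symptoms described above:
# drafts not saving, a broken scrollbar and the wrong theme colours.
# Assumption: the .env path and the expected public URL are passed as arguments.

# Print the APP_URL value from an env file, stripping quotes and a trailing slash.
read_app_url() {
    env_file="$1"
    # The last uncommented APP_URL= line wins, as it does for dotenv loaders.
    grep -E '^[[:space:]]*APP_URL=' "$env_file" | tail -n 1 \
        | sed -e 's/^[[:space:]]*APP_URL=//' -e 's/^"//' -e 's/"$//' \
              -e "s/^'//" -e "s/'\$//" -e 's:/*$::'
}

# Return 0 when APP_URL matches the URL you browse to, 1 otherwise.
check_app_url() {
    env_file="$1"
    expected="$(printf '%s' "$2" | sed 's:/*$::')"
    actual="$(read_app_url "$env_file")"
    if [ -z "$actual" ]; then
        echo "APP_URL is not set in $env_file" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "APP_URL mismatch: .env has '$actual', you browse to '$expected'" >&2
        return 1
    fi
    echo "APP_URL ok: $actual"
    return 0
}

# Rewrite APP_URL in place (keeping a .bak copy) and print the follow-up commands.
fix_app_url() {
    env_file="$1"
    new_url="$(printf '%s' "$2" | sed 's:/*$::')"
    old_url="$(read_app_url "$env_file")"
    if grep -qE '^[[:space:]]*APP_URL=' "$env_file"; then
        sed -i.bak "s#^[[:space:]]*APP_URL=.*#APP_URL=${new_url}#" "$env_file"
    else
        printf 'APP_URL=%s\n' "$new_url" >> "$env_file"
    fi
    # Links already stored in page content still point at the old URL; BookStack's
    # own artisan command rewrites them, then the cached config is cleared.
    # /var/www/bookstack is an assumed install path.
    echo "cd /var/www/bookstack && php artisan bookstack:update-url '$old_url' '$new_url' && php artisan cache:clear"
}
```

Run it as `check_app_url /var/www/bookstack/.env https://docs.example.net` and, if it reports a mismatch, `fix_app_url` with the same arguments; the printed artisan command still has to be run by hand as the web server user.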

Bookstack is a nice, lightweight application and works very well. Combined with the easy Proxmox backups, I have found it to be an excellent system for keeping my documentation together. Try it out!

Wednesday, 24 September 2025

Experiences with Jellyfin

I've been running Jellyfin for a while now - I tried Plex but it didn't gel for me. Jellyfin was pretty straightforward and just seemed to work really easily. So here's their website: https://jellyfin.org/

There are a few different ways to run Jellyfin - install it on a system running on bare metal, or a virtual machine, or even in a container (either a Proxmox LXC or a docker container). I messed around with it a bit, and decided to take a straightforward route - install it onto a virtual Ubuntu Server running on one of my Proxmox servers. 

The set up was pretty straightforward - there's some good details here: https://jellyfin.org/downloads/server and it was easy to set up the repositories and get the thing going. The initial configuration is fairly simple, and for me it required a few components:

  • a server to run Jellyfin
  • a link of some type to where all my media (TV and Movies) live

I have a NAS with plenty of disk space, so I set up an NFS link and hooked the two servers up together. This was pretty easy, and for this install I gave Jellyfin read/write access to the different directories - so if Jellyfin was downloading images or metadata I had a chance to keep it all neat and tidy together. The security is simple, but reasonably OK - it won't keep anyone determined out, but it's not critical data.

So after the initial install and set up of Jellyfin - there are some great guides out there, so it's worth finding one and getting into it - I added the TV and Movie folders to Jellyfin and kicked off the initial scan. There's a fair bit in those folders - I've spent a small fortune on DVDs and digital media over the last few years, so this took a while to complete. Then there was the work to go through and make sure that the Movies were properly identified. Gran Torino never seems to be detected properly - but it's reasonably straightforward to fix it up. The data flows between servers got fairly intense for a while but eventually settled down.

There are some tuning options in Jellyfin - go to the three lines in the top left, and then Dashboard:

Plenty of things to touch and play with in there :-) It's worth reading through some of the documentation to make sure you pick the best options. I typically will enable a few extra plugins:


These are to get the box sets of TV series right, and the images / identifiers correct for files. Choose your own adventure. 

I had been watching Jellyfin via iPad or via a web browser, and it wasn't until I was poking around a bit that I found an app for the Apple TV - Swiftfin! This was a game changer in our house - we had used a media PC for all our TV and movie watching and now we could just use the Apple TV which is great! 

With a relatively slow internet connection (25/5Mbps) I had been downloading only low res stuff - otherwise it took forever to get and wasn't great for fast movie viewing. This was fine - I was running Jellyfin on a server with Xeon 4114 Silver processors - which are great for compute and server stuff and absolutely crap for video decoding. As the Australian NBN network was upgraded and I managed to get a fiber upgrade to 100/20 speeds and then, almost unbelievably a free upgrade to 500/50 meant all of a sudden those high res, much nicer looking downloads were in my reach! So excitement!

But with great speeds (and resolutions) come great encoding and decoding requirements. Dual Xeon processors don't cut it (especially when they are server CPUs) so I have a little problem - the load on the CPUs is huge and it takes a long time to sort out the video to deliver it. To fix this, I lashed out and picked up an Nvidia Tesla P4 server GPU - and wow what an impact this has made. The load on the CPUs has dropped to a negligible level and the responsiveness of the video playback is excellent - virtually real time which is fantastic!

Settings look like this (so I have a record if Jellyfin dies):



It's really worth the $130AUD that I spent on it - gotta love second hand gear off eBay! Really worth it. 

I've had very little trouble with Jellyfin - it's been a solid bit of software to work with. If you combine with the *ARR servers, then it becomes a thing of great beauty - but more on that later!

Wednesday, 3 September 2025

Review: Lenovo Legion 5i Gaming Laptop

I picked up a Legion 5i at Officeworks on special before the end of the financial year here in Australia, and now that I've messed around with it for three months, I wanted to write something nice. Yes, nice - it's been a really lovely laptop to use. First of all it looks like this:

And my model has the following specs:

  • 13th Gen Intel Core i7-13650HX (2.60GHz) - 14 cores!
  • 16GB of RAM
  • 500GB SSD
  • NVidia GeForce RTX 4050 GPU

It cost me about $1300 AUD - it was marked down from $1800 and then had a further 5% reduction because it had been returned - the purchaser, quote, "didn't like the operating system", because there are a lot of preinstalled options to Windows 11 these days. At any rate, I picked it up for a song - potentially because it's a previous model - but who cares? It's got a 16" screen that supports 2560x1600 and it's really lovely to behold. The backlit keyboard with its cascading light show is a nice touch too.

From a use case perspective, I've been using this laptop for gaming, regular work stuff, a bit of Ollama AI work and movies. I've played Baldur's Gate 3 and Fortnite on it most extensively and mostly used the Mistral model when using local AI. The games have been snappy and great, with lots of effects on and no real slowness which has been nice, and the AI has worked fairly quickly. The limitations of what you can do on an RTX4050 with 6GB of RAM are well known. It's nice to have a machine that can actually drive the thing though and I've had some real fun. It's important to note that like most Lenovo laptops, the keyboard is great to use for extended typing - and with extra little bumps on important keys (not just your home keys, but also the home keys for gaming) it's been pleasant to use - far more so than the Dell I use for work, which has an overly soft key press and much poorer tactile response. 

The newer versions have i9 processors and a better GPU but appear to have much the same form and appearance. I'm very happy with it - the Windows 11 install doesn't have too much bloat, so that's a good thing, and the Lenovo update system works pretty well as usual. Altogether I can recommend this laptop - if you want a nice mid-range gaming machine, or a big solid work laptop that can give you pretty much a desktop replacement with its big monitor. Although I purchased it as a tax deduction and I've used it for a *lot* of work related activities (particularly stuffing around with locally hosted AI), I've been pleased with its gaming capabilities too - perfect for the lad and I to get into a bit of FPS action.

Thursday, 10 July 2025

Further adventures with Immich - external access

Astute readers and users of this software will note that when self-hosting, access is naturally limited to whatever you've got on your personal home network. While this is great, I'd like to still back my photos up to Immich when I'm out and about.

I use Cloudflare tunnels for access to other handy bits of software like TheHive (for digital forensics) and BookShelf (for documents etc). So setting up a Cloudflare tunnel for Immich seems like an easy thing to do. Except, of course, when it comes to authentication. You do not want to implement a tunnel without authentication, and I really prefer to use Zero Trust wherever possible. I am a child of the X-Files after all, so trusting no-one is par for the course.

I found an excellent guide to help by Thomas Wilde on YouTube here: https://www.youtube.com/watch?v=J4vVYFVWu5Q and this really got the party started. Configuring the service token and getting it into the Immich app is quite straightforward and Thomas explains it well.

I then changed the app to sync as soon as the phone is plugged into power and voila! It all works brilliantly. 
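Once the tunnel and service token are in place, the thing worth verifying is that the Immich hostname really does refuse requests without the token. The following POSIX shell check is an added example of mine (not from this post, Immich or Cloudflare); it assumes IMMICH_URL holds the public hostname and CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET hold the service token, and that Cloudflare Access answers an unauthenticated, non-browser request with a redirect (3xx) or a 401/403.

```shell
#!/bin/sh
# Added example: probe an Immich instance published through a Cloudflare tunnel
# and confirm that only requests carrying the Access service token get through.
# Assumed environment: IMMICH_URL, CF_ACCESS_CLIENT_ID, CF_ACCESS_CLIENT_SECRET.

# Fetch only the HTTP status code for one request; extra args are passed to curl.
status_for() {
    url="$1"; shift
    curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$@" "$url"
}

# Pure decision function, so the logic can be exercised without a network:
# prints "ok" when the anonymous request is blocked and the token request succeeds.
access_verdict() {
    anon="$1"; auth="$2"
    case "$anon" in
        2*) echo "FAIL: anonymous request got $anon, Access policy is not enforced"; return 1 ;;
        3*|401|403) ;;   # redirected to the Access login page or refused: good
        *)  echo "FAIL: unexpected anonymous status $anon (000 = no connection)"; return 1 ;;
    esac
    case "$auth" in
        2*) echo "ok: anonymous=$anon token=$auth"; return 0 ;;
        *)  echo "FAIL: service token request got $auth, check the token and policy"; return 1 ;;
    esac
}

# Run both probes against the real endpoint. The service token travels in the
# two CF-Access-Client-* headers, exactly as the Immich app sends them.
check_access() {
    base="${IMMICH_URL%/}"
    anon="$(status_for "$base/")"
    auth="$(status_for "$base/" \
        -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
        -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET")"
    access_verdict "$anon" "$auth"
}

# Usage (run by hand, after exporting the three variables above):
#   check_access
```

A "FAIL" on the anonymous probe means the hostname is reachable without Access in front of it, which is the situation the post warns against.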

OK, so we've solved the external access trickiness, and that's great. Keeping up with the updates is a bit of a challenge - Immich is being *very* actively developed, so there are frequent updates. I usually try to update the docker image about once a fortnight and that seems to be a manageable cadence.

It's worked so well that I have now moved my wife and daughter's images across. My child takes many many photos so I'm working with her to understand that the crap ones really need to be deleted - I don't want gigabytes of crap everywhere.

And of course, I snapshot the server before upgrading via Proxmox and backup using my Proxmox backup server. A restore of my Immich server was quite successful after a poorly executed attempt to change some settings for another project - oops! Thankfully, it was quick and relatively straightforward to get back to where I was, with only 18 hours and no data lost.

I still recommend this excellent app - you will need to learn some docker and some general systems admin skills. I would not recommend opening it up to the world - and why would you when you can make use of Cloudflare tunnels, or failing that - Twingate which I discovered and have been playing a bit with - more on that later. Enjoy your computing!

Thursday, 7 November 2024

Adventures with Immich

With the implementation of my Proxmox server it's now time to play with some new applications - and we'll start with Immich, a replacement for Google Photos. What is Immich according to their website:

You can find the delightfully comprehensive website at https://immich.app/

Now a quick note of care - Immich's website states that you should not use this as the only way to store your photos and videos - it's under *active* development and does occasionally break stuff. So with that in mind, let's get into it and have a play.

To implement Immich in my environment I definitely had some options to explore. I could install it using Docker, the All-In-One Community installation, TrueNAS (oh I don't have that yet) or Unraid (dang I don't have that either). I decided to go with the Portainer installation - that would give me a nice interface via the Portainer container management, and some stats and stuff later on. Installing Portainer means that I can't use a Proxmox container - it's not recommended, and I was keen to not screw this up. So here's the quick and nasty installation activity:

Before I set up Immich I noticed that my install of Ubuntu Server hadn't used the entirety of the 500GB disk. So I found this handy command to fix it:

lvextend -l +100%FREE -r /dev/mapper/ubuntu--vg-ubuntu--lv

Right, now we'll get onto the installation of Immich and get into it here: https://immich.app/docs/install/portainer 

The long and short is, set up a Stack so that all the Immich bits and pieces sit under it and then off we go. The guide is quite good, so follow it, and there are plenty of resources. The stack ends up looking like this:

From the Portainer home page it looks like this:

Happily it's all running. Now here's the thing - this is the third time I've tried to get Immich to work and previously it was busted and wouldn't work properly - no access to the website and it appeared that the immich-server component wouldn't launch properly. I think that there was an issue with the database server not running properly with a previous version of the docker image. This time around, it all worked as advertised and it's running better. 

So now we're onto the use of the system, and here's where I got really impressed. On the initial upload of photos it started to pick out faces and locations and organise things neatly according to the age of the photo. It was here that I discovered some of the photos had a wildly inaccurate timeframe assigned to them. Bugger - this means I've gotta manually fix things up, but it was pulling the images in, working through the metadata and putting it together into a nice timeline.

Here's the impressive part: the photos of my kids that I uploaded start with my child almost at birth and run all the way through to 13 - and the machine intelligence detected her face correctly the whole way through to now! From a cute little squishy baby face to the perpetually annoyed teenage face, Immich got it right nearly every time on the full frontal face images. Really impressive stuff.

Here's a little snip of what my system looks like (hiding most of the evidence):

The menu is nice, easy to manage and gives you all the stats. I'm still building this system out, but here's a few things I've found:

  • uploading photos to the system was easy - via the file upload, and you can do bulk but not folders
  • uploading photos is VERY CPU intensive - I had the 4 vCPUs maxed out during the upload and for a while afterwards as the system processed - it was cracking along and the server's fans were making a real racket
  • it's much better to do the upload via ethernet than Wi-Fi - it's quicker (on my network anyway)

Once I finished the upload from our computers and other servers in the house, I installed the app on my phone (the Pixel 7 Pro) and started the upload. There was a difference in the experience - the upload from the computer detected and skipped duplicates while the phone upload did not, and I had to do this manually (over 600, dang it). Happily now, I've got a backup of my phone (although it's definitely still not recommended to only have the two copies - remember, 3 is 2 and 2 is 1 and 1 is none from a backup perspective).

After a couple of days playing with Immich, and running an upgrade via Portainer, I'm delighted with it. What a great piece of open source software. Get around it if you're looking for a nice image management system.
