At best. And it’s probably gonna be a <= $2 Google Play Store gift card.

I’ve been looking into crowdsec for ages now and still haven’t gotten around to even a test deployment. One of these days, lol, and I’ll get around to it.

Oooooh. That’s smart. I mostly host apps, but in theory, I should be able to dynamically modify the response body and tack on some HTML for a hidden button and do that.

I used to disallow everything in robots.txt but the worst crawlers just ignored it. Now my robots.txt says all are welcome and every bot gets shunted to the tarpit 😈

I’ve got bot detection setup in Nginx on my VPS which used to return 444 (Nginx for "close the connection and waste no more resources processing it), but I recently started piping that traffic to Nepenthes to return gibberish data for them to train on.

I documented a rough guide in the comment here. Of relevance to you are the two .conf files at the bottom. In the deny-disallowed.conf, change the line for return 301 ... to return 444

I also utilize firewall and fail2ban in the VPS to block bad actors, overly-aggressive scrapers, password brute forces, etc and the link between the VPS and my homelab equipment never sees that traffic.

In the case of a DDoS, I’ve done the following:

• Enable aggressive rate limits in Nginx (it may be slow for everyone but it’s still up)
• Just stop either Wireguard or Nginx on the VPS until the storm blows over. (Crude but useful to avoid any bandwidth overages if you’re charged for inbound traffic).

Granted, I’m not running anything mission-critical, just some services for friends and family, so I can deal with a little downtime.

I used to use HAProxy but switched to Nginx so I could add the modsecurity module and run WAF services. I still use HAProxy for some things, though.

I have never used it, so take this with a grain of salt, but last I read, with the free tier, you could not secure traffic between yourself and Cloudflare with your own certs which implies they can decrypt and read that traffic. What, if anything, they do with that capability I do not know. I just do not trust my hosted assets to be secured with certs/keys I do not control.

There are other things CF can do (bot detection, DDoS protection, etc), but if you just want to avoid exposing your home IP, a cheap VPS running Nginx can work the same way as a CF tunnel. Setup Wireguard on the VPS and have your backend servers in Nginx connect to your home assets via that. If the VPS is the “server” side of the WG tunnel, you don’t have to open any local ports in your router at all. I’ve been doing that, originally with OpenVPN, since before CF tunnels were ever offered as a service.

Edit: You don’t even need WG, really. If you setup a persistent SSH tunnel and forward / bind a port to your VPS, you can tunnel the traffic over that.

So, I set this up recently and agree with all of your points about the actual integration being glossed over.

I already had bot detection setup in my Nginx config, so adding Nepenthes was just changing the behavior of that. Previously, I had just returned either 404 or 444 to those requests but now it redirects them to Nepenthes.

Rather than trying to do rewrites and pretend the Nepenthes content is under my app’s URL namespace, I just do a redirect which the bot crawlers tend to follow just fine.

There’s several parts to this to keep my config sane. Each of those are in include files.

• An include file that looks at the user agent, compares it to a list of bot UA regexes, and sets a variable to either 0 or 1. By itself, that include file doesn’t do anything more than set that variable. This allows me to have it as a global config without having it apply to every virtual host.

• An include file that performs the action if a variable is set to true. This has to be included in the server portion of each virtual host where I want the bot traffic to go to Nepenthes. If this isn’t included in a virtual host’s server block, then bot traffic is allowed.

• A virtual host where the Nepenthes content is presented. I run a subdomain (content.mydomain.xyz). You could also do this as a path off of your protected domain, but this works for me and keeps my already complex config from getting any worse. Plus, it was easier to integrate into my existing bot config. Had I not already had that, I would have run it off of a path (and may go back and do that when I have time to mess with it again).

The map-bot-user-agents.conf is included in the http section of Nginx and applies to all virtual hosts. You can either include this in the main nginx.conf or at the top (above the server section) in your individual virtual host config file(s).

The deny-disallowed.conf is included individually in each virtual hosts’s server section. Even though the bot detection is global, if the virtual host’s server section does not include the action file, then nothing is done.

Files

# Map bot user agents
## Sets the $ua_disallowed variable to 0 or 1 depending on the user agent. Non-bot UAs are 0, bots are 1

map $http_user_agent $ua_disallowed {
    default 		0;
    "~PerplexityBot"	1;
    "~PetalBot"		1;
    "~applebot"		1;
    "~compatible; zot"	1;
    "~Meta"		1;
    "~SurdotlyBot"	1;
    "~zgrab"		1;
    "~OAI-SearchBot"	1;
    "~Protopage"	1;
    "~Google-Test"	1;
    "~BacklinksExtendedBot" 1;
    "~microsoft-for-startups" 1;
    "~CCBot"		1;
    "~ClaudeBot"	1;
    "~VelenPublicWebCrawler"	1;
    "~WellKnownBot"	1;
    #"~python-requests"	1;
    "~bitdiscovery"	1;
    "~bingbot"		1;
    "~SemrushBot" 	1;
    "~Bytespider" 	1;
    "~AhrefsBot" 	1;
    "~AwarioBot"	1;
#    "~Poduptime" 	1;
    "~GPTBot" 		1;
    "~DotBot"	 	1;
    "~ImagesiftBot"	1;
    "~Amazonbot"	1;
    "~GuzzleHttp" 	1;
    "~DataForSeoBot" 	1;
    "~StractBot"	1;
    "~Googlebot"	1;
    "~Barkrowler"	1;
    "~SeznamBot"	1;
    "~FriendlyCrawler"	1;
    "~facebookexternalhit" 1;
    "~*(?i)(80legs|360Spider|Aboundex|Abonti|Acunetix|^AIBOT|^Alexibot|Alligator|AllSubmitter|Apexoo|^asterias|^attach|^BackDoorBot|^BackStreet|^BackWeb|Badass|Bandit|Baid|Baiduspider|^BatchFTP|^Bigfoot|^Black.Hole|^BlackWidow|BlackWidow|^BlowFish|Blow|^BotALot|Buddy|^BuiltBotTough|
^Bullseye|^BunnySlippers|BBBike|^Cegbfeieh|^CheeseBot|^CherryPicker|^ChinaClaw|^Cogentbot|CPython|Collector|cognitiveseo|Copier|^CopyRightCheck|^cosmos|^Crescent|CSHttp|^Custo|^Demon|^Devil|^DISCo|^DIIbot|discobot|^DittoSpyder|Download.Demon|Download.Devil|Download.Wonder|^dragonfl
y|^Drip|^eCatch|^EasyDL|^ebingbong|^EirGrabber|^EmailCollector|^EmailSiphon|^EmailWolf|^EroCrawler|^Exabot|^Express|Extractor|^EyeNetIE|FHscan|^FHscan|^flunky|^Foobot|^FrontPage|GalaxyBot|^gotit|Grabber|^GrabNet|^Grafula|^Harvest|^HEADMasterSEO|^hloader|^HMView|^HTTrack|httrack|HTT
rack|htmlparser|^humanlinks|^IlseBot|Image.Stripper|Image.Sucker|imagefetch|^InfoNaviRobot|^InfoTekies|^Intelliseek|^InterGET|^Iria|^Jakarta|^JennyBot|^JetCar|JikeSpider|^JOC|^JustView|^Jyxobot|^Kenjin.Spider|^Keyword.Density|libwww|^larbin|LeechFTP|LeechGet|^LexiBot|^lftp|^libWeb|
^likse|^LinkextractorPro|^LinkScan|^LNSpiderguy|^LinkWalker|msnbot|MSIECrawler|MJ12bot|MegaIndex|^Magnet|^Mag-Net|^MarkWatch|Mass.Downloader|masscan|^Mata.Hari|^Memo|^MIIxpc|^NAMEPROTECT|^Navroad|^NearSite|^NetAnts|^Netcraft|^NetMechanic|^NetSpider|^NetZIP|^NextGenSearchBot|^NICErs
PRO|^niki-bot|^NimbleCrawler|^Nimbostratus-Bot|^Ninja|^Nmap|nmap|^NPbot|Offline.Explorer|Offline.Navigator|OpenLinkProfiler|^Octopus|^Openfind|^OutfoxBot|Pixray|probethenet|proximic|^PageGrabber|^pavuk|^pcBrowser|^Pockey|^ProPowerBot|^ProWebWalker|^psbot|^Pump|python-requests\/|^Qu
eryN.Metasearch|^RealDownload|Reaper|^Reaper|^Ripper|Ripper|Recorder|^ReGet|^RepoMonkey|^RMA|scanbot|SEOkicks-Robot|seoscanners|^Stripper|^Sucker|Siphon|Siteimprove|^SiteSnagger|SiteSucker|^SlySearch|^SmartDownload|^Snake|^Snapbot|^Snoopy|Sosospider|^sogou|spbot|^SpaceBison|^spanne
r|^SpankBot|Spinn4r|^Sqworm|Sqworm|Stripper|Sucker|^SuperBot|SuperHTTP|^SuperHTTP|^Surfbot|^suzuran|^Szukacz|^tAkeOut|^Teleport|^Telesoft|^TurnitinBot|^The.Intraformant|^TheNomad|^TightTwatBot|^Titan|^True_Robot|^turingos|^TurnitinBot|^URLy.Warning|^Vacuum|^VCI|VidibleScraper|^Void
EYE|^WebAuto|^WebBandit|^WebCopier|^WebEnhancer|^WebFetch|^Web.Image.Collector|^WebLeacher|^WebmasterWorldForumBot|WebPix|^WebReaper|^WebSauger|Website.eXtractor|^Webster|WebShag|^WebStripper|WebSucker|^WebWhacker|^WebZIP|Whack|Whacker|^Widow|Widow|WinHTTrack|^WISENutbot|WWWOFFLE|^
WWWOFFLE|^WWW-Collector-E|^Xaldon|^Xenu|^Zade|^Zeus|ZmEu|^Zyborg|SemrushBot|^WebFuck|^MJ12bot|^majestic12|^WallpapersHD)" 1;

}

# Deny disallowed user agents
if ($ua_disallowed) { 
    # This redirects them to the Nepenthes domain. So far, pretty much all the bot crawlers have been happy to accept the redirect and crawl the tarpit continuously 
	return 301 https://content.mydomain.xyz/;
}

Weird. Other than how it used to choke when there were conflicts (and all uploads stopped until that was fixed) I haven’t had any issues like that. Guess I’m just lucky.

I’ve had pretty good experience with Nextcloud’s instant upload. The only time I’ve had it shit the bed was ages ago when it would occasionally get stuck on a conflict, but that hasn’t happened in a long time. Pretty much all of my image folders (camera/DCIM, Screenshots, Downloads) get synced. The only annoying thing was when apps would suddenly change where they download to and I’d have to reconfigure yet another sync folder, but I can’t really fault NC for that.

Mine is set to upload and keep a local copy and only do a one way sync (phone to NC). Not sure if that causes less issues than a 2 way sync or deleting the local copy after upload?

I tried a true dumb phone but was breaking out my laptop too much for everyday tasks (dumb phones these days can do hotspot).

The flip phone I have runs Android 11, so I have the bare minimum necessary chat apps, email, GPS maps, and such. The main draw is that those work well enough, but anything more than that is possible but very frustrating. That’s kind of what the Minimal is about: e.g. yeah, you can watch YouTube videos on it, but you won’t want to.

Then, when the detox period is up and you’re fully off the addiction, you can get the standard phone back.

That’s kinda what I did. I used my flip like a true dumb phone for 30 days as a challenge and then un-dumbed it a little bit back to where only my basic needs were met and nothing more. I assumed I’d have rushed back to my old smartphone, but after breaking a bunch of habits, I found I didn’t really want to. Plus, I really missed T9 texting as weird as that sounds lol.

Yeah the marketing for it was lost on me. I already digitally detoxed last year when I switched to the flip phone I’m currently using, so I ignored the sales pitch and just looked at it from the cool hardware perspective and mostly reasonable price.

Credit where it’s due, though: I tried unsuccessfully to just uninstall the time sink apps from my regular smartphone and always ended up just reinstalling them. It took using a device that couldn’t feasibly run those (plus a weaning-off period) for me to fully let go. Seems like that is what the marketing is trying to target.

I honestly don’t think they’d tell me, but I’d also be interested to know. Fingers crossed they have some stock on hand for the occasional replacement.

It does have a physical keyboard, too. Sadly can’t give it much of a review given the circumstances, but it does have a good feel and seems like it would be pleasant to type on.

Yeah, I have a ticket in with support but haven’t heard back yet. I did ask specifically about the turnaround time for a replacement. Hopefully that’s a reasonable amount of time. I definitely don’t want $400+ tied up until the next batch ships in September.

Mostly the e-ink display and the QWERTY keyboard.

By its nature, it’s not great for doom scrolling, TikTok, or videos (the major time sinks with most phones). Those aren’t my use-cases anyway; I’m more of a reader than a watcher so I figured this would be like a supercharged version of my Kobo (which I love) that has a physical keyboard (which I have missed terribly in smartphones).

Edit: Plus, its 4:3 e-ink display and keyboard just scream “install Termux on me!” Also planned to use it as a nice portable SSH terminal like I used to have back when smartphones had slide-out keyboards.

I’m rocking an aging Cat S22 Flip right now and have been trying to figure out what to replace it with. The Minimal Phone seemed like exactly what I wanted. Sad that it arrived DOA and am probably not going to bother replacing it; waiting weeks for something that arrives DOA is a hard thing to recover from.

Well, I don’t even know what to say to that. Except that in Puerto Rico, a McFlurry it’s called a Señor Flurry.

Yeah, I found that out when I was using my old phone with T-Mobile. It was listed as supported, and it mostly worked, but there was at least one LTE band it didn’t support.

T-Mobile uses multiple bands in the same area: one higher frequency, higher bandwidth, lower range one for fast data and a lower frequency, lower bandwidth higher range one to fill in the gaps. My phone didn’t support the lower frequency one so I would lose coverage if I was too far away from a window in my house (despite living close to 3 towers).

Not to mention, they can and do reallocate spectrum periodically so while you may be fine for a while, if they reallocate and the device doesn’t support the new bands, you may suddenly lose service.

TL;DR: If it’s listed as Verizon-incompatible, treat it as such.

It should work, technically, but there’s no guarantee. While Verizon shut down their CDMA network in 2023 and everything uses 4G/VoLTE now, it may have other limitations that prevent it from working as expected.

You’d need to make sure the LTE bands it supports are used by Verizon in your area. If it doesn’t support the bulk of Verizon’s bands, you may find yourself (artificially) without coverage.

Verizon may also refuse to allow it if it’s not on their compatibility list (though you can possibly SIM-swap into it from an already activated device). It’s been a while since I dealt with them, but from memory, they’re pretty strict about what devices they allow on the network.

I rarely go to Walmart. This is from the local Kroger (grocery store).

Good. May other retailers and grocery chains follow.

I hate those things - they treat you like a thief by default. I rarely use them and prefer to wait in line for the 1-2 cashiers, but I did the other day because I only had a few bottles of water to check out, and it was unsurprisingly horrible.

Scanned and bagged all my stuff. More slowly than I’d have liked, but otherwise uneventfully. I unpocket my wallet to get my shopper’s card and debit card out. “Oh no, you didn’t!” the machine said as it called for backup. Cue waiting 3-4 minutes for the attendant to get to me.

The machine asked the attendant if I was stealing and showed a replay of what it assumed must be me trying some Ocean’s 11 level of grand larceny. In the video? It was me getting my wallet out to pay.

Absolutely no time was saved. Nothing was more convenient, and to top it off, I was once again accused of stealing by a bathroom scale with delusions of grandeur.