Welcome to The Homelab Show, episode 112: open source homelab security. Our goal today is to talk about tools that you can use, methods you can use, things that are open source that you can download and do different things with. We're not going to be talking about any specific paid or commercial tools here, so I want to scope that out right at the beginning so people know that, yes, I talk about commercial tools occasionally on this channel, but this is very specifically to help people out in the homelab. We're going to cover some topics about how to lock things down in general, and then a couple of specific tools that are fun to play with, which are going to include Security Onion and Lynis (not the tech tips person or the creator of the Linux kernel). You'll find all of these in the show notes, and I'll give Wazuh a mention as well because I think it's a pretty neat tool. All of these are things you can download.

Before we get into that, we're going to thank a sponsor of the show, and that is Linode. Oh, I'm sorry, Akamai. I did that kind of on purpose in case you didn't know who Akamai was. Linode has merged into Akamai, that's the better way to phrase it. It is still a great system for hosting a lot of the things we talk about here. Maybe you want to put things in the cloud because that's a convenient place to put them rather than trying to run them on your connection, especially if you're stuck behind things like CGNAT. They have a great store where you can go and deploy these things and get set up fast, or follow all the tutorials that Jay does over on Learn Linux TV and get things deployed yourself. It's a great place to host things. We thank them for being a sponsor of the show, and this is also where we host The Homelab Show itself for any of the downloads. We have an offer code down below for The Homelab Show to get you started with Linode, and thank you.

Yep, we appreciate it. All right. Well, Akamai.
See, I said Akamai at the end. I'm getting closer. It's habitual at this point. Yeah, we engage with them, and we see them still wearing the Linode swag sometimes because they have it, so it's fun when you talk to them: hey, get your Linode hat on. They know. It all takes time.

Let's talk about some security things. One of us... let's just not open all the ports, right? Cover the simple stuff. Yeah, there was another high vulnerability in QNAP, and I've talked about this as people say, hey, is it secure to open Nextcloud to the world? QNAP, Synology, each one of those, there are always going to be risks. The problem we have is: how tested are these products? We don't necessarily know, and sometimes new zero days can be found. So you just have to have a plan to mitigate the risk if you plan to open it, but always think very consciously before you open it. How badly do you need something not to be behind some type of VPN? I've talked about Cloudflare Tunnels before, which technically are a reverse proxy relying on Cloudflare. They have a free version, so I guess it kind of falls within the category of something for your open source lab, but really think heavily about what you need exposed. I know it is greatly convenient to expose Nextcloud to share files. VPNs aren't that inconvenient, especially split tunnel, when you have specific IPs that go through it rather than everything, which I think is a mistake a lot of people might make.

Yeah, and so we start with the principle of least privilege. What are you offering privileges to, you know?
And that is where the attack surface begins, and where you can stop a lot of it, where you could just go, okay, maybe I shouldn't expose all these things. But we're going to go forward and assume you are still doing some things. It's still part of hosting, and you may be exposing them, so we'll get into some of those tools down the line. But right, Jay, what do you think about firewalling things inside your network, behind your firewall?

Well, I have a lot to say about that, but before I do I want to mention a quick aside to piggyback on what you mentioned. Don't assume that your Linux distro from a fresh install has nothing listening. You'd be surprised. Install your distribution with factory default settings and you might find some things listening. So I don't want anyone to be of the mindset that, well, I haven't opened anything at all, so I'm okay. Even if you haven't, there still might be something listening. There are commands you can run, netstat or the ss command for example, to find out what's open. I think everyone should just audit every now and then, especially on an initial install, but then continually have a look every now and then, see what's listening, and close anything that doesn't have a purpose for being open.

More to this point: firewalls. I think we get a lot of questions about firewalls, and right now I'm not really talking about hardware firewalls, although this probably does apply to that as well. Where should you firewall? What should you firewall? I think that's something that comes up. Now, that might sound like a no-brainer: I have pfSense, I'm good. That might be true if you have only local things and you don't have a split cloud, I meant to say hybrid cloud. If you do, then you have some things out in the cloud. You might have a cloud provider that has a firewall service. I think they all do; at least all the ones I looked at recently have one. Akamai,
I'm pretty sure DigitalOcean, a number of others, and AWS if you're into that, have a firewall built in as well. Then you have UFW, which you can install yourself to manage your firewalls, and you could also just use iptables, for example. So there are different ways to go about this, and then the question might be: should I have one firewall, two firewalls? That's something I wanted to talk a bit about here.

So one thing that I like to... and these are all my opinion. I mean, there are different mindsets with this, and I don't think anything is wrong if you have good security hygiene. Having good security hygiene means it doesn't matter how you accomplish that. But my mentality is, if you're using a cloud provider, I think it makes sense to use the firewall service that the cloud provider provides. It's right there in the GUI. You could use automation tools to hook into it so you can automate the setting up of that firewall as well. There's nothing wrong with using UFW instead of that, or iptables. I think the first consideration is you need a firewall. You need at least one. If you have two, there might be some value in there, although it might be harder to maintain, especially if they're stomping on each other.

But one mindset is that firewalls are not just there to open or close ports. You can open and close a port by stopping a service that is listening on a port; then it's closed, there's nothing listening on that port. But what I like to teach people is to view a firewall as a traffic cop (and there was an IPCop firewall; we were kind of talking about old firewalls recently). That is like this person that just says, no, you're not going to pass through here, you've got to go that way. For example, and to put this all into context, let's say you have a Plex server and you have a web server. Do they need to talk?
Well, if there's no link between the two, or no reason for them to talk to each other, then it might make sense to create a firewall rule where they can get out to the internet, and maybe your workstation can access each of them, but they can't access each other. The reason why you might want to do that is, if someone breaks into your Plex server, then they don't have an easy entryway into your web server: lateral movement. If they get into one system within your realm, then they might be able to just go around and get to others. But if you have a firewall, for example UFW or iptables, that's blocking one server from another, that might make more sense. And yeah, it's a lot more work, but it's a lot more secure at the same time.

You're going to have some servers that do need to talk to each other. Maybe you have a WordPress instance and then you have a database server that's separate from the WordPress instance. The WordPress instance needs to access this database, and you certainly don't want a database server to be open to the internet for any reason. I have yet to hear a good reason; if someone knows of one, let me know. But usually the best way to do it is your database server can only talk to the servers that it is the backend database for, and nothing else. So they obviously need to talk, but if there's no functional reason for two servers to talk to each other, it might make sense just to make sure that they can't, and also that you as the admin can get in. You want to make this as hard as you possibly can for a threat actor. If someone does venture into your network, you don't want to give them a free pass to everything, which I feel like is one of the main things that a firewall does for you.

Yes, and a perfect example of this is, I really like Uptime Kuma. It's a really great tool, nice pretty monitoring page, but how does it monitor my critical infrastructure?
Do I just say, hey Uptime Kuma, you are allowed to talk to critical infrastructure on the other side of the network? Because this is not critical, therefore it's in a different segment of my network. The solution I have is a very specific rule that says the IP address of Uptime Kuma is allowed to use ICMP over to my critical network. That's it for any protocol passing back and forth. So in order for someone to take over Uptime Kuma and then use it as a pivot point (this is just a theoretical example), they would have to figure out a way to make that data transport over ICMP. So they'd have to take over that device, then find a way to get ICMP to do something nefarious over on the other server. So you've upped the game, because if you have an allow-everything rule, now you would just allow whatever happens to my Uptime Kuma in case it was a pivot point.

But you think about this for each device and say, do I need these rules talking to others? For example, my web server, the internal stuff I do, for example Xen Orchestra. It's going to talk to the reverse proxy. What else does it need to talk to? Nothing. I never go to it by IP address, so there's a rule that says allow just the reverse proxy. So if you were to scan the network and look for the devices, let's say you were on that critical infrastructure network, you would find it not responding on any of the web listening ports, because unless you're the reverse proxy, it doesn't talk to you. These are just some of the principles you can really think about, because I always ask the question... People really get worried about IoT. It's not the biggest attack vector. There's definitely a lot of crappy stuff on there; definitely put it on another network. But when you think about it, the bigger attack vector is your computer, and for example, if I'm not going to Xen Orchestra by IP address, it shouldn't respond.
So the most likely scenario is someone getting on my computer. What does my computer respond to? What if I firewalled it off and choked it all the way down to some type of thing like a jump box? So maybe I have SSH open, but I don't want SSH from my computer that way, because that would be the first thing someone would try. So now I only have to figure out how to make sure authentication between my computer and a jump box is solid, not between my computer and other places. You just kind of think about all the principles for each of the things and you start locking them down, so they can be on the same network but there are restrictive rules that only allow them to talk to the things they need to, and that's it.

I'm not sure if this is true, this is kind of a theory of mine, but someone might ask why the mindset is to just click allow on things you trust. Sometimes I wonder if that has to do with the Windows XP Service Pack 2 days, where the firewall was all of a sudden built into the operating system. Around that same time, I think ZoneAlarm was probably the most popular software firewall, at least that I know of, and the same thing: if something's trying to access the internet or something, you'd click allow, and instead of choosing what it can talk to, it's oh, I trust that app, allow. I trust that app, allow. And I think what ended up happening is you have some people, and I'm not saying anyone in our audience is like this or anything, and it's also about education, there's nothing wrong with it.
Everyone learns. I just wonder if the mindset became click allow on the things you trust, and then that's what a firewall is: it allows or disallows access to everything or nothing, like it's an all-or-nothing kind of thing. And firewalls aren't an all-or-nothing thing. You can get down to, like you were saying, the ports. You want to allow SSH, but only from this server, not from every server, and you especially probably don't want SSH between two different servers if they have no reason for that. Obviously, if you have a situation where you have to rsync something over SSH, I get it, but if that's not the case or you don't have a functional reason, then I think the mindset should shift to just what and where, and try to nail that down, basically.

Yeah, and I think one of the things you can also consider is egress filtering. This is the extreme side of it, and be prepared, because that is not easy. That's not easy. You're going to find a lot of things break. But I have had some people tell me, well, can't I just set up an apt cache server? For example, maybe they're running Proxmox. This was a discussion I had with a few security people, and it completely makes sense. You build an apt cache; there are some instructions on how to do that you can certainly find. And then you say, no, I'm not letting my virtualization hosts talk to the internet. They themselves don't talk out, but they need updates. Please don't stop updating things, right? So you then point them at the apt cache so they can pull from the apt cache, and provided nothing nefarious gets on the apt cache and pivots... I've seen this done in environments, and that's another way you can do it. But just be careful.
Make sure you have time allotted to do things, because you really need to make sure, especially if you're dealing with virtualization hosts, that time synchronization is handled; that is one of the things you'll see them call out to all the time. So make sure to point it at a local time server, because it is imperative that they keep in sync if you want your hosts to work properly. So you have to really think about egress filtering. It's not like, well, they only need the internet when they need updates. The minimum is actually going to be updates and time, and maybe some DNS, and you have to then look at that product and say, does that product have a problem if I shelter it from the internet? Does it try to do other things because it's expecting to do this? You just have to really look at the connections and start sorting them out. It's not a bad way to do it, because this way you're stopping the potential... Many threat actors are going to have a command and control server when they get in, and you're stopping the potential connections to that command and control server. And before you think, well, don't you have a block list of all the C2 servers? Yeah, the block list is a reactive list. We find them and then the block list gets bigger, but someone found it first. So that's one of the things you really have to think about.

And I see someone in the comments here. I don't know that there are any specific tools for microsegmentation. It's more just policy and planning. Right, yeah, I mean when you build it out, you just think about what it needs to access and build the rules there.
I mean, of course, you could build this all with Ansible, build your firewall rules in Ansible, but you should really just map it out. Like Jay's example is perfect, the database versus WordPress. When you're looking at an enterprise database and running WordPress, because you've now separated the things, make sure that it can only talk to the things it needs. So you build upwards from what it can talk to, rather than letting it talk and going, oh yeah, I guess we probably shouldn't. So it's not really about any tools as much, but if you think about it from the planning stages, it works really well.

Yeah, and someone asked about the firewall in our comments. They asked about the firewall feature in Proxmox. It's great. I think it's a great solution, and I feel like that's on the layer of the cloud provider, even though technically it's not; you're running that locally. It's a built-in solution for the platform, and in my opinion it makes sense to use it. I don't know of very many that you can't automate, so if that's the question, you could still do that. I think the tools are there; you may as well use them, whether it's the cloud provider or the virtualization solution. The developers went through the work of integrating it, so you may as well benefit from that work and use it, I think. But this is one of those things where someone might disagree, and it's totally fine, because everyone has his or her own way of managing these things. So there's no right or wrong way to do it, the wrong way being not to do it. As long as you're not not doing it, then you're fine. So just keep in mind that the platform tools are usually more integrated, but things like UFW and iptables are not as integrated, because they're not going to show in the GUI of the cloud provider. But they might still have value if you want to segment one layer with the cloud or platform firewall and then use something like iptables or UFW to do further restriction within that. That's also valid.
So that could work too. And as far as scanning from the outside in, this question comes up. There are plenty of tools out there if you Google for them; I think one's called CanYouSeeMe, and you can tell it to look at some of your ports. GRC has their ShieldsUP; that's been around for a long time. GRC.com, go to the tools that they have on there. The reality is, just in case there's something that you're providing... I always try to just look at the firewall itself. If you're familiar with the firewall you're using... I'm very familiar with pfSense, and with pfSense, go to the WAN rules. Is there something open? It's going to be in the WAN rules, as simple as that. And if you go, I've got a lot of things open here, start narrowing it down to what you need. Or if you have no WAN rules, essentially, without anything open, you're safe and you're good. pfSense is a solid tool for that because there's no weirdness or hiddenness about things. They don't open things on the back end on your behalf. They are a fully locked down out of the box firewall. You have to implicitly open things on it. As people ask, what should I change from the defaults? And I've heard this said by the pfSense team: if there were better defaults, we'd make them the defaults. So they lock it down, which is ideal. This is the way any firewall should be done. There's been a problem in the past for some companies where they wanted to be a little bit too easy for people, I think, and they left a few things open, which has led to some of the security problems, because people don't often change the defaults. So I think companies should always lead with lock it down and force the user to go through some steps to open it up. So if you didn't open up your firewall, you should be good.

Yep, absolutely. Now we want to mention Lynis. Is it?
Yeah, I think it's a good time to mention that. We were asked in our chat room about a tool you can use to scan what's open. Lynis does much more than that, but I do want to mention you could again use netstat or ss. Oh yeah, to find out what ports are open, you can get a list there. Lynis will do that too, but sometimes I think it's better just to get a small little list at first.

Yeah, we can give a shout out to our sponsor. You can spin up an Akamai cloud instance and scan yourself. You can use some scanning tools like nmap and go into the cloud, look back at your IP from the cloud, and then you're getting visibility yourself and detailing out what you can or cannot see.

Absolutely. Now, Lynis is something I covered on the channel. We've talked about it on the podcast before, and if anyone's joining late or fast-forwarded through the intro, it's Lynis. It's a piece of software you can download; it's a package you can download in your Linux distro. There's a community version; they have a paid version, an enterprise version. I go over all of that in the video, but to summarize it, Lynis will look through your system and let you know about potential concerns, and it will tell you about a lot.
I don't care how good you are, it's going to find stuff. It finds a lot, and that's its job. But just because it finds something doesn't mean you have to action it. It might find something that could be egregious but doesn't really apply to you, or it might be something that could be an industry best practice but doesn't really have much in the way of security benefit. For example, the message of the day: you should probably have that, but I'm not sure how many threat actors look at that and decide not to break in because they saw the message of the day. I think it's more of a legal thing for companies. But there are going to be all kinds of things, and some of it you're going to care about, some of it you won't. But it gives you a report; you can even get an HTML report from your server and have a script that forwards it over to your email or something, and gives you a health check, so to speak, of your security.

Now, I don't want to claim any one solution is the only thing you need, because even though Lynis is great, nothing is 100%. You should have more than one tool, and we've covered some of these tools, but Lynis is a great place to start after you check the open ports, because Lynis will just go deep. I mean, it's not uncommon to find like a hundred things on the list. It's crazy how many things it finds. You go through the list and you choose what's relevant for you. If it's a machine that's locked down from the internet, some of the things that come up might not matter. But then again, it's worth trying. You install it and then you run an audit. You can just install the free one and run the audit locally. There's an enterprise account if you want that kind of thing that ties everything into a dashboard, but we're homelab people; we could probably just make our own dashboard from the HTML it exports, because we're cool like that. But Lynis is a really cool piece of software.
I recommend everyone install it. Every now and then you might want to just run the report and see where you're at. I think it's a great thing to try.

Yep. Now, before we jump into the next couple of things, which are going to be Security Onion and Wazuh, I will mention: if you download files, honestly VirusTotal is probably one of your best places to check the integrity of those files. People ask about different AV software and things like that. I really look at VirusTotal. You can even upload files to it. You can say, let me download this, let me upload it to VirusTotal to get a double check on this. Double check the hash of the file that you download to make sure it's the right one. There are other mitigations now for open source. There is ClamAV; it's still out there, it's still being updated and maintained, so that's still an option if you want to do some local scanning. But honestly, uploading to VirusTotal is going to be your best bet if you're downloading and finding shady files and you're curious whether they contain something.

Next is going to be for Windows. Honestly, I actually got to meet over the last week the people in charge of Windows Defender from Microsoft, and had a great conversation. They have published a new book that I think many of you might be interested in, because it really talks about the ins and outs of pulling data out of some of the Microsoft back end. So if you're into security, it's a good security book. You don't have to like Defender; you'll get a good understanding, though, of Windows and how these events come out. But I still think it's probably one of the better ones to use. I don't trust any of those different free AV solutions any more, like I would have 10 or 15 years ago, not to be some type of, as we've discovered sometimes, spyware itself that's just looking at different ways to sell your data.
So I don't have any recommendations for any free AV, and besides ClamAV, I'm not aware of any open source ones. But at least those are out there as methods, in terms of VirusTotal, as that's a free service, and tools, in terms of ClamAV.

But Security Onion, that's a fun topic there. If you want to get into full-on cyber security threat hunting that you can run in your lab, Security Onion is one of the most complete, big, awesome tools out there to do this. It's not just Wazuh or any particular feature; it's all the features. When you start looking at everything that they packed in there, the way they can build the monitors, it is a really impressive project. We dove into it in episode 42, a while back. I may do a tutorial on how to get it going. There are some complexities with it. By the way, this is like a good weekend project. This is not an I'll-set-it-up-and-have-it-running-in-two-minutes project. There's a lot to learn; there's a lot that goes on on the back end. But you can do things like port mirroring and start feeding all of your data directly to it. So this is kind of designed to be a dedicated hardware system. You can do it virtually; it's just a little bit more challenging. And if you start looking at the specs, if you have a high speed network, it ramps up really quickly, because to ingest the volume of data on your network, it's going to be a pretty hefty lift on that server. Plus you have to decide how much of that data you'd like to keep, because yes, it actually has the option to do full capture of all the traffic. And if you're like, oh, but I download a lot, I say, well, so will your Security Onion. So you'll have to make decisions and concessions on there.

Right. Yeah, so, and you can bridge.
I see the question come up: I assume you cannot bridge the router you set up as a firewall? No, you can actually bridge all the different ports. There's some trickiness to doing it. They have instructions on how to do that, and it's going to vary by what type of switches you have. So if you have multiple VLANs, you may want to bridge each one of those and then do a port mirror so you can dump all the data into Security Onion. It can capture all that data. The challenge, of course, now is what to do with it, processing it, and this is where Security Onion gives you tons of tools to pivot and kind of trace through all the connections that went through your system. This is a manual process, by the way. This is not some automated security tool. It's going to have some baseline signatures in there, and it may find things, but it is going to be up to you to action on it. And by the way, Security Onion isn't necessarily an action-driven tool. It is a monitoring tool to give you this data, like, oh look, I found a connection that matches this particular threat. It tells you that information; now it is up to you to make a determination of what to do with that information and actually action on it. So it's a great tool, but please note: this is not a set-it-and-forget-it tool.

In the same vein, I guess I could mention Suricata and Snort. Those are really popular, but once again, I just did a recent video on Snort, and an older one on Suricata, but the rules haven't changed that much. You still have to monitor it, you still have to manage it, you still have to chase out the errors that come in each time there's a rule update, of whether or not something matches on something that's a false positive, and you have to make that determination: is it actually a real threat or not a real threat?

Now let's get over to Wazuh, because there have been a few of my friends doing videos on this, most recently John Hammond, and he did a great video on Wazuh.
I watched it, and it seems to be prompting more and more people to ask about it. I think it's great that Wazuh is open source and free. I think it's also an incredible learning tool. Now, Wazuh is more about agent-based security. So you're going to build a Wazuh server wherever you want the server to live. It's open source, so you can build this on Ubuntu and have it live within your network somewhere, and then you start loading the agents. The agents are cross-platform: you've got Windows and Linux agents, and then you've got a variety of them for different distributions of Linux, and of course Windows. You build out these agents; it's pretty easy to deploy, some copy and paste code. John Hammond's video is accurate on that. And even though he did a sponsored video, I have not done a sponsored video with Wazuh, so I have no tainted opinion, if you will, or bias, other than I will tell you I actually like the product. I think they've done a good thing with it. I've used OSSEC in the past, and that's what Wazuh is a fork of. But I like that John Hammond really showed you how much work goes into tuning all the XML files, how much work goes into changing things.
This is not like, I just set it up and it magically monitors my network. But they do have some cool plugins. For example, back to VirusTotal: you can use the free API, which has some limits (you have to sign up for an account to get an API key with VirusTotal), or you can pay for more, and it can do things like file integrity monitoring and file hashes, and determine if those hashes match something that's in VirusTotal. Once again, that has a cost to it, because you have to pay VirusTotal; it's not something you pay to Wazuh. But Wazuh is only as good as the information you feed it. The nice thing is it's a nice tool to have to get all that information together. So with Wazuh you're going to be able to put things in there like file integrity monitoring, monitoring commands that were run. So you can get this great history. For example, you're doing this on Ubuntu and you want a full command history of what was done, because that's the question: have I been attacked? Did something happen? It's crashing weirdly now. Being able to go through the logs and have that data, to know to look for something, and you go, wait a minute, I wasn't logged in at three in the morning, but someone sure was, and here are all the commands they ran. Hey, look, they ran a curl command to pull something from a website. Because it's agent-based and it's sending that data to Wazuh constantly, even if they do a log clear, you will have the logs that they cleared. This is where things like Wazuh are amazing. But once again, it's still a reactive tool. That's not a bad thing, because we always have to have a plan. I think that's the part I hammer through the most with cyber security: do you know if you were hacked? What is your plan? What was run? And if someone says, I don't know, they cleared the logs, is the answer, well, now I don't really know the full scope of the damage that's done? Did someone just crash your Apache or NGINX server? Did they actually pivot and get a shell and run commands?
Have they been on your box for a little while and you didn't notice until now? But then you need to kind of trace back there. So things like Wazuh are really great for especially that security monitoring side of it, so you have all these logs locked down somewhere. To some extent, Wazuh compared to Graylog just comes up a lot. Wazuh is really diving into the command structure and more of what they refer to as a SIEM tool, versus Graylog, which is just pumping syslog over. Both are something that can coexist in your environment; you can do these things simultaneously. But your syslog data is not necessarily the same data as what commands were run on a system. So Wazuh is going to give you more insight into that, and it's very focused on that particular way of looking at things.

Yep. So those are probably the tool sets that I think we'll cover here for The Homelab Show. Those are like the big popular ones out there. Once you get into the commercial tools that I talk about a lot, the price goes up substantially, and things like that. Those are the first ones I'm aware of that are really available and popular, because the other ones I've looked at over the years have really kind of fallen out. There were a couple of other security tools out there that I would say are a mixed bag today, because they've kind of been taken over by commercial entities and sometimes they're not getting the love they deserve. But at least with Wazuh and Security Onion, those are two very well maintained security tools out there.

Yep, absolutely. But you know what, let me pull up the name. I know it's by Greenbone Networks. There is vulnerability scanning you can do. This is one of the tools they have, OpenVAS. It's at greenbone.net.
I want to make sure I had their website right I didn't have this on my list But I'll at least mention you this is a security tool that is uh able to do some scanning of your Things to try to figure out what versions are running and try to help you with some of that So that is kind of an extra security tool. It's just making sure you're up today Honestly, if you're patching really well and all your systems patch you're doing pretty good But if you do if you are looking for something and go, hey, I wonder what versions these are There are tools like open source tools that from green bone that have some scanning options To be able to look at that but honestly your best defense is making sure all of your systems are constantly up to date That's the right. That is the huge one that you really need to do Yep, absolutely Uh, do you have a video on unattended upgrades j I think you do I have so many videos sometimes I go to maybe start writing a script for a video and realize I've already done it I think so, um, I just don't remember if it was standalone or part of my Or one of another video, but what I will say is it might be in the every server video that I've done Which should be in the description of most of my videos if I'm not mistaken But if you look for a thumbnail like do this on every server It's the one and I'm pretty sure that's on there. If not, then, you know, maybe I have a little bit of gap in my Content list. Yeah The um The unattended upgrades is not a thing where you I'm saying upgrades should be unattended It is actually apt to get install in the debbie and world of unattended upgrades So you can and then you can tune it to tell it to auto update your things auto patching will just save you so much trouble um I know there's just going to be some people going well But tom doesn't it potentially create problems because something patched and now something's work. Do you want something? 
Broken from a patch or do you want something broken from a third party that got in remotely to your system? That's the those are that's the balancing act. We always keep Uh, it is a challenge the same thing with windows updates. It's windows kind of I've seen a lot of people disabled updates Please don't do that. That is right It's it's the pain if you plan to run windows I'm sorry, but this is the pain you have to deal with is it windows has a pretty steady onslaught of problems that need to be patched and Yep, you got to do it. It's it's unfortunate It's it is the challenge on the business side of what I do You know, we have thousands and thousands of computers that we maintain patch levels for This is no small task and it is a painful one, but uh, that's why we have a team to deal with it Yeah, absolutely. I mean could something happen if you update. Yes, it something could happen Could something happen if you don't update something will happen if you don't update So it's better to have you know, protect the will happen than the could happen Because if you don't patch, it's just a matter of time. So both scenarios have potential bad things, but Um, not updating is always worse. Yeah, not updating is worse And you can look in tools like synologies an easy example. Synology has an option you can turn on I can't remember if this is on by default. I'd have to look on a new synology because I always turn it on on mine is uh, you can tell us auto load security patches and You can tell it's all alone. 
I think all the patches But I think maybe now on by default, but if not double check yours because this is one of the challenges Even though it's on default new synology Maybe yours is an older one that's been around for a while and you didn't turn this on But you can tell like sounds you do auto patches This is going to vary a lot from system to system on whether or not they have that as an option Yep Yeah, and I seen someone say the more frequently you update the small the smaller the likelihood of an impact and update Yes, major version upgrades, especially when you haven't updated things in a very long time You find out about all the stuff I use an example of like for There was some problems with postfix and they gave me plenty of warning every time I updated I said this will soon you have features that will soon be deprecated They warned me every time I patch for they let me know for six or seven months before I finally said Yeah, I should probably figure out what come what is deprecated in my config. So Um, eventually it would impact me But if you if you're regularly patching most of these places if you have a deprecated function There's usually some notices. So if you take the time to read the errors and yes, that's uh, that's a helpful thing Absolutely. Yes. All right. You'll find links to things we talked about down in a description below and thanks for joining us See you next time. Appreciate it
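As an added example to go with the unattended-upgrades discussion in the episode (this is not code from the show, from Tom or Jay, or from the unattended-upgrades project): a small shell script that renders a security-only unattended-upgrades policy for Debian into a directory of your choosing, so the two files can be reviewed or diffed against the live ones before being copied into /etc/apt/apt.conf.d/. The function names, the output directory and the "security pocket only, never auto-reboot" policy are this example's own choices; the configuration keys and the Debian security origin patterns are the real ones read by the unattended-upgrades package and by APT's periodic job.

```shell
#!/usr/bin/env bash
# Added example, not from the episode: render a security-only
# unattended-upgrades policy for Debian into OUTDIR so it can be reviewed
# (or diffed against /etc/apt/apt.conf.d/) before it is installed.
# Function names and the policy are this example's own; the keys are the
# real ones read by unattended-upgrades and by APT's periodic job.
set -eu

# Write the two files the package reads: the policy (50unattended-upgrades)
# and the APT::Periodic switches that schedule the runs (20auto-upgrades).
render_unattended_conf() {
  local outdir="$1"
  mkdir -p "$outdir"

  cat > "$outdir/50unattended-upgrades" <<'EOF'
// Only pull packages from the Debian security pocket; regular updates
// still wait for a human to run "apt upgrade".
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
// Clean up packages that are no longer needed after an upgrade.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Never reboot on its own; you decide when a kernel or libc reboot happens.
Unattended-Upgrade::Automatic-Reboot "false";
// Mail root a report, but only when a run actually failed.
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailReport "only-on-error";
EOF

  cat > "$outdir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# Sanity check a rendered (or live) config directory: prints "enabled" and
# returns 0 when both APT::Periodic switches are "1" and the policy forbids
# automatic reboots; otherwise prints "disabled" and returns 1.
check_unattended_conf() {
  local dir="$1"
  local periodic="$dir/20auto-upgrades" policy="$dir/50unattended-upgrades"
  if grep -Eq '^APT::Periodic::Update-Package-Lists "1";' "$periodic" \
     && grep -Eq '^APT::Periodic::Unattended-Upgrade "1";' "$periodic" \
     && grep -Eq '^Unattended-Upgrade::Automatic-Reboot "false";' "$policy"; then
    echo enabled
    return 0
  fi
  echo disabled
  return 1
}

# Stand-alone usage: render into a temp dir and check it.
if [ "${1:-}" = "--demo" ]; then
  demo_dir="$(mktemp -d)"
  render_unattended_conf "$demo_dir"
  check_unattended_conf "$demo_dir"
  echo "rendered to $demo_dir; review, then copy both files into /etc/apt/apt.conf.d/"
fi
```

Run it with `--demo`, read the two rendered files, and copy them into /etc/apt/apt.conf.d/ as root after `apt-get install unattended-upgrades`. Before trusting the schedule, `unattended-upgrade --dry-run --debug` shows exactly which packages the policy would pull in without changing anything, which is the quickest way to confirm the origin patterns match your release. On Ubuntu the packaged default file uses `Allowed-Origins` with `${distro_id}:${distro_codename}-security` instead of the Debian label patterns above, so adjust the policy block for that platform.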