by wiradikusuma 3897 days ago
Honest question from a developer perspective: Why isn't there any "best practice/hardened by default" wizard-style configuration, something people can do right after they install their OS? E.g.:

Welcome to Best Practice Linux. Click Next to continue. Which HTTP server do you want (httpd/lighttpd/...)? Click Next to continue. (you get the idea).

Something like apt-get but with best-practice defaults.

5 comments

Apache doesn't default to acting as an open proxy. It already has safe defaults! He specifically configured it this way.

This would be a really really good idea.

However, in my experience (as an Apache noob), the Apache community consists of experts who are so far ahead of the noobs that they can't see the issue from the perspective of noobs.

When I configured my first web box, I couldn't believe that in 2 days it was hacked open and taken over (by some hackers in China apparently -- those guys are scary good). My host (DO) couldn't provide any advice / support on what exactly had happened. I reset everything and set it up again, and again, 2 days later, the box was completely taken over (again by peeps in cn).

Finally, I did a couple of tiny tweaks in how I logged in (I disabled root login, and configured SSH keys to log in, and changed the log-in port), and I was never hacked again. If these 3 little tweaks could be made defaults, there'd be a whole lot less hacking going on.
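
As an added example (not part of the comment above and not any project's own code), this sketch checks an `sshd_config` for the three tweaks the comment lists. It assumes "SSH keys to log in" means `PasswordAuthentication no`, does not follow `Include` files, and treats everything after a `Match` line as conditional; both sample configs are constructed.

```python
# OpenSSH built-in defaults for the two first-match-wins keywords we track.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective_settings(config_text):
    """Return the global values sshd would use for the tracked keywords.

    sshd keeps the FIRST value it reads for a keyword (later duplicates are
    ignored), keywords are case-insensitive, and Port may repeat (cumulative).
    """
    first, ports = {}, []
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        key, value = fields[0].lower(), fields[1].strip('"').lower()
        if key == "match":
            break  # the rest of the file is conditional, not global
        if key == "port":
            ports.append(int(value))
        elif key in DEFAULTS and key not in first:
            first[key] = value
    settings = {**DEFAULTS, **first}
    settings["port"] = ports or [22]  # sshd listens on 22 when no Port is given
    return settings

def audit(config_text):
    """List which of the three tweaks from the comment are missing."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append(f"root login not disabled (PermitRootLogin {s['permitrootlogin']})")
    if s["passwordauthentication"] != "no":
        findings.append("password logins still accepted")
    if 22 in s["port"]:
        findings.append("still listening on default port 22")
    return findings

# Constructed sample: the later "PermitRootLogin no" is ignored by sshd.
SAMPLE_WEAK = "Port 22\nPermitRootLogin yes\nPermitRootLogin no\n"
# Constructed sample: the Match block does not change the global settings.
SAMPLE_HARDENED = ("Port 2222\npermitrootlogin no\nPasswordAuthentication no\n"
                   "Match User deploy\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text) or "all three tweaks applied")
```
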

Something like this might be a start:

https://github.com/hardening-io/ansible-os-hardening

This discussion about otto (from the makers of Vagrant) has some ideas about why people think a one-size-fits-all "default" is a bad/good idea.

https://news.ycombinator.com/item?id=10291778

Something that proper config management already solves: the default Apache module for Puppet places sane defaults on everything; from there it's your responsibility to know what you are doing.