by garmaine 1651 days ago
> Of course the first-5-minute title is hyperbolic

I don't think it is. I've managed a server directly connected to the internet with a US government IP, and it was being port scanned from a Chinese IP within minutes of being turned on. If you are a target, then there is an adversary out there that is patiently waiting for the opportunity to exploit an unpatched vulnerability in new installs, as, if your security is otherwise good, it might be how they get their foot in the door on your network.

(In our case I really did have a "5 minute plan" to log in as soon as the fresh install was booted, set up a firewall, lock down the ssh server, and install fail2ban ASAP. I'd then check system logs to see if anyone got in before proceeding. Time was of the essence.)
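The two parts of that "5 minute plan" that can be prepared and checked offline, as an added example that is not part of the thread: an sshd lock-down drop-in, and a check of the auth log for accepted logins that did not come from the admin address. The admin IP, the drop-in path and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The admin IP and sample log are constructed.

ADMIN_IP="203.0.113.10"   # constructed: the only address allowed to log in

# Emit an sshd drop-in that restricts the daemon to key-only, non-root logins
# from the admin address. Printed to stdout so it can be reviewed before use.
sshd_lockdown_config() {
    cat <<EOF
# /etc/ssh/sshd_config.d/50-lockdown.conf (hypothetical path, needs Include support)
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers admin@${ADMIN_IP}
EOF
}

# Scan an auth log for accepted sshd logins and print the source address of any
# that did not come from the admin IP: evidence someone got in before lock-down.
unexpected_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted ' "$1" \
      | awk -v ok="$ADMIN_IP" '{
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i+1);
            if (src != ok) print src
        }'
}

# Constructed sample log: one legitimate admin login, one failed and one
# successful login from an unknown host.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
May  3 10:01:12 host sshd[812]: Accepted publickey for admin from 203.0.113.10 port 50122 ssh2: ED25519 SHA256:abc
May  3 10:02:40 host sshd[830]: Failed password for root from 198.51.100.7 port 41234 ssh2
May  3 10:02:45 host sshd[833]: Accepted password for root from 198.51.100.7 port 41236 ssh2
EOF

sshd_lockdown_config
unexpected_logins "$SAMPLE_LOG"   # prints 198.51.100.7
```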


no one in that scenario would not do things manually like in the article.

but if doing it, then at minimum you should use a custom install media with latest packages bundled and all the configuration already baked in, so you hit the ground with sane defaults and cover the first 5 minutes from this article during install time.

also in any install I would always do a netinstall to get any updates between media generation and install time, so you should always have the latest and greatest at install time.

That would leave the installer exposed though for the duration of installation. I typically did installs disconnected from the internet for that reason.
yeah.. any realistic case that is how you would do it..

but the scenario I was replying to was install a server and immediately start it with a public facing IP before updating..

if I had to do that with no other sane option.. that is how I would do it.. custom install media with latest patches bundled and pre-configured as much as possible..

But I agree, I would not install a public facing server while it is public facing, I would install it offline or in a private network, update, configure, secure and then expose it..