[dlisboa]

There's a lot more to running your own server than that. I set up a Hetzner VPS just for play one weekend. I forgot all about it and came back a couple days later: it had already been compromised and was being used to mine crypto coin. All because I left something running (related to Docker) which I don't even remember starting.

Hardening your servers, ensuring proper port exposure, ensuring upgrades and security patches, is thought and time you need to spend. It's hard to keep track of all vulnerabilities in all software. That'd before even talking about zero-downtime deployments and all of that.

Running NGINX and Postgres is not the difficult part that people are avoiding. There's a good reason these services exist.

[steve_adams_86]

I’ve got a lot of dumb little things living out on the internet deployed this way, and I don’t think I’ve ever been compromised. Maybe you were just especially unlucky?

There are some things I’ve deployed without much care and yet they’re always as I left them.

I’m not saying there’s nothing to worry about. I’m just not sure it’s all that difficult with some rudimentary (but sane) security practices.

[re-thc]

It is a common theme. Bots and others scan ports and IP ranges all the time. Looking at server logs I always see random server connections trying to get to things like wp-login.php to look for an exploit.

If you put it out there and don't actively secure it it's bound to get compromised - just a matter of when.

[dijit]

Maybe I'm blind to something because I've been in server administration for 15years; but my -really old- IRC network requires about 3 hours of maintenance a year; I have 10 machines and they're constantly being "attacked" (as per logs) but the only time I've ever been compromised was when I was trying to overcomplicate things with fancy tools to make administration easier

[re-thc]

That's like saying it's outrageous that a consultant charges $xxxxx for a 5minute fix. You've said it - you've got 15years of experience in server administration. That's what people are paying for.

Having said that I never said it was "hard" - just something needs to be done. I responded to a comment that took it for granted that you'd automatically be safe on the Internet.

[dijit]

Yeah, but most adminsys people are autodidacts; thus there was a time when they did not have 15 years experience and were running systems on the internet.

I'm not saying there can't be a problem, but it's so easy and the alternatives (cloud+terraform+ansible+packer et al.) are so complicated in comparison that it beggars belief that people are choosing an "easy" path here.

[beginnings]

Yeah, it's actually crazy just how much every open address gets spammed. You freak out like why are there thousands of attempts to login to my server that I haven't advertised at all, then you Google it and find out it's just the normal state of the internet.

[beginnings]

Set up fail2ban then good luck to anyone to anyone trying your address, it's very simple. Ensuring upgrades and security patches is literally running sudo apt update and sudo apt upgrade. Should be a piece of cake for anyone who has been running Linux for a few years.

[8n4vidtmkvmk]

even that is not so trivial. you'll have downtime during the upgrade and it might not come back up again.

which is why i switched to kubernetes