[quesera]

> There is something to be said about the larger centralized services. I’d be hesitant to put any sensitive files on my own server. The larger firms have security departments ready to respond to CVE’s and 0days.

Some people change their own oil, mow their own lawns, fix their own dripping faucets, etc.

Running a secure server on the internet requires different, but not more knowledge and effort, and is less expensive, than changing your own oil.

There's no need to be in thrall to the "larger firms". They have different problems, which you might not be able to solve for them -- but you can often solve your own.

[mdmglr]

I think this is disingenuous. Example: configuring a linux firewall properly is not on the same competency level of changing your oil.

This script doesn’t harden sshd to the level I’d call safe. Disabling root login is minimum. I’d have port change, timeouts, fail2ban, otp via Pam all configured. Only allow specific IP ranges and users to ssh. I’d use ansible to properly configure instead of this script.

In the case of httpd. Id run it in docker or chroot. Again fail2ban, otp, I’d probably put it on a different port have it proxied via Cloudflare and have httpd only allow Cloudflare ips.

All this that are difficult to learn.

Source: I run my families infrastructure. Which spans multiple servers, routers, switches across 7 houses in 3 countries. I also change my own oil.

[bombcar]

fail2bandaid is just a log cleaner. It doesn’t really provide security if you’re using keys correctly.

[sivers]

Great metaphor. Thank you.