by hyperplane 4686 days ago
> Intrusion prevention via fail2ban and rootkit detection via rkhunter.

Semantics, semantics, but rkhunter is intrusion detection, not prevention. I don't know what rkhunter would do to stop an intrusion, and fail2ban stopping a brute-force on your SSH login is hardly the likely intrusion vector for a server running this many services.

These tools still require a huge amount of systems administration work before it really counts as a "personal cloud". rkhunter looks for some basic rootkits but will not really protect you from emerging threats, other than to tell you you have a file integrity mismatch on a common file such as /usr/bin/login.

Since this is installing everything, it seems wise to add better host-based intrusion detection/file integrity checking across all services and configurations, via AIDE[1] or Samhain[2], which you could do with this type of automated setup. Both can then use the local MTA to alert you directly to your mail client if something is compromised, plus you gain the security of your configuration files for these services not having been tampered with.

What about running unattended-upgrades[3] for security patches to things like Apache et al.? Given the adversaries expected here, I assume that we aren't worried about false packages, etc. as a risk.

[1] http://aide.sourceforge.net/

[2] http://la-samhna.de/samhain/

[3] https://launchpad.net/unattended-upgrades
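The file-integrity checking the comment recommends, shown as an added example rather than code from the comment, AIDE or Samhain: a baseline of permission bits, owner, size and SHA-256 per file is stored, the tree is re-scanned, and every mismatch (a same-size content swap of a fake /usr/bin/login, changed mode on a config file, an unexpected new file) is reported. The directory tree, file contents and baseline path are all constructed in a temp directory for the demo.

```python
import hashlib, json, os, stat, tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Attributes to compare: permission bits, owner, size, and a content hash."""
    st = os.lstat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry

def build_baseline(root: Path) -> dict:
    """Fingerprint every file below root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed, or changed, naming the attributes that differ."""
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel].get(k) != current[rel].get(k)]
        if diffs:
            changed[rel] = diffs
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)), "changed": changed}

def check(root: Path, baseline_file: Path) -> dict:
    # Re-scan root against the stored baseline; keep that file read-only or off-host.
    return compare(json.loads(baseline_file.read_text()), build_baseline(root))

def demo() -> dict:
    """Constructed scenario: baseline a fake tree, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline_file = Path(tmp) / "tree", Path(tmp) / "baseline.json"
        for d in ("usr/bin", "etc/apache2"):
            (root / d).mkdir(parents=True)
        (root / "usr/bin/login").write_bytes(b"original login binary")
        (root / "etc/apache2/apache2.conf").write_text("ServerTokens Prod\n")
        baseline_file.write_text(json.dumps(build_baseline(root)))
        (root / "usr/bin/login").write_bytes(b"backdoored login bin.")  # same size, only hash differs
        os.chmod(root / "etc/apache2/apache2.conf", 0o640)  # permission bits changed
        (root / "etc/apache2/extra.conf").write_text("# unexpected new file\n")
        return check(root, baseline_file)  # mail this report via the local MTA
```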