If you insist on using passwords, make sure you at least install something like fail2ban or denyhosts to block the compromised machines which are hammering your server trying to guess passwords. Clients can see which authentication methods are allowed so they know which machines to attack (i.e., yours, if you allow passwords).
I use a gpg smartcard to log into SSH. That way I don't need a password (technically, the smartcard's reader wants the PIN, but the computer sees no PIN) and the key can't be stolen easily.
One can simply start an openssh-server on localhost with some unused port for testing. There is no need for the internet or other computers, let alone somebody else's computers over the internet, for that.
Yeah I'm sure they are running linux. Actually just have them build openssh from source first. Much easier than signing up for GitHub and following their guide to do a test push for a litmus test.
Yeah, it is security through obscurity, but I do it anyway on my Internet-facing systems because then I don't have to bother with most automated SSH scanners.
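As an added example (not any commenter's code), a short Python audit of an sshd_config for the points raised in the comments above: password authentication left on, the PAM keyboard-interactive path that still prompts for passwords, and a non-default port as obscurity rather than protection. The sample config is constructed, and the defaults assumed for absent keywords are upstream OpenSSH's.

```python
import re
from typing import Dict, List

# Constructed sample: port changed for "obscurity", passwords still on.
SAMPLE_CONFIG = """\
Port 2222
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {lowercased keyword: value}. Like sshd: '#' starts a
    comment, 'Key value' and 'Key=value' both work, the first occurrence
    of a keyword wins, and parsing stops at a Match block."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z0-9]+)[\s=]+(.+)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Flag anything that still lets password guessing work, plus the
    port-obscurity point. Absent keywords take upstream OpenSSH defaults."""
    def get(key: str, default: str) -> str:
        return settings.get(key, default).lower()
    findings: List[str] = []
    if get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication: on (the default); use keys, "
                        "or at least rate-limit guesses with fail2ban")
    # PAM keyboard-interactive can still prompt for a password unless it is off too.
    kbd = get("kbdinteractiveauthentication",
              get("challengeresponseauthentication", "yes"))
    if (get("passwordauthentication", "yes") == "no" and kbd == "yes"
            and get("usepam", "no") == "yes"):
        findings.append("ChallengeResponseAuthentication: PAM keyboard-"
                        "interactive still allows password prompts")
    if get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin: root may log in with a password")
    if get("port", "22") != "22":
        findings.append("Port: a non-default port only dodges untargeted "
                        "scanners; it is not an access control")
    return findings
```

Run `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` on a real host to see which of the three points above apply to it.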
The general advice I've seen is to not host your own server. But I think it would be a great learning experience. If you cover the basics, is your server still extremely vulnerable?
Yep, you should definitely host your own server. And build your own Linux distro. And your own computer. Then weave your own cloth, sew your own clothes, cobble your own shoes. Build a car. Buy some land. Build a house. Move to the country. Raise chickens. Till and sow land. Get off the grid. Abandon the modern world.
It's perfectly possible to drive a car without building one, or to become technically proficient without hosting your own server. If you DIY something, you may learn a lot about it, but it won't make you any better at the thing you actually wanted to do with it.
It is not about learning everything by doing it yourself from scratch. Hosting a service yourself on your own server is becoming simpler and simpler by the day. Capable hardware is cheaply available in the form of single board computers and projects like Freedombox[0] and Yunohost[1] make the hosting part simple for the services they preconfigure.
I don't know why you write such a confrontational comment. Hosting your server is important to have control over your data. You don't need to build your own Linux distro for that...
Yup, I have an Odroid X running Ubuntu (I couldn't find a Debian that was set up to run on it). It's my mail server, apache server, has an outward facing SSH server, and acts as a sensor data logger. It's pushed pretty much as far as it will go, for a little system like that, with a fairly high load average at times.
Recently had a power cut that killed the system, but rather than reinstall I poked around for a few hours until I discovered the bootloader's zImage had been corrupted. Copied another over from the original install image, and away it went.
When I find myself a decent job, I'll dedicate a more powerful system to the task, maybe virtualize a few of the servers.
Fun projects, although there are many head-hit-keyboard moments in setting it up.
I have an A20-Olinuxino-Micro with a battery, so the device can cleanly shutdown when power is lost.
I strongly recommend only buying devices that are compatible with Debian main, or mainline Linux at least. Usually I just check if it's compatible with Debian main, and if it's not, I move on. The latest shiny SoC is not worth the software pain caused by uncooperative manufacturers.
First of all, it wasn't a confrontational comment, it was irony.
And no, self-hosting does not help you control your data. Control would imply some kind of access control or lock, which all hosted services provide. Privacy would imply encryption, which you should be applying to your self-hosted service's files anyway, and can also apply to a hosted service.
It came off as confrontational to me, and I don't see the irony (maybe a poor choice of word on that, though; reductio ad absurdum, perhaps?)
I would think someone working in marketing at American Apparel or some fashion magazine or something could get something useful out of weaving their own cloth or sewing their own clothes. Similarly for someone reading Hacker News and running their own server.
It was confrontational because you ridiculed a point of what I said by extremely overdoing it.
Even the part you ridiculed — which wasn't the main point — is important. Learning and figuring stuff out by doing it yourself is very important. One doesn't need to go to the absurdly extreme like you ironically promoted.
I host my own server and virtually only I have access to it. Clearly, that gives me privacy to a large degree.
Not host your own hardware, or not get a dedicated server? Whether you host your own hardware in your home or rent a dedicated server, you are still responsible for proper security. Renting a VPS is a different story: you are relying on the hosting company to properly set up security for the guests. At least when you can run on bare metal, you can audit it yourself. If I need to be able to quickly scale and do other "cloud computing" things, running EC2 or similar instances is pretty much the only way, but if I need some real security, hosting on my own is the best option.
You can make a very secure system by hosting it yourself. Do you need a very secure system? Or do you just need to know that you need a firewall, and to manage your credentials securely, and to segregate applications' security domains, and do filtering of inputs, and blocking of brute force attacks?
You probably just need to learn about security, and learning to host yourself is not the same thing.
And now, here's containerization and complicated awk commands!
I get that it's Chapter 9 in a book, so there is missing context. But I'm also wondering why users and groups seem to be getting intro'd in Chapter 9. And why the author thinks that a person who is learning about users and groups is in any position to consider containers.
A minor nit, I suppose. Formatting of cli commands has mangled them to the point they cannot be used. For example
# dpkg — list
will not work. The correct command is
dpkg --list
I suppose I'm particularly sensitive to this because I ran into a problem copying some commands from a terminal window into a Google Document and then copying/pasting them back to the command line. Google Docs had changed some of the spaces to something that looked like a space (both in the doc and in the shell) but was not and caused inexplicable error messages.
Anyway... I prefer stuff where I can copy/paste directly into a terminal window and have it work as the author expected.
One of the things that I'm super happy about is that for basic stuff I don't need to manage servers (static sites / web apps hosted on S3 etc., FaaS for basic code) and when I do need to have full-on servers, I can use something like GKE/EKS/AKS to just deploy containers and not manage the underlying infrastructure.
It's super awesome when working on personal projects! (although in a way I did enjoy doing all that in the first place)
I am so glad that nowadays, to get websites for my hobby projects going, I just have to do a GitHub page, and don't have to worry about all that stuff (and don't have to pay, either). GitHub Pages + static content generators are among the best advancements in recent years.
In my experience shared hosting was looked down upon (and still is) not because we were high-and-mighty better-than-thou you-know-nothing toffee-nosed snobs about the entire idea[1], but because of the many (the majority?) of hosts who were absolutely terrible at security (and stability, and performance both generally & through silly levels of over-selling, and everything else, but security is most important).
In this case the hosting is by a company with the technical skills and infrastructure to properly secure and support the service, not some inexperienced kid living with his parents who thinks a simple cPanel installation (that never gets updated for some reason he doesn't notice or can't be bothered to diagnose) is a great almost-zero-effort way to sell hosting to make a bit of extra pocket money over the school/college/other holidays.
Also the lack of control made using certain things impossible: you were usually held back on an old version of MySQL & PHP, and little else, so if you wanted to use Postgres or Python or anything other you were stuck. That is the same here of course; this probably gives you even less control because it is not trying to be shared hosting, it is a hosting-platform-as-a-service.
[1] I may actually be a high-and-mighty better-than-thou you-know-nothing toffee-nosed snob, but that is beside the point here!
Years ago someone I used to know ;-) used to upload php scripts to traverse the ".." dir on shared hosts. You can do that with 9 out of 10 smaller shared hosts. It was hilarious.
There is a whole lot less of attack surface when it comes to static content generators.