The problem is servers can be provisioned a number of ways:
* manually (like this guide)
* via CI/CD using tools like Packer
* Cloned (eg CloneZilla, or cloud snapshot)
* via configuration management (eg Puppet, Chef, Ansible, etc)
* via other initialisation methods such as CloudInit
Aside from the manual option, there’s no wrong way to do any of these. And some of these approaches complement some of the other approaches too. Many of these approaches will have a multitude of different solutions available that differ significantly in setup.
A lot of the time it boils down to preferences as much as it does best practices.
As for why servers aren’t locked down more from the outset: some distros are. And there are images of popular distros that have been pre-hardened for you too. Ubuntu isn’t the best for secure defaults, but its target audience is more diverse than RHEL’s (Red Hat Enterprise Linux). And as I’m sure you’re aware, security is often a trade-off with convenience. So Ubuntu takes the approach of being slightly more convenient for the average user at the cost of being less secure by default.