undefined | Better HN

0 pointsunregistereddev3y ago0 comments

On a trivial level I agree, but only on a trivial level. Most developers will not set up a server in the most secure, maintainable manner. They're going to miss important things:

- Disable password-based auth for ssh (require key-based auth) - Enable fail2ban or similar to slow down brute-force login attempts - Configure firewall - Install monitoring tools, antivirus, possibly backup daemons, etc - Setup a sane swapfile for your use case, and configure monitoring tools to alert when memory pressure gets too high - Setup disk mounts, configure monitoring tools to alert when disk space is low, and consider a cron job to automatically clean up tempfiles - Either set up automated updates (typically excluding kernel upgrades), or have a standard schedule for manually applying updates

...and probably other things that I'm forgetting because I'm a developer, and it has been years since I've been a sysadmin.

0 comments

olddustytrail3y ago

I've done the sysadmin, DevOps, SRE journey.

A couple of others spring to mind:

- if you're not regularly testing your backups, you don't have backups

- monitor SSL certs for expiry. It's amazing how many outages I've seen because this was missed.

- are you allowing direct connection to your server from the internet, or do you want to go through a bastion host. Do you need 2FA on this, say because you need to meet ISO27001.

- do all the above through CM (like Ansible or Puppet) for obvious reasons.

P5fRxh5kUvp2th3y ago

I have a rant here about security being mostly bullshit. Not even sysadmins can setup a server "in the most secure, maintainable manner".

You don't hire a dedicated sys admin because they know some voodoo magic developers don't, you hire a sys admin because they have the _TIME_ to watch for security updates. And you _PAY_ a company like RedHat to ease that burden.

A dedicated sysadmin will typically do a better job than a non-dedicated developer, but if that developer cannot do a passable job, that's a gap in their skillset.

I may not be a network engineer, but I damned well understand DNS, MPLS, networking, gateways, and the like. Any developer who doesn't has gaps.

j / k navigate · click thread line to collapse