Hello Péter,

Oh dear. We could have a huge discussion about Linux security in general
and ServerPilot in particular, but let's not do that. Just now I have
glanced at your items (1), (2), and (12) in your list of 12. Numbers 1 and
2 are pretty standard and reasonable lists of things to watch out for in
Linux security. Number 12 is the one you quote, and it turns out to be of
particular interest to me.

The author of (12) has transitioned to Netlify. I use Netlify, and I love
it!  And yes, I would much rather have my own website on Netlify than have
to manage my own virtual private server, though the author of (12)
over-dramatizes the issues a bit.

In fact, when you guys were first looking at transitioning to a new setup,
one of my thoughts was, "Oh, cool, maybe I can propose that they just move
their production service to Netlify!". But no. As best I can tell (and
recall), the full Metamath website blows out all the limits that Netlify
places on numbers of files and probably total size. Metamath.org is a
humungous website by most standards.  You know, all those thousands and
thousands and thousands of theorems, plus lots of other stuff. ;-) I don't
see any option out there that would serve your needs as well as a virtual
private server, or perhaps two or three of them.

I have watched how both Norm and David have approached system management,
and like I said before, I saw no problems at all with David's (or
Norm's) judgment. FWIW, the three of us discussed server setup off-list and
did some experiments with system and web server configuration, e.g. moving
to nginx as the web server.

Maybe I haven't said it, but I have lots and lots of experience with Linux,
with a few years of complete responsibility for mission-critical
public-facing 24/7 systems. My last industrial job became working on tools
for data center monitoring at Google.  It was _not_ a security job, but we
were constantly exposed to the workings of Google data centers and it
seemed like we interacted with site reliability engineers almost every day.
Google uses Linux for everything from desktops to data center servers.

What I have seen of ServerPilot does not excite me, meaning to say I doubt
it would wind up improving or simplifying your operations. But others might
view it differently. My main advice would be to support the people (David,
eh?) taking responsibility, while encouraging them to *document* their
system management practices, which is also of very real importance.

Best regards,
Cris


On Thu, Mar 24, 2022 at 6:06 AM Mázsa Péter <[email protected]> wrote:

> Cris, we can use it with Linode as well:
> 1. https://serverpilot.io/docs/how-to-create-a-server-on-linode/
> 2. https://serverpilot.io/docs/how-to-use-linode-longview/
> 3. https://serverpilot.io/docs/how-to-connect-a-server-to-serverpilot/
>
> P.
>
> On 3/24/22, Mázsa Péter <[email protected]> wrote:
> > I’m also willing to contribute financially to the serverpilot.io
> > service for a server, because
> > "(...) The number one thing that I loathed about managing my own VPS, was
> > security. A fully-fledged Linux instance, exposed to the public
> > Internet 24/7, is a big responsibility(1). There are plenty of
> > attack(2) vectors: SSH credentials(3) compromise; inadequate firewall
> > setup(4); HTTP or other DDoS'ing(5); web application-level
> > vulnerabilities (SQL injection(6), XSS(7), CSRF(8), etc); and
> > un-patched system-level vulnerabilities (Log4j(9), Heartbleed(10),
> > Shellshock(11), etc). Unless you're an experienced full-time security
> > specialist, *and* you're someone with time to spare (and I'm neither
> > of those things), there's no way you'll ever be on top of all that.
> > (...)"(12)
> >
> > (1) https://www.cyberciti.biz/tips/linux-security.html
> > (2) https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-common_exploits_and_attacks
> > (3) https://cloudsecurityalliance.org/blog/2014/03/05/youre-already-compromised-exposing-ssh-as-an-attack-vector/
> > (4) https://www.cyberciti.biz/faq/howto-configure-setup-firewall-with-ufw-on-ubuntu-linux/
> > (5) https://www.ubuntufree.com/how-to-stop-a-ddos-attack-on-ubuntu/
> > (6) https://xkcd.com/327/
> > (7) https://owasp.org/www-community/attacks/xss/
> > (8) https://encyclopedia.kaspersky.com/glossary/cross-site-request-forgery-csrf-xsrf/
> > (9) https://hackernoon.com/0-day-log4shell-is-serious-but-its-just-the-tip-of-the-iceberg
> > (10) https://www.cisa.gov/uscert/ncas/alerts/TA14-098A
> > (11) https://securityintelligence.com/articles/shellshock-vulnerability-in-depth/
> > (12) https://greenash.net.au/thoughts/2022/03/i-dont-need-a-vps-anymore/
> >
> > P.
> >
> > On 3/23/22, 'Alexander van der Vekens' via Metamath
> > <[email protected]> wrote:
> >> I’m also willing to contribute financially to a Metamath server.
> >>
> >> On Saturday, March 19, 2022 at 6:23:43 PM UTC+1 Cris Perdue wrote:
> >>
> >>> Hi Dear (Meta)math heads,
> >>>
> >>> On Sat, Mar 19, 2022 at 3:47 AM Mázsa Péter <[email protected]> wrote:
> >>>
> >>>> On 3/19/22, Mingli Yuan <[email protected]> wrote:
> >>>> > I would like to raise an issue of cybersecurity if any one wants to
> >>>> > take
> >>>> > charge of any server.
> >>>> > We heard of the news that the linux code repository was hacked
> >>>> > before.
> >>>> > That means we need to patch the server routinely and upgrade the OS
> >>>> > at
> >>>> > least.
> >>>>
> >>>> https://serverpilot.io/features/#security
> >>>> does this for you (combined with a digitalocean server)
> >>>>
> >>>
> >>> Please try not to worry too much about the details of different
> >>> services.
> >>>
> >>> I have no doubt Linode will be a more than adequate platform. And I say
> >>> this as someone with quite a bit of real-world experience running and
> >>> managing mission-critical Linux servers.
> >>>
> >>> It is good to document operational practices including security
> >>> practices, and I'll bet David and whoever helps him will be glad to do
> >>> that. Norm made a good start toward that.
> >>>
> >>> About OS upgrades, Linode has a pretty slick system for upgrading your
> >>> kernel. You just select your new kernel from a list in their web
> >>> interface and ask it to reboot your server. The Linux package managers
> >>> do a great job making it easy to update installed packages.
> >>>
> >>> -Cris
> >>>
> >>>
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Metamath" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> To view this discussion on the web visit
> >> https://groups.google.com/d/msgid/metamath/c4f114b0-5a22-4e80-8b03-f6bbf384a489n%40googlegroups.com.
> >>
> >
>
