My current favorite VM architecture is Proxmox because it supports LXC and KVM/QEMU as well as building solid front ends for Ceph, ZFS, and other very nice network abilities. And for personal use, it is free (with a nag notice), and built on top of Debian. I have been really liking spinning up containers for experiments.



On Sun, Jul 11, 2021 at 7:36 PM Keith Smith via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:

Thanks!!

On 2021-07-11 14:54, James Mcphee via PLUG-discuss wrote:
> Just as general advice.  Keep everything private, except the very
> minimum you need otherwise.  Keep everything disposable, except for
> what you absolutely need to persist.  Keep everything isolated, except
> exactly what communication you need.  Doing this will take a LOT of
> learning about the systems and how they work, but you should consider
> it the base starting point to avoid turning into a host for various
> bad actors.  Until you feel you won't expose more than you should, you
> should probably keep everything locked up in a private network on VMs
> that you don't mind recycling on the regular.
>
> On Sun, Jul 11, 2021 at 12:54 PM Keith Smith via PLUG-discuss
> <plug-discuss@lists.phxlinux.org> wrote:
>
>> Thank you Michael for all your replies and for this one!!
>>
>> I hear ya.  It may take too much time....
>>
>> Let me ponder your reply.
>>
>> Thanks!!
>>
>> On 2021-07-11 12:15, Michael Butash via PLUG-discuss wrote:
>>> On Sun, Jul 11, 2021 at 11:23 AM Keith Smith via PLUG-discuss
>>> <plug-discuss@lists.phxlinux.org> wrote:
>>>
>>>> I am talking about a virtual PHP host running Ubuntu LTS, LAMP, Let's
>>>> Encrypt, BIND, Postfix, Dovecot, and possibly some webmail app.  Not
>>>> sure of anything else I would need.  Is there more?
>>>>
>>>> We can throw in learning Apache SPF and NGINX.
>>>>
>>>> 1) First question: is this a reasonable idea or am I crazy?
>>>
>>> For learning and tinkering, it's a good idea; production for yourself,
>>> probably not.  I set all that up some 10-15 years ago, thought it was
>>> cool, then got tired of upkeep.  If you plan to maintain it right, you
>>> probably will too.
>>>
>>> These days any internet-facing service needs almost religious zeal to
>>> upkeep, lest some jackass use a 0-day to cryptolocker your system(s),
>>> and if you watch security lists for those, they are still pretty
>>> frequent I'll bet.  Or you could just pay gmail/orfice365/rocketmail,
>>> or any other and let all that patching and upkeep be automated by
>>> them.  I used godaddy mail for a decade, later gmail, and I really
>>> don't mind not managing my own email or dns servers ever again since.
>>>
>>>> 2) 2nd question is what skills would I need?
>>>
>>> The ability to google your ass off mostly.  I've not read a how-to or
>>> protocol or certification-type book in 20 years; trust me, it's not
>>> terribly practical, and I fifo from my brain quickly.  Searching how-tos
>>> and troubleshooting as you do is how you learn.  If you must, I'd
>>> recommend linux academy, udemy, or other online class-type courses, as
>>> most can be had cheap around holidays with sales, mostly what I do
>>> these days to learn if not just searching.
>>>
>>> Email is email and hasn't changed much in 20 years.  Understanding
>>> encryption, authentication (i.e. 2fa), use of SPF/DKIM with DNS,
>>> certificates (openssl, letsencrypt, build your own CA).  Security in
>>> general is pretty key, more than knowing how email protocols work.
>>>
>>> Web stuff is again more about security imho: redirect all
>>> non-encrypted to encrypted (tcp/80->443 redirection), proper
>>> certs/encryption standards (enable tls1.2, disable rest, strong
>>> ciphers).  Some vhosts, proxy redirection if needed, etc. is helpful.
>>> If you want to scale, add load-balancing via apache/nginx proxy or
>>> appliances (F5, AWS ALB, Netscaler, etc) across multiple hosts.
>>>
>>> System security is key too.  Securing SSH, disabling unnecessary
>>> services, local firewall in/out, log monitoring, networking, file
>>> system/service integrity, etc.
>>>
>>> I am not a dev or a sysadmin, more a network guy that ends up
>>> troubleshooting systems more than their owners do when they blame my
>>> network, or just tinkering for myself.  IMHO with above, but YMMV.
>>>
>>> -mb
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
> --
> James McPhee
> jmcphe@gmail.com


--
A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button.

Stephen
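Michael's web-hardening checklist in the quoted reply (redirect plain HTTP to HTTPS, TLS 1.2 and up only, strong ciphers) turned into a small config audit, added here as an example and not part of the thread. The two nginx fragments are constructed for illustration; `listen`, `return`, `ssl_protocols` and `ssl_ciphers` are standard nginx directives, while the flat-block parser and the weak-cipher markers are assumptions of this example.

```python
import re

# Constructed nginx fragments (not from the thread): a weak vhost pair beside the
# hardened pair Michael describes (80->443 redirect, TLS 1.2+ only, strong ciphers).
WEAK_CONF = """
server { listen 80; root /var/www/html; }
server { listen 443 ssl; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!aNULL; }
"""
HARDENED_CONF = """
server { listen 80; return 301 https://$host$request_uri; }
server { listen 443 ssl; ssl_protocols TLSv1.2 TLSv1.3;
         ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; }
"""
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # substrings of weak cipher names

def directives(body):
    # Map directive name -> argument string for one server block (last one wins).
    out = {}
    for stmt in body.split(";"):
        stmt = stmt.strip()
        if stmt and not stmt.startswith("#"):
            name, _, args = stmt.partition(" ")
            out[name] = args.strip()
    return out

def weak_ciphers(spec):
    # Cipher tokens that are catch-alls or name weak primitives; "!X" exclusions are fine.
    tokens = [t for t in spec.upper().split(":") if t and not t.startswith("!")]
    return [t for t in tokens if t in ("ALL", "DEFAULT") or any(m in t for m in WEAK_MARKERS)]

def audit(conf):
    # One finding per violated rule; an empty list means the config follows the advice.
    # Assumes flat server blocks (no nested braces), an assumption of this example.
    findings = []
    for d in map(directives, re.findall(r"server\s*\{(.*?)\}", conf, re.S)):
        listen = d.get("listen", "")
        if "ssl" not in listen:
            if not d.get("return", "").startswith("301 https://"):
                findings.append(f"listen {listen}: plain HTTP served instead of redirected")
            continue
        legacy = set(d.get("ssl_protocols", "").split()) - ALLOWED_PROTOCOLS
        if legacy:
            findings.append(f"listen {listen}: legacy protocols enabled {sorted(legacy)}")
        if bad := weak_ciphers(d.get("ssl_ciphers", "")):
            findings.append(f"listen {listen}: weak cipher entries {bad}")
    return findings
```

Run `audit()` over a real `nginx.conf` after flattening its `server` blocks, or extend `directives()` to the Apache `SSLProtocol`/`SSLCipherSuite` spelling if that is the stack in use.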