Silly. I've been self-hosting since I degoogled. Never have I regretted not using docker. To imply that you should do this is the kind of hilariously out of touch I expect from developers :).
This guide lacks the most important tools: fail2ban and tripwire. I block on the order of 5,000 malicious requests a day (mostly recon bots) from Russia and China.
To be fair - who gives a shit about 5k requests to mostly non-existent services? Even my dinky RPi can handle thousands of times more load, and the nginx proxy for the cluster is just going to hand back an empty 404.
As long as you aren't doing silly shit (like exposing password-based SSH, or running your containers as root, or failing to make backups) then they can knock all they'd like.
They'd have to first find the app you're running, then attack the application to get an exploit, then manage to find a privilege escalation from the container, all for what, exactly?
Send more requests from my network? Break a couple of my services that I don't derive revenue from? I'm just literally not worth the trouble in almost all cases.
It's like 10 minutes to recreate my whole cluster from clean images (20 if we include wiping the OS on the machines).
If you're really concerned - shove the cluster behind tailscale/cloudflare/vps.
I really wasn't bragging about load. Of course 5k requests is nothing. It was mostly to emphasize that those 5k requests would bring at least 5k pieces of malware if I didn't spend the time to stop them.
The guide was missing this which I think cheapens the guide a little to me because security can be a large portion of the cost of a SaaS service you might pay for.
> It was mostly to emphasize that those 5k requests would bring at least 5k pieces of malware if I didn't spend the time to stop them.
I feel like this is confusion on your part - do you have a service/port that they are actually making real requests against where there is risk? Ex: password-based SSH access, or something like phpmyadmin running and exposed?
Basically - if they're just hitting SSH on port 22... as long as your auth is cert-based (or better yet, just not exposed publicly at all) who cares?
If they're requesting random paths for wordpress admin sites or something like phpmyadmin... again - who cares? You really don't have to do anything unless you're running those services.
I agree you should keep an eye on the logs - but mostly this isn't as big an issue as people tend to make it out to be. Proper auth on your services (ex: keycloak behind MFA) means the risk is just really, really low - and you really aren't worth the serious effort it takes.
Basically - a malicious request is NOT equivalent to malware. They can make lots of malicious requests - in practice, all of them just fail.
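The two mechanisms the thread keeps circling back to, a fail2ban-style ban of sources that fail SSH auth repeatedly (the first comment) and making password-based SSH a non-issue by turning it off (the "who cares if it's cert-based" replies), as an added example that is not from any of the commenters. The log lines and both sshd_config fragments are constructed for the demo; the `ban_candidates` and `audit_sshd_config` functions are hypothetical helpers, not fail2ban's own code, and `ban_candidates` omits fail2ban's time window (findtime) and firewall action, counting only the total per source IP.

```shell
#!/bin/sh
# Added example: toy fail2ban-style counting over constructed sshd log lines,
# plus an audit of a constructed sshd_config for password auth / root login.

# Constructed sample of sshd auth log lines (not real traffic).
SAMPLE_AUTH_LOG='Jan 10 03:14:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 10 03:14:03 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jan 10 03:14:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 51041 ssh2
Jan 10 03:14:06 host sshd[1204]: Failed password for invalid user oracle from 198.51.100.7 port 51055 ssh2
Jan 10 03:14:09 host sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 51060 ssh2
Jan 10 03:15:00 host sshd[1210]: Failed password for invalid user pi from 203.0.113.9 port 40011 ssh2
Jan 10 03:15:02 host sshd[1211]: Accepted publickey for alice from 192.0.2.42 port 50001 ssh2: ED25519 SHA256:abc
Jan 10 03:15:30 host sshd[1212]: Failed password for invalid user ubnt from 203.0.113.9 port 40020 ssh2'

# Print "count ip" for every source IP with at least $1 failed password
# attempts in the sample log. fail2ban's sshd jail does the same with a
# findtime window and then adds a firewall rule; this only does the counting.
ban_candidates() {
  maxretry="$1"
  printf '%s\n' "$SAMPLE_AUTH_LOG" |
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c |
    awk -v max="$maxretry" '$1 >= max { print $1, $2 }'
}

# Constructed sshd_config fragments: the weak setting the thread warns about,
# and its hardened counterpart (key-only auth, no root password login).
WEAK_SSHD_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes'

HARDENED_SSHD_CONFIG='Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthenticationMethods publickey'

# Exit 0 only when password auth is off and root cannot log in with a password.
# An absent PasswordAuthentication line counts as "yes" (the sshd default);
# an absent PermitRootLogin line counts as "prohibit-password" (OpenSSH >= 7.0).
audit_sshd_config() {
  cfg="$1"
  pw=$(printf '%s\n' "$cfg" |
    awk 'tolower($1)=="passwordauthentication" {v=tolower($2)} END {print (v=="" ? "yes" : v)}')
  root=$(printf '%s\n' "$cfg" |
    awk 'tolower($1)=="permitrootlogin" {v=tolower($2)} END {print (v=="" ? "prohibit-password" : v)}')
  [ "$pw" = "no" ] && [ "$root" != "yes" ]
}

# Stand-alone usage.
echo "ban candidates (maxretry 5):"
ban_candidates 5
if audit_sshd_config "$HARDENED_SSHD_CONFIG"; then
  echo "hardened config: OK"
fi
if ! audit_sshd_config "$WEAK_SSHD_CONFIG"; then
  echo "weak config: password auth or root password login still enabled"
fi
```

Against the sample, only 198.51.100.7 crosses a threshold of 5; lower maxretry to 2 and 203.0.113.9 shows up too, which is the usual tuning trade-off between catching slow scanners and banning someone who fat-fingered a passphrase. The audit is the point the second commenter makes: with the hardened fragment in place, the failed-password lines are noise, because no password is ever checked.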