@adangerbartels I used to have all my machines on static addresses and only firewalled on the machines themselves.The worst that happened was I stupidly installed Windows 2000 and didn't install SP4 quick enough, and it became a spam relay for a few hours Nowadays my router is an old server running OPNsense, which has some firewall rules, and everything else is on a DMZ with 1:1 static NATs (annoyingly - my ISP won't give me a proper subnet).Because most of my servers run web servers, I run a script that searches the logs for obvious script-kiddie type stuff (eg requests for "../../", "/admin" (when I don't have an admin page etc).The unique addresses get stored in a text file which is web-accessible, and then OPNsense picks up these files from each web server every few minutes and adds them to a block list, so all my devices are protected.Atm, most of my servers have picked up a few hundred IPs, but right now, my Mastodon server has flagged 24k, erk!! I'd better check that out now .I also download the @stratosphere blocklists daily, and I have manually blocked some IPs (like Metas IPv4 and IPv6 scanners).So far so good, I have been doing this for over 3 years, and I have been fine.I used to expose SSH to the internet, but not any more - I just use Wireguard (which is built into OPNsense) first before I connect to any admin interfaces using the internal addresses.If you wanted to try doing a security scan, you could try this: https://openvas.org/I've not used it for a while, but it was good, and the free version was enough for me to check for "low-hanging fruit".I hope that helps. Feel free to ask me questions
