I've found great success using a hardened ssh config with a limited set of supported Cyphers/MACs/KexAlgorithms. Nothing ever gets far enough to even trigger fail2ban. Then of course it's key only login from there.
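As an added example (not from the comment above), here is a hardened sshd_config drop-in of the kind described, plus a small POSIX sh audit that checks a config file for key-only login and for legacy algorithms left in the negotiable lists. The drop-in path, the algorithm allowlists and the legacy-algorithm list are my assumptions; check `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` on your own OpenSSH version before adopting them.

```shell
#!/bin/sh
# Added example, not from the original comment. Writes a hardened sshd_config
# drop-in (algorithm choices are assumptions; verify against `ssh -Q`) and
# audits a config file for key-only login and legacy algorithms.

# write_hardened_config FILE: write the constructed hardened drop-in to FILE
write_hardened_config() {
  cat > "$1" <<'EOF'
# Key-only login: no passwords, no keyboard-interactive prompts
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
# Restrict what the server will negotiate; anything else fails at the handshake
KexAlgorithms sntrup761x25519-sha256@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
EOF
}

# audit_config FILE: return 0 when FILE disables password and keyboard-interactive
# auth and offers none of the legacy algorithms listed below; otherwise print
# each finding and return 1.
audit_config() {
  f="$1"
  rc=0
  for directive in "PasswordAuthentication no" "KbdInteractiveAuthentication no"; do
    if ! grep -Eiq "^[[:space:]]*${directive}[[:space:]]*\$" "$f"; then
      echo "missing: $directive"
      rc=1
    fi
  done
  # Collect every algorithm name offered under the four list directives,
  # one per line, so names are compared exactly rather than by substring.
  offered=$(grep -Ei '^[[:space:]]*(Ciphers|MACs|KexAlgorithms|HostKeyAlgorithms)[[:space:]]' "$f" \
    | awk '{print $2}' | tr ',' '\n')
  for weak in hmac-sha1 hmac-md5 3des-cbc arcfour diffie-hellman-group1-sha1 \
              diffie-hellman-group14-sha1 ssh-rsa ssh-dss; do
    if printf '%s\n' "$offered" | grep -qx "$weak"; then
      echo "legacy algorithm offered: $weak"
      rc=1
    fi
  done
  return "$rc"
}
```

Typical use is `write_hardened_config /etc/ssh/sshd_config.d/50-hardened.conf` on a distribution whose main sshd_config includes that directory, then `sshd -t` (which parses the included files too) before reloading the daemon; `audit_config` on the merged config is a cheap regression check that a later package upgrade or someone's "temporary" password login has not undone the hardening.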
yeah my product is awful but have you seen the other guy
Yeah, it's this. I worked at Epic somewhat recently, and I've since worked with former Cerner/Oracle folks too. To Epic's credit, they've never been acquired, and are better for it.
There's a lot of vocational awe across the board, people genuinely trying their best to make the product good. But healthcare is inherently complicated, because people are complicated. Each individual health system needs it customized to their specific needs, and over time this can get hairy to support. Add on to that that regulations and guidelines literally change every year, and it can become really hard to make headway on more meaningful changes when you're just trying to stay compliant.
This leads to burnout on the software support side, Epic churns through new hires like crazy - average tenure has been way down since COVID-19 (you can Google their response to that), so it's a revolving door of 21-25 year olds keeping that ship afloat.
Also, yes, insurance companies are the ones making the big money, by a mile.
Agree with others, Vaultwarden is probably your best bet. I've found the default app to be a little flaky, but ended up using Keyguard, which I've found really good.
I used to use KeePass+Syncthing, but found sync conflicts too often (due to Syncthing support for Android), hence the switch.
I used to drive on State Line past that lot full of Teslas daily, always saw a ton of Cybertrucks just sitting. Once Musk started getting so much (more) hate I figured it was a matter of time before someone torched it.
Also, I always find it funny how it's totally just a road that divides the states, I'd drive to work and be "in" Missouri and drive home "in" Kansas lol
You don't have to do anything else with the domain, it'll work fine for email only.
You could add it to Proton, take your time to migrate all your accounts, then dip. Or you could just go straight to a new provider with the domain, and take your time transitioning accounts to the custom domain over time that way. Assuming Proton's free offering is sufficient, you can always keep it around and set up forwarding to your custom domain.
Regarding domain name setup itself, Proton should provide steps for how to do it correctly, but I found them to be a bit fiddly (might have improved, this was a few years ago) - when I moved to Zoho I found it much easier. If you're using Cloudflare for the domain registration, Zoho can basically do it all automatically (click a few links and accept the proposed changes).
If you're looking to shake up your email provider in the wake of this, I highly recommend getting a custom domain name, whatever provider you choose. Cloudflare sells domains at cost. Get a not-embarrassing .com of your own, and then you can move email providers in future without losing continuity. Proton allows exporting .eml files, which you can then import into your next provider. Or just keep them in cold storage and declare email bankruptcy. Once you have a custom domain, you can use unique emails for all your services by setting up a catchall address. This will at least impede credential stuffing attacks, and let you know who sold/leaked your address if you do get spam.
I personally left Proton a month or so ago after the last bit of drama, in part out of principle, but also because their offering is just really expensive for my use case: I just want email, on a budget, with reasonable privacy. Plus I was tired of not having IMAP support and being locked into their clients. Moved to a Zoho business account (for now) and have been happy for the $12/yr. I already had a domain name, but they typically run <$20/year too.
Ah then I'd recommend keeping the existing machine as the server (it sounds like it's serving you well hardware wise), and getting an SFF machine for regular desktop use, be that a new build or a used office machine. The trick will be in migrating the server to Linux, without endangering your data in the process.
In short, I'd recommend option B/C, where you buy used enterprise grade equipment, learn to run Linux, and build out that way. I can't overstate just how good a deal can be had on eBay, even from reputable sellers. This goes for everything, from the computer itself, to disk shelves, to HDDs and SSDs. Plus you're reducing e-waste! Used HDDs are a great deal if you buy enough to run redundancy (RAID 6 or equivalent), because the seller will often include a warranty (up to 5 years!). I've only had a handful of drive failures and 0 issues with warranty refund/exchanges.
You're running roughly the same services as I do (though a bit more storage), so if it means anything, I've ended up using the following (all purchased used):
::: spoiler spoiler
- HP Z440 Workstation (upgraded over time)
  - CPU: Intel Xeon E5-2698 V4 (20 core)
  - RAM: 128GB DDR4 2133MT/s
  - GPU: Intel Arc A380
  - Storage: Boot SSD + HBA card for bulk storage
- 2 x Dell EMC KTN-STL3 JBOD
  - 15 x 3.5" bays
  - Mix of HDDs spread across the two JBODs
    - 7 x 12TB
    - 6 x 14TB
    - 6 x 10TB
    - 2 x 16TB
    - 1 x 8TB
- 1 x HP QR490A JBOD
  - 24 x 2.5" bays
  - Mix of SSDs
    - 6 x 3.84TB
    - 5 x 1TB
:::
Broadly, I find the following with my setup:
Pros
- Easily expandable storage using an HBA
- High reliability (ECC memory, server grade equipment)
- Used equipment is cheap
Cons
- Running mostly older-gen hardware, not cutting edge performance
Yeah a lot of those look moderately benign (waving away media, for example). Best case scenario it's an unfortunate habit that happens to make him look like a Nazi... At the same time, I'd expect someone to break the habit to distance themselves from it.