I admin a handful of cloud-based (VPS) servers for the company I work for.

The servers are minimal ubuntu installs that run bits of LAMP stacks / inbound data collection (rsync). The data is large but not personal, financial or anything like that (ie not that interesting)

Clearly on here people are forever asking about configuring firewalls and such like.

I use a bunch of approaches to secure the servers, for example (but not restricted to)

• ssh on non standard ports; no password typing, only known ssh keys from known ips for login etc
• https, and restricted shells (rssh) generally only from known keys/ips
• servers are minimal, up to date and patched regularly
• use things like rkhunter, cfengine, lynis denyhosts etc for monitoring

I have extensive experience of unix sys admin. I'm confident I know what I'm doing in my setups. I configure /etc files. I have never felt a compelling need to install stuff like firewalls: iptables etc.

Put aside for a moment the issues of physical security of the VPS.

Q? I can't decide whether I am being naive or the incremental protection a fw might offer is worth the effort of learning / installing and the additional complexity (packages, config files, possible support etc) on the servers.

To date (touch wood) I've never had any problems with security but I am not complacent about it either.