• 0 Posts
  • 3 Comments
Joined 3 years ago
Cake day: June 14th, 2023

  • I ran Matrix for like a year, and pretty much hated every minute. It was fragile, complicated, and incredibly, bafflingly resource intensive. Matrix is an overengineered nightmare in my opinion, and it seems to be quickly distancing itself from self-hosters while pursuing enterprise usage. Neat technology, horrible implementation, misguided company.

    XMPP is a breath of fresh air in comparison. Just like we still use email everywhere (even for authentication nowadays, fun!), XMPP is not obsolete simply because it’s older. It’s a solid foundation, plenty extensible, and does almost everything I can imagine needing to do without unnecessary complexity.

    Matrix’s bridges are its killer feature, and it’s nice… when it works. But it’s simply not worth the headache of dealing with Matrix, in my opinion.


  • I don’t want the free petition websites online getting my personal network’s info and sharing or selling it, hence the interest in self hosting.

    So either you’re creating a petition with a size of exactly “1” or you’re asking other people to trust YOU with their personal info instead, or you’re asking for a federated solution (extremely difficult to establish a verifiable web of trust framework, and STILL shares your “personal network’s info” whenever it federates or validates its data to dozens of other servers).

    None of these scenarios are viable for creating a petition that anyone is going to take seriously (to the extent that anyone takes petitions seriously at all).


  • fail2ban mainly, but also things like scaling login delays (some sort of option often built into the software you’re running, but just as often not configured by default), or, if you’re feeling particularly paranoid, account locking after too many failures, and in general just not using default, predictable, common usernames or weak passwords, and honestly it’s even helped a bit by having slow hardware and throttled network bandwidth.

    The goal is to make it so that someone can’t run a script that sends 100 million login attempts per second for common or stolen usernames and passwords and your server just helpfully tries them all and obediently tells them none of those worked… until one of them does.

    Not only does this encourage them to TRY sending 100 million login attempts per second because your server isn’t refusing it, which is a huge waste of bandwidth and resources, it also makes it really likely that they’re eventually going to guess one right.
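
The scaling login delay and temporary lock described in the comment above, as an added example (not the commenter's code and not how fail2ban itself works). The class name, the thresholds and the `username|source-ip` key format are assumptions chosen for illustration.

```python
import time


class LoginThrottle:
    """Per-key (e.g. username + source IP) scaling delay with a temporary lock."""

    def __init__(self, base_delay=1.0, max_delay=300.0,
                 lock_after=10, lock_seconds=3600.0, clock=time.monotonic):
        self.base_delay = base_delay      # wait after the first failure
        self.max_delay = max_delay        # cap for the doubling delay
        self.lock_after = lock_after      # consecutive failures that trigger a lock
        self.lock_seconds = lock_seconds  # length of the temporary lock
        self.clock = clock                # injectable so the logic can be tested
        self._state = {}  # key -> (consecutive failures, earliest next attempt)

    def retry_after(self, key):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, not_before = self._state.get(key, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def attempt(self, key, verify):
        """Run verify() only if the key is not throttled; return (ok, wait).

        A throttled attempt never reaches verify(), so guesses that arrive
        faster than the allowed rate are refused without being tested.
        """
        wait = self.retry_after(key)
        if wait > 0:
            return False, wait
        if verify():
            self._state.pop(key, None)  # a successful login resets the counter
            return True, 0.0
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= self.lock_after:
            delay = self.lock_seconds
        else:
            # 1x, 2x, 4x, ... the base delay, capped at max_delay
            delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[key] = (failures, self.clock() + delay)
        return False, delay
```

In a real service the state table needs expiry so it cannot grow without bound, and the response sent to the client should be the same for a throttled attempt and a wrong password.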