I agree with your questions to be asked if an attack succeeds but...
> ufw/iptables/nftables won't stop local binaries from opening outbound connections
Wait... Of course iptables/nftables can be used to prevent anything local from opening outbound connections. You can, say, easily have a firewall which only allows "NEW" traffic to be inbound traffic on either port 22 or 443.
They're called stateful firewalls for a reason.
For example on Debian you could configure the firewall so that the only user allowed to emit new traffic to get updates is the (/nonexistent:/user/sbin/nologin) user "_apt".
And for all those (not you) talking about the "cattle vs pet" thing, all this can be automated by hardening scripts you run exactly once, once you set up the server.
It's not because there are guides out there that every step in these guides has to be done manually, each time you configure a new server.
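An added example of the kind of ruleset the comment describes, written as an nftables script (not the commenter's own configuration): inbound NEW connections only on 22/443, outbound NEW connections only from the unprivileged _apt user, everything else logged and dropped. It assumes the inet family, static addressing (a DHCP client would need its own outbound rule), and that apt fetches over HTTP/HTTPS and resolves names from that uid; the ports and user name are parameters.

```shell
#!/bin/sh
# Stateful host firewall in the spirit of the comment above (added example, assumptions noted).
# Default: print the ruleset. With "apply": validate it with nft --check, then load it (needs root).
set -eu

# Emit the ruleset as text. Arguments: SSH port, HTTPS port, update user (defaults 22 443 _apt).
apt_only_ruleset() {
    ssh_port="${1:-22}"
    https_port="${2:-443}"
    update_user="${3:-_apt}"
    cat <<EOF
flush ruleset
table inet hardened {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        tcp dport { ${ssh_port}, ${https_port} } ct state new accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, parameter-problem } accept
        log prefix "fw-in-drop: " drop
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state invalid drop
        ct state established,related accept
        # Only the apt user may open new connections: DNS plus the mirror ports (assumption).
        meta skuid "${update_user}" udp dport 53 ct state new accept
        meta skuid "${update_user}" tcp dport { 53, 80, ${https_port} } ct state new accept
        log prefix "fw-out-drop: " drop
    }
}
EOF
}

# Validate the generated ruleset, then load it atomically into the kernel.
apply_ruleset() {
    apt_only_ruleset "$@" | nft --check -f - && apt_only_ruleset "$@" | nft -f -
}

if [ "${1:-}" = "apply" ]; then
    shift
    apply_ruleset "$@"
fi
```

Run `sh harden-fw.sh apply 22 443 _apt` as root to load it; the `fw-out-drop:` log prefix is what you would grep for to spot a local binary trying to phone home.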