LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

View Poll Results: How often do you scan your Linux Computer(s)?
I am so paranoid I scan it more than once a day... 0 0%
Once a day. 4 13.79%
Once a week. 0 0%
Once a month. 2 6.90%
A few times a year. 11 37.93%
Depends really on what I am doing. Can be often or not. 12 41.38%
Voters: 29.

Old 11-01-2010, 07:10 PM   #31
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 411

Rep: Reputation: 43

Quote:
Define "extra security"?
I don't think so dude. Sorry. I'm not playing that game.

I'll make you a deal... you define "Reasonable Security" and I'll define "Extra Security".
 
1 members found this post helpful.
Old 11-02-2010, 04:17 AM   #32
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Quote:
Originally Posted by unSpawn
Given the fact that some OS installations are not that well-protected out of the box (Ubuntu's Remote Desktop comes to mind, see for instance the reports on Ubuntuforums), some users not knowing or caring for any security and the amount of hosts being compromised through the web stack still, I disagree.
Yes, well, I guess on Ubuntu, maybe. I think it would be better for Ubuntu to change, rather than having to do extra to keep it secure.

Reasonable security to me is:
1) Use strong passwords (not anything in a dictionary or a name).

2) Firewall (can be on a router, although usually not as configurable, or regular netfilter/iptables).

3) Disable any service that uses a port that you don't need, especially remote login.

4) Scan with rkhunter, chkrootkit, and maybe clamav.

5) If you use sudo, make sure you configure it in a sane manner, unlike Ubuntu.

6) Checksum packages (probably automatic).

I would think that on a non-Ubuntu desktop, this is reasonable security.

Now, on a server, you can and should do more than this.

P.S. I also know the motto of the Security forum: Too much security is never enough. This is also why I seldom reply to anything here.

Last edited by H_TeXMeX_H; 11-02-2010 at 04:30 AM.
 
1 members found this post helpful.
Old 11-02-2010, 04:37 AM   #33
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Being a security freak, here is my setup, from power on:

bios password
(bootloader password when I need to edit or change something)
LUKS password
default boots to init 3
log in using standard user, then to root to init 5 if needed (most of the time I do)
log in standard user for gui

as far as scanning my system, I have cron scripts set up for both ClamAV and rkhunter
for Firefox, I have NoScript, Redirect Remover, Adblock Plus, Ghostery, BetterPrivacy, User Agent Switcher, plus a few other tools and dev tools I use.

there is a lot more to my system, including my IDS (snort), and real-time alerting on my desktop via conky, as well as system stats through conky. I have screenshots in the "post your desktop" thread. I have a lot going on, and I love it. But once again, I am a security freak.

also to add - I am running a custom kernel, and custom iptables setup which drops everything that I don't initiate.

Last edited by corp769; 11-02-2010 at 04:54 AM. Reason: added more...
 
Old 11-02-2010, 08:48 AM   #34
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 411

Rep: Reputation: 43
I'll share a quick story with you all...

I've been hacked once. It was years ago when the scripts for password guessing were first getting hot on the Internet. I used to have an account on my system called "guest" and the password was "guest" so visitors could get on and use my computer. It was guessed (imagine that?) and the person tried to install a spam relay with a PHP script. The visit was short and he didn't get anywhere. The IP was from Romania.

I was compromised but the damage was minimal because I was generally doing other things that were quite effective. Strong passwords for other accounts, the file system was reasonably locked down, I was running a firewall, services I didn't need were not running, etc. I know more now than I did then. But even in that case I had enough security for my system. Clean up didn't take very long.

So I learned not to keep that guest account anymore. I keep learning. There are even a few ideas I've gleaned from people's responses here. I love LUKS to protect my mobile file systems. It's awesome and it works well. iptables, awesome. I was able to write scripts to minimize and block those repeated attacks from script kiddies.

10 years ago things were not as good as they are now. We have tons of tools and things to help us out and make it easier. In addition, distros are generally doing better default installs than they used to. Nowadays it's easier for users to follow a few good guidelines and have a fairly secure system. It's really hard to exploit a Linux system. And even if that's successful, it's often not very useful to do so. Compare that to Windows. Our lives are way better than the common computer user.
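
The kind of log check that sits behind blocking repeated password-guessing, as an added example that is not part of the original post and not meetscott's own scripts. It assumes OpenSSH's standard `Failed password ... from IP port N ssh2` log line; the sample log, its addresses (documentation ranges) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find sources of repeated failed SSH password logins and
# print (not apply) iptables rules for them. Function names are hypothetical.

# Constructed sample in OpenSSH's log format; IPs are documentation ranges.
sample_log() {
cat <<'EOF'
Nov  1 03:12:01 host sshd[2101]: Failed password for invalid user guest from 203.0.113.7 port 40112 ssh2
Nov  1 03:12:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Nov  1 03:12:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Nov  1 03:12:09 host sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 40150 ssh2
Nov  1 03:12:11 host sshd[2111]: Failed password for invalid user x from 192.0.2.99 from 203.0.113.7 port 40160 ssh2
Nov  1 08:30:44 host sshd[2300]: Failed password for scott from 198.51.100.23 port 51514 ssh2
Nov  1 08:30:51 host sshd[2300]: Accepted password for scott from 198.51.100.23 port 51514 ssh2
EOF
}

# offenders MIN: read log lines on stdin, print "count ip" for each source
# with at least MIN failures. The address is taken relative to the END of the
# line because the user name is chosen by the remote side and may itself
# contain " from 192.0.2.99", which would mislead a first-match parser.
offenders() {
    awk -v min="$1" '
        NF >= 5 && /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" &&
        $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { fails[$(NF-3)]++ }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

# block_rules MIN: turn the offenders into iptables DROP rules for review.
# Only IPv4-shaped values reach this point (checked in offenders above).
block_rules() {
    offenders "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP  # %s failed logins\n' "$ip" "$count"
    done
}

# Stand-alone run over the constructed sample, threshold of 3 failures.
sample_log | block_rules 3
```

The rules are only printed, so they can be reviewed (and a trusted address excluded) before anything is applied as root.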
 
Old 11-02-2010, 10:56 AM   #35
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Quote:
Originally Posted by meetscott
I'll share a quick story with you all...

I've been hacked once. It was years ago when the scripts for password guessing were first getting hot on the Internet. I used to have an account on my system called "guest" and the password was "guest" so visitors could get on and use my computer. It was guessed (imagine that?) and the person tried to install a spam relay with a PHP script. The visit was short and he didn't get anywhere. The IP was from Romania.

I was compromised but the damage was minimal because I was generally doing other things that were quite effective. Strong passwords for other accounts, the file system was reasonably locked down, I was running a firewall, services I didn't need were not running, etc. I know more now than I did then. But even in that case I had enough security for my system. Clean up didn't take very long.

So I learned not to keep that guest account anymore. I keep learning. There are even a few ideas I've gleaned from people's responses here. I love LUKS to protect my mobile file systems. It's awesome and it works well. iptables, awesome. I was able to write scripts to minimize and block those repeated attacks from script kiddies.

10 years ago things were not as good as they are now. We have tons of tools and things to help us out and make it easier. In addition, distros are generally doing better default installs than they used to. Nowadays it's easier for users to follow a few good guidelines and have a fairly secure system. It's really hard to exploit a Linux system. And even if that's successful, it's often not very useful to do so. Compare that to Windows. Our lives are way better than the common computer user.
The point of monitoring is to limit damage when prevention fails, and it appears to have saved you once before. There certainly isn't anything wrong with focusing on preventing attacks. However, there is something wrong with completely ignoring detection. Monitoring will always play a role in security, because there will always be residual risk.

As Bruce Schneier said, monitoring is the first thing you should do to determine what attacks you face, so you know what countermeasures to implement. It also lets you trust your computer by verifying your preventative controls are working.
 
Old 11-02-2010, 12:06 PM   #36
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 411

Rep: Reputation: 43
Quote:
The point of monitoring is to limit damage when prevention fails, and it appears to have saved you once before. There certainly isn't anything wrong with focusing on preventing attacks. However, there is something wrong with completely ignoring detection.
OlRoy, are you aware that I maintain a monitoring and detection package? I hardly consider that ignoring.

I guess I'm sometimes disgusted with people just shooting their mouths off. I quit Slashdot years ago because of this. I mean this in all sincerity, go back there. We simply don't do that to people here.

I agree with the statement that there is something wrong with ignoring detection. I guess that's why I maintain that Samhain build. Did you really mean to direct it towards me? I'm really sorry to pounce on someone if it was simple misspoken language.
 
Old 11-02-2010, 12:18 PM   #37
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Quote:
Originally Posted by meetscott
OlRoy, are you aware that I maintain a monitoring and detection package? I hardly consider that ignoring.

I guess I'm sometimes disgusted with people just shooting their mouths off. I quit Slashdot years ago because of this. I mean this in all sincerity, go back there. We simply don't do that to people here.

I agree with the statement that there is something wrong with ignoring detection. I guess that's why I maintain that Samhain build. Did you really mean to direct it towards me? I'm really sorry to pounce on someone if it was simple misspoken language.
Yes, it was directed at you. However, I didn't notice you maintained Samhain so I guess I misinterpreted some of what you said. No need to get your panties in a bunch.
 
Old 11-02-2010, 12:44 PM   #38
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 411

Rep: Reputation: 43
Quote:
No need to get your panties in a bunch.
Ahhh nooo. Hell no. These panties are totally wrecked.

From H_TeXMeX_H:
Quote:
P.S. I also know the motto of the Security forum: Too much security is never enough. This is also why I seldom reply to anything here.
I think you might be on to something with this.

No hard feelings OlRoy.
 
Old 11-02-2010, 01:14 PM   #39
Amdx2_x64
Member
 
Registered: Jun 2008
Distribution: Left LQ. Mods are too Rude!
Posts: 598

Original Poster
Rep: Reputation: 50
Quote:
Too much security is never enough.
This is how I feel. Not from a paranoid angle but just because of how things are these days and the likely direction they will keep going in.

Edit: Plus it is fun to learn about security. There is so much it never gets dull.

Last edited by Amdx2_x64; 11-02-2010 at 01:24 PM.
 
Old 11-03-2010, 03:01 AM   #40
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Quote:
Originally Posted by Amdx2_x64
This is how I feel. Not from a paranoid angle but just because of how things are these days and the likely direction they will keep going in.
So, how is that? How are things these days?
 
Old 11-03-2010, 03:15 AM   #41
Amdx2_x64
Member
 
Registered: Jun 2008
Distribution: Left LQ. Mods are too Rude!
Posts: 598

Original Poster
Rep: Reputation: 50
Quote:
Originally Posted by H_TeXMeX_H
So, how is that? How are things these days?

Here are a couple of things.

The fact so much user data/profiles/browsing history/etc is stored online by various companies and others alone is reason enough. And with Cloud computing it will get much worse (I have never been a fan of Cloud Computing anyways.) Not to mention the lack of concern many have about sharing personal information or clicking anything (flash games, Java Games and so on.) Facebook, MySpace are perfect examples of this. And some companies not caring about user privacy and even selling user information or having it "Accidentally Exposed," somehow.

Last edited by Amdx2_x64; 11-03-2010 at 11:58 AM.
 
Old 11-03-2010, 03:23 AM   #42
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Privacy is not the same thing as security, so if you're concerned about privacy, you may want to start a new thread. For privacy, you mostly have to customize Firefox to block all the BS they throw at you. I don't have Flash installed, I download the mp4 instead from YouTube.

For FF I have the very much needed Adblock, NoScript, Greasemonkey.

I also stay far away from Google and the Cloud (of doom).
 
Old 11-03-2010, 03:26 AM   #43
Amdx2_x64
Member
 
Registered: Jun 2008
Distribution: Left LQ. Mods are too Rude!
Posts: 598

Original Poster
Rep: Reputation: 50
Quote:
Originally Posted by H_TeXMeX_H
Privacy is not the same thing as security, so if you're concerned about privacy, you may want to start a new thread. For privacy, you mostly have to customize Firefox to block all the BS they throw at you. I don't have Flash installed, I download the mp4 instead from YouTube.

For FF I have the very much needed Adblock, NoScript, Greasemonkey.

I also stay far away from Google and the Cloud (of doom).
I disagree. Privacy and Security can go hand in hand. For example the information that was stolen from users can help someone get a profile of that person, their habits, where they live, etc. Then it goes from privacy into security. If a person's privacy is at risk or stolen then someone could easily try and hack into that person's computer, which goes back to security. With all the information being stored on users' habits and some actually giving it away freely, it has the potential of getting real messy, real fast.

Edit: My FF list is: NoScript (a must,) Redirect Remover, Adblock Plus, Better Privacy and Ghostery.

Last edited by Amdx2_x64; 11-03-2010 at 04:39 AM.
 
Old 11-03-2010, 08:33 AM   #44
meetscott
Samhain Slackbuild Maintainer
 
Registered: Sep 2004
Location: Phoenix, AZ, USA
Distribution: Slackware
Posts: 411

Rep: Reputation: 43
I can't speak for all "Cloud" (I hate buzzwords) solutions, but I use the Amazon Cloud in a business and it absolutely rocks! For those who don't know this latest, mindless technology cliche, Clouds are just virtualized instances for sale, at least as Amazon is provisioning it. There are other interpretations. Let's not fret over a word that is meant to be intentionally vague.

I would think the people here would generally embrace the cloud because they are generally provisioned as Linux instances and their default security preferences are better than most distros out of the box. Amazon has the majority of the Cloud market right now and the majority of those are running Linux. It's cheap and it can scale.

I also have a Slack box I've colocated for years, but that was before the Cloud was available. I still have it and I'll keep it out there for now, but cost wise, it is making less and less sense. I wouldn't go out and buy the hardware now. But that was then and now there are other options. When it dies, I'm going cloud with that box too.

If guys like the paranoid schizophrenics on this forum are administering it, I'd think it would be a pretty safe option. Cloud or not, companies misuse and mistreat customers. From a technology standpoint, the Cloud is awesome. You just don't get to get out of doing the admin work that always goes along with managing any Linux system. You get a free pass on hardware, initial investment, scaling, network infrastructure, and you get some handy dandy extra tools provided by RightScale.

You should try it before you knock it. For the most part, it's just the same Linux we have come to know and love. It's a really cheap way to run a server on the Internet.

Last edited by meetscott; 11-03-2010 at 08:40 AM.
 
Old 11-03-2010, 02:12 PM   #45
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Well, that's where I draw the line with privacy. I'm never using any cloud apps, I want my data to stay on my HDD. I'm not quite as paranoid about privacy as many on here, but I do know that they plan on turning computers into terminals, with your data being stored on their servers.

I also don't think the Cloud is anything but vaporware being marketed as a wonder of technology, with a diabolical scheme in the background. I have no use for the cloud.

I've also had enough of this thread.

Last edited by H_TeXMeX_H; 11-03-2010 at 02:14 PM.
 
  



All times are GMT -5.
