Linux security

>>60368109
>using security tools
Are you new?

Clamav for scanning remote storage and email attachments for windows malware.

First time I hear about rkhunter, will check it out.

i run nothing as root, install only from known sources, block all ads, don't have flash.

git clone $repo
cd $repo_dir
if [ $(grep -rE "virus|malware|telemetry|eula|EULA" . | wc -l) == 0 ]; then 
    ./configure
    make
    sudo make install
fi

>asking about security
>in a board that preaches linux
>because windows has no security
>but nobody is interested in linux security

this is the /g/meme. nobody gives a fuck about security on this board. too many of these fags complain windows is insecure but then have no desire to learn /sec/.

>>60368109
On my desktops I don't think there is really anything special I need to do, they are behind a router with firewall so they arent open to the world, and I only install from my distro repos and don't run anything as root unless it is required for a reason, and I don't run random scripts from the internet without checking what they do

On basic web servers I got which are exposed to internet I usually setup Fail2Ban to ban brute forcing IP addresses, disable root login to SSH without password if not already disabled by default, restrict access to only specific user through SSH, and of course use strong passwords (which you should do anyway everywhere)

Missing anything necessary?

>>60368109
Antivirus shit is only nesaacary if you're a retard

>>60368109
>install programs only from official repos

That's about all you need to do, if the official repos get compromised there isn't much you can do but hold off on updates.

>>60368184
It's not great.

>>60368109
Nothing because linux is so secure that despite being by far the most used kernel, exploits can virtually never be used and are almost never seen in the wild.

>>60369466
this couldn't be further from the truth. are you saying this ironically or do you actually believe this?

Install a BSD and jails
Write ansible script to bootstrap
Don't carry sensitive data on this OS
Only carry low-level passwords
Scan downloads and only transfer to ssh mount for archiving
Use CLI as much as possible
Check latest security erratta and CVEs on my installed software and rewrite ansible to patch
Reformat and reinstall every month
Install only require packages to work and upload files to the web or for archiving
Use a non gimped bootloader
Write your own architecture for the future

>>60369466
What if Linux users are so fucked they dont know?

>>60369653
>using an os without aslr

>>60368109
ClamAV is only if you're running a mail server that will go to windows computers.

File: 0a79707f7df20bf920f8a18af23f40dcd8f44a6d.png (80KB, 500x354px) Image search: [Google]

80KB, 500x354px

I do not use su or sudo, my user session never goes root.

I log as root on virtual console after sysrq+k only.

>>60369905
an attacker can still do privilege escalation through kernel exploits though

>>60369939
I know.

>>60369514
>>60369679
Sorry Windows guys, Linux is just too solid. I mean if Linux was as easy to exploit as Windows, company's servers would be held at ransom all the time.

>>60370023
while it's not EASY to exploit, 0days are fairly common and found on a semi-regular basis. so you're wrong.

>>60368109
Use this guide https://pastebin.com/5XfDX4wL

Needs to replace grsec for RSBAC and it gets pretty hardcore with each level, but is your choice how much secure you want to get

>>60371397
Has anybody forked grsecurity yet?

>>60368109
I'm lazy so it is Maldet+ ClamAv or ConfigServer eXploit Scanner + ClamAV combined with rkhunter and often ebury checks as that shit spreads like wildfire.