Geoff Galitz wrote:
> Making the bar higher, even in little increments, is a basic tenet of
> systems security. Never dismiss the power of baby steps.

Keep in mind diminishing returns with those baby steps.

Of the ~500-600 systems I've worked on over the past 10 years, the only ones that were confirmed to be compromised were ones that were placed directly on the internet (not by me) and weren't kept up to date with patches. I think I worked on 3 such systems.

- keep up to date on patches
- if on the internet, lock ssh down to ssh key auth only, try to run a tight firewall on other ports.
- don't allow untrusted local accounts
- Run only well-tested programs (especially when it comes to webapps) with a good track record wherever possible
- If at all possible do not put any server directly on the internet (98% of my systems reside behind load balancers, which is a form of firewall since only ports that are specifically opened are allowed through)

To date I haven't needed things like NIDS/HIDS (too many false positives), or things like SELinux (PITA). After this long, and so many systems, I don't think luck plays a big role at this point. The servers I manage for my employer receive roughly 2 billion web hits per day.

If you can manage those things, the chance of being compromised is practically zero, barring some remote evil organization that has bad guys specifically out to get you.

nate
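As an added example (not part of Nate's post or the thread), a POSIX sh check for the "ssh key auth only" item on his list: two constructed sshd_config fragments, one weak and one hardened, and a function that reports whether a config read from stdin still allows password or keyboard-interactive logins. The keyword defaults assume OpenSSH behaviour; Match blocks, Include files and the "Keyword=value" spelling are not evaluated.

```shell
#!/bin/sh
# Constructed sample: password logins still allowed (the weak setting).
WEAK_CFG='Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes'

# Constructed sample: key-only logins (the corrected setting).
HARD_CFG='Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password'

# first_value KEYWORD DEFAULT: the value of the first occurrence of KEYWORD
# in $cfg (sshd honours the first one), or DEFAULT when it is absent.
# Keywords are case-insensitive; "#" comment lines never match.
first_value() {
    v=$(printf '%s\n' "$cfg" | awk -v k="$1" 'tolower($1)==k {print tolower($2); exit}')
    printf '%s' "${v:-$2}"
}

# check_key_only < sshd_config
# Prints "key-only" and returns 0 when password and keyboard-interactive
# auth are off and pubkey auth is on; otherwise prints the offending
# settings and returns 1. Defaults (assumed from OpenSSH docs): all three yes.
check_key_only() {
    cfg=$(cat)
    pw=$(first_value passwordauthentication yes)
    pk=$(first_value pubkeyauthentication yes)
    # ChallengeResponseAuthentication is the older alias for the same switch.
    kbd=$(first_value kbdinteractiveauthentication "$(first_value challengeresponseauthentication yes)")
    bad=""
    [ "$pw" = "no" ]  || bad="$bad PasswordAuthentication=$pw"
    [ "$kbd" = "no" ] || bad="$bad KbdInteractiveAuthentication=$kbd"
    [ "$pk" = "yes" ] || bad="$bad PubkeyAuthentication=$pk"
    if [ -z "$bad" ]; then
        echo "key-only"
        return 0
    fi
    echo "password-capable:$bad"
    return 1
}

printf '%s\n' "$WEAK_CFG" | check_key_only || :
printf '%s\n' "$HARD_CFG" | check_key_only
```

On a live host, run `check_key_only < /etc/ssh/sshd_config` (or, better, feed it `sshd -T` output, which already resolves defaults and Match blocks).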