danw1979 4 days ago

The only time I have ever had a machine compromised in 30 years of running Linux is when I ran something exposed to the internet on a well-known port.

I know port scanners are a thing but the act of using non-default ports seems unreasonably effective at preventing most security problems.

rainonmoon 4 days ago

This is very, very, very bad advice. A non-standard port is not a defence. It’s not even slightly a defence.

danw1979 3 days ago

Did I at any point in my previous comment say that using non-standard ports was my only line of defence?

It's security through obscurity, which puts you out of view of the vast majority of the chaos of the internet. It by no means protects you from all threats.

bostik 4 days ago

Correct. From what I understand, Shodan has had for years a search feature in their paid plans to query for "service X listening on non-standard port". The only sane assumption is that any half-decent internet-census[tm] tool has the same as standard by now.

tonyplee 4 days ago

If you do any npm install, pip install ..., docker pull ... / docker run ..., etc. in Linux, it is very easy to get compromised.

I did docker pull a few times based on some web post (looks reasonable) and detected app/scripts from inside the docker connecting to some .ru sites immediately or a few days later....

jraph 4 days ago

I do this too, but I think it should only be a defense-in-depth thing; you still need the other measures.