Magiilaro

If you want to take that from my text then feel free.

Tinkering, in my personal definition, would mean installing third party repositories for the package manager (or something like the AUR on Arch) or performing configuration changes on the system level… Just keep away as most as possible from accessing the root user (including su/sudo) is a general a good advice I would say.

My Arch Linux setup on my desktop and my servers are low-maintenance. I do updates on my servers every month or so (unless some security issue was announced, that will be patched right away) and my desktop a few times a week.

Nearly anything can be low-maintenance with the proper care and consideration.

For your constraints I would use just use Debian, Alma Linux or Linux Mint and stick with the official packages, flathub and default configuration on the system level. Those are low-maintenance out of the box in general.

I only bind applications to ports on the Internet facing network interfaces that need to be reachable from outside, and have all other ports closed because nothing is listening on them. A firewall in this case would bring me no further protection from external threats, because all those ports have to be open in the firewall too.

But Linux comes with a firewall build in, so I use it even if it is not strictly needed with my strict port management regime for my services. And a firewall has the added benefit to limit outgoing network traffic to only allowed ports/applications.

Yeah, that’s why I am against Microsoft Keys on my systems

I fail to see the positive side of that…

Loading BPF code from user space is, I hope, only possible with root access to the system. That would mean that an attacker needs root access to exploit BPF, but if an attacker has root access what stops him/her to do anything they want? At this time the system is lost anyway.

Or am I missing anything?

Yes I can. But I am a Linux system administrator with 20 years of experience. This should not be the level of measurement for stuff like this. 😉

What I meant was: Don’t put a Microsoft master trusted authority in the Kernel, unless one chooses to install a Microsoft distribution. And don’t go the SSL/TLS way with the huge number of default authorities that get installed on every system. It would be a pain to be forced to always build my own Kernel again just to keep Microsoft or any other institution/company that I find untrustworthy out of it.

I hope we will learn from the SecureBoot debacle and not give Microsoft the primary signing keys and infrastructure for this again.

Making errors and analysing them to figure out what went wrong and why is a huge part of learning. You can only learn so much from theory, some things can be learned best by trial and error and the experience gained from it.

When I started with Linux I did choose to use Gentoo Linux because it was the most complex and complicated option, so I had the most opportunities to learn something by ducking up!

Makes me feel like home 🥰

Me, reading the topic while playing Morrowind: “Yeah, that seems correct!”

Solar System objects for my local network and names of extra solar objects for my offside servers. With all the moons and named trans neptunian objects in the solar system I so far had no issues finding a hostname candidate.

My one year old Dell Latitude with a fast SSD needs about 8 minutes every morning to boot windows and start all that security crap that company IT has put on there.