October 3rd, 2006, 11:42 PM
#5
Originally posted here by HTRegz
I don't think you need grsec... I don't think any daily usage, surf the net machine needs grsec... If you want to play with it sure... but it's not necessary... I also don't think an iptables script is needed... If you're behind a NAT device (home router) then the script is useless... secondly you don't want to rely on a firewall to protect you.... What you should do is determine what services you'll require (Do you want a web server, or ssh, or postfix (which generally runs by default on Ubuntu)..if you don't want it... disable it from starting)...
Besides disabling unnecessary services and installing the updates, out of the box you're generally pretty good to go....
So what happens if somebody gets an 0day and uses it on one of his open (fully patched and updated) services?
With grsec he'd have an unexecutable stack, so a good 60-70% of 0days just fail automatically.
Just because you don't need an iron lock on your door doesn't mean you should choose to use it...
until you regret having your house broken into...
But yeah, hosts.allow and hosts.deny are awesome and you should learn to use them, as well. And I disagree with HTRegz, you do need a firewall to protect you. Sure you can have only one or two services up, but will they automatically drop requests from a certain IP after it somehow detected some sort of malicious activity? I don't think those features are built into sshd, or httpd - however a firewall is made specifically to monitor weird traffic. So use it.
If you're really paranoid, build your own router/NAT, or at least put one in between the internet and your network.
...This Space For Rent.
-[WebCarnage]