
#151 2013-10-25 22:52:16

k0s
Member
From: AlexVa
Registered: 2013-08-31
Posts: 26

Re: The paranoid #! Security Guide

testMYorgansLIMITS wrote:

Anybody tried attacking their setup cb using this threads instructions from their local network or a virtual machine or user based? smile

yup ...hammered away at this config from my work environment (/deb/kali/ob) and it has twice scored higher than any configuration in category I've tested. Disclaimer: no brute force attacking and barring distros built on/for security and/or anon use.

But let me apply the brakes on that point. I've been following this thread from the moment it was posted. And I have been a loyal #!er and daily follower of the forum for years. I don't surface for many reasons but this thread has become very important, and I'd like to make a few points.

@SA -> you have mail

(/edit/01/18:54)

@SA -> No private messaging? Well, send me one so I can send you one.

(/edit/02/19:13)

@SA -> delivered

Last edited by k0s (2013-10-25 23:15:55)

Offline

#152 2013-10-25 23:13:30

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

k0s wrote:

@SA -> No private messaging? Well, send me one so I can send you one.

Just sent you one and re-enabled messaging.

Offline

#153 2013-11-17 06:27:55

HELPME
#! CrunchBanger
From: the holley land
Registered: 2013-11-15
Posts: 100
Website

Re: The paranoid #! Security Guide

I have a question
if I don't connect crunchbang to my router can somebody hack my computer through my wireless card that has antennae sticking out of the back of my pc?

I plan on never connecting crunchbang to the internet but I would also like to know if it's possible to download all of the updates/packages onto my other operating system and then transfer them by usb to crunchbang and install the files from there? I know nothing of terminal commands for this, I only know sudo apt-get install stuff needs the internet

or am I being too overly paranoid? ubuntu has that system load indicator app and the network bar has
http://oi39.tinypic.com/21or600.jpg
why are there yellow bars in there if there is no internet access? is it possible to install system load indicator for crunchbang with openbox? then I can be even more paranoid  neutral

Offline

#154 2013-11-17 12:12:15

wuxmedia
wookiee madclaw
From: Back in Blighty
Registered: 2012-03-09
Posts: 1,447
Website

Re: The paranoid #! Security Guide

most people have problems with getting online and you want to be disconnected - sheesh smile
I would think the yellow shows trying to connect activity.
doesn't the #! default conky (the writing on your screen) show if there's a connection?
a simple:

ping -c5 8.8.8.8

should show if you're connected or not.

if you want to be ultra paranoid physically remove the wi-fi card, and unplug the ethernet.
Then build a small faraday cage around your computer (or your building, saves on tinfoil tongue )

Last edited by wuxmedia (2013-11-17 12:14:51)

Offline

#155 2013-11-17 13:17:53

HELPME
#! CrunchBanger
From: the holley land
Registered: 2013-11-15
Posts: 100
Website

Re: The paranoid #! Security Guide

wuxmedia wrote:

I would think the yellow shows trying to connect activity.

but I wasn't trying to connect at the time and waited a minute for it to settle after disconnect

wuxmedia wrote:

doesn't the #! default conky (the writing on your screen) show if there's a connection?
a simple:

ping -c5 8.8.8.8

should show if you're connected or not.

I haven't tried messing with conky yet and don't know how to yet, I have only just installed recently and am using crunchbang for the first time
no my default conky doesn't show what you described

wuxmedia wrote:

if you want to be ultra paranoid physically remove the wi-fi card, and unplug the ethernet.
Then build a small faraday cage around your computer (or your building, saves on tinfoil tongue )

this must happen


I have finally decided to connect to the internet and read everything in the first post of this thread but everything I wrote in my post above is my eventual goal: to remove the internet access completely from this crunchbang system and use my other systems for the internet in case anything goes wrong

I have some questions

snort

I typed

sudo apt-get install snort

and got to the Configuring Snort screen where it's asking me for my "Address range for the local network:" and gives examples such as "192.168.1.0/24 for a block of 256 addresses or 192.168.1.42/32 for just one"
I found cidr which kind of explains the last number that comes after the slash but I still don't know what to put there because I think I only have one address

I was in for more than I bargained for when searching for answers and I am still searching
so far I need to find my subnet cidr and netmask
this says to use ipconfig
the second answer says something I can understand
but then I found this which shows me my ip as google does when I search for "what is my ip"
I will probably take a look at this one day but right now its giving me quite a headache
although I have just found some linux that can potentially do it for me if I can wrap my head around how to make it work for me

so which ip should I use? the one that google tells me or the one from ipconfig? in ipconfig eth0 doesn't seem to have what I am looking for so my only real options there are wlan0 and lo
I am using wifi so I think it's wlan0 but not very positive since lo also has inet addr and mask
but if it's the one that google gives me then should I use the one that this one gives me? In the results section "Network Address:" gives me the xxx.xxx.xxx.xxx/xx layout
actually now I think that site just gives me xxx.xxx.xxx.xxx/32 by default  hmm

I feel so dizzy now

okay I will give one more attempt at thinking this through before making my post
I have thought about it and think the  ifconfig option is the one and to use wlan0 not lo
but I'm not sure and I will use it anyway so hopefully I don't stuff this snort thing up and hopefully I can change it afterwards?

looking back at the headache causer I found "a command-line tool called ipcalc" so I type this

$ sudo apt-get install ipcalc
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  ipcalc
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
E: Could not get lock /var/cache/apt/archives/lock - open (11: Resource temporarily unavailable)
E: Unable to lock directory /var/cache/apt/archives/

and something has gone terribly wrong  sad
but this will not stop me here now!!!!!!!!!!!!!!!!!!!!

nah I am just as confused now because ipconfig's wlan0 gives an inet addr that is really very similar to what I would use to get into my router but they are both different so I am not sure about anything anymore and help is supremely appreciated

Last edited by HELPME (2013-11-17 15:34:02)

Offline

#156 2013-11-17 14:22:53

wuxmedia
wookiee madclaw
From: Back in Blighty
Registered: 2012-03-09
Posts: 1,447
Website

Re: The paranoid #! Security Guide

working mostly backwards;
hopefully in a logical order.
ipconfig shows you your computer's IP. wlan0 or eth0, whichever's (or both) is enabled, or 'up'
The IP is given to you by DHCP (running on your modem/router)
Lo is the loopback - it's pretty much always 127.0.0.1 - this is, mostly, so you can run a webserver on your computer.
Range;
The router normally determines the range.
this is the netmask usually 255.255.255.0 this means the first 4 are locked and the last one changes for your network, not generally being 255 computers on one home network, I think you can lock it down by using the /xx

whatsmyIP is showing you your router's IP as given by the ISP. these can change but are generally in a range owned by the ISP (at that time)
your router is also a NAT box (my preferred name) this means it protects your home computers by allocating IPs that aren't 'real' or inaccessible to the outside world, unless you want it to.

I haven't used snort, if you want to use just one address I would imagine you need the one given by ipconfig.
I have big trouble with cidr. big_smile
oh your install error is simply that it's being used by another process, perhaps synaptic is open?
or you are apt-getting something else?

Last edited by wuxmedia (2013-11-17 14:26:48)

Offline
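As an added illustration of the netmask arithmetic behind snort's "Address range for the local network" prompt (example code written for this thread, not from snort or from any poster): it parses ifconfig-style output, skips lo, and turns the inet addr plus Mask of the first real interface into the CIDR range. The ifconfig text and addresses below are constructed samples.

```python
import ipaddress
import re

# Constructed sample of ifconfig output with the lo / wlan0 / eth0 layout
# discussed in the thread. Addresses are made up.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

wlan0     Link encap:Ethernet  HWaddr 66:77:88:99:aa:bb
          inet addr:192.168.1.42  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
INET_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+).*?Mask:(\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Return {iface: (ip, netmask)} for every interface that has an IPv4 address.
    Interfaces without an 'inet addr' line (eth0 above) are left out."""
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):  # one block per interface
        name_match = IFACE_RE.match(block)
        inet_match = INET_RE.search(block)
        if name_match and inet_match:
            result[name_match.group(1)] = inet_match.groups()
    return result


def prefix_length(netmask):
    """Count the leading one bits of a dotted netmask: 255.255.255.0 -> 24.
    That count is the number after the slash in CIDR notation."""
    bits = "".join(f"{int(octet):08b}" for octet in netmask.split("."))
    if "01" in bits:  # a valid mask is all ones followed by all zeros
        raise ValueError(f"non-contiguous netmask {netmask}")
    return bits.count("1")


def home_net(ip, netmask):
    """Network address in CIDR form, i.e. what the snort prompt expects:
    192.168.1.42 + 255.255.255.0 -> 192.168.1.0/24 (a 256-address block);
    the same host with 255.255.255.255 -> 192.168.1.42/32 (just one)."""
    return str(ipaddress.ip_interface(f"{ip}/{prefix_length(netmask)}").network)


def snort_home_net_from_ifconfig(text):
    """Pick the first non-loopback interface with an address and return
    (iface, cidr). lo is skipped: 127.0.0.1/8 is never the LAN to watch."""
    for iface, (ip, mask) in parse_ifconfig(text).items():
        if not ipaddress.ip_address(ip).is_loopback:
            return iface, home_net(ip, mask)
    return None


if __name__ == "__main__":
    # On a real box: ifconfig > /tmp/if.txt, then feed that file's text in.
    print(snort_home_net_from_ifconfig(SAMPLE_IFCONFIG))
```

The public address a "what is my ip" site shows is the router's outside address, as wuxmedia says, so it never belongs in this range.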

#157 2013-11-17 16:50:52

HELPME
#! CrunchBanger
From: the holley land
Registered: 2013-11-15
Posts: 100
Website

Re: The paranoid #! Security Guide

thanks I retried the sudo apt-get install ipcalc and it worked this time so now I sudo apt-get remove --purge snort and then sudo apt-get install snort and entered the correct details this time so now smooth and hippy snailing with snort  angel

I have since found this all about snort read all about it here

I skipped ahead to the browser-relation stuff and found out that HTTPS Finder "add-on has been removed by its author."
although it can still be found traces of it here and there
I also found this interesting
especially the part about "Quantum physics makes me so happy. It's like looking at the universe naked."

I recommend the collusion plugin now renamed to lightbeam
Gary Kovacs: Tracking our online trackers (T.E.D. talk)
I found collusion again  big_smile

Last edited by HELPME (2013-11-18 05:37:33)

Offline

#158 2013-11-18 02:32:01

Paranior
New Member
Registered: 2013-11-18
Posts: 1

Re: The paranoid #! Security Guide

Hello All!

I just wanted to post saying how awesome this thread is. I've learned a ton. I'm loving the switch from windows to something way more secure. I have a ton of questions.

What I've tried to do with my computer and network is get it generally more secure than most. I'm running the latest stable Debian (i have crunch bang on another partition, love it). I've done basically everything on this tutorial. I'm not a TOR user. I just want privacy and security to watch youtube videos and some skin flicks with good story lines big_smile. I am setting up a VM just to use for flash and java stuff that might be sketchy.

I'm having a hell of a time with my DNS requests. The first thing is that I can't get DNScrypt running because libsodium isn't properly being added to my libraries. The command that the libsodium readme calls for associates libsodium into Debian. I get the error in terminal when making and installing DNScrypt that libsodium isn't found. The readme calls for "On Linux, don't forget to run `ldconfig` if you installed libsodium from source." ldconfig has me confused... Anyways.

Next problem with my network is that my ISP is using transparent DNS proxies. Every DNS request I send from my DHCP settings in DDWRT ends up being force fed, without my permission, to some DNS server I've never heard of. I now use DNSmasq to direct my dns entries network wide to OpenDNS. When I ping non-existent domains I now get openDNS. What confuses me is if I encrypt my DNS will this make it impossible for them to even see those DNS entries? let alone hijack them?

I also have a dynamic IP. This also throws a monkey wrench in the equation because the pages for openDNS at DD-wrt explain that when my IP changes, OpenDNS will not work. That's why they have this DNS-o-matic service. Makes no sense. If I'm using DNSmasq in my router to handle it, shouldn't that handle my DNS requests no matter what my IP changes to? is this for domain blocking at the DNS level?

Another thing, with a VPN on Debian, I don't have an automatic kill switch if the VPN goes down or if my IP changes. This might be something that could be looked at as well. The OpenVPN client I was using on windows had this feature. I've seen only one solution like this for linux, and I can't find that package again. The VPN settings in Network manager also call for DNS servers and Name servers... Is this something that needs to be pointed at DNSmasq or to the servers at openDNS?

Currently, my router is bridged through my ISP's modem/router. I have no access to the ISP's modem/router. It's currently sitting in an ammo can so its antennae don't sit there and snoop my internal network. Should I go ahead and buy a router/modem to take this out of the equation as well? I'm fairly certain that this isn't helping anything. I've been warned that if I turn in that modem it will take 3 days to get my new modem online. I also will give up the option of a static IP.

So, Thanks way ahead of time if you guys can throw me a bone. SA has done a great job, I generally understood everything for being tech illiterate.

Last edited by Paranior (2013-11-18 02:59:02)

Offline

#159 2013-12-31 05:35:08

paranoidandroid
New Member
Registered: 2013-12-31
Posts: 1

Re: The paranoid #! Security Guide

This is a fantastic thread. Many thanks to the OP.

I just wonder if implementing these steps can somehow mark us out/put us on the radar as being privacy conscious? Can the ISP for example tell which DNS servers we are using?

Also I really need help with a good way to read RSS feeds anonymously. I'm following a policy of owning no or minimum data. Store nothing.

Offline

#160 2014-01-01 15:22:16

dot|not
#! Junkie
From: /dev/null
Registered: 2013-09-05
Posts: 278
Website

Re: The paranoid #! Security Guide

I just wonder if implementing these steps can somehow mark us out/put us on the radar as being privacy conscious? Can the ISP for example tell which DNS servers we are using?

We had a discussion on the IRC about this about a week ago. Somebody used the browser that came with the Tails distribution and wondered why it did not score as well on tests like Panopticlick as other users with more typical browser setups did. Basically because he was very different from the masses.


Slothkrew | Blog | Github | Zerobin | Crunchbang Ratio: 321.00
Acer C720 | Arch Linux | Openbox

Offline

#161 2014-01-02 23:15:20

k0s
Member
From: AlexVa
Registered: 2013-08-31
Posts: 26

Re: The paranoid #! Security Guide

well...think of it like this.

Determine the threat (actual and what you perceive as a threat)

a) intrusion
b) target of advertising
c) surveillance (run of the mill national security concerns)
d) surveillance (warranted and/or unwarranted and/or because you deserve to be)

What realistically can you control and it not occupy all of your time monitoring.

a) & b)

Follow the amazing work contributors have made to this thread, go on about your day, and create and/or learn something amazing.

Let's not let the hoopla and pestilence the recent security craze has alarmed people with disengage you from the fact that you are here... now... #!ing ...and IMO: already ahead of the "target-audience" curve.

if= /above/c) & d) of=/they/concern/none .....then you have nothing for them to profit from. So let ‘em dig.

as to the question of fingerprinting / low profile is good to aid in efforts concerning a) & b).
concerning as a deterrent to c) & d)... I’ll just say... uhm, I’ll illustrate a simple overlooked fact of surveillance.

-TinTime-

Remember when they pushed learning home-row way back when in your introduction to computing, and like EVERYONE, you paid consistent text rate no attention? well hunt and peck sends a very unique fingerprint. that "e,f,g" and "r,e,a" that you can type without looking at the board has a significantly different text rate than any other three letter combination in your logs. = almost as identifiable a fingerprint as your actual prints on file.

So / keep out what you can but don’t allow efforts to occupy brain power better spent changing the world.

Offline

#162 2014-01-03 02:00:17

pdc
#! Member
From: America
Registered: 2013-12-03
Posts: 52
Website

Re: The paranoid #! Security Guide

Well said, k0s.


Anything that doesn't take years of your life and drive you to suicide hardly seems worth doing.
-Cormac McCarthy

Offline

#163 2014-01-04 18:41:27

Brembel
New Member
Registered: 2014-01-04
Posts: 1

Re: The paranoid #! Security Guide

Hey there, hope this question does fit in here.

My question is about a comparison between the three following TOR projects; with all three you would create an anonymizing TOR proxy using a Raspberry Pi.

1)Onion Pi
2)grugq's P.O.R.T.A.L. of Pi(see the first comment from "thegrugq") + PORTALofPi
3)Whonix Gateway on Pi (Instead of running the Gateway in a virtual machine, you run it on Pi)

All three force all the traffic from your operating machine through TOR.
But what about Whonix's claim

DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.

Is this true for 1) as well or has Whonix extra configurations which you wouldn't have with 1) alone?
And what about

The reason that PORTAL runs on a physically separate device and exposes no administration interface (except via physical access), is to prevent a targeted attack (or just malware) from disabling the Tor routing.

Would an attacker have access to 1) in a way he hadn't with Whonix or the PORTAL?

So, I am grateful to everyone who can help me get the differences, especially regarding the resulting anonymity and security, between these projects.

Offline

#164 2014-01-30 19:39:18

stillchimp
New Member
Registered: 2014-01-30
Posts: 2

Re: The paranoid #! Security Guide

Hi, I'm new to CB... this is a great post/thread, I've been trying to implement it for a few days for the 2nd time (tried much of it on another machine already).

Got it mostly working, but have a problem with snort installation that I can't find any answers to...
I only use wifi on this pc, so I changed /etc/snort/snort.debian.conf like this: DEBIAN_SNORT_INTERFACE="wlan0"

Here's what happens during boot:
Starting Network Intrusion Detection System : snort (wlan0 ...ERROR: interface not available) failed!

I guess my wifi isn't ready yet when snort is starting up. And afterwards if I "ps -ef | grep snort" it's not running.

How best to resolve this, I want the snort daemon to be running?

Any help appreciated! Thanks...

Offline

#165 2014-02-08 20:35:32

cloverskull
#! CrunchBanger
Registered: 2013-10-26
Posts: 216

Re: The paranoid #! Security Guide

Why not initialize the daemon in your autostart?

Offline

#166 2014-02-08 22:36:34

stillchimp
New Member
Registered: 2014-01-30
Posts: 2

Re: The paranoid #! Security Guide

Hi, thanks for replying.

I'm a bit n00by on this...

Edit: There's a snort script in init.d : so I guess that's where the boot message is coming from, right?
Following your suggestion, where would I put it so that it's in "autostart"?

cheers

Last edited by stillchimp (2014-02-08 22:51:07)

Offline

#167 2014-02-10 00:46:04

smeagol
New Member
Registered: 2014-02-09
Posts: 2

Re: The paranoid #! Security Guide

I have read a lot and used a lot of tools. One thing that amazes me is how people reuse passwords and usernames at different websites. One gets cracked and down comes the kingdom. It is important to remember that with the exception of perhaps banks most web passwords are not terribly secure and millions get stolen each year. My suggestion for anyone that is security conscious is

1) Create a very strong root password.
2) Do not reuse passwords AND usernames
3) Get Keepassx - password vault - use it and change passwords at least annually. Let it pick the passwords and set the tightest rules possible. One of the nice things about Keepassx is that it has windows, Linux, OSX and Android versions. They can all read the same pswd file. I just carry mine on a USB stick. Take care not to get database skew.
4) Get GPG - key generator
5) Get Truecrypt - encrypt files, volumes etc.
6) I heard a security researcher say the vast majority of attacks are through the UI. Minimizing the attack surface is key to strong security. Browsers are a high value target.



The 3 tools above are pretty powerful and can secure things quite well with some common sense. I have used all three for a long time with no or minimal problems. A word of caution though. If you forget your passphrase tough luck!

Last edited by smeagol (2014-02-10 15:40:16)

Offline

#168 2014-02-10 23:03:07

smeagol
New Member
Registered: 2014-02-09
Posts: 2

Re: The paranoid #! Security Guide

Here's a suggestion. I would write it but my scripting skills are not the best and I am just starting to scratch the surface on the Linux security side.. In the windows server world they write scripts that list all the processes, their memory sizes and other relevant static info. They baseline a machine and put the results in a file and then everyday run a script that will rebaseline and compare the results to the known baseline. They do it using a file comparison function. When a significant difference is found between the two files  it kicks off an alert. I am not good enough with scripts yet to do this.

Offline
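The baseline-and-compare routine smeagol describes, written as an added example for this thread (not smeagol's code and not an existing package): it parses two `ps -eo pid,rss,comm` snapshots, reports processes that appeared or vanished, and flags survivors whose resident memory moved by more than a threshold. The two snapshots below are constructed; process names and sizes are made up.

```python
import re

# Constructed `ps -eo pid,rss,comm` output from two different days.
BASELINE_DAY1 = """\
  PID   RSS COMMAND
    1  2104 init
  412  1840 sshd
  500  9212 snort
  733  3300 dnsmasq
  801 62180 iceweasel
"""

BASELINE_DAY2 = """\
  PID   RSS COMMAND
    1  2104 init
  412  1840 sshd
  733  3300 dnsmasq
  815 98000 iceweasel
 1207  4800 ncat
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_ps(text):
    """Map each command name to its resident memory in kB.
    PIDs are dropped on purpose: they change on every reboot and would make
    each comparison noisy. Several processes with one name are summed."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if m:
            _pid, rss, comm = m.groups()
            procs[comm] = procs.get(comm, 0) + int(rss)
    return procs


def compare_baselines(old, new, mem_change_pct=25):
    """Return what changed between two snapshots: names that appeared, names
    that vanished, and survivors whose RSS moved by more than mem_change_pct
    percent. Any non-empty field is the 'significant difference' to alert on."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    memory = {}
    for name in set(old) & set(new):
        before, after = old[name], new[name]
        if before and abs(after - before) * 100 / before > mem_change_pct:
            memory[name] = (before, after)
    return {"added": added, "removed": removed, "memory": memory}


def alert_lines(diff):
    """Human-readable findings, one per line, suitable for a log or mail body."""
    lines = [f"NEW process: {n}" for n in diff["added"]]
    lines += [f"MISSING process: {n}" for n in diff["removed"]]
    lines += [f"RSS change: {n} {b} -> {a} kB"
              for n, (b, a) in sorted(diff["memory"].items())]
    return lines


if __name__ == "__main__":
    # On a real host: ps -eo pid,rss,comm > today.txt (daily, e.g. from cron),
    # then compare today's file against the saved baseline file.
    diff = compare_baselines(parse_ps(BASELINE_DAY1), parse_ps(BASELINE_DAY2))
    for line in alert_lines(diff):
        print(line)
```

In the sample, snort disappearing and ncat appearing are exactly the kind of change a daily run should raise.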

#169 2014-02-15 11:16:14

feralfae
New Member
Registered: 2012-07-26
Posts: 6

Re: The paranoid #! Security Guide

Newcomer to the forums here - I might have posted a self-intro a couple of years ago, but wouldn't expect anyone to remember now.  I just wanted to say this is an excellent post/discussion.

I recently signed up for an Ostel account on the recommendation of the Guardian Project   https://ostel.co/ch
I'm not enough of a techie to know how secure the encryption is, but it certainly looks like a better bet for privacy than Skype.  But as with everything else I've tried setting up for myself - PGP, Bitmessage, Retroshare, etc, it's only any use if enough other people sign up as well.

I know this might be going slightly off topic, but has anyone found any good strategies for convincing their friends to try out open source, privacy-friendly alternatives?  Because I'm getting tired of sharing links/articles (on Facebook, to my shame) and feeling like I'm just being dismissed as that lone mad cat woman who goes on about boring security stuff.

Offline

#170 2014-02-20 08:28:35

tradetaxfree
#! CrunchBanger
Registered: 2011-03-05
Posts: 122

Re: The paranoid #! Security Guide

If you're paranoid about security & run any internet facing services (web / mail / vpn / tor etc...) - some notes here for isolating the services with LXC & an Alpine Linux Guest (which has Grsecurity & Stack Smashing Protection built in). Alpine is also a rock solid host for Xen.

Offline

#171 2014-02-21 16:19:09

Dosenbrot
New Member
Registered: 2014-02-19
Posts: 6

Re: The paranoid #! Security Guide

Wow, thank you very much for this guide.

I really learned something today  glasses

Offline

#172 2014-02-22 07:26:19

Jajetzu
Member
Registered: 2013-06-17
Posts: 11

Re: The paranoid #! Security Guide

...

Last edited by Jajetzu (2014-02-22 18:00:46)

Offline

#173 2014-02-28 06:19:18

pandroidanaroid
New Member
Registered: 2014-02-22
Posts: 3

Re: The paranoid #! Security Guide

About sandfox, when I try to do this:

gpg --keyserver keys.gnupg.net --recv-keys 7977070A723C6CCB696C0B0227A5AC5A01937621

It says:

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 01937621 from hkp server keys.gnupg.net
gpg: keyserver timed out   
gpg: keyserver receive failed: keyserver error

Please advise.

Also, not a joke- but a serious request. I did all the tweaks recommended in the Firefox about:config and now my favorite porn tube sites like Youjizz.com don't load right (I can't see the thumbnails). How can I get Youjizz.com to work again?

Last edited by pandroidanaroid (2014-02-28 07:58:21)

Offline

#174 2014-03-01 16:27:28

dot|not
#! Junkie
From: /dev/null
Registered: 2013-09-05
Posts: 278
Website

Re: The paranoid #! Security Guide

That means the keyserver is not reachable. Try another one, pgp.mit.edu should be reachable.


Slothkrew | Blog | Github | Zerobin | Crunchbang Ratio: 321.00
Acer C720 | Arch Linux | Openbox

Offline

#175 2014-03-14 18:39:12

alvariole
New Member
Registered: 2014-03-11
Posts: 3

Re: The paranoid #! Security Guide

sorcerer's_apprentice wrote:
The paranoid #! Security Guide
Firefox-Sandbox: Sandfox

Easy init script :

sandweasel.sh

#!/bin/bash
# First launch: create a marker in /tmp, get the sudo password prompt out of
# the way in the foreground, then start sandfox in the background.
# Later launches find the marker and start sandfox without sudo.

if [ ! -f /tmp/sandweasel-init ]; then
	touch /tmp/sandweasel-init
	sudo echo "" > /dev/null
	(sudo sandfox firefox > /dev/null 2>&1) &
else
	(sandfox firefox > /dev/null 2>&1) &
fi

Link it in /usr/bin

sudo ln -T sandweasel.sh /usr/bin/sandweasel

To open firefox/iceweasel, simply :

sandweasel

It will ask for your password only the first time and you can continue working with your current terminal session
wink

Last edited by alvariole (2014-03-14 18:40:47)

Offline

Powered by FluxBB

Copyright © 2012 CrunchBang Linux.