Great guide, thanks!
not quite sure
Any plan on including SELinux in the guide? I found it annoying on Fedora but it could be useful for this. Debian has support, but it isn't installed/enabled by default.
I just switched from Windows to Linux about 2 weeks ago. Oh man, I was missing so much. I went from Ubuntu 12.10, then Mint 14.1, now I'm looking to switch to a security oriented desktop distro.
This guide has helped me a great deal, so thank you sorcerer's apprentice!
The way I see it is that there are 4 types of users.
1. Privacy: On two USBs: one for TAILS, and the other for data. (Just like Applebaum suggests)
Use Tails off-site -> communicate/data -> get out
2. Offensive: Kali
Use Kali off-site -> exploit -> get out
3. Server Encryption then (Defend Router, OS and services)
4. Desktop Encryption then (Defend Router, OS and Browser and Applications)
Which Distros are recommended for server and desktop? Maybe 3 each.
Full Disk Encryption:
/boot/ and grub vulnerable. I like the USB solution, did it work for you?
Why not a fail-safe password that would just delete the HDD? So that if forced/tortured, you can give them the password that wipes the HDD. (yes, torture is pretty popular nowadays)
Why not, after boot, create 99 of these fail-safe passwords/keys and put them in memory along with the real one? When a cold boot happens, the guys will see 100 keys, so now instead of 100% they have a 1% chance of getting in and a 99% chance of wiping the HDD.
Storage of key in CPU rather than memory?
Firewall configuration for router after installing dd-wrt or openwrt?
There's a lot more needed for snort, tiger, tripwire.
A security oriented conkyrc, with connections (in/out), processes, maybe snort alerts, CVEs etc...
In ICMP Settings you have one line that repeats.
thanks for your reply.
3): I would suggest OpenBSD/FreeBSD/Debian.
4): I don't really know what you want to get at with "desktop encryption". If you stick with #!/Debian and this guide (and/or others of course) you will reach a high security desktop environment. But to name three: Debian/Gentoo/*BSD. It all comes down to configuration - so it is not very helpful to appoint any distro to be more secure than another. Debian can be hardened quite a bit - same with Gentoo and a lot of others. If you absolutely surely know what you're doing and are well aware of latest bugs and exploits you could even run Arch as a secure system.
The idea with the fail-safe passwords on boot is cool. But you don't need to delete the drive. It is enough to destroy the key. But anyway - are you going to implement this?
DD-WRT firewall configuration -> coming up.
Snort/Tiger/Tripwire configuration -> coming up.
Security related conky is a great idea. But my knowledge of conky is rather slim. So don't expect anything the like soon - or help build it.
UFW -> UFW/GUFW just controls iptables. I will at some point include some more detailed iptables know-how - but for now ipkungfu is strong enough. Iptables stuff is coming up on the DD-WRT update anyway. BTW: It is much more important to set up your router-firewall correctly - so that in theory - almost nothing else unwanted reaches your machine in the first place.
ICMP-rules: Could you tell me which one?
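To make the "destroy the key, don't wipe the drive" point from the reply above concrete, here is an added example of a LUKS unlock wrapper with a duress passphrase. It is not part of the guide or of cryptsetup itself; the device path, mapper name and salt are placeholders you have to set, and it assumes GNU coreutils (sha256sum) and a cryptsetup with luksErase. Only a salted hash of the duress phrase is stored; the real passphrase is never stored, just forwarded to cryptsetup. Typing the duress phrase erases every key slot in the LUKS header, after which the data key is unrecoverable and there is nothing left to hand over.

```shell
#!/bin/sh
# Added example (not from the guide): LUKS unlock with a duress passphrase.
# Real passphrase  -> "cryptsetup open" as usual.
# Duress passphrase -> "cryptsetup luksErase" wipes all key slots instead.

DEVICE="${DEVICE:-/dev/sda2}"            # assumed: the LUKS container
MAPPER="${MAPPER:-cryptroot}"            # assumed: name under /dev/mapper
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"   # overridable, e.g. for a dry run

# Only the salted hash of the duress phrase is kept on disk. Even if someone
# brute-forces it, all they learn is how to wipe the disk, which they could
# do anyway. Fill DURESS_HASH with the output of duress_hash; while it is
# empty, no input can trigger the erase.
DURESS_SALT="${DURESS_SALT:-example-salt-change-me}"
DURESS_HASH="${DURESS_HASH:-}"

# duress_hash PHRASE -> hex sha256 of salt+phrase
duress_hash() {
    printf '%s%s' "$DURESS_SALT" "$1" | sha256sum | cut -d' ' -f1
}

# unlock_or_erase PHRASE
# prints "erased" (duress phrase, all key slots destroyed),
#        "unlocked" (real phrase accepted) or "failed" (wrong phrase).
unlock_or_erase() {
    pass="$1"
    if [ -n "$DURESS_HASH" ] && [ "$(duress_hash "$pass")" = "$DURESS_HASH" ]; then
        # -q skips the "Are you sure?" prompt; luksErase wipes every key slot
        # so the volume key can no longer be derived from any passphrase.
        if "$CRYPTSETUP" -q luksErase "$DEVICE"; then
            echo erased
            return 0
        fi
        echo erase-failed
        return 2
    fi
    # --key-file=- reads the passphrase from stdin; printf without a trailing
    # newline makes it identical to what an interactive prompt would use.
    if printf '%s' "$pass" | "$CRYPTSETUP" open --key-file=- "$DEVICE" "$MAPPER"; then
        echo unlocked
        return 0
    fi
    echo failed
    return 1
}

# Usage (as root, typically from an initramfs hook):
#   DURESS_HASH=$(duress_hash 'your-duress-phrase')   # store the hash, not the phrase
#   stty -echo; read -r pass; stty echo
#   unlock_or_erase "$pass"
```

Two caveats a practitioner should keep in mind: erasing key slots on the live device does nothing if the adversary already imaged the disk or ran `cryptsetup luksHeaderBackup` before letting you type anything, and it does not touch a volume key that is already in RAM, so this is a complement to a strong passphrase and a clean shutdown, not a replacement for them.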
Ah, I didn't see the copyright; that doesn't mean we can't add some concepts mentioned in it! I am following your guide but I often had to jump from one thing in the guide to another. For example, further securing data with truecrypt should be at the end; I really don't need to know this if I haven't even set up my OS.
Unfortunately I have to eventually reinstall the OS, because: Should we use separate partitions for / /home /tmp etc.? Instructions for the USB solution?
I created a security.text file and structured it as follows: (many things are missing, because I didn't get there yet)
I think we should start router, OS, Applications, audit, IDS, SeLinux/apparmor/grsecurity, upkeep, and finally notification systems.
Wired vs Wireless
Open Source firmware: dd-wrt, openwrt, tomato
Disable UPnP, ping
BIOS password: USB solution for full disk encryption, changes bios setting recommendations for USB booting?
Choosing OS: Consider computer role, security needs of each data handled, trust relationships, uptime requirements, minimal needed software packages and net access. (Part A of the checklist)
Download from trusted source
Install from trusted media (Section B1 of the checklist)
Install while not connected to the internet (Section B2 of the checklist)
Use separate partitions (Section B3 of the checklist)
Full Disk Encryption
/boot on usb?
Minimize/Uninstall services and packages you might need: (Part D in the checklist)
Find out which services are running that you don't need.
common ones are CUPS, Samba, Avahi-daemon, dnsmasq
Update and Upgrade
Check integrity of installed packages
Setup a shutdown scheme that wipes memory fast and clean, to deal with cold boot
Email / Encryption
Communication: Jitsi, pidgin/otr
Encrypted data: truecrypt, etc
SELinux, AppArmor, grsecurity?
Daily, weekly and on-demand operations
Automate what you can
Last edited by cyberhood (2013-04-01 04:10:51)
Last edited by Jajetz (2013-04-15 14:23:35)
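On the separate-partitions item in the outline above: a separate /tmp or /home only buys something if it is mounted with restrictive options, which is easy to forget after a reinstall. The following is an added example, not part of the guide or of any Debian tool, that audits an fstab against a small mount-option policy. The policy (nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, nodev/nosuid/noexec on /boot) and the two sample fstab files with made-up UUIDs are my own assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit /etc/fstab for separate
# partitions and the mount options that make them worth having.

# Constructed sample fstabs (UUIDs are invented) used for the demo below.
WEAK_FSTAB='UUID=aaaa-1111 /     ext4 errors=remount-ro 0 1
UUID=bbbb-2222 /home ext4 defaults          0 2
UUID=cccc-3333 /tmp  ext4 defaults          0 2'

HARDENED_FSTAB='UUID=aaaa-1111 /     ext4 errors=remount-ro                 0 1
UUID=bbbb-2222 /home ext4 defaults,nodev,nosuid            0 2
UUID=cccc-3333 /tmp  ext4 defaults,nodev,nosuid,noexec     0 2
UUID=dddd-4444 /boot ext4 defaults,nodev,nosuid,noexec,ro  0 2'

# policy_for MOUNTPOINT -> options that must be present (assumed policy).
# /boot could also be "ro", but then every kernel update needs a remount,
# so it is left as a recommendation rather than a requirement here.
policy_for() {
    case "$1" in
        /tmp|/var/tmp) echo "nodev nosuid noexec" ;;
        /home)         echo "nodev nosuid" ;;
        /boot)         echo "nodev nosuid noexec" ;;
        *)             echo "" ;;
    esac
}

# Mount points that should be their own filesystem (assumed policy).
REQUIRED_MOUNTS="/tmp /home"

# fstab_entries FILE -> "mountpoint options" per non-comment line
fstab_entries() {
    grep -v '^[[:space:]]*#' "${1:-/etc/fstab}" | awk 'NF >= 4 { print $2, $4 }'
}

# has_opt OPTS OPT -> 0 if OPT appears as a whole option in the csv OPTS
# (",ro," does not match "errors=remount-ro", which is the point of the commas)
has_opt() {
    printf '%s' ",$1," | grep -q ",$2,"
}

# check_fstab FILE -> one finding per line; no output means clean
check_fstab() {
    f="${1:-/etc/fstab}"
    present=$(fstab_entries "$f" | awk '{ print $1 }')
    for m in $REQUIRED_MOUNTS; do
        printf '%s\n' "$present" | grep -qx "$m" || echo "$m: no separate filesystem"
    done
    fstab_entries "$f" | while read -r mnt opts; do
        for want in $(policy_for "$mnt"); do
            has_opt "$opts" "$want" || echo "$mnt: missing $want"
        done
    done
}

# fstab_ok FILE -> 0 only if check_fstab reports nothing
fstab_ok() {
    [ -z "$(check_fstab "$1")" ]
}

# Demo against the constructed samples (run with no arguments), or
# "sh thisfile /etc/fstab" to audit the real thing.
if [ -n "${1:-}" ]; then
    check_fstab "$1"
else
    w=$(mktemp); h=$(mktemp)
    printf '%s\n' "$WEAK_FSTAB" > "$w"
    printf '%s\n' "$HARDENED_FSTAB" > "$h"
    echo "weak:";     check_fstab "$w"
    echo "hardened:"; check_fstab "$h"
    rm -f "$w" "$h"
fi
```

Changes to fstab only take effect after a remount (`mount -o remount /tmp`), and note that a noexec /tmp breaks some installers and build scripts that unpack and run helpers there, so test package upgrades after turning it on.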
Jajetz and Cyberhood,
thanks for your contributions. I have been a bit busy lately. I will update the guide with your recommendations asap, i.e. in the next few days.
As far as a different structure is concerned I'm O.K. with that but will need some time to implement it.
I will reply with a more detailed comment soon. Just to let you know that I'm still around.
Thank you, sorcerer's_apprentice! Really great guides. There are many useful things that I'll start doing right now.
Last edited by wilde_wurst (2013-04-17 11:27:44)
@sorcerer's_apprentice: Thanks for this great guide ! Lots of stuff to read and keep one busy for days
@wilde_wurst: So the pragmatic approach would be to copy anything you do not trust to a texteditor of your choice and verify the content, right ?
Thanks to everyone on this thread for info.
Look at static ARP tables to prevent ARP spoofing/poisoning MITM.
Last edited by cyberhood (2013-05-25 03:25:04)
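For the static ARP suggestion above, here is an added example (mine, not from the guide) showing both halves of it: spotting poisoning in the neighbour table, where one MAC suddenly answers for several IPs, and pinning the gateway's entry so ARP replies cannot overwrite it. It assumes iproute2's `ip neigh` output format; the sample table, interface name and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): detect ARP poisoning from the
# neighbour table and pin the gateway's ARP entry as permanent.

# Constructed sample of "ip -4 neigh show". The gateway (192.168.1.1) and
# 192.168.1.20 share a MAC, the classic symptom of a host answering ARP
# for an address that is not its own.
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.40 dev eth0 lladdr aa:bb:cc:dd:ee:02 DELAY
192.168.1.50 dev eth0  FAILED'

# duplicate_macs: neighbour lines on stdin -> "MAC: ip ip ..." for every
# MAC claimed by more than one IP (entries without lladdr are ignored)
duplicate_macs() {
    awk '
        { for (i = 1; i <= NF; i++) if ($i == "lladdr") mac[$(i+1)] = mac[$(i+1)] " " $1 }
        END { for (m in mac) if (split(mac[m], a, " ") > 1) print m ":" mac[m] }
    ' | sort
}

# mac_of IP: neighbour lines on stdin -> MAC currently recorded for IP
mac_of() {
    awk -v ip="$1" '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i+1) }'
}

# check_gateway IP EXPECTED_MAC: 0 if the table still agrees with the MAC
# you recorded on a known-clean network (stdin = neighbour lines)
check_gateway() {
    [ "$(mac_of "$1")" = "$2" ]
}

# pin_gateway IP MAC DEV: make the entry permanent so later ARP replies
# cannot change it (needs root; IP and MAC must be the real gateway's)
pin_gateway() {
    ip neigh replace "$1" lladdr "$2" dev "$3" nud permanent
}

# Live usage:
#   ip -4 neigh show | duplicate_macs
#   ip -4 neigh show | check_gateway 192.168.1.1 00:11:22:33:44:55 || echo "gateway MAC changed"
#   pin_gateway 192.168.1.1 00:11:22:33:44:55 eth0
printf '%s\n' "$SAMPLE_NEIGH" | duplicate_macs
```

A permanent entry only protects this host's view of the gateway; the gateway's own table can still be poisoned, so traffic coming back to you remains spoofable unless the gateway (or the switch, via dynamic ARP inspection) is locked down too. On networks where the gateway hardware legitimately changes, a pinned entry will simply stop working until you update it.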