
#76 2013-03-15 14:10:59

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide


Be excellent to each other!

#77 2013-03-16 12:52:15

Bradi
#! CrunchBanger
From: Poland
Registered: 2013-01-21
Posts: 119

Re: The paranoid #! Security Guide


#78 2013-03-16 15:01:24

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide


#79 2013-03-19 20:40:36

foxtrot
Member
Registered: 2013-03-19
Posts: 15

Re: The paranoid #! Security Guide

Great guide, thanks!

Not quite sure.

#80 2013-03-19 21:21:16

JLloyd13
#! Member
Registered: 2012-08-08
Posts: 83

Re: The paranoid #! Security Guide

Any plan on including SELinux in the guide? I found it annoying on Fedora, but it could be useful for this. Debian has support, but it isn't installed/enabled by default.

#81 2013-03-20 00:35:09

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide


#82 2013-03-21 07:36:47

Jajetz
New Member
Registered: 2013-03-17
Posts: 6

Re: The paranoid #! Security Guide

I just switched from Windows to Linux about 2 weeks ago. Oh man, I was missing so much. I went from Ubuntu 12.10, then Mint 14.1, and now I'm looking to switch to a security-oriented desktop distro.

This guide has helped me a great deal, so thank you sorcerer's apprentice!

The way I see it is that there are 4 types of users.
1. Privacy: On two USBs: one for TAILS, and other for data. (Just like Applebaum suggests)
Use Tails off-site -> communicate/data -> get out
2. Offensive: Kali
Use Kali off-site -> exploit -> get out
3. Server Encryption then (Defend Router, OS and services)
4. Desktop Encryption then (Defend Router, OS and Browser and Applications)

Which Distros are recommended for server and desktop? Maybe 3 each.

Full Disk Encryption:
/boot/ and grub vulnerable. I like the USB solution, did it work for you?

Why not a fail-safe password that would just delete the HDD? So that if forced/tortured, you can give them the password that wipes the HDD. (Yes, torture is pretty popular nowadays.)
Why not, after boot, create 99 of these fail-safe passwords/keys and put them in memory along with the real one? When a cold-boot attack happens, the guys will see 100 keys, so now instead of a 100% chance they have a 1% chance of getting in and a 99% chance of wiping the HDD.
Storage of the key in the CPU rather than memory?

Firewall configuration for router after installing dd-wrt or openwrt?

There's a lot more needed for snort, tiger, tripwire.

A security-oriented conkyrc, with connections (in/out), processes, maybe snort alerts, CVEs etc.

UFW rules?

In ICMP Settings you have one line that repeats.


#83 2013-03-22 15:42:11

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

Jajetz,

thanks for your reply.

3): I would suggest OpenBSD/FreeBSD/Debian.

4): I don't really know what you want to get at with "desktop encryption". If you stick with #!/Debian and this guide (and/or others of course) you will reach a high security desktop environment. But to name three: Debian/Gentoo/*BSD. It all comes down to configuration - so it is not very helpful to appoint any distro to be more secure than another. Debian can be hardened quite a bit - same with Gentoo and a lot of others. If you absolutely surely know what you're doing and are well aware of latest bugs and exploits you could even run Arch as a secure system.

The idea with the fail-safe passwords on boot is cool. But you don't need to delete the drive. It is enough to destroy the key. But anyway - are you going to implement this?

DD-WRT firewall configuration -> coming up.

Snort/Tiger/Tripwire configuration -> coming up.

Security related conky is a great idea. But my knowledge of conky is rather slim. So don't expect anything the like soon - or help build it.

UFW -> UFW/GUFW just controls iptables. I will at some point include some more detailed iptables know-how - but for now ipkungfu is strong enough. Iptables stuff is coming up on the DD-WRT update anyway. BTW: It is much more important to set up your router-firewall correctly - so that in theory - almost nothing else unwanted reaches your machine in the first place.

ICMP-rules: Could you tell me which one?


#84 2013-03-30 04:59:33

Jajetz
New Member
Registered: 2013-03-17
Posts: 6

Re: The paranoid #! Security Guide


#85 2013-03-30 11:46:58

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide


#86 2013-03-31 22:33:27

Jajetz
New Member
Registered: 2013-03-17
Posts: 6

Re: The paranoid #! Security Guide

Ah, I didn't see the copyright; that doesn't mean we can't add some concepts mentioned in it! I am following your guide, but I often had to jump from one thing in the guide to another. For example, further securing data with TrueCrypt should be at the end; I really don't need to know this if I haven't even set up my OS.
Unfortunately I have to eventually reinstall the OS, because: should we use separate partitions for / /home /tmp etc.? Instructions for the USB solution?
I created a security.text file and structured it as follows: (many things are missing, because I didn't get there yet)

I think we should start router, OS, Applications, audit, IDS, SeLinux/apparmor/grsecurity, upkeep, and finally notification systems.

Router:
    Wired vs Wireless
    Open Source firmware: dd-wrt, openwrt, tomato
    Configuration:
        MAC-filters
        Disable UPnP, ping
        Firewall: ??

BIOS password: USB solution for full disk encryption, changes bios setting recommendations for USB booting?

Encryption:
    Software
    Hardware
    Attacks:
        Software
        Hardware
    Solution

OS:
    Choosing OS: Consider computer role, security needs of each data handled, trust relationships, uptime requirements, minimal needed software packages and net access. (Part A of the checklist)
        Offensive: Kali
        Privacy: TAILS
        Desktop
        Server
    Installation:
        Download from trusted source
        Checksum
        Install from trusted media (Section B1 of the checklist)
        Install while not connected to the internet (Section B2 of the checklist)
        Use Separate partitions (Section B3 of the checklist)
        Full Disk Encryption
            /boot on usb?
    sudo/sudoers
    Minimize/Uninstall services and packages you might need: (Part D in the checklist)
        Find out which services are running that you don't need.   
        common ones are CUPS, Samba, Avahi-daemon, dnsmasq
    ICMP settings
    DNS settings
    Anti-virus
    Firewall

    Update and Upgrade
        Trusted /etc/apt/sources.list
        Check integrity of installed packages

    Setup a shutdown scheme that wipes memory fast and clean, to deal with cold boot

Applications:
    Browsers
    Email / Encryption
    Communication: Jitsi, pidgin/otr
    Encrypted data: truecrypt, etc

Security Audit:
    nmap
    tiger

IDS:
    snort
    chkrootkit
    psad

SELinux, AppArmor, grsecurity?

Upkeep
    Daily, weekly and on-demand operations
    Automate what you can
    Logs

Notification systems:
    conkyrc
    email notifications

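The "Download from trusted source / Checksum" step in the checklist above is usually done by hand with sha256sum. The following is an added example (not from the guide or the thread) that does the same check programmatically: it parses a coreutils-style SHA256SUMS file, streams the image so multi-gigabyte ISOs do not have to fit in memory, and distinguishes a digest mismatch from an image that the checksum file does not list at all. The file names and contents are constructed in a temporary directory so it runs offline.

```python
"""Verify a downloaded image against a SHA256SUMS-style checksum list.

Added example, not part of the guide. Assumes the GNU coreutils format
written by `sha256sum`: one "<hex digest>  <filename>" entry per line
(two spaces, or " *" for binary mode). The sample files below are
constructed so the script runs offline.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def parse_sums_file(text):
    """Map filename -> lowercase hex digest; lines that do not fit are ignored, not trusted."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # "*name" marks binary mode in coreutils output
        if len(digest) == 64 and set(digest) <= HEX:
            sums[name] = digest.lower()
    return sums


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(iso_path, sums_text):
    """Return (status, detail); status is 'ok', 'mismatch' or 'unlisted'.

    A public digest does not need a constant-time compare, but
    hmac.compare_digest also refuses to compare str with bytes, which
    catches a common mistake when the digest comes from a file.
    """
    sums = parse_sums_file(sums_text)
    name = os.path.basename(iso_path)
    if name not in sums:
        return "unlisted", f"{name} has no entry in the checksum file"
    actual = sha256_of_file(iso_path)
    if hmac.compare_digest(actual, sums[name]):
        return "ok", actual
    return "mismatch", f"expected {sums[name]}, got {actual}"


def demo():
    """Constructed sample: a genuine image, a tampered one, and one not listed."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "crunchbang.iso")
        bad = os.path.join(d, "tampered.iso")
        other = os.path.join(d, "unknown.iso")
        with open(good, "wb") as f:
            f.write(b"pretend this is the image" * 1000)
        with open(bad, "wb") as f:  # same length, one byte flipped at the end
            f.write(b"pretend this is the image" * 999 + b"pretend this is the imagX")
        with open(other, "wb") as f:
            f.write(b"nothing lists me")
        sums_text = (
            f"{sha256_of_file(good)}  crunchbang.iso\n"
            f"{sha256_of_file(good)} *tampered.iso\n"  # publisher's digest, file altered
            "not a checksum line\n"
        )
        return {
            "good": verify_download(good, sums_text)[0],
            "bad": verify_download(bad, sums_text)[0],
            "other": verify_download(other, sums_text)[0],
        }


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label}: {status}")
```

One caveat that belongs next to this step: a checksum fetched from the same mirror as the image only proves the download was not corrupted in transit. If the mirror itself is compromised, both files are replaced together, so the checksum file has to be authenticated through a separate channel (for Debian-derived distributions, the GPG signature over the checksum file, verified against a key obtained independently).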

#87 2013-03-31 23:12:02

Jajetz
New Member
Registered: 2013-03-17
Posts: 6

Re: The paranoid #! Security Guide


#88 2013-04-01 04:06:57

cyberhood
Member
Registered: 2012-07-19
Posts: 45

Re: The paranoid #! Security Guide

Last edited by cyberhood (2013-04-01 04:10:51)


#89 2013-04-06 05:59:48

Jajetz
New Member
Registered: 2013-03-17
Posts: 6

Re: The paranoid #! Security Guide


#90 2013-04-15 06:02:31

Jajetz
New Member
Registered: 2013-03-17
Posts: 6

Re: The paranoid #! Security Guide

Last edited by Jajetz (2013-04-15 14:23:35)


#91 2013-04-15 11:00:24

sorcerer's_apprentice
#! Junkie
From: oblivion
Registered: 2013-02-09
Posts: 293

Re: The paranoid #! Security Guide

Jajetz and Cyberhood,

thanks for your contributions. I have been a bit busy lately. I will update the guide with your recommendations asap, i.e. in the next few days.

As far as a different structure is concerned I'm O.K. with that but will need some time to implement it.

I will reply with a more detailed comment soon. Just to let you know that I'm still around.

#92 2013-04-17 10:34:53

xaris
Member
Registered: 2013-04-17
Posts: 33

Re: The paranoid #! Security Guide

Thank you, sorcerer's_apprentice! Really great guides. There are many useful things that I'll start doing right now.


#93 2013-04-17 11:25:39

wilde_wurst
New Member
Registered: 2013-04-17
Posts: 2

Re: The paranoid #! Security Guide

Last edited by wilde_wurst (2013-04-17 11:27:44)


#94 2013-04-18 09:46:11

Darksoul71
New Member
Registered: 2012-03-07
Posts: 9

Re: The paranoid #! Security Guide

@sorcerer's_apprentice: Thanks for this great guide! Lots of stuff to read and keep one busy for days.

@wilde_wurst: So the pragmatic approach would be to copy anything you do not trust to a text editor of your choice and verify the content, right?
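wilde_wurst's post is not reproduced on this page, so the exact concern is an assumption; the reply above suggests it is text copied from a web page that does not do what it appears to do when pasted into a terminal. As an added example (not from the thread), the script below does the "verify the content" step mechanically: it flags invisible or direction-changing Unicode characters, control characters such as a stray carriage return, a "single command" that actually contains several lines, and the download-piped-into-a-shell pattern. The sample strings are constructed.

```python
"""Inspect text copied from a web page before pasting it into a shell.

Added example, not part of the thread. Assumes the concern is pasted
content that does not match what was rendered: zero-width or bidi
characters, hidden line breaks (a terminal runs each line as it lands),
and `curl ... | sh`. The sample strings below are constructed.
"""
import re
import unicodedata

# Code points that render as nothing or reorder text; a command containing
# them does not do what the visible text says.
SUSPICIOUS_CODEPOINTS = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
    0x202A: "LEFT-TO-RIGHT EMBEDDING",
    0x202B: "RIGHT-TO-LEFT EMBEDDING",
    0x202D: "LEFT-TO-RIGHT OVERRIDE",
    0x202E: "RIGHT-TO-LEFT OVERRIDE",
    0x2066: "LEFT-TO-RIGHT ISOLATE",
    0x2067: "RIGHT-TO-LEFT ISOLATE",
    0x2068: "FIRST STRONG ISOLATE",
}

# curl/wget whose output is piped, possibly via sudo, into sh/bash/zsh/dash.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def inspect_paste(text):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    for i, ch in enumerate(text):
        cp = ord(ch)
        if cp in SUSPICIOUS_CODEPOINTS:
            findings.append(f"offset {i}: U+{cp:04X} {SUSPICIOUS_CODEPOINTS[cp]}")
        elif ch not in "\n\t" and unicodedata.category(ch) in ("Cc", "Cf"):
            # Other control/format characters, e.g. a \r that ends a line early
            findings.append(f"offset {i}: control/format character U+{cp:04X}")
    n_lines = len(text.rstrip("\n").split("\n"))
    if n_lines > 1:
        findings.append(f"{n_lines} lines: a terminal runs each one as it is pasted")
    for m in PIPE_TO_SHELL.finditer(text):
        findings.append(f"download piped straight into a shell: {m.group(0)!r}")
    return findings


# Constructed samples, not captured from any real page.
SAMPLES = {
    "clean": "sudo apt-get update",
    "hidden_newline": "sudo apt-get update\nrm -rf ~/.ssh\n",
    "bidi_override": "echo \u202Eabc",
    "pipe_to_shell": "curl -s http://example.invalid/install.sh | sudo bash",
    "carriage_return": "ls\r",
}


def run_samples():
    """Return {label: number of findings} for every sample."""
    return {label: len(inspect_paste(text)) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"--- {label}")
        for f in inspect_paste(text) or ["nothing suspicious"]:
            print("   ", f)
```

The check is deliberately a review aid, not a whitelist: a clean report means none of these specific tricks were found, and the text still has to be read before it is run. Pasting into an editor first, as suggested above, does the same job for the multi-line and hidden-character cases; the script just makes it repeatable.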

#95 2013-04-19 08:53:26

wilde_wurst
New Member
Registered: 2013-04-17
Posts: 2

Re: The paranoid #! Security Guide


#96 2013-04-20 23:31:33

Jajetzo
New Member
Registered: 2013-04-20
Posts: 1

Re: The paranoid #! Security Guide


#97 2013-05-22 16:07:58

aphextwin
New Member
Registered: 2013-05-22
Posts: 2

Re: The paranoid #! Security Guide

Thanks to everyone on this thread for info.

Look at static ARP tables to prevent ARP spoofing/poisoning MITM.
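Static ARP entries pin an address to a MAC on the local host (with iproute2: `ip neigh replace 192.168.1.1 lladdr 00:11:22:33:44:55 dev eth0 nud permanent`), so a forged reply for that address is ignored. They do nothing for the entries you leave dynamic, and nothing for the gateway's own table, so the other half is noticing when a poisoner shows up. The following is an added example (not from the thread) that compares two `ip -4 neigh show` snapshots and alerts when an address changes MAC or one MAC starts answering for the gateway and another host at once. The snapshots, addresses and MACs are constructed, and the line format assumed is the default `ip neigh` output without `-s`.

```python
"""Detect ARP cache changes that look like spoofing, from `ip neigh show` snapshots.

Added example, not part of the thread. Static entries stop the kernel
from accepting a forged reply for a pinned address; this script watches
the dynamic entries and reports MAC changes and one MAC claiming several
addresses. All snapshots below are constructed, not captured.
"""
import re
from collections import defaultdict

# Default `ip -4 neigh show` line: "<ip> dev <if> lladdr <mac> <STATE>";
# FAILED/INCOMPLETE entries carry no lladdr and have two spaces before the state.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>[0-9a-fA-F:]{17}))?\s+(?P<state>[A-Z]+)$"
)


def parse_neigh(text):
    """Return {ip: (mac, state)} for entries that carry a MAC address."""
    table = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            table[m.group("ip")] = (m.group("mac").lower(), m.group("state"))
    return table


def diff_tables(before, after, protected=()):
    """Compare two snapshots and return a list of alert strings.

    `protected` lists addresses whose MAC must never change (gateway, DNS
    server); a change there is CRITICAL, elsewhere WARNING.
    """
    alerts = []
    for ip, (mac, state) in after.items():
        old = before.get(ip)
        if old and old[0] != mac:
            sev = "CRITICAL" if ip in protected else "WARNING"
            alerts.append(f"{sev}: {ip} moved from {old[0]} to {mac} ({state})")
    # One MAC answering for the gateway and another host is how a poisoner
    # inserts itself into the path.
    by_mac = defaultdict(set)
    for ip, (mac, _) in after.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and any(ip in protected for ip in ips):
            alerts.append(f"CRITICAL: {mac} claims {sorted(ips)}")
    return alerts


# Constructed snapshots: the gateway 192.168.1.1 is taken over by the host
# that also answers as 192.168.1.77.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.50 dev eth0  FAILED
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""


def demo():
    """Run the comparison on the constructed snapshots with the gateway protected."""
    return diff_tables(parse_neigh(BEFORE), parse_neigh(AFTER), protected={"192.168.1.1"})


if __name__ == "__main__":
    for alert in demo() or ["no changes"]:
        print(alert)
```

To use it on a live host, capture `ip -4 neigh show` periodically and feed consecutive outputs to `diff_tables`. The usual false positive is a legitimately replaced NIC or a router failover, which is exactly why the gateway should be a static entry: then the kernel never accepts the new MAC and the script only confirms that someone tried.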

#98 2013-05-23 03:31:39

cyberhood
Member
Registered: 2012-07-19
Posts: 45

Re: The paranoid #! Security Guide

Last edited by cyberhood (2013-05-25 03:25:04)


#99 2013-05-26 01:49:24

aphextwin
New Member
Registered: 2013-05-22
Posts: 2

Re: The paranoid #! Security Guide


#100 2013-05-26 06:25:24

locknlol
New Member
Registered: 2012-03-01
Posts: 4

Re: The paranoid #! Security Guide

Awesome thread, thanks for the great insight to linux security. (Yay first post!)

Last edited by locknlol (2013-05-26 06:25:37)


Copyright © 2012 CrunchBang Linux.