What I want to achieve is:
- Minimize damage done if laptop is stolen
- Minimize damage done if laptop is tampered with while away from it
- Minimize chance of being compromised while system is running
- Maximize chance of detection if system is compromised
- Maximize anonymity on the internet
Security is a tradeoff between usability and risk. This document is for those willing to sacrifice some usability to lower risk. I suspect the contents of this text will become increasingly more valuable as time goes on.
For SSH, only allow your own user to log in. Disable password authentication and force public key authentication.
In /etc/ssh/sshd_config you should add:
AllowUsers <username> (replace <username> with your user name, without the angle brackets)
PasswordAuthentication no
PermitRootLogin no
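A caveat when applying the three settings above: sshd takes the first occurrence of a directive and ignores later ones, so simply appending "PasswordAuthentication no" to a file that already contains an uncommented "PasswordAuthentication yes" higher up changes nothing. The following added example (my own script, not part of the original guide and not OpenSSH's tooling) sets each directive in place, inserts missing ones before any Match block so they stay global, and reports the value sshd would actually use. The file path and user name are arguments, so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: idempotent sshd_config hardening.
# Assumptions: POSIX sh and awk; the target file is passed in so you can test on a copy.

# Set "key value" in the given sshd_config: replace existing (even commented-out)
# occurrences outside Match blocks, otherwise insert before the first Match block,
# otherwise append. Lines inside Match blocks are the admin's per-user exceptions
# and are deliberately left untouched.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v line="$key $value" '
        BEGIN { pat = "^[[:space:]]*#?[[:space:]]*" key "([[:space:]]|$)"; done = 0; inmatch = 0 }
        /^[[:space:]]*Match[[:space:]]/ { if (!done) { print line; done = 1 }; inmatch = 1 }
        !inmatch && $0 ~ pat { print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the value sshd will use for a key: the first uncommented occurrence
# before any Match block (sshd's own first-match rule).
effective_sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*Match[[:space:]]/ { exit }
        $1 == key { print $2; exit }
    ' "$1"
}

# Apply the three directives from the guide.
harden_sshd_config() {
    file=$1 user=$2
    set_sshd_option "$file" AllowUsers "$user"
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitRootLogin no
}

# Typical use on the real file (as root):
#   harden_sshd_config /etc/ssh/sshd_config "$USER" && sshd -t && systemctl restart sshd
```

Run `sshd -t` before restarting the daemon; it validates the edited file and refuses a broken configuration instead of locking you out.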
Full disk encryption
Disk encryption ensures that files are always stored on disk in an encrypted form. The files only become available to the operating system and applications in readable form while the system is running and unlocked by a trusted user. An unauthorized person looking at the disk contents directly, will only find garbled random-looking data instead of the actual files.
For example, this can prevent unauthorized viewing of the data when the computer or hard-disk is:
- located in a place to which non-trusted people might gain access while you’re away
- lost or stolen, as with laptops, netbooks or external storage devices
- in the repair shop
- discarded after its end-of-life
In addition, disk encryption can also be used to add some security against unauthorized attempts to tamper with your operating system - for example, the installation of keyloggers or Trojan horses by attackers who can gain physical access to the system while you’re away.
Fill the drive with random data to prevent recovery of previously stored data. It also prevents anyone from telling how much of the encrypted drive is actually in use.
dd if=/dev/random of=/dev/sda bs=1M
Full disk encryption using dmcrypt + LUKS
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 root
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Edit /etc/mkinitcpio.conf and add the encrypt and shutdown hooks to HOOKS. Place the encrypt hook directly before the filesystems hook. Also add dm_mod and ext4 to MODULES.
Edit /etc/default/grub and add GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"
No. Instead buy enough RAM.
Set a BIOS password. This prevents cold boot attacks where RAM is immediately dumped after a reboot. It has been shown that data in RAM persists for a few seconds after powering down.
When a USB device is inserted, the USB driver in the kernel is invoked. If a bug is discovered here it may lead to code running, or it may slurp up all the memory and cause the Linux out-of-memory killer to kill the screensaver process.
USB driver loading can be disabled in the BIOS. Or you can prevent the usb-storage module from loading:
echo 'install usb-storage : ' >> /etc/modprobe.conf
USB automounting attacks
You lesser beings willing to allow the USB driver to load should at least disable automounting. Allowing filesystems to automount causes even more potentially vulnerable code to run. E.g. Ubuntu once opened the file explorer and showed thumbnails of images. One researcher was able to find a bug in an image library used to produce the thumbnails. He just inserted a USB drive and the exploit killed the screensaver.
Set a screensaver with password lock to kick in after one minute. Create keyboard shortcut to lock screen and manually lock when temporarily leaving system. Power down for longer absences.
To detect compromised files, file integrity tools can store hashes of them and let you know if they suddenly change. Obviously, malware can also modify the stored hashes. But it helps in cases where the malware does not. For the extra cautious, you could store the file integrity hashes offline or print them out.
AIDE (Advanced intrusion detection environment)
aide -i
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide -C
Rootkit Hunter additionally scans system for rootkits.
On a clean system, update the system properties:
rkhunter --propupd
rkhunter --check --rwo -sk
There probably are a few false positives. Edit the /etc/rkhunter.conf.local and add exceptions for them.
Here is my crontab for these two programs:
MAILTO=email@example.com
MAILFROM=firstname.lastname@example.org
30 06 * * 1 /usr/bin/rkhunter --cronjob --rwo
35 06 * * 1 /usr/bin/aide -C
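The mechanism that AIDE (and rkhunter's --propupd/--check pair) relies on, shown as an added example in plain shell; this is my own illustration, not AIDE's or rkhunter's code. It writes a baseline of SHA-256 hashes for a directory tree once on a clean system and later reports files that changed, vanished or appeared. The tree and the baseline path are arguments so it can be run against a throwaway directory; the baseline must live outside the tree (or, as the text suggests, offline), otherwise it would show up as a new file and could be rewritten by the same malware that altered the files.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline and check with sha256sum.
# Assumptions: POSIX sh with sha256sum, find, sort, xargs and awk (GNU/busybox);
# paths containing spaces or newlines are not handled (AIDE does handle them).

# Record "hash  ./path" for every regular file under $1 into baseline file $2.
integrity_init() {
    tree=$1 baseline=$2
    # Sorted so the baseline is reproducible and easy to diff or print.
    (cd "$tree" && find . -type f | sort | xargs -r sha256sum) > "$baseline"
}

# Compare the tree against the baseline. Prints one line per difference
# ("changed <path>", "missing <path>", "new <path>") and returns 1 if any
# difference exists, 0 if the tree is clean (same convention as sha256sum -c).
integrity_check() {
    tree=$1 baseline=$2
    current=$(mktemp)
    (cd "$tree" && find . -type f | sort | xargs -r sha256sum) > "$current"
    changes=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }      # first file: the baseline
        {
            if (!($2 in base))        print "new " $2
            else if (base[$2] != $1)  print "changed " $2
            delete base[$2]                                # seen: whatever is left is missing
        }
        END { for (p in base) print "missing " p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Typical use: integrity_init /etc /root/etc.sha256 once, then
# integrity_check /etc /root/etc.sha256 from cron, mailing any output.
```

Like `aide -C`, a non-zero exit with output is the signal to mail yourself; a cron job that only sends mail on output keeps the weekly report quiet when nothing changed.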
Use a trusted VPN so that your ISP cannot see your traffic.
To prevent traffic from accidentally flowing over the real physical network interface, only allow outgoing traffic on that interface to be UDP on port 1194 (the VPN). DNS and DHCP must also be allowed out, on ports 53, 67 and 68.
Simple stateful firewall
Drop everything in INPUT by default, then allow packets belonging to already established connections, and allow everything on the loopback interface.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o enp2s0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o enp2s0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -o enp2s0 -p udp -m udp --dport 67:68 -j ACCEPT
Save the rules into a file and have it loaded on boot:
iptables-save > /etc/iptables/iptables.rules
systemctl enable iptables
If your VPN does not support ipv6, then drop all outgoing traffic on ipv6:
ip6tables -P OUTPUT DROP
Add ipv6.disable=1 to the kernel command line to prevent loading of the ipv6 module.
Do not use your ISP's DNS server, unless you want them to see the domains you are visiting.
Put this in /etc/resolv.conf
nameserver 188.8.131.52
nameserver 184.108.40.206
Preserve DNS settings by adding the following to /etc/dhcpcd.conf
To randomize the MAC address while keeping the vendor prefix:
macchanger -e interface
After boot, set a random MAC address.
Here is an example systemd service which you put in /etc/systemd/system/macchanger@.service.
[Unit]
Description=Macchanger service for %I
Documentation=man:macchanger(1)

[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
WantedBy=multi-user.target
Then to enable it:
systemctl enable macchanger@enp2s0
Create a sandbox with sandfox:
sudo sandfox firefox
Do not install Flash or Java. Disable WebRTC to prevent local IP discovery.
Make Firefox prefer cipher suites providing forward secrecy.
Many SMTP and IMAP servers use TLS, but not all do, and email is decrypted at each node along the way. Only end-to-end encryption makes email secure. The most widely used standard for encrypting files is the OpenPGP standard. GnuPG is a free implementation of it.
A short usage summary is:
gpg --gen-key                                              # generate keypair
gpg --detach-sign --armour file.txt                        # signature
gpg -r 7A2B13CD --armour --sign --encrypt file.txt         # signature and encryption
The transition from plaintext HTTP to TLS is a weak point: the initial plaintext request can be intercepted before the site has a chance to redirect to HTTPS. The HTTP HSTS header mitigates this particular threat.
If a cipher suite without perfect forward secrecy is used, an attacker can at a later point use the server's private key to decrypt historically captured traffic.
Do not allow other users to read your files
chmod 700 $HOME
Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent.
Put tape over webcam.