What I want to achieve is:
- Minimize damage done if laptop is stolen
- Minimize damage done if laptop is tampered with while away from it
- Minimize chance of being compromised while system is running
- Maximize chance of detection if system is compromised
- Maximize anonymity on the internet
Security is a tradeoff. Having a more secure system has costs. This text is for those willing to incur some costs in order to be more secure.
SSH server
Only allow your own user to login. Disable password authentication and force public key authentication.
In /etc/ssh/sshd_config
you should add:
AllowUsers <username> (remove <>)
PasswordAuthentication no
PermitRootLogin no
Full disk encryption
Disk encryption ensures that files are always stored on disk in an encrypted form. The files only become available to the operating system and applications in readable form while the system is running and unlocked by a trusted user. An unauthorized person looking at the disk contents directly, will only find garbled random-looking data instead of the actual files.
For example, this can prevent unauthorized viewing of the data when the computer or hard-disk is:
- Located in a place to which non-trusted people might gain access while you're away
- Lost or stolen, as with laptops, netbooks or external storage devices
- In the repair shop
- Discarded after its end-of-life
In addition, disk encryption can also be used to add some security against unauthorized attempts to tamper with your operating system. For example, the installation of keyloggers or Trojan horses by attackers who can gain physical access to the system while you're away.
Preparation
Fill drive with random data to prevent recovery of previously stored data. It also prevents detection of usage patterns on drive.
$ dd if=/dev/random of=/dev/sda bs=1M
Full disk encryption using dmcrypt + LUKS
$ cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 root
$ mkfs.ext4 /dev/mapper/root
$ mount /dev/mapper/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
Edit /etc/mkinitcpio.conf
and add encrypt
and shutdown
hook to HOOKS. Place
the encrypt
hook directly before filesystem hook.
And dm_mod
and ext4
to MODULES.
Edit /etc/default/grub
and add GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"
Swap space
No. Buy enough RAM.
BIOS
Set a BIOS password. This prevents cold boot attacks where RAM is immediately dumped after a reboot. It has been shown that data in RAM persists for a few seconds after downpowering.
USB attacks
When a USB device is inserted, the USB driver in kernel is invoked. If a bug is discovered here it may lead to code running:
$ system("killall gnome-screensaver")
Or it may slurp up all the memory and cause the linux out-of-memory-killer to kill the screensaver process.
USB driver load can be disabled in BIOS. Or you can:
$ echo 'install usb-storage : ' >> /etc/modprobe.conf
USB automounting attacks
Lesser beings willing to allow the USB driver to load should atleast disable automounting. Allowing filesystems to automount causes even more potentially vulnerable code to run. E.g. Ubuntu once opened the file explorer and showed thumbnails of images. One researcher was able to find a bug in one image library used to produce thumbnail. He just inserted USB drive and the exploit killed the screensaver.
Screensaver
Set a screensaver with password lock to kick in after one minute. Create keyboard shortcut to lock screen and manually lock when temporarily leaving system. Power down for longer absences.
File integrity
To detect compromised files, file integrity tools can store hashsums of them and let you know if they suddenly change. Obviously, malware can also modify the hashsums. But it helps in cases where malware do not. For the extra cautious, you could store the file integrity hashsums offline or print them out.
AIDE (Advanced intrusion detection environment)
$ aide -i
$ mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
$ aide -C
rkhunter
Rootkit Hunter additionally scans system for rootkits.
On a clean system update the system properties
$ rkhunter --propupd
$ rkhunter --check --rwo -sk
There probably are a few false positives. Edit the /etc/rkhunter.conf.local
and add exceptions for them.
Here is my crontab for these two programs:
[email protected]
[email protected]
30 06 * * 1 /usr/bin/rkhunter --cronjob --rwo
35 06 * * 1 /usr/bin/aide -C
VPN
Use a trusted VPN to make ISP unable to see your traffic.
To prevent traffic from accidentially flowing via real physical network interface, you should only allow outgoing traffic to be UDP on port 1194. Also for DNS and DHCP, port 53, 67, and 68 outgoing must be allowed.
Simple stateful firewall
Drop everything in INPUT. Then allow already existing connections. Also allow all to loopback interface.
$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT ACCEPT
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o enp2s0 -p udp -m udp --dport 53 -j ACCEPT
$ iptables -A OUTPUT -o enp2s0 -p udp -m udp --dport 1194 -j ACCEPT
$ iptables -A OUTPUT -o tun0 -j ACCEPT
$ iptables -A OUTPUT -o enp2s0 -p udp -m udp --dport 67:68 -j ACCEPT
Save rules into file and have it loaded on boot:
$ iptables-save > /etc/iptables/iptables.rules
$ systemctl enable iptables
If your VPN does not support ipv6, then drop all outgoing traffic on ipv6:
$ ip6tables -P OUTPUT DROP
And add ipv6.disable=1
to kernel line to prevent loading of ipv6 module.
DNS
Do not use your ISP's DNS server. Unless you want them to see the domains you are visiting.
https://www.ipredator.se/page/services#service_dns
Put this in /etc/resolv.conf
nameserver 194.132.32.32
nameserver 46.246.46.246
Preserve DNS settings by adding the following to /etc/dhcpcd.conf
:
nohook resolv.conf
MAC address
To randomize MAC address and keep vendor prefix:
$ macchanger -e interface
After boot, set a random MAC address.
Here is an example systemd service which you put in
/etc/systemd/system/[email protected]
.
[Unit]
Description=Macchanger service for %I
Documentation=man:macchanger(1)
[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot
[Install]
WantedBy=multi-user.target
Then to enable it:
systemctl enable macchanger@enp2s0
Firefox
Sandbox
Sandfox runs programs within sandboxes which limit the programs access to only the files you specify. Why run Firefox and other programs in a sandbox? In the Firefox example, there are many components running: java, javascript, flash, and third-party plugins. All of these can open vulnerabilities due to bugs and malicious code; under certain circumstances these components can run anything on your computer and can access, modify, and delete your files. It's nice to know that when such vulnerabilities are exploited, these components can only see and access a limited subset of your files.
Create a sandbox with sandfox:
$ sudo sandfox firefox
Do not install flash or java. Disable webrtc to prevent local IP discovery.
For registration forms use a pseudorandom identity and throwaway email address.
Make firefox prefer cipher suites providing forward secrecy.
Extentions
Many SMTP and IMAP servers use TLS. Not all do. Email is decrypted at each node. End-to-end encryption makes email secure. The most widely used standard for encrypting files is the OpenPGP standard. GnuPG is a free implementation of it.
A short usage summary is:
$ gpg --gen-key # generate keypair
$ gpg --detach-sign --armour file.txt # signature
$ gpg -r 7A2B13CD --armour --sign --encrypt file.txt # signature and encryption
TLS gotchas
If not all HTTP content is served over TLS, an attacker could inject javascript code which extracts your password. Or simply sniff the session cookie before or after.
The bridge between plaintext and TLS in HTTP is a weak point. The HTTP HSTS header mitigates this particular threat.
If not a ciphersuite with perfect forward security is used, then an attacker can at a later point use the server's private key to decrypt historically captured traffic.
Other stuff
Do not allow other users to read your files
$ chmod 700 $HOME
Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent.
Put tape over webcam.