Things you do to help secure your OS? - Security & Cryptography

Users browsing this thread: 2 Guest(s)
One of the things I did recently was full disk encryption. Also disabling root login with SSH.

What do you do?
M32
Members
Running every service as a separate user. Once I get FreeBSD going, I'm going to look into Jails.

On my laptop, I'm behind a firewall most of the time, but it uses a VPN when it detects it's not connected to my home network. Each SSH key has a passphrase. Screen-timeout of 2 minutes, auto-shutdown of 30. Don't have a /home/ on my laptop, so I only encrypt /var/ and /etc/

I have all the well-known privacy extensions for Firefox as well.
venam
Administrators
I had this bookmarked for a long time.

Be sure to not be running anything you are not supposed to:
Code:
netstat -tulpen
Also, check the permission of the files and stay up to date with important security patches.
(25-09-2015, 01:27 AM)venam Wrote: I had this bookmarked for a long time.

Be sure to not be running anything you are not supposed to:
Code:
netstat -tulpen
Also, check the permission of the files and stay up to date with important security patches.
Thanks for the link, some good info in there.

(24-09-2015, 07:46 PM)M32 Wrote: Running every service as a separate user. Once I get FreeBSD going, I'm going to look into Jails.

On my laptop, I'm behind a firewall most of the time, but it uses a VPN when it detects it's not connected to my home network. Each SSH key has a passphrase. Screen-timeout of 2 minutes, auto-shutdown of 30. Don't have a /home/ on my laptop, so I only encrypt /var/ and /etc/

I have all the well-known privacy extensions for Firefox as well.
I need to get a VPN, any you recommend?
M32
Members
(25-09-2015, 09:44 PM)October Wrote: I need to get a VPN, any you recommend?
I just use it to connect to either my home connection or my Linode VPS.
dtnt
Members
Quote:I need to get a VPN, any you recommend?
Depending on the level of paranoia: cryptostorm.is
xzyL
Registered
If you are super paranoid boot Tails and get a VPN with Bitcoin.
sagittarius
Members
One tool I use to harden my server and workstations: https://github.com/CISOfy/lynis. This may seems a bit overkill but it gives you a great overview of your host's security.

I'm also using a VPN, but hosted on my personnal server. I use it when I'm not home to access my personnal file and especially encrypt communications. I have a firewall on my laptop because my fellow students can feel like "r34|_ |-|4<|<3Rz" and aim you with silly scripts.

I must say that, even if it is not pure technical security, using a custom minimal window manager is very disruptive for other people. Each time I let people use my computer, I don't have to wait a minute before they need some help. I've seen people trying to open a shell for minutes. Who said security through customization ? That only protects you for few seconds/minutes, but it is an interesting behaviour to observe :) (also applies for different keyboard layouts)

I tend to remove any service I don't need and install only what is necessery. It's easier to install a minimal Linux so you don't have to remove tons of prepackaged crap. I disable ssh root login as well, change the ssh listening port, set up a fail2ban and use public key authentication. I check strange behaviours thanks to logwatch and run rkhunter and clamav regularly.

I use docker when I need to deploy a service (webserver, ftp server or so) on the university network. Not only because it's cool, but also because exposing containers protects my host a bit more than exposing a rotten service (I've seen mates using very weak ftp servers from which you can get root shells in a minute).

Other common security tips are: install security updates and use strong passwords (ideally set an enforced password policy). May seems stupid but you know, humans are lazy.

I used apparmor for a bit. Haven't reinstalled it on my new setup (humans... lazy... you know).

I forgot plenty of things but this is my first shot.

PS: A friend of mine told me he wanted to use this (https://firejail.wordpress.com/) to run google chrome. Haven't tried it yet but it is promising.
Loki123
Members
I have this habit of thinking of security in different ways. From remote access security, such as protecting yourself from attacks on open services, web server and ssh for example and then to protection against local exploits and vulnerabilities. Two things you need to approach in different manners.

For open services such as ssh I suggest reading the link Venam posted. It covers most of SSH, updates and more, there is just one thing you might want to decide really for yourself in there, su vs sudo. Both of them can be great if properly set up, personally I like su better due to the reason that I've always used it, but sudo provides a great alternative if you want to allow multiple (a team) to have access to the root administrator without giving them all the password to the root user. Thus; they would either setup their own sudo password or have the same as their user password. The latter is something I would not recommend as if the password is compromised in one way or another, the attacker has the root password also which is not good. But like I said, if properly setup they are equally as secure, but I don't see the reason using sudo if you are the only person that will have access to the root user.

Fail2Ban is also covered in that link and I surely suggest that you read more into fail2ban as it can do really many things and neat tool.

Now to the part it seems that no one has mentioned. If you want security locally too, I strongly suggest that you take a long look into Grsecurity and the PAX team ASLR. That will provide local security on many different levels from buffer overflow to unknown and not yet patched attacks to some extinct. PAX ASLR has been enabled since 2008 if I am not mistaken in all kernel versions so that at least is there however installing the kernel and protecting it with Grsecurity is a great addition too.

I just wanted to include this somewhere, you can, too, include a two factor authentication for SSH using Google's 2FA and the Arch Wiki covers how to implement it. Think about it this way; Stacking layers of security decreases the chances an attacker has to break into your system. With 2FA + Keys with strong passphrase + IP lock with the firewall or configuration, he has 3 hoops to bypass before it being possible to gain SSH access. That does no way mean that other services are secure and that you can't be rooted but it makes it hell of a lot harder but also a serious case of overkill in security of one service. But possible.
xero
Long time nixers
firewall / ip tables is another simple tip. only open the ports you need, when you need them.
rain1
Members
The biggest thing I do for security reasons is never allow ssh with password logins. Always a key file. It is basically impossible to brute force a key file.

I've been reading about mitigation recently and how ideas from projects like grsecurity can reduce the impact of exploits. Also techniques to isolate processes like chroots, containers, jails.