Gentoo Forums
How much security is sensible?
Noose
n00b

Joined: 22 Aug 2015
Posts: 4

Posted: Sat Aug 22, 2015 3:16 pm    Post subject: How much security is sensible?

Hi guys,

My experiences with Linux are few - I ran Crunchbang off an old server while my main machine was out of order, and I managed to install Arch on an old laptop. So as long as documentation exists, I can manage.

Now, I've got my hands on a Core 2 Duo notebook that I plan to use for work-related stuff, as well as online banking. Basically I want to move anything that could be considered sensitive to there. Since I also want it to be fairly snappy, Gentoo with OpenRC seemed like the obvious choice. After chewing through a good bit of the Handbook, it looks like LVM encryption will be the easiest. I want to only have to put in my password once, and creating an initramfs has the added benefit of not requiring a separate /boot with ext2 on it.

The problem is - I don't really know what I'm going to need to run a safe Linux. Some swear by hardened kernels and others may just run a firewall and nothing else. If I'm going to use the notebook to access various WLANs, is it sufficient if I use encryption to protect my data in case of theft, and a firewall to protect my system while it's running? Assuming everything is properly configured and I cherry-pick those programs that access the internet in the first place?

Cheers.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54300
Location: 56N 3W

Posted: Sat Aug 22, 2015 3:36 pm

Noose,

Welcome to Gentoo.

In simple terms, it all depends on your level of paranoia how much security is enough.

More realistically, you need to examine your perceived threats, then take measures to guard against them.
The first measure is to not run services you don't need.

Public WiFi is insecure, think of it as wide open. Set up a VPN or tunnel everything over ssh if you need to use public WiFi.
Your own WiFi is not much better.

You may not need a firewall. If there are no listening services, what will it do?
You can set up a firewall to stop nasties phoning home if they do get in but most firewalls are set up by default to allow all outgoing traffic.

If you run sshd, use key based logins.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Hypnos
Advocate

Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

Posted: Sat Aug 22, 2015 5:06 pm

You're ahead of the game if you do the following:

1) Apply all security updates -- Gentoo makes this easy by marking GLSAs in Portage.

2) Don't run unnecessary services -- this is easy to do in Linux, and especially so in Gentoo since you're building the OS yourself.

3) Protecting authentication tokens (e.g., passwords) is trickier. If you have a single user machine with no network servers running, a sufficiently complex password (no simple words, non-keyboard) is probably enough; if you need remote login capability, use key-based authentication with ssh as Neddy says. If you need to support multiple users or other services, there's a lot more that should be done ...

One amusing exercise is to run Wireshark on your home network -- you might be surprised by what you see.
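The check both replies above rely on (is anything actually listening?), as an added example that is not part of the original posts: the function below filters `ss -tuln` output down to sockets reachable from the network. The sample output is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which sockets in `ss -tuln` output are reachable from the network?

# Reads `ss -tuln` output on stdin; prints "proto address port" for every
# TCP/UDP socket that is NOT bound to a loopback address only.
exposed_listeners() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }       # also skips the header line
        {
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            host = $5; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (host ~ /^127\./ || host ~ /^\[::1\]/) next   # loopback only
            print $1, host, port
        }'
}

# Exit status 0 when at least one socket is reachable from the network,
# i.e. when an inbound firewall rule would have something to block.
has_exposed_listeners() {
    [ -n "$(exposed_listeners)" ]
}

# Constructed sample, not captured from a real machine.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      5      [::1]:631          [::]:*'

printf '%s\n' "$SAMPLE" | exposed_listeners

# On a live system: ss -tuln | exposed_listeners
```

In the sample, the print server on port 631 is bound to loopback and drops out, while sshd on port 22 and the DHCP client socket on UDP 68 remain as the services to remove, rebind or filter.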
Noose
n00b

Joined: 22 Aug 2015
Posts: 4

Posted: Sat Aug 22, 2015 5:47 pm

Thanks guys.

It's a rather simple set-up, pretty much a 'consumer device' notebook. It's just going to connect to the internet, either through a home WLAN, friends' WLAN or occasionally a public one. So I'm thinking a free VPN might be the way to go, since that is fairly straightforward to set up. My other machine doesn't run Linux and neither do my employers - nowhere that I'd need access to, anyway - so I probably won't need ssh.

Wireshark eh? ...it's gonna make me paranoid, isn't it. Damn you. :lol:
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54300
Location: 56N 3W

Posted: Sat Aug 22, 2015 6:01 pm

Noose,

Just because you are paranoid does not mean that they are not out to get you.
_________________
Regards,

NeddySeagoon
jonathan183
Guru

Joined: 13 Dec 2011
Posts: 318

Posted: Sat Aug 22, 2015 7:54 pm

NeddySeagoon wrote:
More realistically, you need to examine your perceived threats, then take measures to guard against them.
+1

It is also worth thinking about your data and about what is more important to you:
a) preventing data being changed but remaining undetected by you
b) preventing someone else accessing your data
c) having your data available for you

Encryption will delay someone having access to your data (but don't assume that means they will never be able to access it), and once the password has been entered the data is available for you and others.

For banking I always use a separate user account, disable wifi, reboot the router and use a wired connection ... but you will need to decide what works for you ;)
Roman_Gruber
Advocate

Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

Posted: Sat Aug 22, 2015 9:55 pm

well.

genkernel initramfs => for getting luks and lvm (that will provide you with something that asks you to enter the password and if correct it will boot up the box) assuming you have 512mb ext2 /boot partition for kernel and initramfs from genkernel with options. grub2 for booting ..

hardened is a bit overkill because => no more gaming afaik. skype and other junk will probably not work.

luks is nice, but remember that the hardware has its limitations. (too much to tell now).

basically luks is enough regarding the flaws of these days.

Next installation I will do a hardened box when gaming will work (I may be wrong, it may work now, but I doubt that the binary nvidia-driver will work with hardened..)

You may also know that bios are insecure and closed firmware.
keyloggers are available
the user is the biggest risk
hardware has its limitations ... data is recoverable from unencrypted areas like RAM.
and I am sure much more other jokes which may be known or not

and that's why I think luks with amd 64, ordinary profile is enough ...
Noose
n00b

Joined: 22 Aug 2015
Posts: 4

Posted: Sun Aug 23, 2015 4:14 pm

I'll probably do a separate /boot after all. I'm just not seeing the advantage to encrypting that too, compared to the hassle of setting it up. As for hardware limitations.. I did a cryptsetup benchmark and found, to my surprise, that serpent-xts was the fastest on a C2D with about 170MB/s both ways, which should exceed the hard drive speed by a fair bit. I assume 'iterations' relates only to the benchmark and isn't any kind of performance indicator, right?

I know about BIOS issues and Intel microcode and all that, but at the end of the day we're only trying to get an operating system to run here, and I don't have the cash to shell out thrice the money for LibreBoot. Those guys might as well be living on the moon for how relevant they are these days.
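For the `cryptsetup benchmark` output discussed above, an added example that is not part of the original post: the `iterations per second` lines report how fast the passphrase key-derivation function (PBKDF2) runs, while the MiB/s table is in-memory cipher throughput. The sample output is constructed (its serpent-xts figure follows the roughly 170 MB/s mentioned in the post) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: split `cryptsetup benchmark` output into its two parts.

# Key-derivation lines: "PBKDF2-<hash>  <N> iterations per second".
# This rate governs how long unlocking a key slot takes, not disk throughput.
kdf_rates() {
    awk '$3 == "iterations" { print $1, $2 }'
}

# Cipher table lines: "<cipher-mode> <key>b <enc> MiB/s <dec> MiB/s".
# Prints the cipher whose slower direction (encrypt or decrypt) is fastest,
# since disk I/O is limited by whichever direction is slower.
fastest_cipher() {
    awk '
        $2 ~ /^[0-9]+b$/ && $4 == "MiB/s" && $6 == "MiB/s" {
            slow = ($3 < $5) ? $3 : $5
            if (slow + 0 > best) { best = slow + 0; name = $1 " " $2 }
        }
        END { if (name != "") print name, best }'
}

# Constructed sample, not captured from a real machine.
BENCH_SAMPLE='# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       300623 iterations per second
PBKDF2-sha256     193037 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   133.2 MiB/s   152.3 MiB/s
 serpent-cbc   128b    58.9 MiB/s   165.4 MiB/s
     aes-xts   256b   150.1 MiB/s   148.7 MiB/s
 serpent-xts   256b   170.4 MiB/s   171.2 MiB/s'

echo "Key derivation (unlock cost):"
printf '%s\n' "$BENCH_SAMPLE" | kdf_rates
echo "Fastest cipher by slower direction:"
printf '%s\n' "$BENCH_SAMPLE" | fastest_cipher

# On a live system: cryptsetup benchmark | fastest_cipher
```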
Buffoon
Veteran

Joined: 17 Jun 2015
Posts: 1369
Location: EU or US

Posted: Sun Aug 23, 2015 4:43 pm

Encrypting your filesystems does not help at all if there is a virus/trojan/net-attack. It helps only if your box is stolen, it prevents the thieves from accessing your data.
All times are GMT