Noose n00b
Joined: 22 Aug 2015 Posts: 4
Posted: Sat Aug 22, 2015 3:16 pm Post subject: How much security is sensible?
Hi guys,
My experiences with Linux are few - I ran Crunchbang off an old server while my main machine was out of order, and I managed to install Arch on an old laptop. So as long as documentation exists, I can manage.
Now, I've got my hands on a Core 2 Duo notebook that I plan to use for work related stuff, as well as online banking. Basically I want to move anything that could be considered sensitive to there. Since I also want it to be fairly snappy, Gentoo with OpenRC seemed like the obvious choice. After chewing through a good bit of the Handbook, it looks like LVM encryption will be the easiest. I want to only have to put in my password once, and creating an initramfs has the added benefit of not requiring a separate /boot with ext2 on it.
The problem is - I don't really know what I'm going to need to run a safe Linux. Some swear by hardened kernels and others may just run a firewall and nothing else. If I'm going to use the notebook to access various WLANs, is it sufficient if I use encryption to protect my data in case of theft, and a firewall to protect my system while it's running? Assuming everything is properly configured and I cherry-pick those programs that access the internet in the first place?
Cheers.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54300 Location: 56N 3W
Posted: Sat Aug 22, 2015 3:36 pm
Noose,
Welcome to Gentoo.
In simple terms, it all depends on your level of paranoia how much security is enough.
More realistically, you need to examine your perceived threats, then take measures to guard against them.
The first measure is to not run services you don't need.
Public WiFi is insecure, think of it as wide open. Set up a VPN or tunnel everything over ssh if you need to use public WiFi.
Your own WiFi is not much better.
You may not need a firewall. If there are no listening services, what will it do?
You can set up a firewall to stop nasties phoning home if they do get in but most firewalls are set up by default to allow all outgoing traffic.
If you run sshd, use key based logins.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
Posted: Sat Aug 22, 2015 5:06 pm
You're ahead of the game if you do the following:
1) Apply all security updates -- Gentoo makes this easy by marking GLSAs in Portage.
2) Don't run unnecessary services -- this is easy to do in Linux, and especially so in Gentoo since you're building the OS yourself.
3) Protecting authentication tokens (e.g., passwords) is trickier. If you have a single user machine with no network servers running, a sufficiently complex password (no simple words, non-keyboard) is probably enough; if you need remote login capability, use key-based authentication with ssh as Neddy says. If you need to support multiple users or other services, there's a lot more that should be done ...
One amusing exercise is to run Wireshark on your home network -- you might be surprised by what you see.
_________________
Personal overlay | Simple backup scheme
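The replies above advise not running unneeded services and ask what a firewall would do if nothing is listening. As an added example (not part of any post in this thread), this shell function filters `ss -H -tuln` output down to sockets bound to non-loopback addresses; the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: which listening sockets are reachable from the network?

# Constructed sample in the column layout printed by `ss -H -tuln`
# (netid, state, recv-q, send-q, local address:port, peer address:port).
sample_ss_output() {
cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      5              [::1]:631          [::]:*
EOF
}

# Reads `ss -H -tuln` lines on stdin and prints "proto address port" for
# every socket bound to something other than a loopback address.
exposed_listeners() {
    awk '
    NF >= 5 {
        port = $5; sub(/.*:/, "", port)       # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)   # text before the last colon
        sub(/%.*$/, "", addr)                 # drop interface scope such as %lo
        gsub(/\[|\]/, "", addr)               # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only: not exposed
        print $1, addr, port
    }'
}

# Offline demonstration on the constructed sample.
# On a live system: ss -H -tuln | exposed_listeners
sample_ss_output | exposed_listeners
```

An empty result means nothing on the machine accepts connections from the network, which is the case where an inbound firewall has nothing to filter.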
Noose n00b
Joined: 22 Aug 2015 Posts: 4
Posted: Sat Aug 22, 2015 5:47 pm
Thanks guys.
It's a rather simple set-up, pretty much a 'consumer device' notebook. It's just going to connect to the internet, either through a home WLAN, friends' WLAN or occasionally a public one. So I'm thinking a free VPN might be the way to go, since that is fairly straightforward to set up. My other machine doesn't run Linux and neither do my employers - nowhere that I'd need access to, anyway - so I probably won't need ssh.
Wireshark eh? ...it's gonna make me paranoid, isn't it. Damn you.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54300 Location: 56N 3W
Posted: Sat Aug 22, 2015 6:01 pm
Noose,
Just because you are paranoid does not mean that they are not out to get you.
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Sat Aug 22, 2015 7:54 pm
NeddySeagoon wrote: "More realistically, you need to examine your perceived threats, then take measures to guard against them."
+1
It is also worth thinking about your data and about what is more important to you:
a) preventing data being changed but remaining undetected by you
b) preventing someone else accessing your data
c) having your data available for you
Encryption will delay someone having access to your data (but don't assume that means they will never be able to access it), and once the password has been entered the data is available for you and others.
For banking I always use a separate user account, disable wifi, reboot the router and use a wired connection ... but you will need to decide what works for you
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
Posted: Sat Aug 22, 2015 9:55 pm
well.
genkernel initramfs => for getting luks and lvm (that will provide you with something that asks you to enter the password and if correct it will boot up the box) assuming you have 512mb ext2 /boot partition for kernel and initramfs from genkernel with options. grub2 for booting ..
hardened is a bit overkill because => no more gaming afaik. skype and other junk will probably not work.
luks is nice, but remember that the hardware has its limitations. (too much to tell now).
basically luks is enough regarding the flaws of these days.
Next installation I will do a hardened box when gaming will work (I may be wrong, it may work now, but I doubt that the binary nvidia-driver will work with hardened..)
You may also know that bios are insecure and closed firmware.
keyloggers are available
the user is the biggest risk
hardware has its limitations ... data is recoverable from unencrypted areas like RAM.
and I am sure much more other jokes which may be known or not
and that's why I think luks with amd 64, ordinary profile is enough ...
Noose n00b
Joined: 22 Aug 2015 Posts: 4
Posted: Sun Aug 23, 2015 4:14 pm
I'll probably do a separate /boot after all. I'm just not seeing the advantage to encrypting that too, compared to the hassle of setting it up. As for hardware limitations.. I did a cryptsetup benchmark and found, to my surprise, that serpent-xts was the fastest on a C2D with about 170MB/s both ways, which should exceed the hard drive speed by a fair bit. I assume 'iterations' relates only to the benchmark and isn't any kind of performance indicator, right?
I know about BIOS issues and Intel microcode and all that, but at the end of the day we're only trying to get an operating system to run here, and I don't have the cash to shell out thrice the money for LibreBoot. Those guys might as well be living on the moon for how relevant they are these days.
Buffoon Veteran
Joined: 17 Jun 2015 Posts: 1369 Location: EU or US
Posted: Sun Aug 23, 2015 4:43 pm
Encrypting your filesystems does not help at all if there is a virus/trojan/net-attack. It helps only if your box is stolen, it prevents the thieves from accessing your data.