Gentoo Forums
Networking & Security
Question(s) about security
krumpf
Apprentice
Joined: 15 Jul 2018
Posts: 192

Posted: Wed Oct 19, 2022 1:22 pm    Post subject: Question(s) about security

Hi,

First, I'd like to say I know everyone secures their computer to the level they deem worthy; I mean some people don't give a damn about security, and some can be paranoid about it.
Linux (& Gentoo) offers many techniques to reach one's goal, like iptables, hardening, selinux, apparmor, drive encryption, etc...

I'm a simple regular guy (and a bit clueless about security), there aren't state secrets on my computer, no one besides me uses it and the most sensitive data might be logins/passwords to merchant sites stored by Firefox. So, I'd like opinions on the security level I should use.

Hence my (I hope not too stupid) question : what should be the "generic" level of security for a home computer ?


Edit : Gentoo's Security Handbook page starts with « Much of the content of the Security handbook has not been modified since 2010 and may be a bit behind the times. Until further notice treat the content with caution. », is that reassuring ? :P
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9891
Location: almost Mile High in the USA

Posted: Wed Oct 19, 2022 2:37 pm

I think being mindful of the attack vectors is the best way, and know how to cover them.

The problem is if you don't know or don't understand (and don't care about trying to learn). Then the best way is to depend on the OS. In this case Gentoo might not be the best choice because updates are sometimes very hard to do, due to the rolling release aspect. Then simply going with a fixed version release where the provider keeps things maintained up until it's time to reinstall (and then you reinstall a new OS) is the best choice.

It's hard to even say for a "home" machine what the "best" case is. Not only that, some ISPs also provide a layer of "security" that could be leveraged, simplifying your efforts. While on-computer firewalls and stuff like this might be helpful, this is a paranoia thing IMHO and NAT (from ISP or your router) tends to already be there to help.

Keeping the browser updated is paramount for "home" users under any circumstance. I don't know of any other particular software that must be maintained, as a lot of stuff isn't really visible to the outside world as an attack vector. If you worry about stolen hard disks, encryption should be on your radar, but thefts don't happen every day and to everyone - hence this is not a big issue.

It all depends on one's own attack surface, and knowing what that is will tell you what you need to do.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
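To make "knowing your own attack surface" concrete, here is an added example; it is not part of eccerr0r's post and not a Gentoo tool. It parses the output format of `ss -ltn` (iproute2) and lists only the TCP listeners bound to a non-loopback address, which is exactly the set of services that a host on the network (or anything your router forwards to you) can actually connect to. The sample lines are constructed; the 192.168.1.10:445 entry is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP sockets that are listening on a
# non-loopback address, i.e. the part of the host the network can talk to.
# Input format is that of `ss -ltn` (optionally with -p): field 4 is
# "LocalAddress:Port", e.g. 0.0.0.0:22, [::]:22, 127.0.0.1:631, [::1]:631.

# Read ss-style lines on stdin and print "address port [process]" for every
# listener bound to something other than a loopback address.
exposed_listeners() {
    awk '
    $1 != "LISTEN" { next }                 # skip the header or foreign lines
    {
        la = $4
        n = split(la, parts, ":")
        port = parts[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        # loopback binds are reachable only from this host
        if (addr ~ /^127\./ || addr == "[::1]") next
        proc = (NF >= 6) ? " " $6 : ""      # process column, present with -p
        printf "%s %s%s\n", addr, port, proc
    }'
}

# Number of exposed listeners in the ss-style input on stdin.
exposed_count() {
    exposed_listeners | awk 'END { print NR + 0 }'
}

# Run against the live system (Linux with iproute2; root shows process names).
# Defined here but not executed, so the script stays self-contained.
live_exposed_listeners() {
    ss -Hltnp | exposed_listeners
}

# Constructed sample in `ss -ltn` format. CUPS on port 631 is loopback-only;
# sshd on all interfaces and a hypothetical service on 192.168.1.10:445 are
# reachable from the network.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:631 [::]:*
LISTEN 0 50 192.168.1.10:445 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
```

On a real box, `ss -Hltnp | exposed_listeners` (as root, so the process names are filled in) gives the live list; anything in it that is not a service you deliberately run is where an attacker connecting from outside would land. UDP listeners (`ss -lun`) and whatever port forwards your router has are outside the scope of this check.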
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5377
Location: Bavaria

Posted: Wed Oct 19, 2022 2:44 pm

Hi krumpf,

I am paranoid for security ... AND ... my privacy. You have to distinguish between them (some solutions fulfill both like e.g. DNS over https).

Please note: If you use a notebook you have a different level of danger (losing it) than with a desktop at home.

I made a German "Installation guide for paranoid dummies" and I will take my general thoughts from there through Google Translate (because of my poor English) and I hope it will help you a little bit:

=====>

When users in the private or semi-professional sphere speak colloquially of computer security or IT security, they actually mean only two things: protection of the personal data in the home directory from unauthorized reading (or even copying), and protection against unauthorized changes to the system (hacking). Experienced users also count data backup, as protection against loss of data, as part of IT security, while availability is usually only safety-critical for professional users. You can find a brief introduction and definition of this topic here:
https://de.wikipedia.org/wiki/Informationssicherheit

In the private sector, mainly two protection goals are required:

A. Confidentiality (no unauthorized persons may read the love letters and the tax return on our PC) and
B. Integrity (we don't want to be hacked and become a spam cannon in a botnet)

Which security solutions are needed depends not only on the goals, but also on the need for protection. Anyone who has to consider legal requirements (e.g. data protection) must meet certain conditions and requirements. This affects not only banks or large companies, but also professional groups such as doctors, lawyers, tax advisors and others. Still others need protection for their own safety; I am thinking, for example, of journalists in certain countries.

Basically there are only two ways to get to/onto our computer and threaten these two goals:

1. Direct physical access (offline tampering), or
2. Access via the network (online attack). Since attacks from the local network (in-house attacks) are rather rare among private individuals, "network" can be equated with the Internet here.

-------

If we consider (1), the following constellations occur in the private sector:

1a) You alone have access to your PC. Other people usually have no access and would have to get it by breaking in (if necessary with theft). The same applies to your notebook.
1b) Your cleaning lady has unattended access, but no authorization for your PC.
1c) Your spouse/life partner has (unattended) access to the shared PC and also authorization (an extra user account).
1d) Your son, who is taking an advanced course, also has access and his own account, and is especially in the experimenting phase.

Which threat scenarios now exist for 1a? Only: burglary with theft, or our own failure (because we left the notebook somewhere). It should be evident that our notebook in the car is more at risk than our desktop at home. Before you think of possible solutions, you should take into account that in both cases you will probably never see your notebook again. I therefore say expressly that the protection goal (B) then no longer exists (if you get it back, format and reinstall everything); you then only have the wish that the thief cannot read your data (e.g. by removing your SSD and installing it in another PC). The only sensible solution is therefore: encryption of /home (and the swap partition).

I have listed the cases 1b to 1d as a (harmless) range of possible hazards. Are you really worried that your cleaning lady wants to hack your PC with a bootable CD? If so, the simplest and therefore most sensible solution is a BIOS boot password. Are you worried that your wife is trying to install a keylogger to get at your home directory? If so, then consider a divorce ... and buy your son his own PC. Why am I saying something like that?

Because nowadays it is hip and chic to install a "full disk encryption" (which actually isn't one at all), which swallows more performance than the worst parameters for hardening the kernel (which comes in B.2). But do we really need that? Despite my paranoia, I actually don't have a single encrypted partition on my desktop at home, just the home partition on the notebook.

After completing A.3 you also installed KDE Vaults, which I expressly recommend for use on the home computer, since it has a very nice gimmick: you can set it so that when an encrypted directory is opened (unlocked), all network connections are automatically terminated (this is optional). For your notebook, however, you need complete encryption of /home so that all the emails and contacts that KDE saves wildly somewhere in the home directory are safe.

-------

Now let's look at (2). Here unauthorized persons basically have two ways to access our computer: active or passive. An active access is a targeted connection from outside. With passive access, you first have to visit a "bad" site with your web browser, which can also be a "good" site that was hacked in turn. In both cases, hard disk encryption would not offer any protection for (A) and (B), because all partitions have been decrypted after the boot process. Nor would an encrypted home directory protect your data. Yes, there is the possibility that /home is only mounted (and thus decrypted) after login. But if you are not logged in at all, an active attacker could at least not get at your data (A). Unfortunately, that is false. He can install anything (B) that only has to wait until you have logged in, and then send off your /home. What solutions are there?

Active attacks: These are only possible if you operate a server service and therefore had to open incoming connections to it in your firewall. If you operate a server, I recommend separating the server and the private data onto two computers. If this is not possible, I recommend separation using virtual machines (which, however, exceeds this guide), in addition to the mandatory hardening of the kernel and the server service. Otherwise you are not exposed to active attacks (the harmless port scans are already stopped by your DSL router).

That leaves:

Attacks that you are exposed to when browsing, opening an email, or opening another prepared file (MPEG, JPG, etc.). Yes, in reality this is the most dangerous threat to private users. To protect yourself from it, I recommend:

1. Use a proxy that filters out dangerous content,
2. Hardening of the kernel,
3. Running the browser in a sandbox, or even better: protection by AppArmor and/or IMA,
4. And keep your programs up to date!

Unfortunately, these measures are neglected in many descriptions for "full disk encryption" ...

<=====


You asked for the "generic" level of security for a home computer.

Let me add my recommendations for the non-paranoid:


1. Do an "emerge -uUDv @world" at least ONCE a month! Better: once a week (I do).

2. Only for a notebook: Use an encrypted /home. I use "fscrypt" for this.

3. Harden your kernel: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP
(maybe you will need this before: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Manual_kernel_configuration )

4. Secure your browser and all applications processing dangerous files with AppArmor (for a desktop; use SELinux for a server).

5. Use a local DNS resolver and do DNS over https. I use "unbound" for this.

If you want to raise your security, going towards more paranoia: ;-)

6. Use a personal firewall and a web proxy (but be aware of what a firewall can do AND what it CAN'T do)

7. Use IMA in kernel



(Translate all articles from: https://forums.gentoo.org/viewtopic-t-1112798.html :lol: )
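A worked check for item 3 (kernel hardening), added here as an example and not taken from pietinger's guide or from the wiki tutorial: a small shell script that compares a kernel .config against a subset of the KSPP recommendations. The option names are real Kconfig symbols, but the subset is my own selection (the linked wiki page is the complete reference), some of the options exist only on x86_64 or on recent kernels, and the sample .config is constructed so that it shows both a missing hardening option and a feature that should be switched off.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel .config against a small
# subset of the KSPP recommendations. The option names are standard Kconfig
# symbols; the subset is a selection, not the full list from the wiki tutorial,
# and some options exist only on x86_64 or on newer kernels.

# Options KSPP wants enabled (=y).
KSPP_WANT_Y="CONFIG_STRICT_KERNEL_RWX CONFIG_STRICT_MODULE_RWX
CONFIG_RANDOMIZE_BASE CONFIG_RANDOMIZE_MEMORY CONFIG_STACKPROTECTOR_STRONG
CONFIG_VMAP_STACK CONFIG_HARDENED_USERCOPY CONFIG_FORTIFY_SOURCE
CONFIG_SLAB_FREELIST_RANDOMIZE CONFIG_SLAB_FREELIST_HARDENED
CONFIG_INIT_ON_ALLOC_DEFAULT_ON CONFIG_INIT_STACK_ALL_ZERO
CONFIG_STRICT_DEVMEM CONFIG_IO_STRICT_DEVMEM CONFIG_SECURITY_DMESG_RESTRICT
CONFIG_DEBUG_LIST CONFIG_BUG_ON_DATA_CORRUPTION"

# Options KSPP wants disabled ("# ... is not set", or absent from the file,
# e.g. CONFIG_DEVKMEM no longer exists on recent kernels).
KSPP_WANT_N="CONFIG_PROC_KCORE CONFIG_COMPAT_BRK CONFIG_DEVKMEM CONFIG_KEXEC
CONFIG_HIBERNATION CONFIG_LEGACY_PTYS CONFIG_BINFMT_MISC
CONFIG_ACPI_CUSTOM_METHOD"

# Print one line per deviation found in the given .config file.
kspp_findings() {
    cfg="$1"
    for opt in $KSPP_WANT_Y; do
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "MISSING  ${opt}=y"
        fi
    done
    for opt in $KSPP_WANT_N; do
        if grep -q "^${opt}=[ym]\$" "$cfg"; then
            echo "ENABLED  ${opt} (should be off)"
        fi
    done
    return 0
}

# Number of deviations in the given .config file.
kspp_count() {
    kspp_findings "$1" | awk 'END { print NR + 0 }'
}

# Check the running kernel (needs CONFIG_IKCONFIG_PROC). Defined only,
# not executed here, so the script stays self-contained.
kspp_check_running() {
    tmp=$(mktemp)
    zcat /proc/config.gz > "$tmp"
    kspp_findings "$tmp"
    rm -f "$tmp"
}

# Constructed sample .config: two hardening options are missing and two
# features that KSPP says to disable are still on.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_VMAP_STACK=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_RANDOMIZE=y
CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_INIT_STACK_ALL_ZERO=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# CONFIG_PROC_KCORE is not set
# CONFIG_COMPAT_BRK is not set
CONFIG_KEXEC=y
# CONFIG_HIBERNATION is not set
CONFIG_LEGACY_PTYS=y
# CONFIG_BINFMT_MISC is not set
# CONFIG_ACPI_CUSTOM_METHOD is not set
EOF

kspp_findings "$SAMPLE_CONFIG"
```

Against a live system the input is `zcat /proc/config.gz` (needs CONFIG_IKCONFIG_PROC) or /usr/src/linux/.config. A reported deviation is a prompt to look the option up, not an automatic fix: CONFIG_KEXEC is something a desktop user can usually drop, while a notebook user may decide to keep CONFIG_HIBERNATION despite the recommendation, and the performance cost of the memory-initialisation options is what pietinger's guide is weighing against full disk encryption.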
krumpf
Apprentice
Joined: 15 Jul 2018
Posts: 192

Posted: Thu Oct 20, 2022 9:14 am

Thanks for the answers, they're giving me some food for thought!

I guess my computer is currently "sufficiently" secure for its usage.
But maybe I should harden the kernel a bit (unless it cripples performance a lot; as a gamer, I'd rather not hog the CPU with security stuff).
Also, thanks for the idea about 'sandboxing' the browser, that's something I had never thought about.