jason99x (n00b), Joined: 16 Oct 2005, Posts: 5
Posted: Sun Oct 16, 2005 8:58 pm, Post subject: workstation security, what do I need? (talking about college)
Hi, I am behind a router and plan to not run any servers, because next school year I will be in college, which doesn't allow the use of servers. A lot of the security sources (for example, hardened gentoo homepage) focus more on server security. My real concern will be mostly anonymity. As a workstation node and not a server/router, which security measures should I focus on more? How needed are things such as PaX memory protection, and the general use of hardened-sources/selinux/grsecurity? Again, the focus will be more on anonymity ("offensive" security) than "defensive" security (although I won't ignore defense mechanisms either). One other question, if I am in college, will p2p always be blocked (in that case, I could try to do things through nonstandard ports)?
Last edited by jason99x on Sun Oct 16, 2005 10:56 pm; edited 2 times in total
jason99x (n00b), Joined: 16 Oct 2005, Posts: 5
Posted: Sun Oct 16, 2005 9:04 pm
Oh wait, one other thing... I am currently wireless with WEP (I know WPA is safer, but in college my connection will be wired). I don't know how much this will make a difference in advice right now, but I thought I would let you know.
Also, an iptables question: since I am (and will be) behind a router, will setting iptables to block all except the router address (i.e. 192.168.1.1) let in all web sites because it goes through the router (because iptables will be implemented ON MY WORKSTATION NODE), or does it really block websites like it says it would?
Triptol (Tux's lil' helper), Joined: 21 Feb 2004, Posts: 107
Posted: Sun Oct 16, 2005 9:52 pm, Post subject: Read a book
Now I know this is some very ugly answer, but you should read a book on network security... There are some nice O'Reilly pieces around, pick one.
Now back to your question of being anonymous. This is a hard one, based on the way IP works, you must always leave your IP, so the other part can send an answer back to you. The other server would never know where to send its answer, unless it would know who you are and where you are (your IP). There goes your desire.
So if you want to be anonymous you would very much need to use other servers that would post your request for you and send the answer back to you (proxies). So for the answering server it seems that the request has come from the 3rd party. Only the 3rd party will know that you are the real one in need of the packages and send them back to you. You might want to look into a package called 'tor' since this will do that for you. Have a look here to see what it can do for you. You can install it by emerging tor.
Be aware there is some work to do before it will work the way you want.
Now on another note. You tend to not run any servers... That will be very hard with any modern OS. Windows by default will enable file and print serving. Linux will have a lot of services open as well. I think the rules of your college will forbid you to run any public servers. So you are not allowed to let others connect to your pc. I would definitely keep an ssh port open. This is a secure protocol and as long as you don't go around giving accounts to everyone, you are not running a public service. It is encrypted as well, so no-one can see what you are doing remotely.
Last but not least. Read about iptables. Sorry to repeat myself. Iptables is a very powerful tool and based on your question, I think there is some reading to do. A normal 'good' (let the flame wars begin here) configuration for a box like yours is to have it block all incoming traffic (except for ssh maybe) while allowing all outgoing traffic, so you are not interrupted. Now you might want to block some outgoing ports as well; as a basic rule of thumb it is good to block anything that you don't strictly need. However, there is something called usability as well.
If you will block everything except your router, you will only be able to get information coming directly from your router. This means you will only get information from 192.168.1.1. If your router does NAT this might work. However if your router really only routes you will block yourself from the internet.
Have a look at the network howto, the routing / bridging howto and for security info I would recommend Mike Bauer's Building Secure Linux Servers (O'Reilly).
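The workstation policy described in the two posts above (drop everything inbound, keep ssh reachable if wanted, allow all outbound, and match replies by connection state rather than by the router's address, which is why "block all except 192.168.1.1" breaks web access behind NAT), as an added example that is not from the thread or from Gentoo. It assumes ssh on TCP/22 and an interface behind a NAT router; the rules are emitted in iptables-restore format so they can be reviewed, and are only applied when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread). Emits a workstation ruleset:
#   INPUT  policy DROP, with exceptions for loopback, replies to
#          connections we opened, and (optionally) ssh
#   OUTPUT policy ACCEPT, so browsing, p2p and tor are not interrupted
# Assumptions: ssh listens on TCP/22; the box sits behind a NAT router,
# so replies from Internet hosts arrive with their real source address
# and must be matched by conntrack state, not by the router's 192.168.1.1.

workstation_rules() {
    allow_ssh="${1:-yes}"   # pass "no" to keep ssh closed as well
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always needed by local programs
-A INPUT -i lo -j ACCEPT
# replies to connections this workstation opened (web, p2p, tor, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new TCP connections must start with SYN; anything else is noise or scans
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
    if [ "$allow_ssh" = "yes" ]; then
        echo "# the one service kept reachable: ssh (TCP/22)"
        echo "-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    fi
    cat <<EOF
# everything else inbound is silently dropped by the INPUT policy
COMMIT
EOF
}

# Print the ruleset for review; apply it only when explicitly asked as root.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    workstation_rules "${ALLOW_SSH:-yes}" | iptables-restore
else
    workstation_rules "${ALLOW_SSH:-yes}"
fi
```

Run it as `sh firewall.sh` to inspect the output, then `APPLY=1 sh firewall.sh` as root (or `ALLOW_SSH=no` to close ssh too).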
jason99x (n00b), Joined: 16 Oct 2005, Posts: 5
Posted: Sun Oct 16, 2005 10:00 pm
Thank you for your answer. With iptables I did plan on blocking all incoming traffic, unless that makes things such as p2p non-functional (but don't worry, I don't intend to be a major warez whore anyway). The big thing also is to make sure the university admins aren't spying on me, so I would need some anonymity for both the world outside the university router and from inside the router. This does seem real difficult indeed. I think the other reason the university won't allow servers running is the physical limitation of the 192.*.*.* ip subdivision thingy that only one node can run a server for a given port (like I could technically be the only computer that ssh requests get forwarded to).
Triptol (Tux's lil' helper), Joined: 21 Feb 2004, Posts: 107
Posted: Sun Oct 16, 2005 10:12 pm, Post subject: Blocking
For p2p you normally need ports forwarded to you. If you just get an IP in a non-routable range (192.168.x.x) that will be hard to get. Most p2p will still work, but even slower than normal. Who needs warez when he's got linux? (Almost) everything is GPL anyway.
Basically, if you don't get an encrypted connection to the other server outside (like ssh, or HTTPS) the university admins can see everything you do. Chat protocols by default are also non-encrypted, so they are readable as well. Only encryption will help you here. This means that your friends need to be encrypted as well! Gaim does support some encryption (haven't played with it) and so does AOL OOTB.
If you have an open SSH port, it means that you can at least use your machine from all other machines within the same sub-domain (192.168.x.x). This might be practical. But it also might be illegal, in which case I would recommend you not to do it.
jason99x (n00b), Joined: 16 Oct 2005, Posts: 5
Posted: Sun Oct 16, 2005 10:59 pm
I just read about httptunnel. I suppose I could use this to get around some of the likely restrictions on p2p.
Triptol (Tux's lil' helper), Joined: 21 Feb 2004, Posts: 107
Posted: Mon Oct 17, 2005 4:19 am, Post subject: httptunnel
Hmmm. Last time I tried it, it wasn't easy to set up and a bit unstable.
It is more used for the following: you are behind a proxy that blocks all your access to the internet except for http. Now you need more access than you get through the proxy (for instance, the proxy filters websites and you need to see them, or you need to have ssh, or ...).
In this case you set up httptunnel on a box outside of your proxy, somewhere on the internet. You then use httptunnel to log on to that box and from there on you can further forward your requests. So for your local proxy server it seems like you are webserving your remote box (all requests look like http requests, hence httptunnel). You could actually be ssh-ing into another box somewhere on the net, but it would still look like an http request to your remote box.
This does not encrypt your traffic to, let's say, google.com. To be anonymous for your college admins, you could set up the following. Have a box that is connected to the internet somewhere else (at home, at an isp, ...). Use ssh to login to that box and make sure it does portforwarding, for instance forward port 8080 to 80. Now let your browser use your localhost:8080 as a proxy. In this case everything your browser does will go encrypted over your college network to your home. There it will be decrypted and sent to the target website. Your college admins will not be able to see what you do.