|
How do you make your GNU/Linux system very secure?
Like for example, the NSA, government or some organisation will find it harder to spy on you indirectly?
|
Don't connect to the Internet. Be prepared to explain why.
|
I think you should look at it from a different POV. Don't set these organizations as your adversaries, because you likely to just fall into the traps they place. Instead, focus on hardening your system to reasonable and maintainable level, and making good decisions. There are plenty of threads on here and the internet about hardening your system.
Here's a list of basic things that everyone should have: see: http://docs.slackware.com/howtos:sec...basic_security 1) Firewall, configured properly. There are plenty of GUI programs to configure them. 2) Trim down the number of services you have running with open external ports. Every one of them could have a bug and could lead to system compromise. 3) Run rkhunter and maybe clamav regularly to detect malware. 4) Choose strong passwords for important things like your system and online credit card access. 5) Stay up-to-date with security fixes for your distro, and sometimes take action yourself by updating programs that the distro maintainer refuses to. As for others spying on you, I would recommend the following: 1) Get a router that can run dd-wrt or openwrt. Many routers have backdoors and can lead to local network compromise, where monitoring is extremely easy. You could also just use an older computer as a router, but you probably need some more ethernet cards. 2) Make sure that your browser controls javascript very strictly (NoScript). It is very easy to track you with javascript enabled and new methods appear all the time. Enable javascript ONLY for sites that absolutely require it and only just enough to let the site function. This can be tedious, but with time you will be able to configure NoScript properly. 3) Make sure you disable ads in your browser (Adblock, I recommend Edge over Plus). Many ad sites do track you by simply loading the ads (and so they can give you targeted ads), and I hate ads, so both of these should be enough to make you want to remove them. If you know of safe ad sites, you can add them to the whitelist. Some hints: 1) Don't believe things just because they're in the news. Research them first, and understand them. Just because a project exists with a certain declared purpose doesn't mean that this is its actual purpose or that it will help you in any way rather than harm you. (Ok, yes, I'm talking about Tor here) 2) Act as if you are being watched all the time, but know that you are probably not. They just don't have the resources. Take a look into NSA history and you'll see their computers tend to be overloaded. They're not gonna waste time going after you if you don't arouse suspicion (using Tor will definitely arouse suspicion). |
I'd agree with everything except the bit about "strong passwords." :)
Seriously: if you need to provide ssh, or VPN, then you should not be relying on (or permitting ...) "passwords" at all. (In VPN-land, they call these "PSK = Pre-Shared Keys," and they are just as evil.) No, you should be issuing a unique badge to everyone, in the form of a digital certificate, issued by your own organizational certificate-authority as need be, this unique certificate then being password-protected (enciphered ...) using a strong password. Verdict: you cannot get in without possession of a valid key. (A "badge.") After all, every time I went into Apple's front door, I had to "swipe my badge." No one ever looked at me sternly and demanded that I "say the magic word." In some very-secure areas you have to swipe your badge and enter a numeric sequence on a keypad ... a sequence that, like your badge, is unique to you, and is known only to you, and only works when your badge is swiped. Then, when I'm not working with Apple, I know that my badge (even though I still possess it) won't let me in anywhere. (And yet, next time, they don't have to issue me a new one.) (Key gets lost or stolen? Quick phone call, and presto ... it, alone is stone-dead.) That's "security-management 101," and that's what you must (also) do. Note that when I say, "organizational certificate-authority," I am speaking of a group within your organization (it could of course be "you") which issued (and then, profoundly protects) a "self-signed" root certificate and then uses it to sign other certificates ... and which has arranged for various other computers to trust, or to trust only, certificates having this signature. In this context, you do not (and should not ...) engage the services of any "signatories for-hire." This CA is, simply, "your company security-department." The one that issues the only badges that will ever work at your company. |
security is a process and a "life style"
you mention the NSA so use RHEL or CentOS and keep SE set to ENFORCING and targeted use FULL disk encryption use tor ( ?????? read the recent security news from conferences ) or BUILD the source for freenet ( yes a source build -read the "frost" message board on WHY!!!!) then well ...... fallow the "best practices" of security experts however doing just the NORMAL everyday things is your best option going "the tinfoil hat" route is MADNESS |
Dunno ... if NSA and those guys actually cared about what was on your drive, they could hold a gun to your head and I'll bet that those passwords would be theirs in a matter of seconds. :)
Anyway, they're WE'RE not the WATCHING real YOU problem here. ;) A lot of what you're got to do is simply to make your system a non-trivial "opportunity." Not the easiest house on the block to hit. (For example, the windows are shut and the door is actually locked. The porch light blinks on as you walk up the drive.) Most intrusions are crimes of opportunity. So, the first and perhaps the single most-important factor is to eliminate easy opportunity. If a thief has a million IP-addresses to troll through, looking for sitting-ducks, and he or his script discovers that your duck is awake and even snapping back at him, he's going to move on to the next house. ("Why bother?") I routinely set up my systems with a tiny little clever-proxy on the SSH port. (I rolled my own.) This proxy always answers a request to offer a password with an invitation to do so, then throws it away. Only traffic that meets, ahem, "certain other requirements," is passed on to the real SSH server. If you actually want to get inside, you have to have your certificate, but this little proxy is there in the DMZ just to attract more flies. I've seen scripts throw hundreds-of-thousands of attempts at this proxy, because they are convinced, based on the responses that they see, that eventually there will be some password that will work. (Call it my own version of "shooting (back) at sitting ducks.") :p I've probably got a download of the entire words.txt library by now. |
Never buying a computer in the first place is the only way to keep your secrets safe.
|
Quote:
|
Quote:
downloaded rkhunter and updated my system. While it is NOT Slackware and it IS Debian, it still GNU/Linux system so it should work anyway and help a lot of users as well. Quote:
live, in the UK, I don't think it can run dd-wrt or openwrt anyway. Using an older computer as router seems like a good idea, heard of it but don't really know how it work, does it goes side by side with the other router or what? Quote:
Quote:
|
Quote:
|
Quote:
|
It's difficult to do, I admit, even for me, so you can just ignore that one if it is not possible. At least keep your router firmware up-to-date and hope they didn't put a backdoor in it.
|
| All times are GMT -5. The time now is 07:25 PM. |