Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'd like to know how to set up a Linux laptop exclusively for use on an unsafe network (like free WiFi at fast-food joints or public libraries).
Like if a poor person doesn't have internet service at home. Or you live where internet service is sketchy. But you have to do important online tasks, like accessing Social Security and Medicare services.
Last edited by Alfred-Augustus; 12-30-2022 at 10:48 PM.
Another option might be to use a distro that loads to ram, such as Fatdog64, no need to even have a disk in the laptop if running it from a pendrive, & once up & running, just remove the pendrive, therefore giving a hacker nowhere to mess with.
There is also Tails, which now has improved, optional persistent storage. It fits nicely on a thumb drive.
A typical home network is connected to the internet via a firewall (usually NAT), devices inside the firewall are considered safe (not quite true, actually, many IoT devices... but let's not digress) - and this is considered safe. The only thing you need to get the same level of security on the public network is a properly configured personal firewall such as ufw if you are on Ubuntu. The advice given above, while perfectly valid, targets levels of security well above that of your home network and is, frankly speaking, bordering on paranoid. Sorry, but this is true.
Let's say you are in a public space and you trust no one...
Disable all services that listen on both TCP/UDP.
If via wireless, then use wpa_supplicant to connect, but there is nothing wrong with Network Manager either.
Once on the network, use a VPN to tunnel everything.
I would hazard that one should use the same security practices on every network; in other words, every network should be viewed as potentially insecure: block all incoming ports (I do make an exception to that on non-portable machines on my home network so I can use ssh locally), open only the outgoing ports that you need (email, www, etc.), install fail2ban, run an AV, etc.
Also, on my home network, I block all incoming ports on my router unless I have a positive need for them (which, at this point, I do not).
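A way to check the advice in the two replies above (no services listening, incoming ports blocked) before joining a public network, as an added example that is not part of any poster's reply: it filters `ss -H -tuln` output (iproute2) down to sockets that are not bound to loopback. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP/UDP sockets that other hosts on the same
# Wi-Fi could reach, i.e. listeners not bound to a loopback address.
# Input format: `ss -H -tuln` (no header, numeric, listening TCP + UDP).

exposed_listeners() {
    awk '
    {
        la = $5                        # "Local Address:Port" column
        n = match(la, /:[^:]*$/)       # position of the last colon
        addr = substr(la, 1, n - 1)
        port = substr(la, n + 1)
        sub(/%[^]]*/, "", addr)        # drop interface scope, e.g. %lo
        # 127.0.0.0/8 and ::1 are only reachable from this machine
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $1, addr, port
    }'
}

# Constructed sample of `ss -H -tuln` output (not from a real host).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
EOF
}

# Runs offline on the sample; on a real laptop use:
#   ss -H -tuln | exposed_listeners
sample_ss_output | exposed_listeners
```

Each line it prints (protocol, address, port) is a service to disable or to cover with a default-deny incoming firewall policy; an empty result means nothing is listening beyond loopback.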
VPN is the easy solution for public wifi. It also gets you around the restrictions; some won't let you access certain sites. I use public wifi a lot, and I've seen this happen with torrents, youtube, and google play for example, so now just use openvpn all the time.
I guess if you don't want to buy vpn, tor might be useful?
It is not recommended to set up a laptop for unsafe networks, as it can put your device and personal information at risk. However, if you must use a laptop on an unsafe network, there are a few precautions you can take:
Use a VPN (Virtual Private Network) to encrypt your internet connection and protect your data from being intercepted.
Keep your operating system and software up to date to ensure that any security vulnerabilities are patched.
Use a firewall to block incoming connections and limit the attack surface of your device.
Use anti-virus software to protect against malware and other malicious software.
Be cautious when connecting to unknown networks or networks that do not have proper security measures in place.
Use a strong and unique password for your device and avoid using public Wi-Fi networks for sensitive tasks such as online banking or shopping.
It's also worth noting that even with all these precautions, there is no guarantee that your device will be completely safe on an unsafe network. It is always best to avoid connecting to such networks whenever possible.
This is the one situation I might suggest a Tor based system - if you assume everything is hostile then Tor would make sense to me. I don't know how well Tor would work in China (as an example of a technical nation with censorship) but something like Tails, if you can verify the source, should be good.
dugan: I tend to agree but how do we know whether the certificates used by websites are not shared by a state?
It might be worth noting the difference between what I'll call "private VPN" and "public VPN."
"Private VPN" is the case where you're using a company-issued laptop to securely connect to your company's internal network – just as though you were really there. If set up correctly, your laptop is using an individually-issued-to-you secure cryptographic certificate (not a mere "PSK=password") to secure communications to a known, company-provided, cryptographically-identified endpoint. Although to you it's as simple as "click on an icon at the top of the screen, and the company's network now appears to be 'local,'" the communications are secure and can never be intercepted start-to-finish. If the laptop is stolen, its access can be individually killed.
"Public VPN," on the other hand, merely uses VPN to connect to a public subscription service which will then dump your traffic, now unencrypted, onto the public internet for final delivery. This is a great way to protect against "eavesdroppers in your coffee shop." It might get you past a few content restrictions. But it does not, "stem to stern," protect the traffic nor guard against a "man in the middle," because the cryptographic tunnel does not extend all the way to your final destination.
P.S.: "TOR = The Onion Router" has a different purpose. Its aim is to conceal the fact that two parties are communicating at all. (For example, "two spies.") The owner of the network is presumed to be hostile, and would act to disrupt the communication channel if he knew that it existed. It goes without saying that the traffic being passed is encrypted.
Last edited by sundialsvcs; 02-12-2023 at 09:59 PM.