Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I live in a college dormitory, and I don't particularly trust all the users on the school's network.
I'm wondering if I can set up an *nix computer with whatever security tools are necessary in order to secure the connections between my own PCs and the school's router to protect myself.
I guess there is really no way to encrypt incoming internet traffic that comes in from the school's router to my firewall then my computers, since anyone can sit there on the router's connection and peek at everything that comes rolling in, but I'd like to at least encrypt all of my outbound traffic by sending it to my firewall computer first, then having my firewall computer ship out all the traffic encrypted so nobody can sniff the information (I'm not sure what's stopping them from decrypting all of it, but hopefully whatever encryption method is available to put on my firewall will take a user lots of processing power and lots of time to crack). If there's a better solution for this, please let me know.
Also I hope that it is a given that if anyone tries to target my connection through the router, they'll just hit the firewall and not be able to bypass it into my personal computers. If this isn't true, please notify me of this as well.
As my knowledge on networking is less than par, I'm hoping the people on this Linux forum might be able to be of assistance. Thanks in advance.
Thing is, there isn't really any "connection" between your computer and your school's router (or anyone else's, for that matter). Packets are just getting forwarded, so tunneling would need to be explicitly enabled on your college's router, which you have no control over. This is why the scenario in your drawing wouldn't work. You can't have encrypted traffic all the way up to a router you have no control over and then have the traffic be decrypted by that router when it goes out the other side. I think your best option is VPN. Is it possible for you to VPN to a remote location (such as your parents' home)? If so, all the traffic between you and your parents' home would be encrypted, securing it from snoopers at your college.
Quote:
I'm not sure what's stopping them from decrypting all of it
Nope, if I had access to a private connection elsewhere, I would use it...I've been thinking about getting my own internet here at school, but I really want to save money which is the only reason preventing me from getting my own connection. Otherwise I would connect to the internet I have at home, but unfortunately there is no internet back home because I spend 10/12 months at school, and my parents don't use computers.
What other options do I have at my disposal? I wouldn't mind setting up a firewall even if it takes some work, since I can buy a cheap computer for like $20 and use that since it won't need any graphics or anything CPU/memory stressful (I think?).
Oh, the firewall method won't work...
Well, if I can't prevent them from spying on what I'm doing on the internet, can I at least stop them from gaining access to my computers? I've heard about people within the same network breaking into other computers in the network just because they're all on the same router/connection.
Last edited by SentralOrigin; 03-07-2009 at 10:05 AM.
There's always the option of using Tor, though, but this isn't exactly what it's designed for and could cause you more problems than it would fix. That said, it would indeed encrypt all the traffic between you and the exit node, so it would certainly stop college snoopers if used properly. I would, however, strongly suggest you make sure you have a solid understanding of how Tor works (especially the dangers) before deploying it, should you choose to do so.
Quote:
Well, if I can't prevent them from spying on what I'm doing on the internet, can I at least stop them from gaining access to my computers? I've heard about people within the same network breaking into other computers in the network just because they're all on the same router/connection.
A stateful packet filter will provide you with the first layer of defense in this case. It's what you would get by installing one of those off-the-shelf dedicated router/firewalls, except you could also do it with software on your machine by means of Netfilter/iptables. Keep in mind this doesn't make you anything close to invulnerable, but it's a step in the right direction.
I've actually used Tor before, but I stopped mainly because it was so, so slow. Like, sometimes it would connect to a server in Germany, and it would take about 3-5 minutes to load Google. Then I have to click "Google in English" because the Google homepage is in German, and it takes another couple minutes to load the English version of the website. Not to mention websites with actual content that take really long to load (like video sites, for example).
I read about that thing where someone compromised a Tor exit node and was able to read government e-mails sent with Tor. I asked Tor about it, and they said Tor was generally safe and explained the whole technical aspects of it, which I didn't understand. This was sometime around last year, so I don't know what's changed since then. I wouldn't want someone like that waiting to access my bank account information while I'm running through it with Tor.
If I have a spare Linksys router that I have saved from when I used to have internet back home, can I use that as protection for an alternative to a stateful packet filter or netfilter/iptables?
If I do decide to use a stateful packet filter and/or netfilter/iptables, what other measures would I have to take in order to be more secure? I don't have many services, so I think I'm generally safe in that department, but can never be too sure. What else is there?
Last edited by SentralOrigin; 03-07-2009 at 10:22 AM.
Yeah, Tor will be much slower than your normal Internet connection - nothing you can do about that except limit yourself to using Tor only for certain things when necessary. There was indeed a bad incident in which a ton of government passwords were sniffed by a Tor exit node. Keep in mind the problem here wasn't an exit node getting compromised, it was the government employees not understanding how Tor works. Tor provides anonymity only - not security. You need to assume every single exit node is compromised, otherwise you're asking for trouble. Passwords are sniffed via Tor every single day. This is why it's important that you never transmit login credentials via Tor unless you are using HTTPS (or some other means of encryption).
Yes, a Linksys router will be just fine (assuming it does stateful packet filtering, which most do).
A Linksys NAT router would block unused ports. This doesn't add privacy but would help against an attack on your computer from other students at school.
If you have more than one computer, without a firewall, the ports used for filesharing for example, would be exposed unless you use separate interfaces for internal vs external traffic and use your computer's firewall to block incoming requests on the external interfaces.
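Added example, not part of any poster's reply: a stateful, default-deny inbound ruleset of the kind the replies above describe (Netfilter/iptables on the machine itself, with new inbound connections accepted only on an internal interface and blocked on the external one). The interface names `eth0`/`eth1`, the file name `fw.sh` and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset:
# default-deny inbound, stateful return traffic, optional trusted interface.
# Interface names and the log prefix are assumptions; check `ip link`.

valid_if() {
    # Plain interface names only, so an argument cannot carry extra rule text.
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

build_ruleset() {
    ext_if=$1
    int_if=${2:-}
    valid_if "$ext_if" || { echo "bad external interface" >&2; return 1; }
    if [ -n "$int_if" ] && ! valid_if "$int_if"; then
        echo "bad internal interface" >&2; return 1
    fi
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # anything not matched below is dropped
    echo ':FORWARD DROP [0:0]'    # this host does not route for others
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Replies to connections this host opened: the "stateful" part.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [ -n "$int_if" ]; then
        # New connections (file sharing etc.) only from the private side.
        echo "-A INPUT -i $int_if -j ACCEPT"
    fi
    # Rate-limited record of unsolicited traffic before the policy drops it.
    echo "-A INPUT -i $ext_if -m limit --limit 6/minute -j LOG --log-prefix \"dorm-drop: \""
    echo 'COMMIT'
}

# Validate as root with:  sh fw.sh eth0 | iptables-restore --test
build_ruleset "${1:-eth0}" "${2:-}"
```

Run `iptables-restore` without `--test` to load the rules; they filter what reaches the machine and do nothing for the privacy of traffic crossing the school's network.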
All in all...do you think that it's just best if I get my own internet connection here?
Not really. I would say you'd be better off getting a VPS which you could VPN to. I don't know about you but I hate contracts and I will avoid them whenever possible. Additionally, if you get your own Internet connection you are still vulnerable to being snooped on by your college mates, since they will likely have physical access to the wires. Although I won't deny that the probabilities of snooping that way are significantly lower than if you are on the same network.
Quote:
If a website does not support an https connection, there's no other way to encrypt the login information, right?
Right. If the server doesn't support encryption, then the best you can do is encrypt up to a certain point. For example, the connection between you and the VPN would be encrypted, but the connection between the VPN and the non-HTTPS server would be in the clear.
Well, if I can't prevent them from spying on what I'm doing on the internet, can I at least stop them from gaining access to my computers? I've heard about people within the same network breaking into other computers in the network just because they're all on the same router/connection.
Why not just set up a software firewall, i.e. iptables? (as win32sux suggests at one point) That would prevent most hacking attempts. The other thing to do is turn off any services you don't use, and make sure some ports remain closed unless you have a reason for them (for example disable any remote connection possibility).
As for the privacy issue, that's a bit more complicated. Sure, Tor is an option, but I hate it, it's so damn slow. And really nothing I do ever really warrants this much hassle for a bit of privacy.
Now the question comes up, what do you want to do? But, you don't have to answer, just know that if it's something not good, don't do it. Schools are very strict about these kinds of things, just get your own connection.
Quote:
I'm not sure what's stopping them from decrypting all of it
Quote:
Originally Posted by win32sux
Mainly, mathematics.
lol, that was good (but I would have said statistics, randomness, etc.)
Last edited by H_TeXMeX_H; 03-07-2009 at 03:50 PM.
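Added example, not part of the post above: a way to see which services the advice about turning off unused services and keeping ports closed applies to, by listing listeners that are not bound to loopback. It assumes `ss` from iproute2 is available; the sample socket table is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lists sockets reachable from the LAN,
# i.e. listeners not bound to loopback. Input is `ss -H -tuln` output
# (iproute2); the sample below is constructed for illustration.

sample_ss() {
    cat <<'EOF'
udp UNCONN 0 0      0.0.0.0:68    0.0.0.0:*
tcp LISTEN 0 128    0.0.0.0:22    0.0.0.0:*
tcp LISTEN 0 128  127.0.0.1:631   0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 50           *:445         *:*
tcp LISTEN 0 128       [::]:22       [::]:*
tcp LISTEN 0 128      [::1]:631      [::]:*
EOF
}

exposed_listeners() {
    # Field 5 is "local-address:port"; the port follows the last colon.
    awk '{
        addr = $5; port = $5
        sub(/:[^:]*$/, "", addr)
        sub(/^.*:/, "", port)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
        print $1, port, addr
    }'
}

# Live use: ss -H -tuln | exposed_listeners
sample_ss | exposed_listeners
```

Each line printed is a service other hosts on the same network can reach unless a packet filter blocks it, so it is either needed and kept, disabled, or covered by a firewall rule.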