Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
How much security is sensible?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
Noose
n00b
n00b


Joined: 22 Aug 2015
Posts: 4

PostPosted: Sat Aug 22, 2015 3:16 pm    Post subject: How much security is sensible? Reply with quote

Hi guys,

My experiences with Linux are few - I ran Crunchbang off an old server while my main machine was out of order, and I managed to install Arch on an old laptop. So as long as documentation exists, I can manage.

Now, I've got my hands on a Core 2 Duo notebook that I plan to use for work related stuff, as well as online banking. Basically I want to move anything that could be considered sensitive to there. Since I also want it to be fairly snappy, Gentoo with OpenRC seemed like the obvious choice. After chewing through a good bit of the Handbook, it looks like LVM encryption will be the easiest. I want to only have to put in my password once, and creating an initramfs has the added benefit of not requiring a separate /boot with ext2 on it.

The problem is - I don't really know what I'm going to need to run a safe Linux. Some swear by hardened kernels and others may just run a firewall and nothing else. If I'm going to use the notebook to access various WLANs, is it sufficient if I use encryption to protect my data in case of theft, and a firewall to protect my system while it's running? Assuming everything is properly configured and I cherry-pick those programs that access the internet in the first place?

Cheers.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43178
Location: 56N 3W

PostPosted: Sat Aug 22, 2015 3:36 pm    Post subject: Reply with quote

Noose,

Welcome to Gentoo.

In simple terms, it all depends on your level of paranoia how much security is enough.

More realistiacally, you need to exame your perceived threats, then take measures to guard aganst them.
The first measure is to not run services you don't need.

Public WiFi is insecure, think of it as wide open. Set up a VPN or tunnel everything ovel ssh if you need to use public WiFI.
Your own WiFi is not much better.

You may not need a firewall. If there are no listening services, what will it do?
You can set up a firewall to stop nasties phoning home if they do get in but most firewalls are set up by default to allow all outgoing traffic.

If you run sshd, use key based logins.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Hypnos
Advocate
Advocate


Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent

PostPosted: Sat Aug 22, 2015 5:06 pm    Post subject: Reply with quote

You're ahead of the game if you do the following:

1) Apply all security updates -- Gentoo makes this easy by marking GLSA's in Portage.

2) Don't run unnecessary services -- this is easy to do in Linux, and especially so in Gentoo since your building the OS yourself.

3) Protecting authentication tokens (e.g., passwords) is trickier. If you have a single user machine with no network servers running, a sufficiently complex password (no simple words, non-keyboard) is probably enough; if you need remote login capability, use key-based authentication with ssh as Neddy says. If you need to support multiple users or other services, there's a lot more that should be done ...

One amusing exercise is to run Wireshark on your home network -- you might be surprised by what you see.
_________________
Personal overlay | Simple backup scheme
Back to top
View user's profile Send private message
Noose
n00b
n00b


Joined: 22 Aug 2015
Posts: 4

PostPosted: Sat Aug 22, 2015 5:47 pm    Post subject: Reply with quote

Thanks guys.

It's a rather simple set-up, pretty much a 'consumer device' notebook. It's just going to connect to the internet, either through a home WLAN, friends' WLAN or occasionally a public one. So I'm thinking a free VPN might be the way to go, since that is fairly straightforward to set up. My other machine doesn't run Linux and neither do my employers - nowhere that I'd need access to, anyway - so I probably won't need ssh.

Wireshark eh? ...it's gonna make me paranoid, isn't it. Damn you. :lol:
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43178
Location: 56N 3W

PostPosted: Sat Aug 22, 2015 6:01 pm    Post subject: Reply with quote

Noose,

Just because you are paranoid does not mean that they are not out to get you.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 309

PostPosted: Sat Aug 22, 2015 7:54 pm    Post subject: Reply with quote

NeddySeagoon wrote:
More realistiacally, you need to exame your perceived threats, then take measures to guard aganst them.
+1

It is also worth thinking about your data and about what is more important to you:
a) preventing data being changed but remaining undetected by you
b) preventing someone else accessing your data
c) having your data available for you

Encryption will delay someone having access to your data (but don't assume that means never will be able to access), and once the password has been entered the data is available for you and others.

For banking I always use a separate user account, disable wifi, reboot the router and use a wired connection ... but you will need to decide what works for you ;)
Back to top
View user's profile Send private message
Roman_Gruber
Advocate
Advocate


Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria

PostPosted: Sat Aug 22, 2015 9:55 pm    Post subject: Reply with quote

well.

genkernel intiramfs => for getting luks and lvm (that will provide you with something that ask you to enter hte password and if correct it will boot up the box) assuing you have 512mb ext2 /boot partition for kernel and initramfs from genkernel with options. grub2 for booting ..

hardened is a bit overkill because => no more gaming afaik. skype and other junk will probably not work.

luks is nice, but remember that the hardware has its limitations. (too much to tell now).

basically luks is enough regarding the flaws of these days.

Next installation I will do a hardened box when gaming will work (I may be wrong, it may work now, but i doubt that the binary nvidia-driver will work wiht hardened..)

You may also know that bios are insecure and closed firmware.
keyloggers are available
the user is the biggest risk
hardware has its limitations ... data is recoverable from unencrypted areas like RAM.
and i am sure much more other jokes which may be known or not

and thats why I think luks with amd 64, ordinary profile is enough ...
Back to top
View user's profile Send private message
Noose
n00b
n00b


Joined: 22 Aug 2015
Posts: 4

PostPosted: Sun Aug 23, 2015 4:14 pm    Post subject: Reply with quote

I'll probably do a separate /boot after all. I'm just not seeing the advantage to encrypting that too, compared to the hassle of setting it up. As for hardware limitations.. I did a cryptsetup benchmark and found, to my surprise, that serpent-xts was the fastest on a C2D with about 170MB/s both ways, which should exceed the harddrive speed by a fair bit. I assume 'iterations' relates only to the benchmark and isn't any kind of performance indicator, right?

I know about BIOS issues and Intel microcode and all that, but at the end of the day we're only trying to get an operating system to run here, and I don't have the cash to shell out thrice the money for LibreBoot. Those guys might as well be living on the moon for how relevant they are these days.
Back to top
View user's profile Send private message
Buffoon
Veteran
Veteran


Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

PostPosted: Sun Aug 23, 2015 4:43 pm    Post subject: Reply with quote

Encrypting your filesystems does not help at all if there is an virus/trojan/net-attack. It helps only if your box is stolen, it prevents the thieves from accessing your data.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum