securing trisquel

15 Antworten [Letzter Beitrag]
cmhobbs
Offline
Beigetreten: 06/24/2013

What are some good packages to help me lock down my Trisquel netbook? I've been using open wireless networks a lot lately in cafes and at work and I want to make sure I'm keeping ports closed and general access to my machine restricted.

Thanks!

lembas
Offline
Beigetreten: 05/13/2010

The only server there is by default is the ssh server. If you don't use it, remove it.

ssdclickofdeath
Offline
Beigetreten: 05/18/2013

How do I disable/remove the ssh server? I'd prefer to disable it.

ZykoticK9
Offline
Beigetreten: 04/07/2011

in /etc/init rename ssh.conf to ssh.conf.disabled or something

ssdclickofdeath
Offline
Beigetreten: 05/18/2013

After restarting my computer, why do I still see a process called ssh-agent running?

ZykoticK9
Offline
Beigetreten: 04/07/2011

ssh-agent is some client side thing. TBO, i really don't know what it does...

ZykoticK9
Offline
Beigetreten: 04/07/2011

wikipedia tells me, it's for securely storing SSH passwords.

GNUser
Offline
Beigetreten: 07/17/2013

That is actually a very good question that I have been wondering. With the wireless system inside a computer being like an invisible bridge to connect other systems, it might not be totally paranoid to think that a hardware hack could attack a computer through that. I am not talking about "service X running and listening to data coming from other PC". I mean like "sending certain signals that would make the hardware itself react in certain ways, enabling certain spying activity". But for that the only solution would be open-source hardware with a thorough security audit.
Or maybe the NSA guys know :P

Anyway, for now, the best is to have ufw configured to deny all incoming connections. Disable remote access and maybe install DenyHosts. No more ideas :S

ZykoticK9
Offline
Beigetreten: 04/07/2011

regarding your wireless, theory... watch "30c3-5713-en-de-To_Protect_And_Infect_Part_2_webm.webm" the NSA is already doing it... it's not paranoia when it's happening.

GNUser
Offline
Beigetreten: 07/17/2013

Actually, the biggest danger when using a public wifi, is the fact that anyone can watch what your doing. I have once tried a smartphone app that simply connected to the wifi, and was able to get access to emails and facebook accounts. I deleted everything don't worry ;)
But it was a matter of showing to a friend of mine the dangers of not being safe online... and it worked. Now he runs Tor :)

Download and use the Tor Browser Bundle and you will have all your web browsing being encrypted locally.
If you don't want to use Tor or can't (google accounts and such) you can just install HTTPS everywhere and it will protect you to the best extent possible. If you really want to be paranoid I think there is a addon for firefox that allows ONLY https connections.

ZykoticK9
Offline
Beigetreten: 04/07/2011

ahhh, i don't think Tor encrypts anything... that's why they suggest using SSL everywhere. Tor is for anonymity when browsing, NOT encryption.

GNUser
Offline
Beigetreten: 07/17/2013

You are wrong, I'm afraid.
Tor encrypts everything before sending it to the Tor Network. So, anyone spying on YOUR side of the connection will not see anything except that you are speaking to the Tor network. 3 layers of encryption are applied. Each node (guardian, middle relay, and exit relay) removes one layer of encryption. The exit node has access to the raw data you sent. If you are using non-SSL connections, they can read everything you write and read. If you use SSL/TLS, the exit node can only see SOME things. If you are using a hidden service, there is no "exit relay", and thus the connection is end to end encrypted (similar to SSL/TLS). However, it still is the same: your side of the connection is an encrypted connection to the Tor Network. Nothing else is readable. How do you think you have anonymity using Tor??

So, if you are in a public wifi, USE Tor!

You can check some youtube talks by Roger Dingledine, Jacob Appelbaum and Mike Perry to get an idea of how it all works in a more technical way.

ZykoticK9
Offline
Beigetreten: 04/07/2011

Yes. Sorry, you're right.

cmhobbs
Offline
Beigetreten: 06/24/2013

Is there a good way to get all of my network services talking to Tor like I can with Orbot on my Replicant device? I suppose that's a question for another thread...

G4JC
Offline
Beigetreten: 03/11/2012

Regarding original post, firewall is the least of the concern here.

* All public hotspots are hackable.
* HTTPS doesn't help much thanks to old implementations of SSL and SSLStrip.

You should:
1) Use a reputable VPN service to protect anyone from both gaining access to your computer as well as seeing your data as mentioned above.
Good list: https://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition/

* Parabola GNU/Linux community uses: LibreVPN - una red libre virtual (I have not tested it but it is free and supports free software so they may interest you as well)

2) Encrypt DNS. The last issue here is you can have a great VPN and experience DNS poisoning which will land you on a phishing site to someone else on the hotspot. You'll want to use: http://dnscrypt.org/

3) Tor as mentioned above can help... however using it alone does not help you and in some cases if not used properly can actually make you more vulnerable than not. (Evil exit nodes)
https://www.brainonfire.net/blog/tor-best-practices-anonymous-browsing/

GNUser
Offline
Beigetreten: 07/17/2013

Why do I have the feeling (looking at LibreVPN webpage) that it is a rip-off of Tor and I2P? :S