Czy taki config będzie wystarczająco bezpieczny? - Wersja do druku

+- Kryptoanarchizm (
+-- Dział: Kryptoanarchizm (/forumdisplay.php?fid=14)
+--- Dział: Anonimowość i prywatność w sieci (/forumdisplay.php?fid=21)
+--- Wątek: Czy taki config będzie wystarczająco bezpieczny? (/showthread.php?tid=3977)

Czy taki config będzie wystarczająco bezpieczny? - p1r3k - 03.09.2018 2:37

Pozwoliłem sobie skopiować z anѕwеrstedhсtbek.оnіon:

opal hart napisał(a):>setup mac spoofing
if you're using your home network, don't bother. for public networks, the archlinux wiki provides a nice guide for mac spoofing using iproute2 (which should be available on all distros)

>disable non-tor traffic in firewall settings
that doesn't tell you about transparent tor proxying, which i use on my torified server for hidden answers

>use Gentoo Hardened
this entirely depends on your familiarity and willingness to use gentoo. you can easily harden any distro, and in fact, alpine linux has a few hardening measures of its own built in (compile-time options like PIE and NX memory). if you want to go all-out, you can create a kernel stub for use with UEFI, sign it, and use secure boot to verify that you are booting from the right kernel. additionally you can make sure that kernel modules are signed as well or built in to the kernel

>optionally use obfs4proxy
this is only useful if you are using an ISP that is hostile toward tor users; chances are this isnt the case with you. it provides literally no other benefit

>use full disk encryption with aes-xts-plain64 cryptsetup
should be fine

>do stream isolation
i think this is a tor default?

>do sandboxing
you really have to consider cost-to-benefit ratio with this; it's very possible to sandbox incorrectly and end up with a more insecure system than you started with. my advice would be to have a login user with no network connectivity (not even through tor), chmod 750 ~ to protect your home dir from other users, and then groupadd net and create new users (e.g. firefox and xmpp if you use those programs) that are in the net group and have no filesystem access

>set proxy for Gentoo-specific and regular applications
if you set up tor's TransPort you don't even need to bother with this. just keep in mind the above advice for allowing certain applications to use the internet. this prevents stuff from accidentally/purposefully making connections that you don't want

>always use Tor Browser
no opinion on this

>set DNS to
this assumes you use TransPort. if you want to use the SocksPort and manually proxy applications, you should make an iptables rule such as -I OUTPUT -j REJECT -p udp (all your OUTPUT rules should be REJECT and not DROP so you don't experience "hanging" applications)

>optionally use OpenRC instead of systemd
openrc is easier to use in my experience and overall better coded than systemd, so i agree

>avoid proprietary programs
if you're like me and need to run proprietary programs (or even FOSS but untrusted programs) then use partial or full sandboxing to run them – a separate user for each program to do its own thing should be enough, and you shouldn't have to run anything as root

>set overwriting RAM with random data at shutdowning system
good idea, i need to start doing this but i rarely shut down my pc. TAILS' website has a good resource about this

>place swap partition on encrypted LUKS container
it's better to avoid swap if you don't use it. if you never hibernate your pc and you have enough RAM for normal use, just disable it

>optionally encrypt boot partition
what will that do? you wont be able to boot your pc if the boot partition is encrypted. use secure boot to verify your kernel is legitimate, but don't encrypt it

>use libreboot if possible
if you want to go that far, sure, but coreboot should be enough if your hardware doesn't support it. coreboot seems to have its own "secure boot" mechanism called VBOOT2 if you do end up using it instead of stock UEFI firmware, so look into that if you want a signed kernel stub. i'm not entirely sure how it works and i'm more familiar with UEFI security (although it probably isn't the best to rely on since UEFI firmware is often unauditable)

Może komuś się przyda Tongue

RE: Czy taki config będzie wystarczająco bezpieczny? - kompowiec2 - 01.11.2018 20:39

1. DNS można ustawić na phiole w celu ochrone przed sledzacymi reklamami
2. Hibernacja załatwia sprawe nadpisania RAM. Po prostu przenosi je na dysk.