A Guide For The Slightly Paranoid User (v.0.4-beta) --------------------------------------------------- (C)opyleft Robert Fahy, November 2009, for the Anubis-Linux project Free to redistribute and modify and redistribute modified, under the following rules: * personal and/or non-profit use (i.e. don't make money out of it) * modified versions must be marked clearly as such (i.e. don't try to mess up my rep) * all registered trademarks, etc. are property of their respective owners (i.e. leave me alone if I dared mention your trademark) CONTENTS 0. SHORT INTRO 1. PROBLEMS 2. ENCRYPTION 3. FUN THINGS TO DO 4. INTERNET USAGE 0. SHORT INTRO Anubis-Linux has a proposed goal of teaching programming and supporting the development process, out of the box. It also contains a lot of tools for forensic and security-related work. Last but not least, it strives to give a decent level of security to its users. In this doc, it is the last point that we will be discussing. 1. PROBLEMS The main issue with AL is that it's based on the unstable Debian branch. Besides the general conflict between versions which sometimes results in small and non-fatal malfunctions, overall security has taken a backseat. Users of AL need to be extra careful because their OS is much more prone to attack, being unstable and insecure and all that. So basic axiom 1: (1) AL is meant for PERSONAL use only. ABSOLUTELY NO SERVER INSTALL. So what does "being careful" imply? Well simply put, that you be a good student and learn how things work. You have all the documentation you'll ever need. Basic axiom 2: (2) AL is not a true leisure operating system. Sure, it has some "non-free" plugins and stuff preinstalled, that allow you view videos, listen to MP3's, play Win games etc. But at its core, it's an OS designed for work and study. In the end: don't trust it too much and keep control. Even the CSFP tools I've myself written VERY probably contain security holes. I'll build new versions as soon as I'm done reading the SecuProgrHOWTO. ;) 2. ENCRYPTION AL can encrypt your data. Not from the installer, but that doesn't matter much. Firstly, because there's little reason for you to ever encrypt the root filesystem, where non-critical data should be stored. Unless you have something to hide and you must keep the logs in /var safe from unautho-access, you can leave the root FS unencrypted. Secondly, you could only use semi-powerful passwords. More about this later. Also, if you have 1 GB RAM or more, don't create a swap partition, it is an utter waste of space. So all this talk and we didn't even clarify what hard drive encryption is. Basically HDE is a way to encrypt your data "on-the-fly". No longer will you have to manually create encrypted, passworded archives. How does it work? Well it'll be transparent to you as a user. An encrypted drive will show up and work just like a regular one. But the data is written in such a manner that it's not possible to read unless you have the password. A "middle" device is used, called mapper. The mapper encrypts the data as it's written and decrypts the data as it's read. Here's how you create an encrypted filesystem (in this example, it's hda1). The partition must be unmounted before we proceed. Also, all data will be lost. We must be root (login with "su"). A program called cryptsetup will be used for creating, initializing or stopping our "encrypted device." It can take the password from standard input. Which is great news because we can use very powerful passwords because of this. We can use csfp-paranoid. Let's run csfp-paranoid just to see what it can do (two examples): # echo "create a password" | csfp-paranoid 20 s5vXFo2)T!gJ(KrUz\H} # csfp-paranoid input_file_having_any_size 20 {3r4xW#\Ei1tUxVDe$jI CSFP-P is a password regenerator. It uses the standard input or a given file and computes a password. The number represents the password's desired length. Different input data, different input file or different password length will all result in a different password. So we will do this: (1) fill the partition with random data - you may skip this step to (1b) # dd if=/dev/random of=/dev/hda1 (1b) fill the partition with zeroes - in some cases the above won't work # dd if=/dev/zero of=/dev/hda1 (2) prepare hda1 for mapping # echo "password" | csfp-paranoid | cryptsetup --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda1 Pause here. So we used csfp-paranoid, gave it "password" as input and it generated a true password of 128 characters length. (Max length up to 2048, but default is 128.) That password was then used by cryptsetup for the encrypted partition. So then: (3) let's initialize our mapper: # echo "password" | csfp-paranoid | cryptsetup luksOpen /dev/hda1 mymapper The above command will generate the mapper /dev/mapper/mymapper. When we want to actually use the encrypted partition, we mount the MAPPER, and not the actual partition: # mount /dev/hda1 /mnt/hda1 [-- VERY BAD --] # mount /dev/mapper/mymapper /mnt/hda1 [-- VERY GOOD --] If you cared to try to mount the mapper device by following the above examples, you were probably given an error. Why? Well it doesn't have any usable format. Yet. (4) so let's create a filesystem! # mkfs.ext4 /dev/mapper/mymapper Now we can finally mount and use our mapper. You have to regenerate the mapper this way [see (3)] every time you reboot. Obviously, you only have to go through step (4) once. Some docs will give you instructions on how to edit /etc/fstab and /etc/crypttab for automating the process, but you shouldn't do that! Automation means insecurity. You will also be asked for the mapper's password on boot. And remembering 128 characters of semi-random junk is hard. ;) So keep to the manual method for your own sake. So Cryptsetup/LUKS works a bit like this: a random "master key" is generated when you set up your partition. The M.K. is used for the actual encryption/decryption processes. But what is it that what you supply, in the form of the password? You give the password for the password, so to say. The M.K., which is responsible for all the actual disk encryption, is in its turn, encrypted. That's why you can set more passwords for a given partition. The M.K. is always the same. That's also why you need to supply a password when adding a new password, or to have initialized that partition - so that the master key can be accessed. Pro-Hint: Search the web for better ways to use Cryptsetup/LUKS. AES/Rijndael on 256 bits probably won't cut it nowadays. Camilla or Serpent, maybe. 3. FUN THINGS TO DO Installing AL as LiveCD on a 800 MB partition, instead of a true installation, will not only save space - but also improve personal security as logs are never saved other than on the RAM drive, and are therefore "cleaned" automatically. And the filesystem is genuinely read-only to everyone i.e. bye, rootkit software and any current or projected viruses which work by infecting the system files. You basically only have to create a 800-900 MB Ext4 partition, copy the contents of /cdrom then check the Remastering doc for how to install GRUB (grub-install h/sda1). 4. INTERNET USAGE 3.1 Proxies Go to Proxy4Free.com for proxy IP's. Their description is very misleading though. Some "anonymous" proxies aren't anonymous at all. Verify the ones you use by visiting the site http://whatismyipaddress.com - you will then know if the proxy gives out information on you, such as your own IP (which it should hide huh?) 3.2 Tor (The Onion Router) Use Vidalia to start/stop/configure Tor. Connect to local proxy 127.0.0.1:8118 for Privoxy, which connects to Tor. See AL manual for more info on Privoxy. Tor is much better than any proxy. But don't mistake anonymity for security. The data that you send through Tor can be intercepted! And serious opponents (i.e. government or even ISP's) can possibly trace it all the way back to you! 3.3 Cookies Delete them. No exceptions. Never save passwords in your browser. Clean your /home/user/.macromedia folder often and merrily. It contains Flash cookies which your browser can't touch. And no - you don't have to watch flash videos for them to be created. Some sites seem to be generating them out of nowhere. 3.4 Utilities You can monitor the network connections through the use of: netstat, iptstate and netactview. NetActView is the best of the bunch, unless you're running in text mode of course. I pronounced NAV the best, because it can also shut down the process that shouldn't be running. In-depth analysis of traffic can be performed with Wireshark and tshark. 3.5 Firewall If you can't use a given program, such as IM client, check the firewall settings. "Guarddog" be thy name. --------------- Awaiting your suggestions, corrections at rfahy@ymail.com The final version of this document will be included in the FINAL AL release (2.0). ---------------