archive provided by lainchan.jp

lainchan archive - /sec/ - 4107



I see a lot of talk about netsec here but not a lot about how you protect your local OS (besides basic encryption). So, lainians, how do you protect your computer?


BIOS password, grsec kernel, PaX, firejail, DNSCrypt


Well, OSes are always made of many different parts, and the important part of security is to identify the most vulnerable parts of your system and isolate them from the rest of the system or just don't use them. Once a competent attacker breaks past that first line of defense, 9 times out of 10 they can get access to anything else they need. For instance, web browsers tend to be extremely vulnerable, so it's a good idea to isolate them as much as possible and not use them when you don't have to. Another majorly vulnerable component is usually the TCP/IP stack, so hardened kernels are a must.


BIOS strong passwords, and strong login passwords, and full disk encryption for physical attacks.

close unused ports and services for things you don't need (not so much a problem for desktops, but still) and keep everything up to date

if you are not using a piece of software (java, adobe flash and other common client-side attack vectors) uninstall it, and keep your attack surface as low as possible

To avoid social engineering don't click attachments on emails or links. Senders can easily be spoofed with tools like SET. If you don't know and need to click, create a VM with snapshots to be safe.

if you're browsing shady sites use a VM, for the worst case scenario, and always keep external backups in a safe location.

Location security, such as needing anonymity, while not always needed. VPNs and Tor or Tor-like substitutes can be used, but make sure you check for leakage because it can happen. Also check VPN companies' policies; most say they don't check logs, but keep in mind they can start at any time.

at the end of the day, there is no such thing as 100% security, it's all about getting it to an acceptable range or as low as reasonably possible.


grsecurity+PaX kernel and their RBAC or SELinux if you are confident, Wayland instead of X and running AIDE once in a while to check if anything changed.
I also use the TPM for more trusted boot.


Man, reading through this post made me realize that I don't do nearly enough netsec. While I don't encrypt my root and data partition, my personal cloud is encrypted and I try to self-host as much as possible. Other than that I block all ports by default and use VPNs.
I've looked at grsec/PaX/SELinux in the past but I wasn't really convinced. Though it should be easy to install since Gentoo has profiles for that sort of thing.


Gentoo has pretty good introductory pages, within the wiki, for SELinux as well as basic security practices during install and while running.