
#1 2024-11-17 09:54:24

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Some guidance is needed for a complete newbie

I installed the OS two weeks ago and really like it overall, but I could use some guidance, as it requires too much energy and time to fix/find/repair/whatnot.
Tried to install nodejs and npm packages just yesterday and it messed my system up, ended up with re-installing. I want to prevent these kinds of issues in the future, as I face them very often when trying to get things to work, but have no strict idea on how and with what tools.
While I don't want to compromise on security, I recognize that it's a vast topic. Are there specific steps I can take on a fresh system to enhance security gradually? I would like to implement new security features without jeopardizing the existing setup.
Currently I have:
LUKS on disks.
firewalld - with not many rules except to reject incoming and allow outgoing.
firejail - but it can't run GPU as far as I got it
tor
Highly considering using from today:
Timeshift - I think I’ll start using, since I frequently run into issues.
Not really sure about:
AppArmor or SELinux - can't use both simultaneously?

There's also another thing: from what I got, SELinux was developed by the NSA, and so was Tor. How can we trust them, exactly? It's probably not easy, but very possible to implement backdoors/exploits into SELinux, and it's not that complicated to control Tor's nodes. Could you please either debunk or validate my skepticism regarding this?

Offline

#2 2024-11-17 16:40:29

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,230

Re: Some guidance is needed for a complete newbie

Whenever this topic comes up it begs the question, "What is the threat about which you are concerned?" 
Are you trying to protect personal data (ID, birthday, banking credentials)?  Company proprietary data?  State secrets?
Are you concerned about your anonymity?
Does your computer have any users besides you?  Who has physical access to it?

This computer has no firewall.  I don't even encrypt (most) data at rest.  It has only port 22 open (ssh) and requires a public key authentication to log in.  I don't think it has ever been connected to the public internet directly -- I am pretty sure it has always been on private networks with gateways to the public internet.   

If I were to change anything, I would encrypt data at rest.  I strongly recommend requiring public key authentication for remote logins. 
I would not worry about firewalls unless you are exposed to the internet or a really hostile private network.

As to backdoors in Tor or SELinux?  We may as well argue how many angels can dance on the head of pin.  I suppose one has to assume they are compromised, so what?
I always go by the notion that data are only safe if value of those data is less than cost to steal them.

As to difficulty of maintenance? I spend about 10 minutes a week to keep my two Arch Linux systems up to date.  These installs are both years old.   How did you install said nodejs and npm packages?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#3 2024-11-17 17:10:28

MAYBL8
Member
Registered: 2022-01-14
Posts: 263

Re: Some guidance is needed for a complete newbie

You might want to look at this distro instead of building all the pieces through Arch:
https://www.digi77.com/linux-kodachi/

Online

#4 2024-11-17 23:42:56

dakota
Member
Registered: 2016-05-20
Posts: 337

Re: Some guidance is needed for a complete newbie

That link requires that I enable javascript to even look at their website.

Now, why would I do a fool-thing like that? Sure doesn't fill me with confidence when they can't (or won't) even write an html-based web page.

Cheers,


"Before Enlightenment chop wood, carry water. After Enlightenment chop wood, carry water." -- Zen proverb

Offline

#5 2024-11-18 00:56:28

MAYBL8
Member
Registered: 2022-01-14
Posts: 263

Re: Some guidance is needed for a complete newbie

Sorry

Online

#6 2024-11-18 11:41:42

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Some guidance is needed for a complete newbie

ewaller wrote:

Whenever this topic comes up it begs the question, "What is the threat about which you are concerned?" 
Are you trying to protect personal data (ID, birthday, banking credentials)?  Company proprietary data?  State secrets?
Are you concerned about your anonymity?
Does your computer have any users besides you?  Who has physical access to it?

This computer has no firewall.  I don't even encrypt (most) data at rest.  It has only port 22 open (ssh) and requires a public key authentication to log in.  I don't think it has ever been connected to the public internet directly -- I am pretty sure it has always been on private networks with gateways to the public internet.   

If I were to change anything, I would encrypt data at rest.  I strongly recommend requiring public key authentication for remote logins. 
I would not worry about firewalls unless you are exposed to the internet or a really hostile private network.

As to backdoors in Tor or SELinux?  We may as well argue how many angels can dance on the head of pin.  I suppose one has to assume they are compromised, so what?
I always go by the notion that data are only safe if value of those data is less than cost to steal them.

As to difficulty of maintenance? I spend about 10 minutes a week to keep my two Arch Linux systems up to date.  These installs are both years old.   How did you install said nodejs and npm packages?

I'm trying to keep the system as secure as possible from all threats while still allowing enough room for comfortable use. Same with anonymity, I don't expect to use banking being anonymous, but I do want to make it as hard as possible for whoever it may be, including gov, to hack me.
I'm using a computer as a standalone device, so comparing it to something behind a private network isn't appropriate. But yeah, I got the point.

So do you agree that Tor could be considered a honeypot or has a high potential to be one? I'm not sure, so I'm trying to clarify things for myself with more knowledgeable people in here.

I’m not sure what went wrong with node/npm, but I installed it according to the docs

pacman -S nodejs npm

. I tried it again with Timeshift enabled, just in case, and it went smoothly, but I'm fighting demons now with apparmor, it doesn't work as I expected and doesn't reload/restart with systemctl calls etc.

MAYBL8 wrote:

You might want to look at this distro instead of building all the pieces through Arch:
https://www.digi77.com/linux-kodachi/

Is there a list or something similar that outlines how I can accomplish these pieces with Arch?

dakota wrote:

That link requires that I enable javascript to even look at their website.

So you simply avoid 99% of the websites that are powered by JS?

Last edited by alessandro_mo (2024-11-18 11:46:59)

Offline

#7 2024-11-18 12:21:59

MAYBL8
Member
Registered: 2022-01-14
Posts: 263

Re: Some guidance is needed for a complete newbie

Taken from their website:
"Browse the internet anonymously: All of your online connections are routed through a  VPN and then the Tor network, coupled with DNS encryption, to ensure maximum privacy"
And encrypting your files.

Is that enough for you?

You can do all of this with Arch.

I personally don't use any of these options. My info is out there all over the place.  Hackers are stealing data every day. It is a losing battle.
So I just deal with issues as they come.
I try to be safe when I am visiting places on the internet.
Make sure my passwords are better than 123456.
Try to avoid Windows completely.
Use a password manager.
Backups are also done. Not as often as I should.

I even run a mail server at my house.
I see it being attacked every day, almost every minute. But it is set up as secure as possible while still allowing it to operate.

Good luck in your quest.

Last edited by MAYBL8 (2024-11-18 12:22:56)

Online

#8 2024-11-18 12:30:45

archlynovice
Member
Registered: 2023-10-22
Posts: 28

Re: Some guidance is needed for a complete newbie

You do realize that your question is too broad, yes? People can send you places so you can dive into a rabbit hole, but not much more.

For data at rest encryption you can implement the following setup: Full disk encryption via LUKS with detached LUKS header on USB stick. The USB also contains the boot partition, so your disk is encrypted from first to last block. Implement an LVM on LUKS. Set up hibernation / suspend to disk. Now you have serious physical encryption and basically 2FA.

Everything you need you can find with those key words in the Arch wiki. I can't make sense of where you stand in your Linux journey, but this may keep you busy for a while. At least I learned a lot along the way.

Some books I didn't read:

Kalsi   -  Practical Linux Security Cookbook
Nemeth  -  Unix and Linux System Administration
Rankin  -  Linux Hardening in Hostile Networks
Tevault -  Mastering Linux Security and Hardening

Last edited by archlynovice (2024-11-18 12:45:54)

Offline

#9 2024-11-18 18:57:56

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Some guidance is needed for a complete newbie

MAYBL8 wrote:

Taken from their website:
"Browse the internet anonymously: All of your online connections are routed through a  VPN and then the Tor network, coupled with DNS encryption, to ensure maximum privacy"
And encrypting your files.

Is that enough for you?

That actually contradicts the Tor docs and common sense, especially if the person who owns the system is from Oman.
Thanks for the tips.

archlynovice wrote:

You do realize that your question is too broad, yes? People can send you places so you can dive into a rabbit hole, but not much more.

For data at rest encryption you can implement the following setup: Full disk encryption via LUKS with detached LUKS header on USB stick. The USB also contains the boot partition, so your disk is encrypted from first to last block. Implement an LVM on LUKS. Set up hibernation / suspend to disk. Now you have serious physical encryption and basically 2FA.

Everything you need you can find with those key words in the Arch wiki. I can't make sense of where you stand in your Linux journey, but this may keep you busy for a while. At least I learned a lot along the way.

Some books I didn't read:

Kalsi   -  Practical Linux Security Cookbook
Nemeth  -  Unix and Linux System Administration
Rankin  -  Linux Hardening in Hostile Networks
Tevault -  Mastering Linux Security and Hardening

We all learn at different paces. Yes, I'm aware of what you said and I use LUKS with LVM.
Thanks

Offline

#10 2024-11-18 20:18:05

loqs
Member
Registered: 2014-03-06
Posts: 18,069

Re: Some guidance is needed for a complete newbie

alessandro_mo wrote:

firewalld - with not many rules except to reject incoming and allow outgoing.

This is so vague it could be interpreted as all traffic not originating on the system is rejected which would break TCP (apart from loopback).

alessandro_mo wrote:
MAYBL8 wrote:

Taken from their website:
"Browse the internet anonymously: All of your online connections are routed through a  VPN and then the Tor network, coupled with DNS encryption, to ensure maximum privacy"
And encrypting your files.

Is that enough for you?

That actually contradicts the Tor docs and common sense, especially if the person who owns the system is from Oman.
Thanks for the tips.

Please provide links to the Tor documentation you are referencing and your common sense analysis.

Last edited by loqs (2024-11-18 20:27:38)

Offline
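An added illustration, not from any poster in this thread, of the distinction loqs is drawing above: a literal "reject everything not originating on this host" rule drops the server's SYN-ACK and no TCP connection can ever complete, whereas a connection-tracking rule admits only replies to flows the host itself opened and still rejects unsolicited probes. The addresses, ports and packet list are constructed for the demo; the two policies are toy models, not firewalld or nftables code.

```python
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges.
HOST = "192.0.2.10"        # the laptop running the firewall
SERVER = "198.51.100.7"    # a web server the laptop connects to
ATTACKER = "203.0.113.9"   # an unsolicited remote host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # simplified TCP flags: "SYN", "SYN-ACK", "ACK", "PSH-ACK"


def stateless_reject_incoming(pkt):
    """Literal reading of 'reject incoming': drop every packet not sent by HOST.
    There is no memory of earlier packets, so the server's SYN-ACK reply is
    rejected as well and the three-way handshake never finishes."""
    return pkt.src == HOST


class ConnTracker:
    """Stateful reading: an inbound packet is allowed only when it is the reply
    leg of a flow that HOST opened earlier (what conntrack's ESTABLISHED does)."""

    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.src == HOST:
            # Outbound: remember the 4-tuple so the reply can be matched.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: allowed only if it mirrors a tracked outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


# Constructed traffic: one HTTPS handshake plus one unsolicited SSH probe.
TRAFFIC = [
    Packet(HOST, 51234, SERVER, 443, "SYN"),
    Packet(SERVER, 443, HOST, 51234, "SYN-ACK"),
    Packet(HOST, 51234, SERVER, 443, "ACK"),
    Packet(SERVER, 443, HOST, 51234, "PSH-ACK"),
    Packet(ATTACKER, 40000, HOST, 22, "SYN"),
]


def run_policy(policy, traffic=TRAFFIC):
    """Return {(src, flags): allowed} for every packet under the given policy."""
    return {(p.src, p.flags): policy(p) for p in traffic}


def handshake_completes(verdicts):
    """TCP is only established if the server's SYN-ACK was let back in."""
    return verdicts[(SERVER, "SYN-ACK")]


if __name__ == "__main__":
    for name, policy in [("stateless", stateless_reject_incoming),
                         ("stateful", ConnTracker().allow)]:
        verdicts = run_policy(policy)
        print(name, "handshake completes:", handshake_completes(verdicts))
        for key, allowed in verdicts.items():
            print("  ", key, "->", "allow" if allowed else "reject")
```

Both policies reject the probe to port 22, so the difference is not in what they block but in whether legitimate return traffic gets through; a real firewalld zone expresses the stateful version through its conntrack-based default rules, which is why "reject incoming, allow outgoing" only works as stated when the reject applies to new connections rather than to every inbound packet.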

#11 2024-11-18 21:33:20

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,230

Re: Some guidance is needed for a complete newbie

alessandro_mo wrote:

So do you agree that Tor could be considered a honeypot or has a high potential to be one?

No, not what I said.
I said that it's pointless to argue about as we won't find an answer.  As in all crypto discussion, you start by assuming the communication path is compromised.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#12 2024-11-19 06:13:06

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Some guidance is needed for a complete newbie

loqs wrote:

Please provide links to the Tor documentation you are referencing and your common sense analysis.

I'm sure I've seen this somewhere official, but I can't find it on their website at the moment. The common sense analysis is that you place too much trust in the VPN, and it doesn't really matter what privacy laws they have, it also attracts much more targeted attention for monitoring.

ewaller wrote:

No, not what I said.
I said that it's pointless to argue about as we won't find an answer.  As in all crypto discussion, you start by assuming the communication path is compromised.

Yeah, but in that context, what can you really do about it except avoid things you normally wouldn't? Is there a specific layer of protection you can recommend?

Offline

#13 2024-11-19 13:52:16

loqs
Member
Registered: 2014-03-06
Posts: 18,069

Re: Some guidance is needed for a complete newbie

alessandro_mo wrote:

The common sense analysis is that you place too much trust in the VPN, and it doesn't really matter what privacy laws they have, it also attracts much more targeted attention for monitoring.

The monitoring would detect all your traffic is to TOR nodes. How is that placing too much trust in the VPN?

Offline

#14 2024-11-20 06:41:21

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Some guidance is needed for a complete newbie

The connection between a user and the VPN is encrypted, and the connection between the VPN and Tor is also encrypted, but not the entire thing as one, which means the VPN could inject packets and so on. Even if it somehow magically doesn't work like that and I'm wrong, it still has at least the same level of trust as your ISP, which could lead to things like timing attacks. There are many vectors for targeting, not just monitoring.

Why do people trust Tor in the first place? They don't hide that it was developed by government agencies, and there are a very limited number of servers in regular data centers that could be and probably are compromised.
Can someone knowledgeable please clarify?

Offline

#15 2024-11-20 12:15:28

loqs
Member
Registered: 2014-03-06
Posts: 18,069

Re: Some guidance is needed for a complete newbie

alessandro_mo wrote:

The connection between a user and the VPN is encrypted, and the connection between the VPN and Tor is also encrypted, but not the entire thing as one, which means the VPN could inject packets and so on.

The contents of the packet are encrypted with the Tor guard node's public key and will be unwrapped last; this is encrypted with the middle node's public key, this is then encrypted with the entry node's public key, and this is then encrypted inside the VPN. So the packet has been encrypted four times with four different keys and must be decrypted in the reverse order.

Last edited by loqs (2024-11-20 14:11:25)

Offline
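The layering loqs describes above, as an added worked example that is not part of the original post and not Tor's actual protocol code: the client wraps the payload innermost-first so that each hop on the path (VPN, guard, middle, exit) can remove exactly one layer, and no hop before the last can read the payload or modify the inner layers without the next hop noticing. The per-layer cipher (a SHA-256 keystream XOR with an HMAC tag) and the fixed hop keys are constructed stand-ins for illustration; real Tor negotiates per-circuit keys and uses its own relay-cell format.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Hops in the order the packet travels away from the client.
HOPS = ["vpn", "guard", "middle", "exit"]

# Constructed per-hop keys for the demo; real Tor derives these per circuit.
DEMO_KEYS = {hop: hashlib.sha256(b"constructed-demo-key-" + hop.encode()).digest()
             for hop in HOPS}


def _keystream(key, nonce, length):
    """Toy keystream: SHA-256 over key || nonce || counter (demo stand-in only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def wrap(key, inner):
    """Add one layer: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(inner, key, nonce)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key, blob):
    """Remove one layer; raise ValueError if this layer was tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed")
    return _xor(ct, key, nonce)


def build_onion(payload, keys=DEMO_KEYS):
    """Client side: innermost layer (exit) is applied first, outermost (VPN) last."""
    blob = payload
    for hop in reversed(HOPS):
        blob = wrap(keys[hop], blob)
    return blob


def forward(onion, keys=DEMO_KEYS):
    """Each hop peels exactly one layer. Returns [(hop, bytes it forwards), ...]."""
    seen = []
    blob = onion
    for hop in HOPS:
        blob = unwrap(keys[hop], blob)
        seen.append((hop, blob))
    return seen


def payload_visible_to(payload, keys=DEMO_KEYS):
    """Which hops can read the plaintext after peeling their own layer."""
    return {hop: payload in blob
            for hop, blob in forward(build_onion(payload, keys), keys)}


def vpn_tampering_detected(payload, keys=DEMO_KEYS):
    """The VPN peels its own layer legitimately, then flips one byte of what it
    forwards. The guard's integrity check on its layer rejects the packet."""
    inner = bytearray(unwrap(keys["vpn"], build_onion(payload, keys)))
    inner[NONCE_LEN] ^= 0x01   # first ciphertext byte of the guard layer
    try:
        unwrap(keys["guard"], bytes(inner))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"GET / HTTP/1.1"
    print("payload readable by hop:", payload_visible_to(msg))
    print("VPN modification caught at guard:", vpn_tampering_detected(msg))
```

The VPN therefore only ever handles an opaque blob destined for the guard, which is the sense in which the whole path is encrypted "as one" from the client's point of view. What the exit can see is a separate question: in this model the exit recovers the payload, so whether an exit operator can read application data depends on the application using its own end-to-end encryption (HTTPS) on top of the circuit.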

#16 2024-11-20 12:41:11

Awebb
Member
Registered: 2010-05-06
Posts: 6,613

Re: Some guidance is needed for a complete newbie

I'm not sure if being developed by the NSA changes anything. People are willing to trust a random stranger on the internet more than a US three letter agency. This is hilariously comical, because those agencies have the resources to infiltrate, say, the kernel security team.

The only way to securely identify a backdoor in SELinux is a code review of SELinux and the whole compiler infrastructure.

Have a look at Apparmor, its creators (from Saxony of all places) were bought by Novell (a British company) and later cooperated with Canonical (another UK based company). That's two states that equally ignore civil rights when surveillance is an option. As soon as an IT company is involved, you're basically in the hands of national legislation.

Offline

#17 2024-11-20 14:09:08

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Some guidance is needed for a complete newbie

loqs wrote:

The contents of the packet are encrypted with the Tor guard node's public key and will be unwrapped last; this is then re-encrypted with the middle node's public key, this is then re-encrypted with the entry node's public key, and this is then re-encrypted inside the VPN.

You're not listening and have missed the point of what you were trying to answer.

Awebb wrote:

I'm not sure if being developed by the NSA changes anything. People are willing to trust a random stranger on the internet more than a US three letter agency. This is hilariously comical, because those agencies have the resources to infiltrate, say, the kernel security team.

On the other hand, a random person doesn't have the resources and motivation while the three letter agencies do. These agencies do infiltrate, and they would go above and beyond if it weren't for other forces holding them back.
I agree with the rest.

Offline

#18 2024-11-20 14:19:07

loqs
Member
Registered: 2014-03-06
Posts: 18,069

Re: Some guidance is needed for a complete newbie

alessandro_mo wrote:

The connection between a user and the VPN is encrypted, and the connection between the VPN and Tor is also encrypted, but not the entire thing as one, which means the VPN could inject packets and so on. Even if it somehow magically doesn't work like that and I'm wrong, it still has at least the same level of trust as your ISP, which could lead to things like timing attacks. There are many vectors for targeting, not just monitoring.

loqs wrote:

The contents of the packet are encrypted with the Tor guard node's public key and will be unwrapped last; this is then re-encrypted with the middle node's public key, this is then re-encrypted with the entry node's public key, and this is then re-encrypted inside the VPN.

You're not listening and have missed the point of what you were trying to answer.

How was my response not addressing what you wrote? If your point is that your threat model is a state-level adversary that can require and obtain logs from your ISP, your VPN provider and all the Tor nodes you used, and can monitor all your internet traffic, then I agree.

Last edited by loqs (2024-11-20 14:20:11)

Offline

#19 2024-11-20 14:29:06

archlynovice
Member
Registered: 2023-10-22
Posts: 28

Re: Some guidance is needed for a complete newbie

I've been following this thread a little. At this point, why don't you just pick up a loose end (plenty have been provided here) and go to work. You call yourself a "complete newbie" yet have very strong opinions about what is right and wrong. Going by the join date and the amount of previous contributions on this forum, you've gotten responses from quite knowledgeable people. Beyond that, I don't even understand what this thread is about anymore.

alessandro_mo wrote:

That actually contradicts the Tor docs and common sense

This was 2 days ago. Plenty of time to follow through and provide actual information. Have you found anything?

Offline

#20 2024-11-21 05:44:02

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Some guidance is needed for a complete newbie

loqs wrote:

How was my response not addressing what you wrote? If your point is that your threat model is a state-level adversary that can require and obtain logs from your ISP, your VPN provider and all the Tor nodes you used, and can monitor all your internet traffic, then I agree.

alessandro_mo wrote:

The connection between a user and the VPN is encrypted, and the connection between the VPN and Tor is also encrypted, but not the entire thing as one, which means the VPN could inject packets and so on

Sort of MITM, but actually worse.

Last edited by alessandro_mo (2024-11-21 05:44:30)

Offline

#21 2024-11-21 07:31:54

Awebb
Member
Registered: 2010-05-06
Posts: 6,613

Re: Some guidance is needed for a complete newbie

Next time, please follow the usual netiquette and do not dish out such a clickbait title. You're clearly not a complete newbie and you clearly knew that you wanted to talk about security. Complete newbies run through archinstall and then forget to do the chroot parts before rebooting. See the link in ewaller's signature.

Having recently taken charge of the IT department of a company group, I have seen myself asking a similar set of questions and after interviewing the folks in charge of our SOC, I've got the same question in return that ewaller asked you, just in different words:

"What is the actual threat model you're worried about?"

Offline

#22 2024-11-21 11:26:47

alessandro_mo
Member
Registered: 2024-11-17
Posts: 16

Re: Some guidance is needed for a complete newbie

So you do follow the usual netiquette by making false assumptions based on your insecurities and limitations? I tend not to compare my abilities to those of others.
Perhaps the title is indeed vague, but it reflects my uncertainties and the focus on security was based on its greater importance compared to others, which are simpler and easier to grasp.
That being said, I see that I'm probably in the wrong place, asking the wrong people at the wrong time. With that in mind, I want to thank you all and wish you good luck.

Offline

#23 2024-11-21 13:21:30

loqs
Member
Registered: 2014-03-06
Posts: 18,069

Re: Some guidance is needed for a complete newbie

alessandro_mo wrote:

The connection between a user and the VPN is encrypted, and the connection between the VPN and Tor is also encrypted, but not the entire thing as one, which means the VPN could inject packets and so on

Yes, the entire connection is encrypted, as you are sending Tor traffic through the VPN rather than trusting the VPN to route traffic through Tor.
Edit:
I have edited post number 15 to make it clearer.

Last edited by loqs (2024-11-21 13:22:50)

Offline
