Linux Workstation security

> Source based distro
> LUKS full disk encryption
> Minimalist (suckless tools)
> Stateful firewall with iptables: dropping all but 53, 80, 443 output
> Suricata IDS watching traffic and popping alerts
> AIDE filesystem integrity check
> Qemu/KVM with libvirt for compartmentalization
> Bubblewrap to jail apps

What do you think?

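The AIDE item on the OP's list is the one that is easiest to reason about in code: AIDE takes a baseline of file attributes (hashes, mode, ownership, size) and later reports what was added, removed or changed. The script below is an added example, not from any poster in this thread and not AIDE's own code; it is a minimal stand-in that shows the mechanism on a constructed temporary directory tree. The `demo()` function, the file names under it, and the simulated tampering (an appended passwd line, a setuid bit on `init`, a dropped-in binary) are all constructed for illustration. As with the real tool, the baseline is only worth anything if it is stored somewhere the attacker cannot also rewrite, which is why the example keeps it in memory rather than pretending an on-disk database is trustworthy.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Walk root and record, per regular file, the attributes an AIDE-style
    database keeps: content hash, permission bits, owner, group, size.
    Symlinks, sockets and device nodes are skipped in this toy version."""
    db = {}
    root = Path(root)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = p.relative_to(root).as_posix()
            db[rel] = {
                "sha256": hash_file(p),
                "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return db


def compare(baseline, current):
    """Report added, removed and changed paths; for changed paths, say which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: take a baseline of a tiny fake root, tamper with it, re-check.
    Returns the comparison so the result can be inspected rather than only printed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "sbin" / "init").write_bytes(b"#!/bin/sh\nexec /bin/true\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        baseline = snapshot(root)  # in real use: generated at a known-good time, stored off-host

        # Simulated tampering (constructed, not a real attack trace):
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")  # extra uid-0 account
        (root / "sbin" / "init").chmod(0o4755)                              # setuid bit added
        (root / "sbin" / "rootkit").write_bytes(b"\x7fELF")                 # new file dropped in

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "changed"):
        print(f"{kind}: {report[kind]}")
```

Two things the toy makes obvious that matter for the real tool as well: a content hash alone would miss the setuid change on `init` (the bytes are identical, only the mode differs), so mode and ownership have to be in the baseline too; and the check only catches what happened between two snapshots, so it says nothing about a system that was already compromised when the baseline was taken.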

No port 22?

qubes

I used to run this way, then I just decided it was easier to maintain Arch with a few services and ufw allowing the ports I use.

I just switch on FileVault

Why not? It's simple to allow a port on-the-fly.

Pretty solid if you can manage to configure it. But why AIDE and not AppArmor?

why AppArmor and not SELinux?

Just run Qubes, dude. You're trying to set up a corporate network from within a single machine as it is right now.
Also, what do you think blocking all outbound ports but essential ones will do? You think malware can't phone home over HTTP?

Throw in UEFI firmware verification if you have it.

>> Minimalist (suckless tools)
kek

>Linux
>Security
Choose one.

Stop being a NEET and use RHEL.

>LUKS
Privacy != Security
>Minimalist (suckless tools)
You are going to run most of the suckless tools as a normal user; it doesn't matter whether they're exploited or not, since they aren't listening for external connections anyway.
Here's what you should be worried about:
-Any application that talks to the internet (curl, web browsers, etc.).
-Your system's cryptographic library.
-The kernel.
-The init system.
-Applications with the setuid bit.
-Privileged daemons.
>IDS
lol
>AIDE
lol
>using virtualization as a security measure
marc.info/?l=openbsd-misc&m=119318909016582

You're simply throwing shit at a wall that's made of feathers, hoping that it sticks and protects you.

>You think malware can’t phone home over http?

This. I use HTTP ports for all my shells (legal CTFs, thanks). I think OP just Googled a laundry list of shit and doesn't actually understand what he's trying to accomplish.

Do you have a good guide or links about hardening?

Is a mandatory «secured» sort of proxy the solution? How to deal with https? Any tips?

>443 open
>no mention of SSL inspection
I have an email to send you senpai. I am a Nigerian prince.

Is SSL inspection worth it?
Is there any open-source software?

God no: arxiv.org/pdf/1407.7146.pdf

Why are you so concerned about malware on a personal Linux workstation? I could understand if you were setting up a homelab for fun/learning, but for actual security, malware is the least of your worries. For a start, you have no assets like a corp does, and second, you run Linux, so most malware doesn't even target you. How the fuck do you even install malware anyway when you use a package manager? What's the use case here?

have sex

Why not just buy an NGFW and sit behind that?
Get some decent endpoint security and you will be much better off.
Sophos does a free endpoint for Linux.

QubesOS