> Source-based distro
> LUKS full disk encryption
> Minimalist (suckless tools)
> Stateful firewall with iptables: dropping all output but 53, 80, 443
> Suricata IDS watching traffic and popping alerts
> AIDE filesystem integrity check
> Qemu/KVM with libvirt for compartmentalization
> Bubblewrap to jail apps
I used to run this way, then I just decided it was easier to maintain Arch with a few services and ufw allowing the ports I use.
Nolan Campbell
I just switch on FileVault
Mason Cruz
Why not, it’s simple to allow a port on-the-fly
Jace Howard
Pretty solid if you can manage to configure it. But why AIDE and not AppArmor?
David Ortiz
why AppArmor and not SELinux?
Camden Lopez
Just run Qubes, dude. You're trying to set up a corporate network from within a single machine as it is right now. Also, what do you think blocking all outbound ports but the essential ones will do? You think malware can't phone home over HTTP?
Brandon Murphy
Throw in UEFI firmware verification if you have it.
Luke Mitchell
>> Minimalist (suckless tools) kek
Carter Martinez
>Linux
>Security
Choose one.
Chase Thompson
Stop being a NEET and use RHEL.
Eli Anderson
>LUKS
Privacy != Security
>Minimalist (suckless tools)
You are going to run most of the suckless tools as a normal user; it doesn't matter whether they're exploited or not, since they aren't listening to external connections anyway. Here's what you should be worried about:
- Any application that talks to the internet (curl, web browsers, etc.).
- Your system's cryptographic library.
- The kernel.
- The init system.
- Applications with the setuid bit.
- Privileged daemons.
>IDS
lol
>AIDE
lol
>using virtualization as a security measure
marc.info/?l=openbsd-misc&m=119318909016582
You're simply throwing shit at a wall that's made of feathers, hoping that it sticks and protects you.
Joshua Clark
>You think malware can’t phone home over http?
This. I use HTTP ports for all my shells (legal CTFs, thanks). I think OP just googled a laundry list of shit and doesn't actually understand what he's trying to accomplish.
James Ramirez
Do you have a good guide or links about hardening?
Is a mandatory "secured" sort of proxy the solution? How to deal with HTTPS? Any tips?
Eli Hill
>443 open
>no mention of SSL inspection
I have an email to send you, senpai. I am a Nigerian prince.
Tyler Carter
Is SSL inspection worth it? Is there any open-source software for it?
Why are you so concerned about malware on a personal Linux workstation? I could understand if you were setting up a homelab for fun/learning, but for actual security, malware is the least of your worries. For a start, you have no assets like a corp does, and second, you run Linux, so most malware doesn't even target you. How the fuck do you even install malware anyway when you use a package manager? What's the use case here?
Dylan Cruz
have sex
Elijah Wood
Why not just buy an NGFW and sit behind that? Get some decent endpoint security and you will be much better off. Sophos do a free endpoint for Linux.