Hardening Debian Against Common Surveillance and Security Threats v18.11.10 Table of Contents Introduction...........................................................................................................................................2 Design Philosophy................................................................................................................................3 Threat Model.........................................................................................................................................5 Download and Verify Installation Image Signatures............................................................................8 Write Verified Image to Installation Media........................................................................................12 Protect Motherboard Firmware...........................................................................................................13 Operating System Installation Configuration.....................................................................................15 Default Deny Firewall.........................................................................................................................18 Kernel and Network Hardening..........................................................................................................21 Routing Package Management through Tor........................................................................................24 Minimizing your Software Attack Surface.........................................................................................26 Routing DNS Traffic through Tor.......................................................................................................27 Blacklisting Domains with Hosts........................................................................................................30 Configuring Mandatory Access Control.............................................................................................33 Firewalling USB Interfaces.................................................................................................................38 Locking the Bootloader.......................................................................................................................42 Automating Security Scans.................................................................................................................45 Running Security Audits.....................................................................................................................51 Configuring a System-Wide VPN.......................................................................................................55 Hardening the Web Browser...............................................................................................................60 Keeping Computing Local..................................................................................................................72 File and Backup Encryption................................................................................................................76 Testing Your Configuration.................................................................................................................81 Closing Thoughts................................................................................................................................87 Useful Links and References..............................................................................................................89 1 Introduction What happened to the Internet? We were sold a promise that it would be a space entrusted to freely explore information and to be a bastion of digital liberty. So why does it seem as though every online entity is maliciously trying to harvest our information and control every aspect of our digital presence? Why are industries and governments so driven to weaponize our own data against us? When I think about the state of the modern web, I cannot help but to recall an old comic shared circa 2008: It depicts the web as a hellscape requiring a metaphorical armored tank of a web browser simply to interact with any site. The image of a battlefield certainly embellishes the situation although it is not entirely inaccurate. In fact, in 2016 NATO ha d officially declared the Internet to be a warzone. I would not consider one to be foolish for treating every bit of information entering their computer as a potential assault on their digital well-being. That is why, in this walk-through, we will look at strengthening every weak point and plugging as many holes as practicable with a Debian installation. We want to ensure that only you are the absolute authority who has the final say as to what does and does not get to access your computer. 2 Design Philosophy The aim of this document is to deliver instructions in a dense and hopefully easy to understand manner. The instructions are presented in a CLI terminal format whenever applicable. Followed beginning to end, in order, this document outlines a way to configure a trustworthy, strong foundation on which to construct your own secure and privacy oriented computer. This document assumes the reader has already heeded introductory guides. Resources which emphasize migrating away from products and services of known surveillance state collaborators. Here, we focus instead on changes and additions which can be made to your security strategy. While many of these methods are described as applied to Debian, most should readily translate to Debian derivatives and other GNU/Linux distributions. 3 We assume no trust beyond the NIC. Some approaches to securing your privacy enjoy the benefits provided by router hardening. Here, the local machine is considered our only sanctuary. This also focuses on building out a system from a fresh installation, although nothing should prevent readers from individually adopting some of the outlined practices on an existing installation. Some of the details surrounding the instructions presented in this document are left intentionally vague. This is done for a few reasons. 1) To keep the guide general and applicable beyond strictly Debian GNU/Linux. 2) To encourage readers to fine tune these configurations to suit their own specific needs. 3) To encourage readers to research beyond what is presented in this guide. We will focus heavily on free-libre software since, w hile free software does not guarantee security, it is a hard prerequisite to constructing a trusted computing environment. Indeed, there exists commercial proprietary security software available for GNU/Linux however we cannot place trust in a program to do only what it claims if nobody is allowed to truly investigate its inner workings. 4 Threat Model This document addresses the threat faced by most of us, automated dragnet surveillance. Whistle blowers, activists and political dissidents may encounter targeted advanced persistent threats. The other 99.9% of us should instead be concerned with wider pervasive monitoring. We will also cover protecting your system against snooping roommates/coworkers/etc who may have physical access to your hardware. And while the methods outlined here cannot guarantee protection to dissidents, whistle blowers or journalists, they may still be helpful as smaller components in a related security strategy. What we are attempting to defend against: 1) Bulk data collection. 2) Surveillance capitalism. 3) Common adware, malware and spyware. 4) “Evil maid” unauthorized access. What we are not attempting to defend against: 1) Targeted law enforcement operations. 2) Targeted nation state operations. 3) Other advanced persistent threats. Below is a rough conceptual model of what we will be building. It enforces most input (abstracted for network packets, web objects, USB peripherals, and others) to traverse a 3 ½ tiered defensive structure. Line one represents the default deny firewalls which will ultimately make up our outer perimeter. Much of it permits incoming data only at the user’s explicit discretion. And, since all users are prone to error, line two provides a second opinion based on pre-established blacklists by third parties. If 5 the inbound data matches any of these items it will be automatically rejected, unless otherwise authorized by the user. Line three depicts a layer of various confinement strategies which restrict the potential damage that can be unleashed by a malicious program which may have evaded lines one and two. Line three, and the system as a whole, will be monitored by a number of malware and intrusion detection programs. The user is responsible for the remediation of any true positives that are discovered. The entire system, as well as incoming and outgoing data, will be encapsulated in a layer of encryption as much as is practicable. And, in an effort to truly limit outgoing data as much as possible, any processing that can be done inside of the perimeter will be done locally. 6 7 Download and Verify Installation Image Signatures To ensure that the installation image has not been tampered with or modified between you and the packagers, we want to check published hash sums against our own hash sum of the image. Download the Debian netinst ISO (substituting the latest release version) for your architecture and its hash sums: wget --https-only --no-cookies https://cdimage.debian.org/debian- cd/current/amd64/iso-cd/debian-9. 5.0-amd64-netinst.iso wget --https-only --no-cookies https://cdimage.debian.org/debian- cd/current/amd64/iso-cd/SHA512SUMS
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages89 Page
-
File Size-