Linux

Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind. Release Cycle You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer....

Linux is not a secure desktop operating system. However, there are steps you can take to harden it, reduce its attack surface, and improve its privacy. Before we start… Some of the sections will include mentions of unofficial builds of packages like linux‑hardened, akmod, hardened_malloc, and so on. These are not endorsements — they are merely to show that you have options to easily obtain and update these packages. Using unofficial builds of packages means adding more parties to trust, and you have to evaluate whether it is worth doing so for the potential privacy/security benefits or not....

Containers aren’t that new fancy thing anymore, but they were a big deal. And they still are. They are a concrete solution to the following problem: - Hey, your software doesn’t work… - Sorry, it works on my computer! Can’t help you. Whether we like them or not, containers are here to stay. Their expressiveness and semantics allow for an abstraction of the OS dependencies that a software has, the latter being often dynamically linked against certain libraries....

There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open-source or because it is widely used in the cloud. However, this is a far cry from reality. There is already a very in-depth technical blog explaining the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....

MAC address randomization Note that Ethernet connections can still be tracked via switch ports, and WiFi connections can be broadly localized by access point. Furthermore, MAC address spoofing and randomization depends on firmware support from the interface. Most modern network interface cards support the feature. There are three different aspects of MAC address randomization in NetworkManager, each with their own configuration flag: WiFi scanning [device] wifi.scan-rand-mac-address=yes WiFi connections [connection] wifi.cloned-mac-address=<mode> Ethernet connections [connection] ethernet....

Before We Start… I sent Proton an email regarding this issue in late August 2022 and was told they are working on fixing it, though it will take some time as it requires some architectural changes in how the killswitch works. The Leak Ideally, when implementing a killswitch, a VPN client should drop all connections on non-VPN interfaces except when the connection is to the VPN provider’s servers. This is necessary to prevent accidental leaks, at least by unprivileged applications....

Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most bruteforce atacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better? Why? The main problem with SSH keys is that they’re not magic: they consist of a key pair, of which the private key is stored on your disk....

Mailcow is a fairly popular self-hosted mail server. If you use it, there are a few ways you can improve its security by following these steps. Postfix Configuration Consider disabling weak ciphers and TLS versions below 1.2 in data/conf/postfix/extra.cf: tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 tls_preempt_cipherlist = yes smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_ciphers = high smtp_tls_mandatory_ciphers = high smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high NGINX Configuration These security configurations can be added/modified in data/conf/nginx/includes/site-defaults....

Currently, the Proxmox installer does not support setting up encryption with ZFS. Thus, we have to set it up manually. This post will go over how to use the native ZFS encryption with Proxmox. The post also assumes that the Proxmox installation is new and does not have any virtual machines or containers yet. Encrypting the rpool/ROOT dataset Proxmox installs its system inside of the rpool/ROOT dataset. This is what we will encrypt first....