I got mysteriously affected by taking a computer security course at university. It’s not that I knew nothing about computer security before – it’s always been kind of a favourite subject of mine. It’s also not that I didn’t care about it at all before either. It’s just that I … couldn’t bother with it. It requires a lot of effort, right? Cumbersome?
I guess that’s what the course taught me. Basic security doesn’t have to be that hard. Most things are actually pretty easy on a day-to-day basis, once you have learned them.
Lest I forget, here are some topics I’m interested in exploring, potentially learning and applying to my machines, in no particular order.
- Firewall configuration for a server. A simple “default deny” firewall shouldn’t be that hard to set up. I want one.
- Firewall configuration for a laptop. 99.5% of the time, my laptop is behind a NAT box and not directly accessible from the internet. This puts slightly different requirements on the firewall rules, I suspect. I want to know what those requirements are.
Other security concerns on an untrusted local network. There are plenty of exploits available to someone who is physically connected to the same network as you. I want to find out what those are and how to become immune to them.
Status: Step one, DNS, tackled!
Day-to-day use of OpenPGP. I’m starting to get comfortable with the OpenPGP protocol, but I feel like there are many areas where I could use it a lot more than I do.
Status: This has turned out to be a thing where I learn just a little bit every week from using it. Making a huge dive into it is probably unreasonable.
- gpg agent forwarding. At the moment, I install my private keys on remote machines. I learned today that this is not necessary – gpg on the remote machines can be configured to communicate with the gpg agent on my local machine, thus keeping my keys closer to my body.
- OpenPGP smart cards. Yet another way to keep my keys close to my body is by literally carrying them on my body at all times, never letting them touch a computer. This would be both convenient and secure, but I’m not there yet.
SELinux. Stop disabling SELinux!
Status: SELinux integration was the deciding factor when I installed CentOS on my desktop computer. Unfortunately, I have still not had any reason to learn SELinux, because on CentOS, it just … works without any human intervention at all.
Log watching. I want to get emails for any log messages on my system that I haven’t explicitly told the computer are part of the set of “normal” log messages.
Status: I have the basic built-in log watching with daily summaries enabled on my FreeBSD gateway, but I have not done anything more extreme. I have also installed Ganglia on a couple of machines at home to monitor continuously varying values, but this is not hooked up to any alerting function.
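The log-watching idea above (report everything not explicitly declared "normal") can be sketched as an allowlist filter. This is an added example, not code from the original post; the allowlist patterns, the sample log lines, and the function names are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed allowlist of "normal" messages (an assumption, not from the post).
NORMAL = [re.compile(p) for p in (
    r"sshd\[\d+\]: Accepted publickey for \w+ from \S+ port \d+",
    r"cron\[\d+\]: \(\w+\) CMD \(.*\)",
    r"ntpd\[\d+\]: time reset [+-][\d.]+ s",
)]
# Classic syslog prefix: "Mon DD HH:MM:SS host "
PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# Constructed sample input.
SAMPLE = """\
Mar  3 02:10:01 gw cron[811]: (root) CMD (newsyslog)
Mar  3 02:14:09 gw sshd[902]: Accepted publickey for alice from 192.0.2.10 port 50122
Mar  3 02:15:30 gw sshd[910]: Failed password for invalid user admin from 203.0.113.7 port 40022
Mar  3 02:15:33 gw sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 40031
Mar  3 02:20:00 gw kernel: ad0: FAILURE - READ_DMA status=51
"""

def normalize(msg):
    """Collapse PIDs, IPv4 addresses and ports so repeats group together."""
    msg = re.sub(r"\[\d+\]", "[PID]", msg)
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "IP", msg)
    return re.sub(r"\bport \d+", "port N", msg)

def unexpected(lines):
    """Count every message that no allowlist pattern matches in full."""
    counts = Counter()
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        m = PREFIX.match(line)
        msg = line[m.end():] if m else line  # unparsed lines are reported, not dropped
        # fullmatch, not search: a line that merely contains a normal-looking
        # substring must not be silenced.
        if not any(p.fullmatch(msg) for p in NORMAL):
            counts[normalize(msg)] += 1
    return counts

def report(counts):
    """Render the mail body; an empty string means nothing to send."""
    return "\n".join(f"{n:4d}x {msg}" for msg, n in counts.most_common())

if __name__ == "__main__":
    print(report(unexpected(SAMPLE.splitlines())))
```

Run from cron, the output of `report` can be piped to the system mailer whenever it is non-empty.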
Passwordless setups. Passwords, when used as the only form of authentication, have to be communicated to anyone who wants to confirm your identity. That sucks.
Status: I’m not planning on going straight from a 6-character password to no password authentication at all (which is effectively the same as a password of infinite length) but I do approach that territory slowly, by increasing the length of my passwords little by little, and using them less and less in favour of alternate means of authentication. I am a religious user of ssh keys, I have configured my VPN (see below) to use certificate-based TLS authentication, and when I encrypt stuff I do it with public key cryptography rather than shared secrets. Passwordless sudo is also part of the picture.
VPN. I have previously never felt any good reason to learn about VPN software, but at some point, I felt like setting a VPN server up on the home gateway.
Status: It is so good. Not only can I connect to it on any untrusted network and instantly feel very safe, it also enables a large degree of convenience: I have very few confidentiality measures installed for traffic from the local network, but with the VPN I am connected to the local network regardless of where I am!
- : Added two more things to the list.
- : Elaborated a bit on VPN, SELinux, log watching,