Security & Anonymity

From Manjaro Linux


Introduction

In the digital age in which we now live, the terms security & personal privacy have taken on whole new meanings.

A computer or mobile device user that takes no precautions is being tracked every time that they search for something on the web. There are extremely few websites that don't at least log your IP address when you visit them, & most sites have a long list of trackers that record what you look at on a web page, even where your mouse goes without you having clicked anything!

People are gradually becoming more concerned about protecting their data & their personal privacy, whilst on the other hand governments & corporations are applying continued pressure, in a variety of ways, in their various efforts to limit & remove the individual's rights to personal privacy & data security.

This wiki page attempts to give a mostly general introduction to some common security practices. Some detailed examples also currently exist further down the page.

With user input from the Manjaro forum, this page will hopefully continue to grow & evolve. All of this is done in an effort to help give users a stronger chance of making their online experiences as safe, secure & private as they currently can be.


Malware - Viruses & Rootkits

It is worth reading the following wiki page: [1] to gain an improved understanding of the situation regarding GNU/Linux & malware (viruses & rootkits).


Malware

Malware or malicious software includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software, and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.


Viruses

A virus is a piece of code that is capable of copying itself, and typically has a detrimental effect, such as corrupting the system or destroying data.

Fortunately, due to their inherently more secure design (& particularly in the case of GNU/Linux, its frequent updates), the Linux & OS/X systems are not too vulnerable to viruses. You will notice (as of this writing) the complete lack of posts on the Manjaro forum from users complaining about a virus that has affected their system. A search of the web will also show that there really isn't much going on when it comes to viruses that affect GNU/Linux systems. The information on this previously recommended site is worth a read if you would like to further your understanding of the situation: [2]

For users running a Linux mail server &/or serving other data to Windows machines, it is certainly well worth running the free ClamAV anti-virus software on that Linux system (or alternatively on a specialized Linux firewall such as IPCop [3]) in an effort to protect all of the machines that use that network (the Windows machines in particular, as they are vulnerable by their nature).


Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to the computer it resides on.

See the following section for information on detecting rootkits.


Summing up Malware

What can we do to protect our systems &/or networks from Viruses & Rootkits?

There exist two excellent programs: Clam Anti-Virus (ClamAV) [4] & Rkhunter (Rootkit Hunter) [5]. These are available with most if not all Linux distributions. More information can be found by selecting the links beside their names above.

Those that desire not to be tracked & or identified when they are using the internet may find the following page of use to them, especially if they use Firefox: [6]

Those that want to use Thunderbird in a secure manner, please take a look at this paragraph in the Arch wiki: https://wiki.archlinux.org/index.php/Thunderbird#Dangerous_defaults


Passwords

A chain is only as strong as its weakest link, and the more links in the chain, the stronger the possibility that one will fail. Having your browser remember your passwords, or using a password manager, provides what some users consider to be another weak link in this chain, as even the encrypted store of a password manager may be obtained by experienced hackers.

Cracking encryption that uses a strong password & 128- or 256-bit encryption isn't a quick process. Only users that have made themselves stand out to government agencies &/or other extremely powerful organizations need to be very concerned about their encrypted passwords held by a password manager, at this point in time at least.

It is always a good idea to keep your passwords written down and stored in a secure location. It is also a good idea to always log out of online sessions when completed.

Passwords should be varied, i.e. never use the same password for more than one site; it is best if they are at least ten characters in length and as random as possible. Perfect Passwords [7] is an online resource provided by Steve Gibson of the Gibson Research Foundation. It is a highly recommended resource used to help people use strong passwords.


Domain Name System (DNS)

DNS stands for “Domain Name System.” Domain names are the human-readable website addresses we use every day. For example, Google’s domain name is google.com. If you want to visit Google, you just need to enter google.com into your web browser’s address bar.

However, your computer doesn't understand where "google.com" is. Behind the scenes, the Internet and other networks use numerical IP addresses (Internet Protocol addresses). Google.com uses the IP address 173.194.39.78. If you type this number into your web browser's address bar, you will end up at Google's website.

DNS spoofing is a computer hacking attack whereby data is introduced into a DNS name server's cache database, causing the name server to return an incorrect IP address, which diverts traffic to another computer, often the attacker's. So you may think you are at your banking website when you are actually at a clever forgery, ready to expose your information to the attacker.

To protect yourself, it is a good idea to see how spoof-resistant your DNS servers are, and once again the Gibson Research Corporation has a tool to do just that at the following link: [8]

If it turns out you receive a poor score you can always change your DNS servers. The Swiss Privacy Foundation DNS servers are highly recommended:

77.109.138.45 for the Primary and
77.109.139.29 for the secondary.

Linux distributions can be set up in a variety of ways, so it is a good idea to make sure that your chosen nameserver IP addresses don't get overwritten on reboot. See this Manjaro web page for instructions on how to ensure that the following (or any other DNS IP addresses that you choose to use) work properly for you: [9]

nameserver 77.109.138.45
nameserver 77.109.139.29

The Swiss Privacy Foundation DNS servers do not log your traffic and support DNSSEC (Secure DNS). You can learn more at the following link (translation needed): [10]


Universal Plug N' Play (UPnP)

UPnP is a feature that easily allows the devices on your home network to discover each other and access certain services automatically, without any effort by the other UPnP-enabled devices. When this is enabled, any UPnP-enabled device can connect to your network and your shared content is exposed. Some consider this to be a huge security risk, though in reality it depends on your circumstances: if you live in a highly populated area with people in relatively close proximity, you are more vulnerable than if you live in the country with a lower population density.

There exist many tutorials on port forwarding; for those attempting to ensure as secure a system as possible, port forwarding can be used in place of UPnP.

Port forwarding is the technique of taking packets destined for a specific TCP or UDP port and machine, and 'forwarding' them to a different port and/or machine. This is done 'transparently', meaning that network clients cannot see that port forwarding is being used.

To test how secure UPnP is on your system, we can turn once again to the Gibson Research Corporation, using the following link: [11]

Most routers have the ability to turn UPnP off and to set up port forwarding.

An excellent tutorial on port forwarding can be found at the following link: [12]


Wireless Networks

An unsecured or improperly secured wireless network just makes it easier for your personal information to be leaked. Leaving your network open to share with the neighbours also means you share it with everyone else in range. You should always use wireless security; WPA2 with AES is the recommended type, with a randomly generated password at least ten characters in length. If you wish to share access, give the password to your neighbour, but remember the more people who have a password the less secure it becomes. Again, Perfect Passwords can be very useful for generating more effective passwords: [13]


Browser Extensions

Web browsers are not created equal. Some browsers will display web sites more effectively than others. Some have more built in security & other functions than others, some have an enormous number of extensions or add-ons available for them.

Ultimately it is of course completely up to the user which browser they prefer to use.

Following is a link to a Manjaro wiki page that focuses on browser security. It carries useful information for those using any browser, though it is focused on Firefox & Pale Moon, presenting a specific strategy for using add-ons that don't duplicate or otherwise interfere with each other's functions: [14]

The Web of Trust (WoT) browser extension is an extension that does some things a bit differently. It lets you know whether the website you are visiting is trustworthy or not. That way, if you happen across a website that you think is trustworthy, and that even looks it, you still get a warning that you should not submit your personal information to the site.

WoT requires personal information to set up your account; it then tracks you both via cookies (you can choose to turn cookies off for WoT, though this disables some of its functions) & via an encrypted code that uniquely identifies your computer. They say in their privacy policy that no personally identifiable information is collected(?) & that the data they collect is for statistical analysis. As far as I'm concerned WoT is just another tracker.


Proxy Server

A proxy is exactly what it sounds like: something that stands between you and another party and mediates for you. In this case it stands between you and the internet. There are many different types of proxies (SOCKS, web, and SSL) but we will concentrate on web proxies. Some of the most popular HTTP/HTTPS proxy servers are:

  • Anon Proxy Server: [17]
  • Squid Web Caching Proxy: [18]

A Manjaro wiki page on Squid can be found here: [19]

These do little beyond filtering scripts, like AdBlock, and enforcing HTTPS rules, like HTTPS Everywhere, so why am I bothering to mention them? In case you happen to use a browser that does not have those extensions available. Some of these are also caching proxies, meaning they remember the pages you visit and can actually speed up your browsing experience as well. Make no mistake: some VPN (Virtual Private Network) providers offer a SOCKS proxy that can route to a different server and change your IP address, giving you a better sense of anonymity. When coupled with SSL it can also provide an encrypted tunnel for your data to pass through, almost as secure as a VPN.

Squid, beyond speeding up your surfing experience due to its cache, also replaces your user agent string with the following:

HTTP_USER_AGENT:Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

The above makes you look like a Googlebot to those servers that don't look too hard at you. ;) Squid also allows you to dramatically limit how much identifiable data your browser gives away to each server that it touches. See the Manjaro wiki page for more: [20]
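The header rewriting described above, as an added squid.conf fragment (not taken from the Manjaro wiki page linked; the directive names are Squid's own):

```conf
# Squid only forwards a replacement once the original header has been denied
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
# Do not announce the proxy or the client's real address to the origin server
via off
forwarded_for delete
# Optional: the page you came from is also identifying data (may break some sites)
request_header_access Referer deny all
```

Squid only sees these headers for plain HTTP requests, or for HTTPS when it is configured to intercept TLS; a plain CONNECT tunnel passes the browser's headers through untouched.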


VPN's

A VPN is a secure encrypted tunnel from your computer to the VPN server. Only the VPN server's IP address is exposed. This has become a very popular way to secure your data & to be more anonymous on the internet. People in some countries use VPNs to get around the restrictions placed by their governments on which sites they may & may not visit.

There are a lot of free and low cost VPN's but remember you get what you pay for.

First, make sure that the VPN provider you choose has port forwarding. If you have the VPN running constantly, you will need this if you have any ports you need open, say for a gaming service like Steam.

Second, if you truly wish to remain anonymous, make sure they accept an untrackable form of currency such as bitcoin or equivalent. Be sure to do research on the providers to make sure they stand behind their practices and promises. If you use a VPN from the United States and still connect to a server in the United States, the same laws govern their practices as well; for instance, they may say they don't keep logs, but when asked by an agency of the United States the server must turn over whatever they have, which may reveal your IP.

Also, try to choose a private instead of a shared IP. On a shared IP you will be with a group of other people, and if one person does something stupid to get banned, the entire group gets banned. Choose a dynamic IP so that your IP address will change each time you connect; this makes you harder to track. Most VPN providers offer two kinds of VPN, and I will go over each one.


OpenVPN

OpenVPN is a software-based VPN that is available in our repos. It can be set up & configured in a variety of fashions. Some VPN systems will use a more complex .ovpn file, situated in the /etc/openvpn directory, that includes information that other VPN providers place in multiple files. You can also call files that are stored elsewhere, such as in the ~/.config/openvpn directory.

Other methods may require you to install additional software and then set it up by importing an .ovpn file into the network manager; or by renaming the file from .ovpn to .conf and placing it into /etc/openvpn along with your certificate (e.g. VPN.crt) and a text file containing just your username and password, without spaces, one per line, as follows:

Username
password

In the following example the file is named private. To give the file the proper permissions, use this command in a terminal:

sudo chmod 600 /etc/openvpn/private

The private file is then referenced from the conf file using the line auth-user-pass private. I will show a common config file as an example:

client
dev tun
proto udp
# replace 101.101.101.101 with the IP address of your VPN server
remote 101.101.101.101 1194
resolv-retry infinite
# username & password are read from /etc/openvpn/private (see above)
auth-user-pass private
nobind
persist-key
persist-tun
comp-lzo
# the provider's certificate, placed in /etc/openvpn
ca VPN.crt
verb 3
tun-mtu 1500
fragment 1400
mssfix
reneg-sec 0

This is fairly easy on most modern Linux distributions. I have heard a lot of people say that if OpenVPN disconnects, you can use IPTables rules to make sure it does not disclose your information. Personally I do not like software firewalls and find these rules cumbersome. I find it much easier to add the following lines to the file /usr/lib/systemd/system/openvpn@.service

Restart=always
RestartSec=30

So my configuration looks like this:

[Unit]
Description=OpenVPN connection to %i

[Service]
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

This way if the service is killed it will restart automatically in 30 seconds.
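A check for the layout just described (the .conf, the ca certificate it names and the auth-user-pass file, which must be readable only by its owner); this is an added example, not code from the Manjaro wiki, and it builds a constructed copy of the directory so it can be tried without touching /etc/openvpn:

```shell
# Added example (not from the Manjaro wiki): audit an OpenVPN client directory
# laid out as described above. Relative paths in the .conf are resolved against
# the directory, as openvpn does when started with --cd.

conf_value() {
    # Print the first argument of directive $2 in config file $1 (empty if absent)
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

check_openvpn_conf() {
    dir="$1"; conf="$dir/$2.conf"; rc=0
    if [ ! -f "$conf" ]; then
        echo "FAIL: missing config $conf"; return 1
    fi
    ca=$(conf_value "$conf" ca)
    creds=$(conf_value "$conf" auth-user-pass)
    case "$ca" in ""|/*) ;; *) ca="$dir/$ca" ;; esac
    case "$creds" in ""|/*) ;; *) creds="$dir/$creds" ;; esac

    if [ -z "$ca" ] || [ ! -f "$ca" ]; then
        echo "FAIL: ca certificate not found: ${ca:-<no ca directive>}"; rc=1
    fi
    if [ -z "$creds" ]; then
        echo "INFO: no credentials file; openvpn will prompt for username/password"
        return $rc
    fi
    if [ ! -f "$creds" ]; then
        echo "FAIL: credentials file not found: $creds"; return 1
    fi
    # the credentials file must not be readable by other users (chmod 600)
    mode=$(stat -c %a "$creds")
    case "$mode" in 600|400) ;; *)
        echo "FAIL: $creds has mode $mode; run: chmod 600 $creds"; rc=1 ;;
    esac
    lines=$(grep -c . "$creds" || true)
    if [ "$lines" -ne 2 ]; then
        echo "FAIL: $creds should hold exactly two lines (username, password), has $lines"; rc=1
    fi
    if [ $rc -eq 0 ]; then echo "OK: $conf"; fi
    return $rc
}

# Constructed demo directory standing in for /etc/openvpn (not a real setup)
demo_openvpn_dir() {
    d=$(mktemp -d)
    printf 'client\ndev tun\nproto udp\nremote 101.101.101.101 1194\nca VPN.crt\nauth-user-pass private\n' > "$d/vpn.conf"
    printf 'constructed placeholder certificate\n' > "$d/VPN.crt"
    printf 'Username\npassword\n' > "$d/private"
    chmod 600 "$d/private"
    echo "$d"
}
```

The Restart= lines can also go in a drop-in file under /etc/systemd/system/openvpn@.service.d/ rather than in the unit under /usr/lib, so that a package upgrade does not overwrite them.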

The second type of VPN is L2TP/IPSEC (Layer Two Tunneling Protocol / Internet Protocol Security), which does not require additional software to set up on Windows, Android or Macintosh, but does on Linux and can be cumbersome. Read the following link to check out L2TP/IPSEC setup: [21]


Another danger when using a VPN is that if you use your ISP's DNS servers, your activities are still being logged. Look at the link below (previously mentioned on this page) for a simple way to change your DNS server IP addresses & prevent them from being overwritten at boot, which is what will happen for many of us if they are placed directly in /etc/resolv.conf: [22]

As mentioned in the first part of this article, change them to a more secure DNS such as the Swiss Privacy Foundation servers (info' included here: [23]).

To check and see if you are leaking DNS information you can visit the following link: [24]


Local DNS Servers

We have talked about DNS in part one, but you can also keep your DNS cache on your own machine. The advantage of doing this is that the cache will be kept locally, so it will be harder to spoof, as we discussed earlier, and it will speed up browsing because the server will remember the entry. The two most popular local DNS servers, which I recommend, are:


DNSMasq

DNSMasq is sometimes pre-installed in some Linux distributions and just needs to be set up. The following link has a very nice tutorial: [26]


Unbound DNS is a bit harder to set up than DNSMasq and is usually not pre-installed. However, with a little reading from the following links you can set up several kinds of configurations. I find Unbound a bit more geared toward the security conscious; when reading the tutorials you will see why. [28] [29]


AirVPN - uses OpenVPN, own DNS servers & FOSS client software called Eddie

The following is not an advertisement for AirVPN; I'm using AirVPN as an example of the kind of things that a high quality VPN provider can do for you. If you are looking for a VPN, the following should give you a measuring stick.

AirVPN is a VPN provider that costs money to use, as you will see (amongst other things) from their home page: [30]

When using Eddie (the GUI client software, which comes in versions that run on Windows, OS/X, Linux, Android and iOS; plus AirVPN has installations for DD-WRT, Tomato, pfSense, Tor, VPN SSH Tunnel and VPN SSL Tunnel) you have many configuration options that you can use if you are an expert; if you are not an expert, you shouldn't have to worry about any of them. Which is nice.

One of the main & most used options of Eddie (the GUI client software) is the Network Lock. This is implemented in various ways, depending on your OS & other variables. In Linux, the most common method is for any iptables rules that you have to be set aside, & for AirVPN to temporarily use its own rule set (for as long as you are using Network Lock).

What this rule set does is lock your machine into using one of AirVPN's DNS servers. If for some reason you lose your connection to AirVPN, your machine will immediately be unable to use the internet. This is a great fail-safe for anyone who is using their machine behind a national firewall (as in China & some Middle Eastern countries), as there will be no record of the addresses that you have been visiting: you have been using an AirVPN DNS server (via the encrypted tunnel) that is in another country & doesn't keep any records containing personally identifying data.
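A minimal Linux equivalent of the Network Lock described above, built from the iptables rules mentioned in the OpenVPN section; this is an added example, not AirVPN's rule set, and it assumes a single client .conf whose remote line holds an IP address (as in the example config earlier on this page):

```shell
# Added example (not AirVPN's rule set nor code from the Manjaro wiki): a Linux
# "network lock" derived from the OpenVPN client .conf. Once applied, the only
# traffic allowed off the machine outside the tunnel is the VPN handshake itself,
# so DNS queries and everything else either go through the tunnel or nowhere.
# Assumes the 'remote' line holds an IP address: with DNS blocked outside the
# tunnel, a hostname there could never be resolved.

conf_field() {
    # Print field $3 of directive $2 in config file $1 (empty if absent)
    awk -v key="$2" -v n="$3" '$1 == key { print $n; exit }' "$1"
}

vpn_lock_rules() {
    # Usage: vpn_lock_rules /etc/openvpn/vpn.conf [tun device]
    # Prints the rules; review them, then pipe into 'sh' as root to apply.
    conf="$1"; tun="${2:-tun0}"
    server=$(conf_field "$conf" remote 2)
    port=$(conf_field "$conf" remote 3)
    proto=$(conf_field "$conf" proto 2)
    if [ -z "$server" ] || [ -z "$port" ]; then
        echo "no 'remote <ip> <port>' line in $conf" >&2; return 1
    fi
    # 'udp', 'udp4', 'tcp-client' ... all reduce to udp or tcp for iptables
    case "$proto" in tcp*) proto=tcp ;; *) proto=udp ;; esac
    cat <<EOF
# existing OUTPUT rules are set aside while the lock is active
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only permitted destination outside the tunnel: the VPN server itself
iptables -A OUTPUT -d $server -p $proto --dport $port -j ACCEPT
# DNS and all other traffic may only leave through the tunnel device
iptables -A OUTPUT -o $tun -j ACCEPT
# no IPv6 path around the lock unless the VPN itself provides IPv6
ip6tables -F OUTPUT
ip6tables -P OUTPUT DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}
```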

AirVPN provides a website: [31] that anyone can use to test their system's internet security. It also has a torrent address detection ability, amongst other functions.

AirVPN allows you a certain number of port forwarding port addresses (you get to choose what they are, from a large number of options). Port forwarding is often used by people that use bittorrent, as it is the most efficient way to set up for torrenting.

If you can't tell your torrent client what port to use, then it is rubbish! Use a better one (e.g. qBittorrent, Transmission, etc...), one that incorporates the facility that allows you to choose the port address that it will use.

When you download the AirVPN client from their website, it comes self contained with all of the files that it needs; including its own OpenVPN files which it will use even if you already have OpenVPN installed on your machine.

All of these go in a directory such as ~/airvpn. If you install via the AUR, then the OpenVPN that you already have on your system (or which will be installed) will be used, plus the other associated files will be installed in the various parts of / where they would normally belong on an Arch-based system. A ~/.airvpn directory is created which carries iptables rules & a few other files.

If you have an AirVPN account, you are allowed to have three machines using AirVPN simultaneously.

Also, & most importantly, AirVPN keeps no logs, so even if some government managed to find a way to legally force AirVPN to open its doors to them (which in Europe, they currently can not do), there is no history kept that could be used against someone for whatever reason.

There is no traffic limit. No time limit. Access to all of AirVPN's exit-nodes. You can switch servers whenever you want, as often as you want.

You can pay via bitcoin, & a number of other methods.

I've found both their forum community (good atmosphere) & their official support to be extremely helpful & respectful. I've used them for approaching ~4 years, primarily as a means to make it more difficult for me to be tracked by all of those entities that I've never given permission to track me, & who nonetheless track everyone that they can, for no one's best interest but their own.


Support

Following is a link to this page's forum counterpart where you can post any related feedback: [32]