mayfrost-guides/CHECKLIST.md

SECURITY IN ORDERS OF DIFFICULTY

Not necessarily meant to be followed step by step, although it is recommended. Some steps are valid during all levels, others give way to better alternatives further on.


TOC

  1. Basic Level Security
  2. Cautionary Level Security
  3. Medium Level Security
  4. High Level Security
  5. Physical Access Counter-Measures
  6. Costly Counter-Measures
  7. Deterrent Counter-Measures
  8. Exit Level Security

Basic Level Security

  • Level 1: Don't save your passwords in plaintext or in some "cloud" service like LastPass, and don't save logins on your phone or web browser. Use KeePassX or KeePassXC (and I mean the one with an X) and remember one good main password (it must have lowercase, uppercase, numbers and symbols, be longer than 8 characters and be changed bimonthly), then use the password manager's option to generate a different password for each account you have, and keep the password database on a USB stick. Another password manager is kpcli, which works on the command line and is just a minimalist Perl script (this is the best option).
  • Level 2: Remove file extensions from sensitive files, such as .kdb for KeePass password databases, rename them, and keep them in encrypted folders to make it hard to sift through your disk. Better yet, keep it all on a USB stick, with backups only to a third drive disconnected from any network.
  • Level 3: Use Searx instead of Google when you need to search the web. You can get search engine plugins for your browser from here.
  • Level 4: Use your web browser with JavaScript, cookies and any telemetry (like "Pocket", geolocation and WebRTC) disabled, and reduce browser fingerprinting. Enable JavaScript and cookies only on selected sites. GNU IceCat is the best option.
  • Level 5: Replace your e-mail provider with a safer, more appropriate one. A good option is Tutanota; another alternative is cock.li.
  • Level 6: Use an e-mail client that can block web beacons (tracking pixels). Thunderbird is easy and has a plugin for this. Mailx, Mutt or Alpine are better options.
  • Level 7: Use RSS for news from sites you trust and to subscribe to your podcasts instead of YouTube (although YouTube has an RSS feed for its channels too, for now). Liferea is easy and a great application for RSS feeds; newsboat and newsbeuter are command line options.
  • Level 8: Use PeerTube for podcasts instead of YouTube.
  • Level 9: Use Mastodon or install Pleroma (GNU Social) instead of non-publicly auditable social networks known to sell private information.
  • Level 10: Choose IRC instead of non-publicly auditable chat networks. A good and easy IRC application is HexChat; other options are irssi and WeeChat. You can use BitlBee to access other chat networks through an IRC client if you need.
  • Level 11: Use GNU/Linux on your computers, preferably free from "systemd". PCLinuxOS is an easy first choice; Devuan is a better option. Stay away from something called BSD.
  • Level 12: Install LineageOS on your phone and use F-Droid without gapps (Google app store), with IceCatMobile as your web browser, KeePassDroid, AFWall+ and Android IMSI-Catcher Detector. Use Yalp Store or Aptoide (or download from apkmirror/apkpure) in combination with microG if you need a gapps app.

Cautionary Level Security

  • Level 13: Delete any metadata from files you share on the internet. ExifTool is the best tool.
  • Level 14: Avoid using your real name online and avoid giving away any personal information; if possible, log into sites using donated passwords and accounts from BugMeNot.
  • Level 15: Use The Random Identity Generator (rig) to generate different online personas when you need to create accounts. Don't reuse usernames, email addresses, etc., for different sites, and don't mention your other identities, to avoid contamination.
  • Level 16: Anonymize your writing style for any text and document you upload with anti-stylometry software like Anonymouth.
  • Level 17: Encrypt your e-mails with GnuPG when possible. Thunderbird has the Enigmail plugin for this; on Mutt and Mailx you can script the use of GPG.

Medium Level Security

  • Level 18: Uninstall network-facing services like Avahi (Bonjour), CUPS (replace with Line Printer if needed), Telnet, the R-tools (rlogin, rsh, rcp, rwho, rexec), fingerd and RPC services (D-Bus and rpcbind), and uninstall unused services such as ssh/web/ftp/mail. Also disable IPMI in the BIOS.
  • Level 19: Use YaCy with the collaborative database disabled when you need to search the web.
  • Level 20: Use the Tor Browser to navigate the internet through Tor.
  • Level 21: Use Firejail or Bubblewrap to sandbox your applications.
  • Level 22: Use an OpenNIC provider known to not save logs together with DNSCrypt to prevent DNS Leaking.
  • Level 23: Use Uncomplicated Firewall ("ufw") to block inbound AND outbound network traffic, permitting only what you need. The graphical version ("Gufw") is beginner-friendly.
  • Level 24: Use Bastille Linux to harden your system.
  • Level 25: Use a source-based distro, preferably without crypto libraries in its package manager (no Python), and tweak the installation files to use the minimum required dependencies. Gentoo is one option; CRUX is another and it is easy, see this link.
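To check that Level 18 actually stuck, here is an added example (not part of the mayfrost guide) that compares the sockets a host is listening on against an allowlist of "proto:port:process" entries. The allowlist and the sample `ss -Hltunp` output below are constructed assumptions; on a real host you would feed it `"$(ss -Hltunp)"` as root.

```shell
#!/bin/sh
# Added example, not from the guide: flag listening sockets that are not allowlisted,
# so leftover daemons such as avahi-daemon, cupsd or rpcbind (Level 18) stand out.

# Allowed listeners, one "proto:port:process" per line (assumption: your own policy).
ALLOWED='tcp:22:sshd
udp:68:dhclient'

# Constructed sample of `ss -Hltunp` output (no header); a real run replaces it with
# SAMPLE=$(ss -Hltunp), which needs root to see process names.
SAMPLE='udp   UNCONN 0  0     0.0.0.0:5353   0.0.0.0:*  users:(("avahi-daemon",pid=612,fd=12))
tcp   LISTEN 0  128   0.0.0.0:631    0.0.0.0:*  users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0  128   0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=801,fd=3))
udp   UNCONN 0  0     0.0.0.0:68     0.0.0.0:*  users:(("dhclient",pid=455,fd=6))
tcp   LISTEN 0  4096  127.0.0.1:111  0.0.0.0:*  users:(("rpcbind",pid=300,fd=4))'

# audit_listeners SS_OUTPUT ALLOWLIST
# Prints one "proto:port:process" line for every listener missing from the allowlist.
audit_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            port = $5; sub(/.*:/, "", port)        # "0.0.0.0:631" or "[::]:631" -> "631"
            split($NF, p, "\"")                     # users:(("cupsd",pid=...)) -> cupsd
            proc = (p[2] == "") ? "?" : p[2]        # "?" when ss could not show the process
            key = $1 ":" port ":" proc
            if (!(key in ok)) print key
        }'
}

# Demonstration run on the constructed sample: prints the three unexpected listeners.
audit_listeners "$SAMPLE" "$ALLOWED"
```

Run it from cron or a login script and treat any output as a service to remove (Level 18) or to add to the allowlist deliberately.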

High Level Security

  • Level 26: Use a command line web browser like links2, and only browse web pages without JavaScript or cookies when possible.
  • Level 27: Set a tight configuration for iptables on each open port and drop packets for everything else. Use nftables on newer kernels.
  • Level 28: Use qmail for your own e-mail server. Exim and cmail are other options.
  • Level 29: Use Squid for caching websites.
  • Level 30: Set BIND9 for caching all DNS queries on your local DNS server.
  • Level 31: Use port forwarding and a port knocker on your router or server if you have services running, and unregister your reverse DNS records.
  • Level 32: Use Arpalert/ArpON (for man-in-the-middle, MITM, detection), zapret (for deep packet inspection, DPI, blocking and circumvention), and Suricata/Snort (for network intrusion detection).
  • Level 33: Compile the kernel yourself and add only necessary features and selected modules. Enable KASLR and capabilities in the kernel configuration.
  • Level 34: When possible, give your applications a separate user account and use chattr, sudo, chroot, fakeroot, ulimit and quota with them.
  • Level 35: Use Lynis to audit your system.
  • Level 36: Use a complete host intrusion detection framework like Tiger, which can work with Samhain (for integrity checking), Unhide/Chkrootkit/rkhunter (for rootkit detection), ClamAV/Linux Malware Detect, and a system logger like sysklogd.
  • Level 37: Use RSBAC (for RBAC) with AppArmor (for filesystem ACL).
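For Level 27 on an nftables kernel, here is an added example (not from the mayfrost guide) that generates a default-drop ruleset from short port lists: every base chain has `policy drop`, so only loopback, already established traffic and the ports you name get through. The port lists are assumptions standing in for your own policy; review the output before loading it as root.

```shell
#!/bin/sh
# Added example, not from the guide: build a default-drop nftables ruleset (Level 27).
# Assumed policy: sshd offered to the network; DNS, HTTP(S) and NTP allowed outbound.
IN_TCP="22"            # services this host offers
OUT_TCP="53 80 443"    # what this host may reach over TCP
OUT_UDP="53 123"       # DNS and NTP over UDP

# build_ruleset IN_TCP OUT_TCP OUT_UDP  -> prints a complete ruleset on stdout.
# Loopback and established/related traffic pass, listed ports are accepted, and
# anything else falls through to the chain policy and is dropped.
build_ruleset() {
    in_tcp=$(printf '%s' "$1" | tr ' ' ',')
    out_tcp=$(printf '%s' "$2" | tr ' ' ',')
    out_udp=$(printf '%s' "$3" | tr ' ' ',')
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        tcp dport { $in_tcp } ct state new limit rate 10/minute accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        tcp dport { $out_tcp } accept
        udp dport { $out_udp } accept
    }
}
EOF
}

# count_drop_policies RULESET -> number of base chains with "policy drop" (must be 3).
count_drop_policies() { printf '%s\n' "$1" | grep -c 'policy drop;'; }

# Print the ruleset for review; as root, load it with:  build_ruleset ... | nft -f -
build_ruleset "$IN_TCP" "$OUT_TCP" "$OUT_UDP"
```

The rate limit on new inbound connections is a cheap brake on brute forcing; keep a console session open while loading a default-drop output chain so a typo cannot lock you out of a remote box.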

Physical Access Counter-Measures

  • Level 38: Set a BIOS password (DON'T FORGET THIS PASSWORD!).
  • Level 39: Use USBGuard (to prevent Juice Jacking).
  • Level 40: Use disk encryption with cryptsetup (dm-crypt), saving the key on a separate USB that you keep with yourself at all times.
  • Level 41: Move your boot partition to a USB and encrypt it with cryptboot. Use the option on Libreboot too.

Costly Counter-Measures

  • Level 42: Buy a separate camera and microphone and physically remove any camera and microphone from your computer.
  • Level 43: Buy a VPS in a non-extradition, privacy-friendly country outside the Five Eyes, under a different name and with a good way of not getting traced through payments; route all outgoing traffic through it, then set up your own VPN server so you can audit all the traffic.
  • Level 44: Buy a phone with Replicant and libre firmware. Tehnoetic sells an S3 phone with Replicant and only libre firmware enabled; so far it is the best option.
  • Level 45: Buy a router compatible with LibreCMC and install LibreCMC, keep it up to date, give it a strong password, set it to monitor all traffic, and use previous techniques such as caching, port forwarding, etc.
  • Level 46: Buy a computer compatible with the Libreboot firmware and the Linux-libre kernel, then install both or buy it preinstalled. ThinkPad models X200, T400 and T500 are the best options. Remember to check for a compatible Wi-Fi card and physically remove the cables connecting cameras and microphones.

Deterrent Counter-Measures

  • Level 47: Learn to hack yourself first.
  • Level 48: Use only libre software (software "free as in freedom").
  • Level 49: Reduce the amount of software installed in your computer.
  • Level 50: Opt for text-based programs with less library dependencies than their GUI counterparts.
  • Level 51: Support the GPL license so as to prevent proprietary license wrapping (as happens with BSD/MIT/Apache licenses), by which you would lose critical updates and further features. GPLv3 also prevents tivoization, a hardware-level lockout method.
  • Level 52: Deduplicate efforts and converge strategies to achieve a "tight base system" in common (use the koan "if it is not strictly necessary it should be strictly optional, but still optional"); that means making things modular and avoiding unnecessary dependencies instead of trusting "crypto libraries" like in Python.

Exit Level Security

  • Level 53: Abandon "cloud computing" and traditional, non-publicly auditable, data-mined networks and erase your online persona. Use exclusively peer-to-peer services with specific protocols instead of all-in-one networks. Use IRC for live chat, e-mail for direct contact, and NNTP for newsgroups (per-topic forums, what "social media" should be). IRC, e-mail and torrent services are available inside i2p, as is NNTPChan. Tor can serve as an outproxy for i2p to reach the regular web.
  • Level 54: Abandon the Internet. Participate in local mesh networks and collaborate with global scale meshnet projects like gternet.
  • Level 55: Don't f*ck it up. Protip: you can't.