Security on the Internet under GNU/Linux

It's a big deal these days, whether it's companies tracking your browsing habits to serve up adverts or the government trying to snoop on your activity under the bullshit pretense that it protects you from 'terrorists', when in reality it's an infringement of Article 12 of the UN Universal Declaration of Human Rights, which states…

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

…there are any number of reasons you might wish to improve the security of, and the way in which you use, the Internet. It's a big topic, so I've made these notes as I fumble my way through the process for future reference, and perhaps they might be useful to someone else.

An Aside

A large proportion of the software that underpins the Internet is Free and Open-Source Software (FOSS), which means that the source code is available to anyone who may want to look at and modify it. This is a good thing, since the more eyes scrutinising the code the fewer bugs there will be, and everyone benefits when someone adds a missing feature or fixes a bug. It also means that should malicious code be included it's highly likely to be seen by others and removed. It's nice getting things for free and very generous of programmers to give away the fruit of their labour, but if you use the software a lot, as you might with things like OpenVPN, it's worth considering making a donation to the programmers. It's true that many get corporate support, but there is no harm in donating the cost of a pint for the software you use; it's a lot cheaper than the Micro$oft license fees. The Free Software Foundation would be a good choice to make such a donation to, as they promote and defend FOSS.

Anonymity

If you want to be even more secure in your browsing you can do so using a live distribution that is designed for security. There are a number of different options and I've tried a few.

De-Googlfy

Useful resources for alternatives to Google can be found at A huge list of alternatives to Google products. Privacy tips, tricks, and links.

Topics

Overview and Definitions

A lot of new terms…

  • Certificates: documents issued by VPN providers to users allowing them to connect securely to their network.
  • (HTTP) Cookies: small text files that reside on your computer and detail your preferences on a website and what you have looked at there.
  • Free Open Source Software (FOSS): software that anyone is freely licensed to use, copy, study and change in any way, and for which the source code is available.
  • Gateway: a server through which you connect from one network to another.
  • Internet Service Provider (ISP): who you pay for an internet connection. Sometimes this will be whoever you have your mobile phone with.
  • Internet Protocol Security (IPsec): a protocol suite for secure Internet Protocol (IP) communications that authenticates and encrypts each communication session.
  • OpenVPN: Free Open Source Software (FOSS) implementing a Virtual Private Network (VPN).
  • Point-to-Point Tunneling Protocol (PPTP): a method for implementing virtual private networks.
  • TOR: a network that anonymises your browsing by routing it through a network of public servers.
  • Virtual Private Network (VPN): a private network that you can connect to over the internet. Traffic then passes between you and the private network without anyone in between being able to see what is passing. In essence this means you appear to be located wherever the VPN server is physically located.

Making life a little easier

You have to save certificates for your VPN connection, and you can make life a little easier if you use a cloud service to save them in the same place on different systems. Many people use Dropbox, but a more secure, zero-knowledge option is SpiderOak. If you save your VPN provider's certificate somewhere within a synchronised folder and you have the same username accounts on multiple (GNU/Linux) computers, then the files will likely reside in the same place (i.e. wherever you put them under /home/[user]/SpiderOak Hive/ by default). This makes copying configuration files between systems really easy.

Virtual Private Server (VPS)

A dedicated section on configuring a VPS with OVH.

Virtual Private Networks (VPN)

This should be your first step in improving your internet security. Your ISP is capable of logging all of the internet traffic that passes in/out of your house; whether you are browsing the web, torrenting, or making SSH connections to remote servers, it all passes through your modem and the connection your ISP provides. As of writing there are proposals in the draft Investigatory Powers Bill by the UK Government to force ISPs to log a year's worth of customers' browsing habits at the level of the domain you visit (i.e. http://www.bbc.co.uk/ but not http://www.bbc.co.uk/news). By using a VPN your ISP only sees you making a connection to the VPN and not what you subsequently browse whilst connected to it.

Protocols

There are four main protocols you might encounter when using a VPN:

Protocol | Encryption | Description
PPTP | MPPE 128-bit | Oldest and most widely used; built into a lot of software, making it simple to use.
IPsec | 128-bit | Designed for OSX/iOS; it's heavy on your CPU but is built into the OS and therefore simple.
OpenVPN | 256-bit | The strongest encryption and very widely used.
WireGuard | | A newer in-kernel VPN, now the better option over OpenVPN but not necessarily provided by all VPN providers yet.

Choosing a VPN service

There are lots to choose from and I'm no expert, so read this detailed article on TorrentFreak, who asked a whole host of VPN services to describe their approach to anonymity; there is also this useful article from CNET and an excellent VPN Comparison sheet. I shortlisted a few I considered…

For now I've opted for SlickVPN; it's cheap, and they report they don't keep logs and run everything on their gateways in RAM, so when the plug is pulled everything is lost. Once you've signed up for a service you can start configuring your devices to use the VPN.

SlickVPN Gateways

It's highly likely that any provider you use will offer multiple gateways located in different countries, so consult their documentation for details of the addresses.

The default gateway for SlickVPN used in their documentation and example files is in the US, this will mean that if you are physically in the UK you can't use certain services restricted to say the UK since once you've connected it will appear you are in the US. If you want to use a specific gateway located in a particular country find the address of the servers from your VPN provider. SlickVPN has a map but I list them below for convenience.

Router Configuration

If you configure your router/modem to use the VPN then any device connected to your home network automatically has everything routed through the VPN. This has pros and cons: on the up side it means you don't have to mess around enabling the VPN connection on each device and starting/stopping it. On the downside it might mean you can't view certain geographically restricted services such as BBC iPlayer if the VPN gateway you use is outside the UK, but on the flip side this might be an advantage if, for example, you wanted to view films that are only available on US Netflix and not on UK Netflix. Although this can be circumvented at the router level using

The choice of router is perhaps the most tricky step as ideally you want it to be compatible with either OpenWRT or DD-WRT. Below I detail my choice and steps taken to install and configure a router.

GNU/Linux Configuration

There are a lot of different GNU/Linux distributions out there, I use Gentoo and run NetworkManager to manage my internet connections on my different systems. These instructions should be generic enough to allow you to configure any system using NetworkManager (you'll just have to install the necessary programs for your distribution).

Install OpenVPN/NetworkManager/NetworkManager OpenVPN plugin

You only need to emerge one package, it will pull in all the other key dependencies (NetworkManager itself; OpenVPN; nm-applet to give a toolbar GUI)…

emerge -av networkmanager-openvpn

Debian based systems

If you're using a Debian based system such as Ubuntu or one of the many Raspbian based distributions for RaspberryPi then you can install with…

sudo apt-get install network-manager-openvpn

If you are not using a Graphical User Interface (e.g. a headless RaspberryPi without display) then you don't need the NetworkManager component and can just install…

sudo apt-get install openvpn

Configure NetworkManager

To start NetworkManager on boot, remove any net.* init scripts and/or dhcpcd from any existing run-levels and add NetworkManager to the default run-level (this assumes you are using OpenRC to initialise your system; if you have switched to systemd then see here).

# remove every net.* service from the default run-level
for service in $(rc-update show default | grep 'net\.' | awk '{ print $1 }'); do rc-update del $service default; done
# dhcpcd would otherwise compete with NetworkManager for the interfaces
rc-update del dhcpcd default
# start NetworkManager in the current session
/etc/init.d/NetworkManager start

If you haven't already added NetworkManager to the default run-level so that it starts on boot, do so with…

rc-update add NetworkManager default

Configure OpenVPN using NetworkManager

This is heavily based on SlickVPN HowTo : NetworkManager, read it if you're using SlickVPN, or if you're using a different provider then read their documentation for the relevant settings such as protocols, certificates and ports that should be used.

If you are using SlickVPN you will need to download their certificate (link at top of page (direct)), if you are using a different provider obtain their certificate.

You should now have NetworkManager running when you boot (and in the current session if you have started it). Start nm-applet if there isn't already an icon in your system tray with two monitors showing you are connected to the net. To set up an OpenVPN connection to SlickVPN right-click on the icon and select 'Edit Connections' and…

  • Click on Add
  • Select OpenVPN and then click Create
  • Call your new connection SlickVPN (gw1.lil1.slickvpn.com) using the gateway you wish to use (making it easy to distinguish multiple entries and what they are).
  • Under Gateway paste your gateway, e.g. gw1.lil1.slickvpn.com.
  • Under Type select Password and enter your SlickVPN username and password in the fields below.
  • Under Certificate load the SlickVPN certificate you downloaded.
  • Click Advanced
  • In Port enter 443 or 8888 (this will likely differ if you are using a different provider, check their documentation).
  • Under MTU enter 1557 (this too will likely differ if you are using a different provider, check their documentation).
  • On the Security tab under Cipher select AES-256-CBC
  • Click Ok then Save

You should now be able to select the VPN connection by left-clicking on nm-applet in the system tray, going to VPN Connections and selecting your profile. I would recommend setting up several different gateways in case you wish to use a specific geographical location or are getting a poor connection.

Configure OpenVPN DNS

I use a Raspberry Pi with Pi-hole to provide DNS with a load of adverts and tracking blocked, and normally use it for DNS when on my home network. Alternatively you may wish to use Google's Public DNS (currently 8.8.8.8 and 8.8.4.4) rather than the servers provided by your VPN provider. To ensure your OpenVPN connection uses this, edit the file /etc/openvpn/client.conf and add the following line (replacing the IP address with that of your own preferred DNS provider).

Start VPN automatically

ToDo

Copy Configurations Between Computers

If you're lazy like me then all this pointing and clicking is quite tedious. You can save having to do it again on a second computer by copying the files created for your VPNs from one computer to another, providing your certificate is in exactly the same location on both systems. To do this, copy the configuration files, which can be found under /etc/NetworkManager/system-connections/, to your other computers. The files have the same names as the profiles you gave each connection when setting them up. If the certificate you downloaded from your provider is stored in a different location, then after copying the files to the new computer edit them and modify the line that begins ca= (the path to the provider's certificate) to reflect where the certificate is saved on that specific computer.
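As an added example (not from these notes), a small Python helper that does the copy step above: it points the ca= entry of a copied NetworkManager keyfile at the certificate's location on the new machine, writes the file with the owner-only permissions NetworkManager insists on, and flags that the keyfile also carries the plaintext VPN password in its [vpn-secrets] section, which is worth knowing before the file goes into a synced folder. The sample keyfile, username and paths are constructed.

```python
import configparser
import io
import os

# Constructed sample of a profile under /etc/NetworkManager/system-connections/
# in the layout nm-connection-editor writes for an OpenVPN connection.
# Note the plaintext password in [vpn-secrets]; it travels with the file.
SAMPLE_KEYFILE = """\
[connection]
id=SlickVPN (gw1.lil1.slickvpn.com)
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password
remote=gw1.lil1.slickvpn.com
port=8888
tunnel-mtu=1557
cipher=AES-256-CBC
username=alice
ca=/home/alice/SpiderOak Hive/vpn/slickvpn.crt

[vpn-secrets]
password=hunter2
"""


def load_keyfile(text):
    """Parse a NetworkManager keyfile: keys are case-sensitive and '%' is
    literal, so turn off configparser's case folding and interpolation."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def rewrite_ca_path(text, new_ca_path):
    """Return (new_text, carries_password): the keyfile with its ca= entry
    pointed at new_ca_path, plus a flag saying a plaintext VPN password is
    embedded in the file."""
    parser = load_keyfile(text)
    if "vpn" not in parser or "ca" not in parser["vpn"]:
        raise ValueError("keyfile has no ca= entry in its [vpn] section")
    parser["vpn"]["ca"] = new_ca_path
    carries_password = ("vpn-secrets" in parser
                        and "password" in parser["vpn-secrets"])
    out = io.StringIO()
    parser.write(out, space_around_delimiters=False)
    return out.getvalue(), carries_password


def install_keyfile(text, dest_path, ca_path):
    """Write the rewritten keyfile with mode 0600 (NetworkManager also wants
    it root-owned before it will load it), and refuse to write at all if the
    certificate is not where ca= will say it is."""
    if not os.path.isfile(ca_path):
        raise FileNotFoundError(f"certificate not found at {ca_path}")
    new_text, _ = rewrite_ca_path(text, ca_path)
    fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    os.chmod(dest_path, 0o600)  # in case the file already existed
    return dest_path
```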

Android Configuration

# host/port of vpn server
remote gw1.iad1.slickvpn.com 8888
# file containing username and password
#auth-user-pass openvpn.userpass
# ... or prompt for authentication
auth-user-pass
# equivalent to pull, tls-client
client
# redirect all outgoing traffic to the vpn gateway
redirect-gateway
# verify the server certificate for authenticity
remote-cert-tls server
#cipher
cipher AES-256-CBC
proto udp
dev tun
nobind
<ca>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</ca>
  • Choose the gateway you want to use, edit the file and save it, then copy it to your Android device (an easy way to do this is to email it to yourself as an attachment then save the attachment, other options include sFTP or cloud based storage such as the aforementioned SpiderOak).
  • Start OpenVPN Connect on your Android device and select Import from the menu.
  • Select Import from SD card and navigate to where ever you have saved the OpenVPN mobile configuration file (likely Downloads if you emailed it to yourself and saved it).
  • You are then asked to enter your username and password for your VPN service (SlickVPN emailed these to you when you signed up).
  • Now click Connect and you should connect to SlickVPN and see a little key in the notification bar of your device.
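An added example (mine, not from these notes or from OpenVPN) for working with the profile shown above: it checks the directives a defender cares about before the file is shipped to a phone, in particular that remote-cert-tls server is present (without it the client would accept any certificate the CA had signed, not just the server's) and that no credentials file is referenced, and then produces one copy per gateway with only the remote host swapped, as suggested for using several gateways. The sample profile and its certificate body are constructed placeholders.

```python
# Constructed profile in the shape of the Android example above; the
# certificate body is a placeholder, not a real CA.
SAMPLE_PROFILE = """\
# host/port of vpn server
remote gw1.iad1.slickvpn.com 8888
auth-user-pass
client
redirect-gateway
remote-cert-tls server
cipher AES-256-CBC
proto udp
dev tun
nobind
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""


def parse_directives(text):
    """Return [(name, args)] for each directive, skipping comments; an inline
    <tag>...</tag> block becomes one entry (tag, ['<inline>'])."""
    directives, block = [], None
    for line in text.splitlines():
        s = line.strip()
        if block:
            if s == f"</{block}>":
                directives.append((block, ["<inline>"]))
                block = None
            continue
        if not s or s[0] in "#;":
            continue
        if s.startswith("<") and s.endswith(">") and not s.startswith("</"):
            block = s[1:-1]
            continue
        parts = s.split()
        directives.append((parts[0], parts[1:]))
    return directives


def lint_profile(text):
    """Return findings a defender would want fixed before the profile ships."""
    d = dict(parse_directives(text))
    findings = []
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': any CA-signed cert would be accepted as the server")
    if "ca" not in d:
        findings.append("no CA certificate: the server cannot be authenticated")
    if d.get("auth-user-pass"):
        findings.append(f"credentials stored on disk in {d['auth-user-pass'][0]}; prompt instead")
    return findings


def per_gateway_profiles(text, gateways):
    """Return {gateway: profile} with only the host of the remote line swapped,
    so one profile per gateway can be saved under its own name."""
    out = {}
    for gw in gateways:
        lines = []
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "remote":
                parts[1] = gw
                line = " ".join(parts)
            lines.append(line)
        out[gw] = "\n".join(lines) + "\n"
    return out
```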

M$-Windows Configuration

OpenVPN provide a generic program for connecting to VPNs (SlickVPN provide their own client but I opted not to use it; see also their instructions for configuring OpenVPN). Download and install the latest version of OpenVPN (http://openvpn.net/index.php/open-source/downloads.html). Once installed…

  • Right-click on the icon and select 'Properties' and then 'Advanced'
  • Select the tick box to 'Run as Administrator'; you'll need to enter the password whenever you run OpenVPN. It's now running in your Taskbar.
  • Download the certificate and OpenVPN configuration file your VPN provider gives you and place them in the Program Files/OpenVPN/config/ directory.
  • In the system tray right-click on OpenVPN and a connection based on the configuration file should be available, select to Connect and enter your username and password.
  • As with both GNU/Linux and Android configuration its possible to use different gateways, just replace the gateway in the sample configuration file and then save it to a new name and it will appear as an option to connect to under OpenVPN.

A note about DNS

DNS translates web addresses into IP addresses so that when you type a URL the request goes to the right server and you see the web pages you want. You need to make sure that your VPN service provides DNS servers for you to use, otherwise you'll most likely use your ISP's DNS servers that your router is configured to use (see explanation here). The easiest way to do this is if your VPN service provides DNS tunnelling (SlickVPN do). Once connected to your VPN (under GNU/Linux using NetworkManager) you can right-click on the system tray icon and select Connection Information to see what DNS servers are being used. Some places might censor certain IPs/domains; to avoid such censorship use DNS servers from OpenNIC.

If you have set up Pi-hole as described below, you might want to change the order of DNS servers so that your requests go via the Pi-hole and you don't see adverts.
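The Connection Information check above is manual; as an added example (not from these notes), here is the same check scripted: it reads the nameservers out of resolv.conf text in the order the resolver tries them and reports any that are not the ones you expect once the tunnel is up (the VPN's, your Pi-hole or a chosen public resolver), so a router or ISP resolver still listed first shows up as a leak. All addresses and the resolv.conf sample are constructed.

```python
import ipaddress

# Resolvers you are happy to use once the tunnel is up (constructed values).
EXPECTED_RESOLVERS = {
    "192.168.1.10",         # Pi-hole on the home LAN
    "8.8.8.8", "8.8.4.4",   # Google Public DNS, as mentioned in the notes
}

# Constructed /etc/resolv.conf as NetworkManager might write it, with the
# router's (i.e. the ISP's) resolver still listed after the VPN's.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 8.8.8.8
nameserver 192.168.1.1
"""


def parse_nameservers(text):
    """Return nameserver addresses in resolv.conf order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(addr, expected):
    """Label a resolver 'expected', 'local' (a LAN/router address, which is
    usually just forwarding to the ISP) or 'unexpected' (some other public
    resolver). IPv6 zone suffixes such as %wlan0 are dropped before parsing."""
    if addr in expected:
        return "expected"
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.is_private or ip.is_link_local:
        return "local"
    return "unexpected"


def check_dns(text, expected=EXPECTED_RESOLVERS):
    """Return (leaks, report). Order matters: the resolver library tries the
    nameservers top-down, so anything listed before your expected resolver
    will be used first."""
    report = [(s, classify(s, expected)) for s in parse_nameservers(text)]
    leaks = [s for s, label in report if label != "expected"]
    return leaks, report
```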

TOR

Web Browsers

You've gone to all this bother of setting up and using a VPN so that your ISP can't see what you are browsing and/or the sites you are viewing think you are in a different location than you are, but there is a key step in staying anonymous on the web that most overlook, and it can be strongly argued that it gives away more information about you than anything else…the web browser.

Web browsers are the interface to the vast majority of people's use of the internet, and as such the way in which they are used has a huge impact on your security and privacy. All browsers have some default security built in, but they almost all allow the use of cookies, which websites/services use not just to enhance your browsing but also to keep track of what you do. Thankfully there are innumerable add-ons/plugins that can be used to improve your security, and some suggestions are listed below, but they are by no means exhaustive.

Search Engines

Google still have one of the best search algorithms behind their services and it's continually being updated. However, their business model frames the user as the product, and they harvest a lot of data about you from your browsing habits, search queries, email and your mobile devices. When it comes to searching there are alternatives.

DuckDuckGo

Probably the most popular alternative is DuckDuckGo, which is owned by Yahoo! It purports not to track you, and recently they announced even more features to protect your browsing. Install their browser application in Firefox for more private searching.

Tips & Tricks

DuckDuckGo has lots of features that can be used to simplify your searching. Perhaps the most useful are !Bangs which allow you to directly perform searches on other search engines, although be mindful that when you do so you are likely to then be subject to tracking by the site. Common ones are…

Bang | Search Engine
!a | Amazon
!g | Google
!w | Wikipedia

Add-ons/Plugins

Add-on | Description | Firefox | Chrome
HTTPS Everywhere | Ensures HTTPS is used if a site supports it. | Add-Ons | Web Store
Terms of Service; Didn't Read | Reminds you of the Terms of Service for a site (that you probably didn't read). | Add-Ons | Web Store
Ghostery | Blocks tracking and cookies. | Add-Ons | Web Store
Privacy Badger | Tells you who's trying to track you. | Add-Ons | Web Store
Mailvelope | OpenPGP encryption for web-mail services (e.g. Gmail). | Not available | Web Store
uBlock Origin | Excellent ad-blocker with low memory usage. NB: do NOT use ublock.org, that site is unrelated to uBlock Origin. | Add-Ons | Web Store

Synchronising

If you use a web browser that synchronises your passwords, bookmarks and browsing history to the internet, then to a large extent your attempts to mask your browsing from your ISP are redundant, since the details are held in the synchronised account. There are obvious advantages to using such services, but an informed choice of whether to do so is something only you can make. If you're bothered about governments snooping on your activity, then it would be logical to think that you would have similar problems with sharing such information with companies who very often see their users as a commodity and may, or may not, take your privacy seriously.

Adverts and Tracking

My view on advertising and tracking of browsing habits to “improve” this experience is that I pay for my internet connection so I should choose what passes over it. I appreciate many sites rely on advertising for revenue, but I've never really paid attention to adverts anywhere and the internet is no different, so why should my browsing experience be hampered by having to wait whilst a load of mostly irrelevant adverts that I wouldn't be interested in load. Thus I use the plugins listed above and in addition I have a Raspberry Pi set up and running as a Pi-Hole to block requests for adverts from ever leaving my local network, further reducing unnecessary bandwidth usage.

For some time there have been browser add-ons that block adverts; recently, however, some of these have become something of an oxymoron because things like Adblock Plus allow "acceptable ads" as a means of generating revenue for themselves. Quite how someone else can decide what I consider to be an “acceptable ad” I've no idea; that would require input from me rather than payment from the advertiser to the supposed ad-blocker. Thankfully for now uBlock Origin (NOT ublock.org) blocks all adverts and uses less memory in doing so, thus it gets my recommendation if you're not going to set up Pi-Hole to block adverts for you.

Hard Drives

Encrypting

Securely Erasing

Simply deleting a file does not remove it from your hard drive; it removes the reference to it (even if you delete it from your “Wastebasket”), and savvy people smarter than me can recover data from such devices. To truly wipe a hard drive you have to write over every sector of the disk.

hdparm Secure ATA Erase

I tried following the instructions in Securely erasing frozen hard disks with hdparm to wipe the hard drive of a laptop we were donating to a local charity, but found that it reported…

# time hdparm --user-master u --security-set-pass foo /dev/sda
 Issuing SECURITY_SET_PASS command, password="foo", user=user, mode=high
SG_IO: bad/missing sense data, sb[]:  70 00 05 00 00 00 00 0a 04 51 40 00 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

…and so when I came to try erasing it I got…

# time hdparm --user-master u --security=erase foo /dev/sda
security_password: "foo"
 
/dev/sda:
 Issuing SECURITY_ERASE command, password="foo", user=user
SG_IO: bad/missing sense data, sb[]:  70 00 05 00 00 00 00 0a 04 51 40 00 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SG_IO: bad/missing sense data, sb[]:  70 00 05 00 00 00 00 0a 04 51 40 01 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

As stated in the linked article and the thread where the solution was found, this was because the disk was frozen (shown under the Security section of hdparm -I). The solution was simply to close the lid of the laptop and allow it to suspend; on waking up and running hdparm -I again the drive was not frozen, and I could set the password and securely erase the drive.
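As an added example (not from these notes), a Python parser for the Security section of hdparm -I that turns the flag lines (bare for set, prefixed with "not" for clear) into a dict and explains whether a SECURITY ERASE can go ahead, so the frozen state that caused the errors above is caught before any password is set. The hdparm output below is a constructed sample in hdparm's layout, with a fictitious model number.

```python
FLAGS = ("supported", "enabled", "locked", "frozen", "expired")

# Constructed sample of `hdparm -I /dev/sda` output, showing only the
# lines around the Security section. Tabs mirror hdparm's own layout.
SAMPLE_HDPARM_I = (
    "/dev/sda:\n"
    "\n"
    "ATA device, with non-removable media\n"
    "\tModel Number:       EXAMPLE SSD 256GB\n"
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)


def parse_security_section(text):
    """Return the Security flags from hdparm -I output as a dict, e.g.
    {'supported': True, 'enabled': False, ..., 'enhanced_erase': True}.
    Flags hdparm does not print are left out rather than guessed."""
    flags = {}
    in_section = False
    for raw in text.splitlines():
        if raw.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if raw and not raw[0].isspace():
            break  # reached the next top-level section
        line = raw.strip()
        negated = line.startswith("not")
        body = line[3:].strip() if negated else line
        if body.startswith("supported: enhanced erase"):
            flags["enhanced_erase"] = not negated
            continue
        word = body.split(":")[0].split()[0] if body else ""
        if word in FLAGS:
            flags[word] = not negated
    return flags


def erase_readiness(flags):
    """One-line verdict on whether SECURITY_SET_PASS / SECURITY_ERASE will be
    accepted, mirroring the frozen-drive failure described in the notes."""
    if not flags.get("supported"):
        return "unsupported: drive does not implement the ATA security feature set"
    if flags.get("frozen"):
        return "frozen: suspend/resume the machine and re-check hdparm -I"
    if flags.get("locked"):
        return "locked: unlock with the existing user password first"
    if flags.get("enabled"):
        return "enabled: a password is already set; erase using that password"
    return "ready: set a temporary user password, then issue the erase"
```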

Links

General

Passwords

Software

DNS

VPN Providers

VPN Reviews

HowTos/Forums

Hardware

Encrypting Hard Drives/Devices

Wiping Hard Drives

linux/security.txt · Last modified: 2022/01/12 14:29 by admin
CC Attribution-Share Alike 4.0 International