Advanced Plus Security kC77's Security Config for 2021

Last updated
Nov 6, 2021
How it's used?
For home and private use
Operating system
macOS 15 Sequoia
On-device encryption
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Smart App Control
Network firewall
Real-time security
Unifi UDM-Pro Security Gateway: IDS set to FULL, DPI Full, no open ports, multiple VLANs (Trusted network/IoT network/Guest network), also geoblocking ALL countries except the UK.

Windows Defender with ConfigureDefender on High

Controlled Folders using Defender & exclusions as required

SpyShelter Firewall 12.7

But the MOST important security protection is COMMON SENSE: I run Common Sense v1.0!
Firewall security
About custom security
OS partly controlled by SpyShelter Firewall 12.7 HIPS / anti-keylogger.
Also use O&O ShutUp10++ to remove many privacy concerns.

Only 3 devices are on my main "trusted" network VLAN.

Everything else (Chromecasts/Pi-hole/security cameras/Xbox/Shield/mobile devices/TVs etc.) is on its own IoT VLAN.

Another VLAN/subnet, NiX_Lan, is where my lonely Pi 4B sits out there in the wild of the interwebz; this serves as my "Nextcloud" server, only open to the UK unless I'm out of the country and need to add a rule.

Anyone else (friends/family) can access a completely separate, isolated VLAN, Guest_lan.
Periodic malware scanners
Hitman Pro
AdwCleaner
NPE
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Brave (personal)
Edge Chromium (work) (bypassed in ProtonVPN)

Both use Brave Search.
Edge has uBlock Origin (Brave doesn't need it) & Pi-hole catches most anyway.

No website shares any password; all my accounts have individual secured/randomized passwords.

2FA is used everywhere possible.
Secure DNS
Pi-hole (Raspberry Pi) on a separate VLAN (IoT network); a firewall rule allows the main LAN UDP 53 & TCP 80 for management.
Pi-hole uses Unbound on the same Pi in recursive mode with DNSSEC, so I am my own DNS server.
Desktop VPN
ProtonVPN
Password manager
KeePass
Maintenance tools
Windows defrag (automatic)
Brave/Edge browsers set to auto-cleanup on exit
CleanMGR+ run before taking a backup
File and Photo backup
Manually Robocopied to NAS.

Occasionally a second offline NAS on a separate VLAN is powered on to sync the NASs; once synced, it's then powered off (so it's immutable).

Every few days I manually robocopy to an external BitLockered drive stored in the car
(if my house burns down while I'm AFK I have everything needed).
System recovery
Macrium Reflect 8 to back up my OS drive only, usually incremental daily, sometimes a full before or after any major changes/updates; then robocopy to NAS-A for the other drives/data (photos/music/projects etc.), robocopy in /MIR mode.

Macrium Reflect my RPi 3 (Pi-hole/Unbound) to NAS-A, again before or after any major changes/updates.

Macrium Reflect my RPi 4 (Nextcloud) to NAS-A, again before or after any major changes/updates.

Then robocopy NAS-A to NAS-B (NAS-B is immutable by being offline and in another VLAN/subnet, only brought online for an occasional sync, then shut down). No accounts anywhere are shared; I don't reuse the same password anywhere.

BOTH NASs are encrypted and need to be mounted at boot with a secure password (not auto-mounted).

Also I robocopy the most essential things to an 8 TB USB 3 BitLockered drive occasionally. This is kept in my car, so if I'm away and a meteor hits the house, I've got most of the stuff I'd need.

If something took out the house & the car, then there's a good chance it took me out too... so f*7k the data!
Risk factors
    • Working from home
    • Browsing to popular websites
    • Browsing to unknown / untrusted / shady sites
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Sharing and receiving files and torrents
    • Requesting and accepting remote access
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Computer specs
Self-built, i7-6700K, 32 GB RAM, onboard GPU.
512 GB SSD (OS)
3 x 4 TB WD drives for audio/photo/video editing
Notable changes
08/12/21 - Updated: instead of using Cloudflare for DNS, I now run Unbound on my Pi for extra privacy (no 3rd-party DNS provider).
What I'm looking for?

Not looking for any feedback.

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
232
Not only for security, but more for privacy: over the past few months I've replaced many apps & services with better or self-hosted solutions... and I am totally trying to de-Google my life.

Chrome -> Brave
Google Search -> Brave Search
uBlock Origin -> no longer needed, as I'm already running Pi-hole network-wide & Brave has great inbuilt adblock (no extension required)
Google DNS -> Cloudflare -> Unbound (recursive DNSSEC on my Pi 3). I am the DNS!
Gmail -> ProtonMail
Google Calendar & Contacts -> Nextcloud (self-hosted on a secondary Raspberry Pi 4B)
Google Drive & Dropbox -> Nextcloud (self-hosted on a secondary Raspberry Pi 4B)
Google Photos -> Nextcloud (self-hosted on a secondary Raspberry Pi 4B)
Google Keep -> Standard Notes
Microsoft OneNote -> Standard Notes
Google Maps -> Magic Earth
Google Authenticator - AndroidOTP (on mobile) & keepass (when on desktop/laptop)

After years of being so reliant on Google accounts & Google services... my next step is to put CalyxOS on my Pixel 4.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,584
Great move and great alternatives. Still, there are two things I would change.

1. Instead of Dropbox you could use MEGA, which is open-source and privacy-friendly. It even supports anonymous payment options like Bitcoin or PaySafeCard.

2. Consider using Quad9 DNS instead of Cloudflare, which is better in terms of privacy and even security (malicious site blocking abilities).

Edit: Whoops, you are not using Dropbox. Got you wrong, my bad. :)
 

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
232
Great move and great alternatives. Still, there are two things I would change.

1. Instead of Dropbox you could use MEGA which is open-source and private friendly. It even supports anonymous payment options like Bitcoin or PaySafeCard.

2. Consider using Quad9 DNS instead of Cloudflare which is better in terms of privacy and even security (malicious sites blocking abilities)
Hi, thanks. I'm avoiding the middlemen in both of those...
Running Nextcloud, I am my own MEGA... I control the encryption keys and access, and host it myself.

As for DNS, I actually block all outbound DNS requests unless they come from my own hosted Unbound server (recursive).
So all my Pi knows is the root hints... and DNSSEC from there. The Pi-hole then categorizes the clients as to what they can or cannot access (social/porn/tracking/telemetry etc.). I have zero reliance on any public DNS provider gathering up data, and if any device or malware tries to bypass it (hardcoded DNS), it's blocked at the firewall.
 

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
232
So the only reason for using Cloudflare is speed?
There is no Cloudflare at all...

I used to use Google DNS... then I used to use Cloudflare... but now neither. My only DNS server is myself.

Every device (even when I'm mobile I VPN to home) gets the DNS of my Unbound/Pi-hole server.

Pi-hole passes these queries on and, according to the blocklists, deals with them accordingly.

So Unbound is the recursive DNS server; it doesn't have any forward lookups or upstream DNS... All it knows are the root hints, and it deals with DNSSEC... It caches queries, but even when not cached it is blisteringly quick.

 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
I am curious as to what method you used to bypass the CPU requirement for Windows 11. Do you like Windows 11? I was OK with it but then encountered an annoying disk issue that compelled me to reinstall Windows 10. Definitely seeing the difference in performance (11 is better).
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,584
There is no Cloudflare at all...

I used to use Google DNS... then I used to use Cloudflare... but now neither. My only DNS server is myself.

Every device (even when I'm mobile I VPN to home) gets the DNS of my Unbound/Pi-hole server.

Pi-hole passes these queries on and, according to the blocklists, deals with them accordingly.

So Unbound is the recursive DNS server; it doesn't have any forward lookups or upstream DNS... All it knows are the root hints, and it deals with DNSSEC... It caches queries, but even when not cached it is blisteringly quick.

I guess it's too late for my brain to work, sorry for that. Got it now, thanks for the explanation :)
 

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
232
I am curious as to what method you used to bypass the CPU requirement for Windows 11. Do you like Windows 11? I was OK with it but then encountered an annoying disk issue that compelled me to reinstall Windows 10. Definitely seeing the difference in performance (11 is better).
Hi, I'm running a few machines (work laptop/main desktop/Surface Pro, all on Windows 11, but all have TPM); this registry tweak allowed the CPU check to be bypassed:

• Create a new registry entry under HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup; use the “REG_DWORD” type
• Name it “AllowUpgradesWithUnsupportedTPMOrCPU”
• Set the value to “1”
• Reboot your system

From <Microsoft shares Windows 11 TPM check bypass for unsupported PCs>

I was running Windows 11 from Insider (since late August) and had no major issues with any 3rd-party apps/drivers; performance has been as good if not better for most things.
 

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
232
I guess it's too late for my brain to work, sorry for that. Got it now, thanks for the explanation :)
No worries... For most people the best would be to use Quad9 or Cloudflare, especially with the additional filtering they provide, e.g. malware blocking/cloud filtering. The upside to these services is ease of use & security; the downside is privacy.

However, I am not interested in the protection/filtering they provide; I am already covered for protection... I am more interested in privacy: my DNS queries are not being logged in the traditional manner. Yes, Cloudflare etc. may say they don't log your queries... but I'm not so sure and I'd rather take control of this myself.
Now when any device on my LAN or VPN client looks up a domain, it goes to my Pi. Pi-hole checks the lists... if it's good, it gets sent to Unbound, which uses the root hints/root servers to then securely (via DNSSEC if possible) try to resolve the record, and caches it on my Pi... At no point is any public/upstream DNS server involved.
If it was a domain in my blocklist/regex then it just gets sunk.

I've never been a big Linux user, but Raspberry Pis are amazing devices...
A good firewall... a Pi for Pi-hole/Unbound and a Pi for Nextcloud... many happy Windows devices private and secure behind it... I'll update again in 2022... probably have 45 Raspberry Pis by then!
 
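As an added illustration of the recursive-only resolver described in this post, the earlier DNS replies, and the Secure DNS section of the config above, here is an Unbound server block of the kind a Pi-hole-plus-Unbound host uses; it is not the thread author's own file, and the file paths, the listening port 5335 and the Pi-hole upstream setting are assumptions.

```conf
# Added example, not the thread author's file: /etc/unbound/unbound.conf.d/pi-hole.conf
# Assumptions: Unbound and Pi-hole share one host, Unbound listens on 127.0.0.1:5335,
# and Pi-hole's only upstream is set to 127.0.0.1#5335 in its admin UI.
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no

    # Root hints are the ONLY knowledge of the outside world; there is no
    # forward-zone below, so every lookup starts at the root servers.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC: trust anchor kept fresh by unbound-anchor; reject answers whose
    # signatures were stripped in transit and distrust out-of-bailiwick glue.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Privacy: send each authoritative server only the labels it needs,
    # and do not reveal the resolver's identity or version.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Cache: refresh popular names before they expire so misses stay rare.
    prefetch: yes
    edns-buffer-size: 1232

    # DNS rebinding protection: never accept RFC 1918 answers from the internet.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    # Only the local Pi-hole may ask; per-client policy (blocklists, groups)
    # lives in Pi-hole, not here.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

# Intentionally absent. Adding this would silently turn the resolver back
# into a forwarder that hands every query to a third party:
#
# forward-zone:
#     name: "."
#     forward-addr: 1.1.1.1
```

To confirm validation is actually enforced, `dig fail01.dnssec.works @127.0.0.1 -p 5335` should return SERVFAIL while `dig dnssec.works @127.0.0.1 -p 5335` returns NOERROR with the `ad` flag set.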

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,250
Google Authenticator - AndroidOTP (on mobile) & keepass (when on desktop/laptop)

after for years being so reliant on google accounts & google services ........my next step is to put calyxOS on my pixel4
What about Aegis Authenticator and andOTP? They are the best authenticators for Android phones that are privacy-friendly.

According to the sources, avoid Authy or Google Authenticator.
 

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
232
What about Aegis Authenticator and andOTP? They are the best authenticators for Android phones that are privacy-friendly.

According to the sources, avoid Authy or Google Authenticator.

Yes, andOTP, that's what I'm using; Google Auth has gone.
"Google Authenticator - AndroidOTP (on mobile) "

That should have read "Google Authenticator -> AndOTP (on mobile) "

thanks!
 
