Advanced Plus Security askalan's Linux Security Config 2019

[AlanOstaszewski]

Note on Security Updates and User Access Control:
LMDE has an update management that checks for updates every day and as User Access Control I mean sudo of course.

 

[shmu26]

Looks great to me.
Do you have any special configurations in the firewall? Do you use Gufw?

 

[ZeroDay]

Looking good.

 

[bribon77]

Great distro LMDE 3, it's practically Debian, I used it when it came out a few years ago and I liked it a lot.
Thanks for sharing.

 

[AlanOstaszewski]

Looks great to me.
Do you have any special configurations in the firewall? Do you use Gufw?

GUFW is just a GUI for UFW (uncomplicated firewall). I use UFW and use commands in the terminal to configure it. I don't need a GUI

The firewall gets re-set by my VPN Killswitch script every time the operating system starts.

First the firewall is set to default settings and configured so that no connection to the internet is allowed (except the connection to the VPN).

sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
# allowing VPN
sudo ufw allow out 53/udp
sudo ufw allow out 443/udp
sudo ufw allow out 1194/udp

Then it is specified that the traffic can reach the Internet via the VPN.

sudo ufw allow out on $NW_TUN from any to any
sudo ufw allow in on $NW_TUN from any to any

Then at last only the firewall is turned on.

sudo ufw enable

This code is from my Killswitch, which you can also find in my topic. So actually quite easy

 

[StrikeFIN]

Do you use ISP or which DNS?

 

[AlanOstaszewski]

Do you use ISP or which DNS?

By default, you use the DNS server from the VPN when you are connected to one (I am 24/7 connected to CyberGhost).

Since the DNS server of Cyberghost is very slow, I use a pi.hole DNS server, which is set up locally on my operating system (I have given the filter lists above) and which uses the Cloudflare DNS server as base.

In short: pi.hole with Cloudflare DNS

A DNS server is not intended to block malware. For this reason, you should select the DNS server that is fastest for you.

 

[JM Safe]

If you use UFW you don't need anything else.

 

[AlanOstaszewski]

Two new hard disks have been added and my RAM has doubled. System has been running very stable since half a year. I didn't have to fall back on an automatic snapshot of BtrFS yet.

Despite Debian, I don't have the impression that the programs are old.

I still use CyberGhost all the time without exceptions with my Killswitch. I get 80Mbit/s DL and 40Mbit/s UP with a 30ms ping. I don't notice any difference when I turn off the VPN.

 

[LDogg]

Nothing more to add, great comp setup.

~LDogg