Advanced Plus Security askalan's Linux Security Config 2019

Last updated
Jan 4, 2019
Windows Edition
I am not running Windows
Security updates
Check for updates and Notify
User Access Control
Always notify
Real-time security
  • no sandboxing and no virus scanner (everyone who uses something like this under Linux either has a plausible reason or is paranoid, please don't suggest it to me!)
Firewall security
About custom security
My VPN Killswitch script. This script needs an individual adjustment for your PC! If you don't know how to change this script, please don't use it!
#!/bin/bash

# Your VPN name on Network Manager, to list all connections you can use: nmcli con
VPN_NAME="cyberghost-vpn-germany"
# Your network device, usually wlan0 for wifi and eth0 for cable, check with: ifconfig
NW_DEVICE="enp27s0"
# You VPN connection device, change if different
NW_TUN="tun0"

# Set up the firewall and block all connections
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
# Allow the connection only to/from our VPN server
sudo ufw allow out 53/udp
sudo ufw allow out 443/udp
sudo ufw allow out 1194/udp
sudo ufw allow out on $NW_TUN from any to any
sudo ufw allow in on $NW_TUN from any to any
# Enable firewall
sudo ufw enable

# Monitor VPN connection and connect again if dropped
function monitor {
# Connect to VPN
nmcli con up id $VPN_NAME
echo -e '\nMonitoring VPN connection for possible drops. Press Ctrl + Z to stop monitoring\n'
nmcli connection monitor $NW_TUN # Will exit as soon as status changes
echo -e '\n############################\nConnection to VPN dropped - Reconnecting...\n############################\n'
nmcli con down id $VPN_NAME # Just in case connection was in progress
sleep 5 # To allow VPN detect we are not connected anymore
nmcli con up id $VPN_NAME
monitor
}

monitor
Periodic malware scanners
/
Malware sample testing
Browser(s) and extensions
Firefox ESR
KeePassXC-Browser, uBlock Origin, I don't care about cookies
Maintenance tools
Bleachbit
File and Photo backup
pendrive
System recovery
Automated Timeshift for backup of system files with BtrFS
Risk factors
    • Gaming
    • Logging into my bank account
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
    • Downloading malware samples
    • Browsing to unknown / untrusted / shady sites
    • Working from home
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
CPU: AMD Ryzen 5 1400
GPU: Radeon RX 460
RAM: 16GB
248 GB SSD, 2x 128 GB SSD, 1TB HDD
shmu26 said:
Looks great to me.
Do you have any special configurations in the firewall? Do you use Gufw?
Click to expand...

GUFW is just a GUI for UFW (uncomplicated firewall). I use UFW and use commands in the terminal to configure it. I don't need a GUI ;)

The firewall gets re-set by my VPN Killswitch script every time the operating system starts.

First the firewall is set to default settings and configured so that no connection to the internet is allowed (except the connection to the VPN).
Code: 
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
# allowing VPN
sudo ufw allow out 53/udp
sudo ufw allow out 443/udp
sudo ufw allow out 1194/udp


Then it is specified that the traffic can reach the Internet via the VPN.
Code: 
sudo ufw allow out on $NW_TUN from any to any
sudo ufw allow in on $NW_TUN from any to any


Then at last only the firewall is turned on.
Code: 
sudo ufw enable


This code is from my Killswitch, which you can also find in my topic. So actually quite easy (y)
 
  • Like
Reactions: Dave Russo, JM Safe, harlan4096 and 3 others
StrikeFIN said:
Do you use ISP or which DNS?
Click to expand...

By default, you use the DNS server from the VPN when you are connected to one (I am 24/7 connected to CyberGhost).

Since the DNS server of Cyberghost is very slow, I use a pi.hole DNS server, which is set up locally on my operating system (I have given the filter lists above) and which uses the Cloudflare DNS server as base.

In short: pi.hole with Cloudflare DNS

A DNS server is not intended to block malware. For this reason, you should select the DNS server that is fastest for you.
 
  • Like
Reactions: Dave Russo and harlan4096
Two new hard disks have been added and my RAM has doubled. System has been running very stable since half a year. I didn't have to fall back on an automatic snapshot of BtrFS yet.

Despite Debian, I don't have the impression that the programs are old.

I still use CyberGhost all the time without exceptions with my Killswitch. I get 80Mbit/s DL and 40Mbit/s UP with a 30ms ping. I don't notice any difference when I turn off the VPN.
 
  • Like
Reactions: Dave Russo, ZeroDay, oldschool and 2 others
You must log in or register to reply here.

You may also like...