Advanced Security Lenny's Security Config 2024

  • Thread starter ForgottenSeer 107474
  • Start date
Last updated
Apr 28, 2024
How it's used?
For home and private use
Operating system
Linux
Other operating system
Linux Mint cinnamon
On-device encryption
N/A
Log-in security
    • Basic account password (insecure)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
Off
Network firewall
Enabled
About WiFi router
We have a tri-band router at home. One 5Ghz channel for me and one 5Ghz for my wife. All IOT devices and smartphones are on the Guest network of 2.4 Ghz (the 2.4 Ghz band itself is not used) with a short lease time (12 hours). It is a setup idea I copied from a member on MT. It actually works very well for us. In all our rooms of our appartement we achieve maximum ISP contract WIFI speeds (up/down) with this 'each has its own channel' setup. This setup also has some security benefits (the 2.4 Ghz network is partitioned and the 5 Ghz networks have MAC-IP binding). Our router is supposed to have stateful packet inspection on top of the NAT-firewall and checks for clients using not updated vulnerable protocols (and blocks them).
Real-time security
None :eek: (running standard user) using only passive protection:
  1. NextDNS setup in resolved.conf
  2. Thunderbird
    a) Emails are scanned by ISP
    b) WarnAttachment (add-on)
  3. Brave:
    a) Google safe browsing
    b) VT4Browsers (extension)
Firewall security
Built-in Firewall for Mac/Linux
About custom security
  1. Using flatpaks for user applications (browser, mail, office, mediaplayer, image editor) with build-in bubblewrap sandbox
  2. Stripped rights from flatpaks using Flatseal and user applications have only read access to my data partition.
  3. Pinting service is allowed in user applications, because it is running with AppArmor profile enabled.
Periodic malware scanners
None, when you know a browser based scanner, please let me know
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None, do not participate
Browser(s) and extensions
Brave as only browser with hardened site permissions with Brave Shield only using Brave's adblock filter plus Kees1958 Mv2 most used filter and some 30 custom rules. Added VT4Browsers extention to check downloads (in ask mode),
Secure DNS
NextDNS free account with all security enabled, but without ad/privacy blocklists.

Desktop VPN
Free Windscribe (only on holiday or on hotspots for sensitive tasks).
Password manager
Linux build-in keys/password manager
Maintenance tools
None
File and Photo backup
Free FileSync (data base disabled) to external USB HD and we are using an extra Gmail account to send important documents to (e.g. insurance, mortgage, testament, work contracts etc)
Subscriptions
    • None
System recovery
TimeShift with snapshots stored on a separate partition (so I can always restore using Live USB-iso)
Risk factors
    • Browsing to popular websites
    • Working from home
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Laptop with Ryzen7 5700U, 16GB RAM and 1TB M2.SSD
Notable changes
28-04-2024 - New chapter, moved to Linux Mint (going in MT rehab)
What I'm looking for?

Looking for maximum feedback.

F

ForgottenSeer 107474

Thread author
I decided to move entirely to Linux Mint, because my new laptop did not feel faster than my old potato desktop on Linux Mint (while laptop CPU benchmark was 3x faster than benchmark of desktop, GPU was 2x faster and SSD was 3x faster). Now laptop feels a bit faster, but it shows that absurd differences in benchmark tests, don't translate to real world usage experience). :sneaky:

In Easter weekend I will be trying out to AppArmor PulseAudio using a profile I got from @wat0114 (y) (thanks)
 
Last edited by a moderator:
F

ForgottenSeer 107474

Thread author
Everything is good except 3 things:
  • Your computer doesn't meet the requirement to use Bitdefender (I9 14900KS or R9 7950X3D)
  • Use vpn for banking might get flagged for fraud.
  • Password manager.
1 Bitdefender does not feel heavier than Avast or Microsoft Defender, but your comment makes sense, a Free AV needs an expensive CPU to balance the spend a little :)
2 I use a VPN server in same town where I live (when abroad), never ran into a problem yet (but it is a valid remark, which I had not realized, thanks (y) ).
3.I am always using pass phrases which I associate with the website or service I am using, easy to remember for me hard to guess for others
E.g. I associate your nickname white mouse with a pink elephant, so when you would have a website with security related info I would use a passphrase like "@11 the Pink Elephants are dancing" (when the cat is away from home, it is secure for a white mouse to dance). The joys of a twisted mind I guess ;)
 
Last edited by a moderator:

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,441
E.g. I associate your nickname white mouse with a pink elephant, so when you would have a website with security related info I would use a passphrase like "@11 the Pink Elephants are dancing" (when the cat is away from home, it is secure for a white mouse to dance). The joys of a twisted mind I guess ;)
GG I just cracked your MalwareTips password, it was imissboramurdar, consider changing it.

Great security btw!
 
F

ForgottenSeer 107474

Thread author
I don't know whether this option remains after the PRO trial has expired, but when you set Spyshelter to paranoid, it shows a popup when (non-Microsoft signed) applications start.

When the application control popup appears, users have the option to block, allow once, trust program or trust publisher. I got 5 popups in total (I have a fairly vanilla dominantly Microsoft Software setup, so maybe not representative for other users). Now Spyshelter is running in paranoid mode.
 
F

ForgottenSeer 107474

Thread author
@WhiteMouse , @Jonny Quest and @Dave Russo

When I tried VPN at home, I had a similar experience with my bank. When doing a purchase on a website, normally I only have to scan the QR code (generated for the purchase) with my phone and the mobile phone banking app asks me to enter my pin-code and then I am finished (single authentication challenge). When using the VPN I also had to use the passkey calculator of my bank (when I activate that calculator like device with my pincode, I have to enter the unique number on the banking website and it generates a pass key which I have to enter on the website again to verify it is me). So it also seems to ask for a second authentication challenge when using VPN on a different device.
 
Last edited by a moderator:

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
815
@WhiteMouse , @Jonny Quest and @Dave Russo

When I tried VPN at home, I had a similar experience with my bank. When doing a purchase on a website, normally I only have to scan the QR code with my phone and the mobile phone banking app asks me to enter my pin-code and then I am finished (single challenge). When using the VPN I also had to use the passkey calculator of my bank (when I activate that device with my pincode, I have to enter the number on the banking screen and it generates a pass key which I have to enter on the website). So it seems to ask for a second authentication challenge when using VPN
Yep, and I now no longer use a VPN while banking. I don't know if using OpenVpn in Mullvad and connecting to a closer server to my state helped? Before with Mullvad using WireGuard, I was getting emails of concern from the bank.

Now, I'm just using F-Secure online banking protection without a VPN and am able to log in without any prompts at all.
 
F

ForgottenSeer 109138

Thread author
Yep, and I now no longer use a VPN while banking. I don't know if using OpenVpn in Mullvad and connecting to a closer server to my state helped? Before with Mullvad using WireGuard, I was getting emails of concern from the bank.

Now, I'm just using F-Secure online banking protection without a VPN and am able to log in without any prompts at all.
When it comes to banking and using a VPN, one needs to spend a little more money to get a dedicated IP from the Vender which once established with the bank will no longer be an issue.
 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
815
When it comes to banking and using a VPN, one needs to spend a little more money to get a dedicated IP from the Vender which once established with the bank will no longer be an issue.
Do you think it helps though, that I do all of my online banking from my home network which even though it's behind a cheaper Linksys router (I may need to reconsider that one, link below) that is up-to-date with the firmware, is password-protected and I go over my settings every now and then? 9 times out of 10 when I bank, it's from the desktop PC that is connected directly by Ethernet to the router, and I only have 1 tab open in Chrome while banking.

My bank has mentioned using their phone banking app which has so many "wonderful features", but so far I refuse to install that on my phone, I just don't have any real peace of mind about that one.

 
F

ForgottenSeer 109138

Thread author
Do you think it helps though, that I do all of my online banking from my home network which even though it's behind a cheaper Linksys router (I may need to reconsider that one, link below) that is up-to-date with the firmware, is password-protected and I go over my settings every now and then? 9 times out of 10, when I bank it's from the desktop PC that is connected directly by Ethernet to the router, and I only have 1 tab open in Chrome while banking.

My bank has mentioned using their phone banking app which has so many "wonderful features", but so far I refuse to install that on my phone, I just don't have any real peace of mind about that one.

Personally as you just mentioned, banking online is a risk anytime. I prefer to do this in person as much as possible. All banking institutions I have seen already use a secure connection as far as encryption goes, so I would not deem it necessary. I merely pointed out that if one intended upon using a VPN full time and needed access to their banking without issue a dedicated IP is the best method.
 
F

ForgottenSeer 107474

Thread author
Decided to go back to running standard user after watching @cruelsister video on MBAM & UAC and @Andy Ful video's on antivirus challenges.

I returned to running standard user again because CS showed how trival it is to bypass UAC and Andy showed how easy it is to disable Defender protection with elevated privileges. I also reduced the SRP application level from all users to 'all except admin' and added block rules for the LoLbins mentioned in Github project. Reason for doing so is that all CS exploits in MBAM video would be blocked by SRP-SWH part of WHHL, except for one: the modified executable using NETSH to bypass MBAM. WDAC-ISG would have probably blocked this executable when it would not be signed by trusted software developer/publisher. But the 'probably' settled in my mind and started to doubt my decision to run admin again.

Running standard user enforces a hard border between standard user and admin (as opposed to UAC only providing a soft-border). Additionally I am blocking LoLBins (like Netsh) system wide when started by standard user. I kept Andy's set of SRP rules to block risky file extension to run in user folders and block executables running in archives and prevent misuse of LNK and UAC holes. Although I can execute and install programs my setup is actually whitelist based. System wide Malware Defender's only allows programs to run which are whitelisted in the cloud and the user folders are additionally protected with WDAC-ISG small (hence more aggressive) local whitelist (in case internet connection fails).

I have ran this standard user with hardened SWH-SRP and MD on MAX as long as I have this laptop without problems, so I am not expecting any problems with this enhanced setup (with WDAC-ISG added). This probably also means that I will have less to post, because there is no need to change something when it is working perfectly.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,226
WDAC-ISG would have probably blocked this executable when it would not be signed by trusted software developer/publisher. But the 'probably' settled in my mind and started to doubt my decision to run admin again.

Yes. It would be blocked. The ISG without SmartScreen backend takes into account the file prevalence. Non-prevalent files are blocked, except for files specially whitelisted by Microsoft. The attack could be blocked even when the file has got reputable certificate.
The attack would be also blocked by H_C in Recommended Settings.(y)
 
F

ForgottenSeer 107474

Thread author
Yes. It would be blocked. The ISG without SmartScreen backend takes into account the file prevalence. Non-prevalent files are blocked, except for files specially whitelisted by Microsoft. The attack could be blocked even when the file has got reputable certificate.
The attack would be also blocked by H_C in Recommended Settings.(y)
Thanks. My setup is inspired by your "super strong two user account WHHL setup' ;)(y)
 
Last edited by a moderator:
F

ForgottenSeer 109138

Thread author
Decided to go back to running standard user after watching @cruelsister video on MBAM & UAC and @Andy Ful video's on antivirus challenges.

I returned to running standard user again because CS showed how trival it is to bypass UAC and Andy showed how easy it is to disable Defender protection with elevated privileges. I also reduced the SRP application level from all users to 'all except admin' and added block rules for the LoLbins mentioned in Github project. Reason for doing so is that all CS exploits in MBAM video would be blocked by SRP-SWH part of WHHL, except for one: the modified executable using NETSH to bypass MBAM. WDAC-ISG would have probably blocked this executable when it would not be signed by trusted software developer/publisher. But the 'probably' settled in my mind and started to doubt my decision to run admin again.

Running standard user enforces a hard border between standard user and admin (as opposed to UAC only providing a soft-border). Additionally I am blocking LoLBins (like Netsh) system wide when started by standard user. I kept Andy's set of SRP rules to block risky file extension to run in user folders and block executables running in archives and prevent misuse of LNK and UAC holes. Although I can execute and install programs my setup is actually whitelist based. System wide Malware Defender's only allows programs to run which are whitelisted in the cloud and the user folders are additionally protected with WDAC-ISG small (hence more aggressive) local whitelist (in case internet connection fails).

I have ran this standard user with hardened SWH-SRP and MD on MAX as long as I have this laptop without problems, so I am not expecting any problems with this enhanced setup (with WDAC-ISG added). This probably also means that I will have less to post, because there is no need to change something when it is working perfectly.
That's awesome, now you can place it on the shooting range to test its ability to sustain. lol j/k, but seriously running windows as it was designed will carry you far. The admin/standard accounts were placed in the OS for a reason. Just that act alone will help harden your system, something many are failing to understand for home uses/family.
 
F

ForgottenSeer 107474

Thread author
That's awesome, now you can place it on the shooting range to test its ability to sustain. lol j/k, but seriously running windows as it was designed will carry you far. The admin/standard accounts were placed in the OS for a reason. Just that act alone will help harden your system, something many are failing to understand for home uses/family.
Running double whitelist (cloud of Defender, local of WDAC-ISG) as a standard user could be considered both layered protection as well as good security habits ;)
 
Last edited by a moderator:
F

ForgottenSeer 109138

Thread author
Running double whitelist (cloud of Defender, local of WDAC-ISG) as a standard user could also be considered both layered protection as well as good security habits ;)
Sure, if you have the knowledge and capabilities to do so properly and not misconfigure it.

Although keep in mind whitelisting is allowing, which certainly requires those habits to verify.
 
Last edited by a moderator:
  • Like
Reactions: toto_10
F

ForgottenSeer 107474

Thread author
Sure, if you have the knowledge and capabilities to do so properly and not misconfigure it.

Although keep in mind whitelisting is allowing, which certainly requires those habits to verify.
Agree, but some habits can be automated and enforced by tools. I have two chrome profiles with wo different DNS settings (with different security measures and limitations), which are sort of similar to using my admin and standard user account, The good habit is to use the correct profile for the intended purpose (web surfing versus trusted sites). With technology the user is always part of the solution (with good habits) or part of the problem (ignorance or over confidence), but no matter how good your driving skills or habits are, you are safer in a 5 star NCAP car than a 2 star NCAP car, you are safer with safety belt and airbag than only applying (the good habit of holding) the steering wheel firmly with two hands in the ten for two position.
 
Last edited by a moderator:
  • Like
Reactions: toto_10

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top