Q&A security for a paranoid elder

mathok87

New Member
Thread author
Jan 5, 2022
5
I'm setting up a computer for my paranoid father. An example of the precautions he takes is to shut down the modem/router when not in use and disconnect the DSL phone line. Also unwilling to use wireless mice or keyboards lest his password keystrokes be logged by rogue hackers in the neighbourhood.

I've taken some notes of posted security configurations on this forum however I initially came here with questions on the following general points:

- Are pi-holes attached to router worth considering?
- What software firewalls are recommended? Is there a better physical alternative for purchase or creation from old computer?
- What's a good VPN either paid or free? The TOR browser is considered but my father would never trust it's nature
- What anti-virus programs are worth considering? Avast had a virtualized environment in the past I recall but I never tested it's efficacy.
- How's Malwarebytes considered these days? I've used it for scans before but how would it's live protection mesh in a good protection scheme?

Let me know what your entry and mid level security recommendations may be please. I'm not well versed in networking but technical enough to implement most things.

Thanks.
 

Gandalf_The_Grey

Level 61
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,009
IMO don't go overboard and start with the basics.
That is main security of the system.

1) F-Secure Safe with F-Secure Freedom VPN is a great start protection wise.
You can harden the system further with Simple Windows Hardening or even further with Hard_Configurator.
2) You can go with all Window built-in protection by using Microsoft Defender Antivirus and use all modules of Hard_Configurator.
3) Comodo Firewall is an option used with @cruelsister settings.
4) VoodooShield is an option for application control
5) Kaspersky Internet Security tweaked for maximum protection

Out of these options nr. 2 would be my advice for an elder.

There is a lot of info to be found here and many knowledgeable and helpful members around.

If you pick a solution post your security configuration here so that members can give you advice how to improve it:
 
Last edited:

cruelsister

Level 39
Verified
Helper
Top poster
Content Creator
Well-known
Apr 13, 2013
2,840
How's Malwarebytes considered these days?
It has been and remains a horror.

What software firewalls are recommended?
An Outbound alerting firewall is always an essential security component. I prefer (surprise) Comodo Firewall.

What anti-virus programs are worth considering?
Gandalf's recommendation #2 above is worthy of consideration for both ease of use and overall security, and paired with CF will allow your Father to relax (a bit).

(in addition, use KVRT as a 2nd opinion scanner. Other choices are not as sensitive in detecting infectious thingies)
 
Dec 12, 2021
186
Make them use an standard user account, install Hard_Configurator (add EXE and TEMP in Whitelist By Path, launch ConfigureDefender and put it on High protection level, you can also set it on Block under Cloud protection level, also enable Block All Inbound Connections in Firewall & Network protection, also use an adblocker like uBlock Origin.

An VPN does very little for your privacy, let alone security, 90% of connections and websites on the internet are already encrypted using HTTPS, DNS over TLS or HTTPS over DNS/TLS, and modern trackers doesnt need your IP address to track you, for that they use your browsers digital fingerprint, which if you use Chrome or Firefox, is unique, meaning they can follow you around by just looking at the fingerprint, no cookies, trackers or IP addresses needed, instead use an DNS service, like Cloudfare, Quad9, or NextDNS, the latter two includes malware filtering, not only does using an DNS over your ISP one is not only does it encrypt your DNS queries (which VPN's also does, though it doesnt make your surfing habits invisible to your ISP), it also speeds up browsing speed.

Malwarebytes is mediocre, its good at finding unwanted stuff, but not so good at detecting actual malware, and their nagging is on par with Avast, though not as aggressive, its still an good enough tool to run alongside Windows Defender, just make sure to turn off all real time protection and disable Register in Security Center (Disable notifications in it settings to stop it from nagging about disabled real time protection modules)
 
Last edited:

kC77

Level 4
Aug 16, 2021
191
I'm setting up a computer for my paranoid father. An example of the precautions he takes is to shut down the modem/router when not in use and disconnect the DSL phone line. Also unwilling to use wireless mice or keyboards lest his password keystrokes be logged by rogue hackers in the neighbourhood.

I've taken some notes of posted security configurations on this forum however I initially came here with questions on the following general points:

- Are pi-holes attached to router worth considering?
- What software firewalls are recommended? Is there a better physical alternative for purchase or creation from old computer?
- What's a good VPN either paid or free? The TOR browser is considered but my father would never trust it's nature
- What anti-virus programs are worth considering? Avast had a virtualized environment in the past I recall but I never tested it's efficacy.
- How's Malwarebytes considered these days? I've used it for scans before but how would it's live protection mesh in a good protection scheme?

Let me know what your entry and mid level security recommendations may be please. I'm not well versed in networking but technical enough to implement most things.

Thanks.

Pihole - YES along with unbound for recursive DNS & block all other DNS leaks in hardware firewall
Software firewalls - Spyshelter firewall/tinywall/simplewall/windows firewall controll/glasswire etc (spyshelter firewall has the advantage of keystroke protection)
Good VPN - ProtonVPN - free & Paid - only really needed if he doesnt want the isp logging his websites or if torrenting)
AV - Windows defender with Configure Defender in high mode, or KAV
MBAM - no comments
 

Chuck57

Level 7
Verified
Well-known
Oct 22, 2018
318
For me, being probably among the oldest on this forum, Comodo Firewall (CS settings) and Wisevector StopX is a pretty good combination. Once set, both tend to do their jobs and leave me alone. When you get old, crotchety, and annoyed by everything not being pestered is nice.
 

ticklemefeet

Level 26
Jan 31, 2018
1,548
For me, being probably among the oldest on this forum, Comodo Firewall (CS settings) and Wisevector StopX is a pretty good combination. Once set, both tend to do their jobs and leave me alone. When you get old, crotchety, and annoyed by everything not being pestered is nice.

Welcome to among the oldest on this forum.

F-Secure has become a very good AV. As far as a firewall, I like Fort Knox but Tiny Firewall is pretty good as well.
If Daddio is really paranoid, install Shadow Defender. For a good second on demand scanner, I would recommend Dr Web's CureIt.
A top of the notch paranoid person would also install Appguard.
And above all else Marcrium Reflect with USB full backups
Now I won't say Comodo products are bad, and I have nothing at all against mt fav shoe model but because of principal personal reasons I won't recommend Comodo anything because of what they did to Kevin. Yes, it is true BoClean was not doing as well and that is because most of his contracts were the government but when new nasties required more, the gov told Kevin he cannot touch the kernel with his software and so that was that. Now look what they decided to use anyway. And if you think Kevin's forum posts are long, you should have seen his e-mail.
In case you are wondering who Kevin was, I am including an old link to Comodo Forums.

Happy New Year
 

ticklemefeet

Level 26
Jan 31, 2018
1,548
install virtualbox and then create a Tails linux vm
all free & provides what is essential for paranoid user

Tails

Virtual Box is great but really only needed if an install requires a reboot. And requires a bunch of resources. Shadow Defender isn't free but is cheap and a lifetime Lic. I only know of one way to beat Appguard and that is by using one of the rusted signed certs included in the program with your malware. There might be others, but I am not aware of them.
 

oldschool

Level 67
Verified
Top poster
Well-known
Mar 29, 2018
5,637
An example of the precautions he takes is to shut down the modem/router when not in use and disconnect the DSL phone line. Also unwilling to use wireless mice or keyboards lest his password keystrokes be logged by rogue hackers in the neighbourhood.
IMO don't go overboard and start with the basics.
The most important first step is to talk with your father about basic computer and intenet hygiene. This is essential. Try to understand the source of his paranoia. Do you live in a place ridden with rampant extortion, civil unrest, other crime, etc.? Or is he spinning these beliefs in his head out of past traumatic experiences, etc. or from some unreliable media sources or security clickbait?

Once you understand where he's coming from you can start to come up with solutions that work for him. I can't stress enough that basic computer and intenet hygiene education is an essential foundation and starting place for computer security.
 

mathok87

New Member
Thread author
Jan 5, 2022
5
Wow thank you everyone for all this information! Plenty to sort through and great recommendations! Here is what I'm considering at the moment:

- Antivirus: F-Secure or Kaspersky Internet Security (doesn't look like I'd really need Total Security package). Also will present Microsoft Defender as an option but he'll probably feel better paying for something he feels is even more secure.

- Firewall: Fort Knox (seems pretty complete), TinyWall (doesn't list protection from "outbound" attacks), Comodo (seems appealing especially with Cruelsister settings - is there significant benefit over the other options?)

- Other considerations: Definitely will Harden Windows, VoodooShield Free looks like a worthwhile security addition, KVRT as additional scan option.

Beyond all this his ISP supplied router is old however it lacks WPS which he likes. He's read that WPS sometimes isn't entirely disabled on routers when done through the router interface (I haven't come across this myself). To that end is it likely one could actually encounter attacks directed at the router itself circumventing the software security options above? I'd doubt it but I'm not qualified to back my doubts up. I've always setup my routers with the following guide in mind:


With that guide in mind is there really specific 3rd party routers worth considering with further security in mind? As stated I'd presume any half decent router with standard security setup should be absolutely fine with above software options but if there's something with tangible benefit that's not a fortune I can direct it to him for consideration.

By the way my dad doesn't engage in anything nefarious but rather just standard internet browsing. His biggest fear as it stands is suffering a network infection that would log his information when he uses his Chromebook for internet banking. Said Chromebook is only used for this purpose and is otherwise turned off.

Again thanks again everyone for this.
 

mathok87

New Member
Thread author
Jan 5, 2022
5
The most important first step is to talk with your father about basic computer and intenet hygiene. This is essential. Try to understand the source of his paranoia. Do you live in a place ridden with rampant extortion, civil unrest, other crime, etc.? Or is he spinning these beliefs in his head out of past traumatic experiences, etc. or from some unreliable media sources or security clickbait?

Once you understand where he's coming from you can start to come up with solutions that work for him. I can't stress enough that basic computer and intenet hygiene education is an essential foundation and starting place for computer security.
Absolutely basic computer and internet hygiene is important is something he's fairly savvy with. He has background as an electrical engineer and thus has worked with computers his whole life. He's pretty good at identifying scam emails and not clicking on potential malware links. He's extra concerned though if he even opens an email that contains a link within it. He once opened a text message on his phone that had a suspicious link and subsequently got a new phone number. Computer security is a grey area for him so his default response is stressed paranoia over every action taken online.
 
Dec 12, 2021
186
Absolutely basic computer and internet hygiene is important is something he's fairly savvy with. He has background as an electrical engineer and thus has worked with computers his whole life. He's pretty good at identifying scam emails and not clicking on potential malware links. He's extra concerned though if he even opens an email that contains a link within it. He once opened a text message on his phone that had a suspicious link and subsequently got a new phone number. Computer security is a grey area for him so his default response is stressed paranoia over every action taken online.
NextDNS offer protection against Newly Registered Domains, blocking websites newer than 30 days, useful to ease his paranoia.

Also, aslong as the router is kept up to date, an strong password is used, and attached devices are monitored theres no need for him to worry about network attacks, the inbuilt firewall already offers some degree of protection against such attacks, theres really no need for third party firewalls.
 

mathok87

New Member
Thread author
Jan 5, 2022
5
NextDNS offer protection against Newly Registered Domains, blocking websites newer than 30 days, useful to ease his paranoia.

Also, aslong as the router is kept up to date, an strong password is used, and attached devices are monitored theres no need for him to worry about network attacks, the inbuilt firewall already offers some degree of protection against such attacks, theres really no need for third party firewalls.
Well dang that's a nice service! He'll definitely be interested in NextDNS. Thanks also for the router advice!
 
  • Like
Reactions: Nevi and Sorrento

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,155
If you can, try to educate the elder about which security concerns are relevant to home users and which are not. It sounds to me like he wants a setup to protect nuclear secrets, which is overkill.
Nowadays, since we are all behind a router, attackers cannot penetrate the system straight from the internet like they could with the old-style modems. If a user is on a trusted home LAN network, it is not likely that he will be targeted. That happens to businesses and public figures, not to ordinary home users.
 
Last edited:

Sorrento

Level 4
Dec 7, 2021
190
In my opinion, using a program such as Kaspersky Internet Security for example along with AdGuard for Windows, decent router with firewall, maybe Wise Disk Cleaner along with an imaging system will do all you want - Adding a VPN will potentially throw up CAPTCHA's due to sharing IP address & this can worry people - More than that for a low risk user could put you in the paranoid category not your father?
 

JoyousBudweiser

Level 14
Verified
Top poster
Well-known
Aug 22, 2013
688
Well dang that's a nice service! He'll definitely be interested in NextDNS. Thanks also for the router advice!
Mikrotik routers support DNS over HTTPS (Doh), am running NextDNS doh on my Mikrotik, it has a pretty decent firewall too.
Untitled-1.jpg
 
  • Like
  • +Reputation
Reactions: Nevi and oldschool