[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ssh clarification needed




Mail Lists-3 wrote:
> 
> 
>    By hand it would be something like this - let me assume for this your
> swap partition is /dev/sda7
> 
> 

This is an excellent guide to getting the maximum security on the swap
partition.  One other point that is also worthwhile considering is that if
you are really paranoid and about to do a clean install of F10 and plan on
encrypting partitions, then randomising ALL the partitions before installing
is an additional security safety measure although it is a bit tedious to
arrange to do this.  

I did this on a laptop ahead of F9 some time back - and what I did was to
have an additional partition apart from those that I want my real install to
go on, and installed to that spare partition with the /boot area as a
separate unencypted partition. Then I booted into that F9 and did
essentially the parts of the process described by the previous post to
randomise the swap area. However I additionally also randomised the / and
the /opt partitions that I would then be keeping as encrypted in my real f9
install.

So then I set up the install and asked it to encrypt and format swap, / and
/opt and then also used the unencrypted /boot area.

Once that install was complete it then used all its partitions as luks
encrypted that had previously been randomised. 

So as far as I could tell that was extremely secure against theft. As a
final step the unwanted partition containing the "old" f9 root partition was
then also randomised.  This then resulted in a laptop that was as secure is
it was possible to have, and included SElinux enforcing.  I believe that
this is as safe as can be done on any machine regarding security.

Of course the security of any system is dependent on the weakest link - so
divulging passwords (or leaving them in a file elsewhere, or leaving a
post-it note stuck in the laptop bag etc etc) is one way the bad guys can
get in - as is using your original password in a web site as well as your
laptop login password and then accessing the website via an http rather than
a https link etc.

Either way if you really want a good level of security then the techniques
described in these posts are a pretty good start - and of course it is then
also probably necessary to keep an unencrypted backup of your files on a
local server away from the laptop and hope that the bad guys don't get your
backup as well as the laptop !

All these things are a personal choice and depend on how far you want to go
as well as how much time you have to devote to dealing with security matters
- but clearly a machine used for home and casual browsing is going to
generally be treated differently to one operated by a government security
agency - although as hinted already those agencies don't always take
security seriously enough.
-- 
View this message in context: http://www.nabble.com/ssh-clarification-needed-tp21274919p21278264.html
Sent from the Fedora List mailing list archive at Nabble.com.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]