Security guide for the paranoid

ffries · July 27, 2017, 11:59am

Dear friends,

I am writing a new guide about security and LEDE:
https://lede-project.org/docs/howto/security-guide-for-the-paradoid

It is a guide explaining how to set up a home/small company using deep defense:

A main LEDE router
Secondary routers organized by zones: trusted, untrusted, DMZ.
A serial console server and an admini console, with no connection to Internet.
A logging server and network probes.

First, I need to upload SVG graphics made with dia and I notice that i don't have sufficient rights.
Could you allow me to upload graphics to the WIKI?

Also, where should my howto stand while it is being written ?

Kind regards,
French fries

tmomas · July 27, 2017, 5:30pm

You are allowed to upload, no special rights necessary.

"When the media manager opens,
your very first action should be to change to the media namespace"

-> https://lede-project.org/meta/adding_images_to_lede_wiki#troubleshooting

ffries · July 28, 2017, 8:35am

Got it, thanks!

roshii · August 15, 2017, 8:56pm

I had been looking for such guide for long. Big up to you!
I'm looking forward at hardware as well as settings recommendations!

Thanks

ffries · November 8, 2017, 11:03am

Sorry, I will not write such a guide right. now.

The reason is that I believe that GNU/Linux is somehow full of security holes.

The only way to secure a network is probably to:

Use special hardware or design your own.
Listen on the network for unwanted connections, with tools like Suricata.
Monitor file changes and logs very closely.

I don't want to discuss those issues in public, so I prefer not to write such a guide.

Feel free to pick-up those issues, which could be referred in English as "Defense in depth".

Kind regards,

dlang · November 8, 2017, 7:50pm

we need a guide for people just a touch less paranoid.

Linux may be full of security holes, but the holes are still smaller than the
competition, and it's routinely used for things you really care about (like
secureing your bank account)

David Lang

windowsrefund · November 14, 2017, 4:09am

I really appreciate your suggestion to use only Free Software. That said, you immediately follow that suggestion up with a reference to "commerical software". This implies that "commercial software" is somehow different or "at odds with" Free Software. This is a common misunderstanding in our circles and I'd prefer to not see the same confusion repeated here (if possible). Free Software is software that grants its users 4 essential freedoms (these are well documented on fsf.org) while non-free software is any software that is not free (as in freedom). It's about the amount of freedom granted and has nothing to do with cost. At the end of the day, there are only really 2 groups of software: free and non-free. What you pay for any instance of either is totally unrelated.

Dom · November 25, 2017, 5:27pm

While I did get into LEDE for the rootkits and the network defense, I think you may be a bit too isolated from the average developers/admins.

Personally the first thing on my list would be not to use this site. Nothing against the dev team, but the attack surface on a lot of the JavaScript frameworks is just too large and I think it is legitimately hard to keep up with the bugfixes.

I wouldn’t use SVGs either. Aren’t those like executable images? No PDFs either, unless it’s a honeypot server.

I’ve been checking out Bro, it’s basically an event based scripting language for packet analysis.

I’m curious, what do you guys think of the skill of these botnet developers?

tmomas · September 8, 2019, 9:44am

@ffries Since this page hasn't seen any relevant edits in more than two years now: Is this page still work in progress? Can the WIP and "do not modify" be removed now?

grafik