Secure operation under Linux.
Everything described below is my personal experience of using Linux for work purposes. I’m sure my approach to security is suboptimal, but most people neglect even such measures. If this article helps me to increase my contact list in Jabber and decrease my ICQ contacts, then I wrote it for a reason. I took out the lyrical digressions and left only the practical advice.
VPN openvpn 2.0.8-16
The choice between openvpn and pptp is, in my opinion, obvious, at least if your security is important to you. Installing and configuring the openvpn client is easy: download the latest version of the sources, and the usual sequence ./configure, make, make install covers most cases. If you don’t have ssl, you will have to install it first (in my case: openssl_0.9.8d-17). The first use of openvpn is sometimes marred by the lack of a GUI, but you get used to it. Startup goes like this:
Where:
/usr/sbin/openvpn is the path to the executable (yours may be different);
--config /home/user/job-disk/vpn/config.ovpn specifies where the configuration of the particular VPN service is;
--daemon starts the VPN as a daemon (the counterpart of a Windows service), so it does not occupy our terminal or display a bunch of uninteresting messages about the connection to the server.
You don’t need to type the long startup command in the terminal every time. It is enough to put everything in a small script.
I have had the following problems when using openvpn under Linux. First, openvpn works with a tun device (/dev/net/tun), which only root has access to by default. It is not reasonable to change that. It is enough to have the script start openvpn with superuser rights:
This can also be added to the openvpn startup script. After these manipulations, the VPN should work without any problems.
CRYPTO-CONTAINER truecrypt 4.3-0
I use truecrypt to create a crypto disk. I have not had any reason to prefer it to any proprietary software yet. It is also a console program. Launching the crypto disk creation dialog:
The questions are simple. Only the choice of hash and crypto algorithms is essential. On the web you can find a lot of thoughts about different algorithms being hacked; I do not know whether they are true or speculation, but one thing is clear: Blowfish and Whirlpool are not mentioned once in this context. This is why I chose them. Disk mounting is done with the command:
Where:
/home/user/disk is the path to the crypto container file;
/home/user/job is the directory where we mount the crypto container.
It also makes sense to put this command in the script. The complete script, which starts the VPN and mounts the crypto-container file, will look like this:
Name it something short, e.g. job, and put it in the appropriate bin directory (for example: /home/usr/bin). As a result, before you start work you just need to type in the console:
Then enter the crypto container password and the root password to start the VPN. It’s much faster than clicking on boxes with your mouse. You can also add to the script all the routine steps you do before you start work, for example launching a messenger, browser, etc. To finish work just as quickly, you should create a script that will: stop the VPN, unmount the crypto-disk, and reset resolv.conf to its original state. It will look something like this:
Where:
sudo start-stop-daemon -K --exec /usr/sbin/openvpn uses the small start-stop-daemon program to stop a particular daemon, which is identified by the location of its executable file. Installing start-stop-daemon, if you do not have it yet, is quite trivial;
sleep 2s gives the daemon a short pause to stop;
truecrypt -d unmounts all crypto disks in the system (although you can specify a certain disk);
echo bla-bla-bla > /etc/resolv.conf returns the previous content of resolv.conf into place.
You can name it stop, for example, and put it next to job. Of course, this script, like the previous one, can be edited at will. And yes, don’t forget to make both files (job and stop) executable.
ENCRYPTED COMMUNICATION gpg 1.4.5 gpg2 1.9.22 gpgme 1.1.2 libgpg-error 1.4 KGpg 1.2.2 PSI 0.10-3
For secure correspondence and communication, I believe it is best to use GPG, the open-source implementation of PGP. Normally, all the packages needed for GPG to function are installed with the system, but even a standalone installation should be no problem. KDE has a very friendly GUI for GPG called KGpg. It makes setting up and using GPG in KDE self-explanatory and straightforward. To use gpg you will need to set up a pair of keys, one public and one private. You can send the public key to everyone you talk to. Your peers use it to encrypt everything they want to send you (emails, instant messenger messages, files). These can only be decrypted using your private key, so it should be stored carefully.
As I see it, the safest and friendliest communication protocol is Jabber, and the best messenger based on it is PSI. It has a simple and nice interface and supports all the features of the Jabber protocol. I have only faced two problems when using PSI:
a) PSI does not provide a choice of the directory in which to store the logs of correspondence. The least time-consuming way to make it store the logs in a crypto container is to create a symbolic link in place of the logs folder (located at /home/user/.psi/profiles/default/history) that leads to the folder where the crypto container is mounted (/home/user/job/). For example:
That way, the message history will be stored on the crypto disk, unless you forget to mount it before starting.
b) To use GPG encryption for PSI communication, the Use GnuPG agent option must be checked in KGpg. Without it, the dialog for entering your secret key password is not shown when connecting to the server, so the connection is not made.
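The setup above has two fragile spots: the PSI history symlink only protects the logs while the container is actually mounted on /home/user/job, and the stop script restores resolv.conf from a hard-coded line. The shell functions below are an added example, not the author's job and stop scripts; the function names and the backup-file approach are assumptions, and callers would pass the paths used in the article.

```shell
#!/bin/sh
# Added example, not the author's scripts. Function names are hypothetical.

# True if $1 is a mount point: its device number differs from its parent's,
# or it is the filesystem root (same inode as its parent). Uses GNU stat.
is_mount_point() {
    [ -d "$1" ] || return 1
    dev=$(stat -c %d "$1") || return 1
    pdev=$(stat -c %d "$1/..") || return 1
    [ "$dev" != "$pdev" ] && return 0
    [ "$(stat -c %i "$1")" = "$(stat -c %i "$1/..")" ]
}

# True only if history path $1 is a symlink that resolves inside $2
# AND $2 currently has the crypto container mounted on it.
history_is_protected() {
    [ -L "$1" ] || return 1
    target=$(readlink -f "$1") || return 1
    mnt=$(readlink -f "$2") || return 1
    case "$target" in
        "$mnt"/*) ;;
        *) return 1 ;;
    esac
    is_mount_point "$mnt"
}

# Keep a byte-for-byte copy of the resolver config ($1) in $2 before the VPN
# starts, and put it back on stop instead of echoing a hard-coded line.
save_resolv() { cp -p "$1" "$2"; }
restore_resolv() {
    [ -f "$2" ] || return 1
    cp -p "$2" "$1" && rm -f "$2"
}

# Gate for the start script: refuse to launch the messenger when its history
# would land on the unencrypted disk.
start_messenger_guard() {
    if history_is_protected "$1" "$2"; then
        echo "history is on the mounted container"
    else
        echo "container not mounted: not starting messenger" >&2
        return 1
    fi
}
```

In the job script the guard would be called with /home/user/.psi/profiles/default/history and /home/user/job before PSI is launched, and save_resolv before openvpn starts.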
To ensure secure communication in PSI, you must:
check use SSL encryption, ignore SSL warnings;
uncheck Allow plaintext login;
tell PSI which private key you will use to decrypt messages;
send your interlocutor a public key that is paired with your private key;
get your interlocutor’s public key and assign that key to his contact in PSI (Assign OpenPGP key);
click the padlock icon in the chat window.
Your interlocutor should naturally do the same.
Small note: with some Jabber servers you will need to specify the host and port of the server you are using manually in the PSI settings.
SOCKSIFICATION proxychains 3.1
I chose the console-based ProxyChains as the proxy program. Its latest versions make almost all the necessary software (with the exception of KDE’s Konqueror browser) work without bugs. It lacks many redundant features, but has many goodies. Configuring the program and adding socks is done by editing the proxychains.conf file. In most cases, you can add the following line to the end of the file:
Where:
socks5 defines the type of socks or proxy (socks4, socks5, proxy);
184.108.40.206 12345 are the IP and port of the socks used.
Start the program as follows:
Where the application (or the full path to the executable file) to be socksified is specified after proxychains.
Requests, corrections and constructive criticism are welcome.
The rights to this article belong to the author. Reprinting, using parts of it, etc. for personal purposes on other resources is only permitted with the author’s verbal agreement.
Copyright (C) 2007 Z-a specially for https://ver.sc