| 1 |
Dale Pontius wrote: |
| 2 |
> 7v5w7go9ub0o wrote: |
| 3 |
>> Romain BERGE wrote: |
| 4 |
>>> Hey list, |
| 5 |
>>> |
| 6 |
>>> I am planning buying a laptop. I would like to install a hardened |
| 7 |
>>> (workstation) profile on it. |
| 8 |
>>> |
| 9 |
>>> Which hardware features/components should I take care of ? (to be |
| 10 |
>>> the most compatible with hardened) In the opposite, are there |
| 11 |
>>> some hardware components/brand to avoid ? |
| 12 |
>>> |
| 13 |
>>> Thanks |
| 14 |
>>> |
| 15 |
>>> |
| 16 |
>> Went through a similar exercise a few years ago; concluded that |
| 17 |
>> one: |
| 18 |
>> |
| 19 |
>> - first chooses the laptop that meets his needs (I wanted a 2 |
| 20 |
>> pounder with good screen and graphics to carry about in a back |
| 21 |
>> pack, with frequent stops at hotspots) |
| 22 |
>> |
| 23 |
>> - second googles about for linux success/failure stories about that |
| 24 |
>> laptop. Gentoo has some great documentation and explanations |
| 25 |
>> concerning Linux; Ubuntu has some great user lists regarding |
| 26 |
>> specific hardware. My Sony was 95% Linux good to go, with detailed |
| 27 |
>> Ubuntu discussions about xorg.conf. |
| 28 |
>> |
| 29 |
>> - third if it works on Linux, it'll likely work for hardened. (this |
| 30 |
>> was true for 32bit on my laptop; 64 may be different; I'll know |
| 31 |
>> shortly ) |
| 32 |
>> |
| 33 |
>> FWIW, IMHO a hardened profile, along with other precautions, makes |
| 34 |
>> a lot of sense on a laptop as there is all sorts of mischief |
| 35 |
>> occurring at anonymous, college and Saturday-afternoon hotspots - |
| 36 |
>> some of it quite sophisticated due to "pen test" software. It's a |
| 37 |
>> wild west that you'll not experience on your firewalled desktop. |
| 38 |
>> |
| 39 |
> Just a side comment on this... I have scripts that figure out where |
| 40 |
> the heck I am when networking comes up, and based on that decide |
| 41 |
> what, if any, service(s) to bring up. When the current network is on |
| 42 |
> "other", NO services are started at all - even X is started with |
| 43 |
> "-tcp nolisten" so there are no open ports. Scratch that - dnsmasq |
| 44 |
> is listening on loopback, but that's it. |
| 45 |
> |
| 46 |
> Maybe it's not all that's necessary, but it's a good first line of |
| 47 |
> defense. |
| 48 |
> |
| 49 |
> Dale Pontius |
| 50 |
|
| 51 |
Heh.....clever idea; makes good sense to me. :-) |
| 52 |
|
| 53 |
(Some might argue for a VPN so as to avoid DNS poisoning or an |
| 54 |
attack against Mara directly - guess that would depend upon the nature |
| 55 |
of one's business at the hotspot. FWIW, I run unbound (DNS) in its own |
| 56 |
jail. I'll shut it down and use a VPN when doing banking/other |
| 57 |
sensitive stuff) |
| 58 |
|
| 59 |
(Given I use individual, hardened (grsecurity) jails for anything that |
| 60 |
connects outside, I can't totally block X - but I do firewall it; and |
| 61 |
also confine it through xhost to local host only. |
| 62 |
|
| 63 |
As far as running services - nope! Heh.... mindful of poisoning or |
| 64 |
buffer-overflow attacks, I'll passively monitor the place with kismet |
| 65 |
for a minute or two before announcing my presence, and then bring up |
| 66 |
DHCPCD in a hardened jail for 3 seconds - long enough to set the network |
| 67 |
assignments - then automatically kill it. Arpon can passively monitor |
| 68 |
external ARP activity.) |
Archives