Secure by design…

So I figured that if I really wanted to leverage the capabilities of OpenBSD, I should do my utmost to ensure that what I created was a secure experience.  The first thing that jumped to mind was cryptographic security of the hard drive.  In the event that the possibly mythical (after all, am I really that interesting?) “Bad Guy”(TM) stole my laptop, how can I prevent them from finding the innumerable pictures of cats that clog my browser cache from http://reddit.com/r/aww and embarrassing me with their publication on a national news site?

I started doing some research (a fancy way of saying I fired up my browser and hit Google) and discovered that OpenBSD had me covered already here.  OpenBSD has full disk encryption and setting it up was really simple.  I visited one of my favorite sites (http://bsdnow.tv) and found a tutorial that shows how to set up full disk encryption for each of the BSDs:

http://www.bsdnow.tv/tutorials/fde

The nice thing about OpenBSD is that the swapfile has been encrypted by default for several versions now so there were no special hoops to jump through.

The next thing I wanted to think through was network security.  Fortunately the built-in firewall software (PF) that is provided with OpenBSD is very powerful.   Incredibly powerful.  I might lock my keys in the car and have to walk to work powerful. Again though, the good people of the Internet have provided some really nice tutorials that provide some good starting points here.

One of the things I wanted to do was to see if I could block inbound traffic from countries that should never be connecting to my laptop.  I’ve been running a Debian server for some time on my home network (an old Power PC G4 Mac Mini that I had no other uses for) where I opened up port 22 on my firewall and redirected it to this machine (which only had a single user with a crazy password on it).  The fun thing (and yes, I recognize that this is an odd hobby) was to look at the country of origin for the approximately 5 login attempts per second that I was registering on this server.  No offense to my friends from these regions, but the bulk were Russian, Chinese, or Korean addresses.

I found an article on Undeadly.org that explained how you can leverage the data at http://ipdeny.com to do this pretty nicely:

http://undeadly.org/cgi?action=article&sid=20140527054301

It should be noted that this might not be the most precise source of data for doing this type of thing, but it gets pretty close.

Finally, once I am connected to the Internet, I want to make sure that my browser(s) of choice (I typically run both Firefox and Chrome so that I can test my web applications with both major rendering engines) are configured to maximize my privacy.  For that, I look to a collection of browser plugins:

  • HTTPS Everywhere (forces the browser to use HTTPS exclusively if the site offers it)
  • Ghostly (blocks trackers)
  • AdBlock Pro

The last one (blocking ads) is a bit personally controversial for me in that I want to support my favorite tech sites by generating impressions for their ads (which generates revenue for them).  However, given recent news that has come out of malware being spread by maliciously crafted ads that exploit flaws in things like Adobe Flash, I felt that I really needed to take this step as well.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s