Frieder Schlesier
49a5940eab
* 'master' of https://gitlab.com/fschl/dotfiles: update documentation for wireguard update wireguard documentation, fix install, add example for server show status of wg0 interface in main status line add documentation for wireguard fix whitespace add wireguard to install extend .spacemacs (especially org config) add dual extern screen for notebook updates add cups-browsed to standard desktop install update license year update arduino and audacity
README.org
fschl dotfiles
Things that make my Linux life more comfortable, portable and secure. For Debian or Debian-based distros, using i3wm.org on the desktop. And containers everywhere :)
inspired by https://github.com/jessfraz
Questions this repo tries to answer
- How long does it take for you to set up a machine?
- Do you have backups?
- Are you using a password manager?
- How do you transport your secrets?
- Can you get things done without your computer?
- Rescue+Recover friends' laptops/computers
- panic-ops using a friend's laptop
Security
Hardening ssh
- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
- see `/etc/ssh/ssh_config` and `.ssh/config`
add this to `~/.ssh/config`:
```
# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
HashKnownHosts yes
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
```
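An added check (not part of the dotfiles repo) that audits a client config file against the algorithm lists above and prints anything outside them; it assumes only POSIX sh and awk, so it runs even where ssh is not installed:

```shell
#!/bin/sh
# Added example (not from the dotfiles repo): audit an OpenSSH client config
# against the KexAlgorithms/Ciphers/MACs/HostKeyAlgorithms lists given above.
# Needs only POSIX sh and awk, so it works without ssh installed.

ALLOWED_HOSTKEY="ssh-ed25519-cert-v01@openssh.com ssh-rsa-cert-v01@openssh.com ssh-ed25519 ssh-rsa ecdsa-sha2-nistp521-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp521 ecdsa-sha2-nistp384 ecdsa-sha2-nistp256"
ALLOWED_KEX="curve25519-sha256@libssh.org ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha256"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"

# audit_ssh_config FILE: print "<Keyword> <algorithm>" for every configured
# algorithm that is not on the corresponding allow-list (nothing if all is well).
audit_ssh_config() {
    awk -v hk="$ALLOWED_HOSTKEY" -v kex="$ALLOWED_KEX" \
        -v macs="$ALLOWED_MACS" -v ciphers="$ALLOWED_CIPHERS" '
    function load(key, list,   n, i, a) {
        n = split(list, a, " ")
        for (i = 1; i <= n; i++) ok[key, a[i]] = 1
    }
    BEGIN {
        load("hostkeyalgorithms", hk); load("kexalgorithms", kex)
        load("macs", macs);            load("ciphers", ciphers)
    }
    /^[ \t]*#/ || NF < 2 { next }                 # comments and blank lines
    {
        key = tolower($1)
        if (!(key == "hostkeyalgorithms" || key == "kexalgorithms" ||
              key == "macs" || key == "ciphers")) next
        val = $2
        if (val ~ /^-/) next                      # "-list" only removes algorithms
        sub(/^[+^]/, "", val)                     # "+"/"^" keep OpenSSH defaults too
        n = split(val, algs, ",")
        for (i = 1; i <= n; i++)
            if (!((key, algs[i]) in ok)) print $1, algs[i]
    }' "$1"
}

# ssh_config_is_hardened FILE: exit 0 only if the audit found nothing.
ssh_config_is_hardened() {
    [ -z "$(audit_ssh_config "$1")" ]
}
```

Run it as `audit_ssh_config ~/.ssh/config`; a `+` prefix on a list is stripped but note that it leaves the OpenSSH defaults active as well.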
generating keys
```sh
# RSA keys are favored over ECDSA keys when backward compatibility is required,
# thus newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
# ED25519 keys are favored over RSA keys when backward compatibility is not required.
# This is only compatible with OpenSSH 6.5+; the keys are fixed-size (256 bits).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
```
GnuPG
- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys
`~/.gnupg/gpg.conf`:
```
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
```
Managing logins & passphrases
- use a secure, cross-platform, cloudless password manager, e.g. keepass2
Backup Secure Keys
- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any Windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption
Nowadays it is hard to find a USB thumb drive with less than 4GB of storage. Still, you want a dedicated drive to transport your password database, SSH keys and GPG keys, and those need no more than a couple of MB. So what to do with the remaining space?
Scenarios:
- You visit friends, have only your keys with you, and have to check your mail, assist a colleague in some network/ops emergency or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out with recovery.
Boot into a safe environment with all your credentials available in a secure manner. Have a bootable forensics toolbox around so you can get going quickly in a familiar setup.
Solution: multi-boot!
thumb drive setup
3 partitions: boot + ISOs, a LUKS-encrypted partition for the secrets, and an unencrypted partition for non-sensitive data
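As an added example (not part of the repo), a script that creates this layout. It assumes root, sfdisk, cryptsetup and mkfs.ext4, and a placeholder DEV for the whole stick; the partition plan is kept in its own function so it can be inspected before any device is touched:

```shell
#!/bin/sh
# Added example (not from the dotfiles repo): build the three-partition layout
# described above on a USB stick: (1) boot + ISOs, (2) LUKS-encrypted for the
# password database and SSH/GPG keys, (3) plain ext4 for non-sensitive data.
# Assumptions: run as root; sfdisk, cryptsetup and mkfs.ext4 are installed;
# DEV is the whole stick (e.g. /dev/sdX), and everything on it is expendable.
# The sizes (2 GiB for ISOs, 256 MiB for secrets) are guesses for a 4 GB stick.
set -eu

# partition_plan BOOT_MIB SECRET_MIB: print an sfdisk script for the layout.
# Partition 3 gets whatever space is left. Prints only; touches no device.
partition_plan() {
    printf 'label: dos\n'
    printf 'size=%sMiB, type=83, bootable\n' "$1"   # 1: boot + ISOs
    printf 'size=%sMiB, type=83\n' "$2"             # 2: LUKS container
    printf 'type=83\n'                               # 3: remaining space, plain ext4
}

# partition_node DEV N: node of partition N (/dev/sdb2, but /dev/mmcblk0p2).
partition_node() {
    case $1 in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# setup_thumb_drive DEV: DESTRUCTIVE. Wipes DEV and creates the layout.
setup_thumb_drive() {
    dev=$1
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    partition_plan 2048 256 | sfdisk --wipe always "$dev"
    udevadm settle 2>/dev/null || sleep 2             # wait for /dev nodes
    mkfs.ext4 -L isos "$(partition_node "$dev" 1)"
    # LUKS2 container; cryptsetup asks for the passphrase interactively.
    cryptsetup luksFormat --type luks2 "$(partition_node "$dev" 2)"
    cryptsetup open "$(partition_node "$dev" 2)" secrets
    mkfs.ext4 -L secrets /dev/mapper/secrets
    cryptsetup close secrets
    mkfs.ext4 -L data "$(partition_node "$dev" 3)"
}
```

Check the plan with `partition_plan 2048 256` first; only `setup_thumb_drive /dev/sdX` writes to the stick.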
building Kali Linux ISO [0/7]
- https://docs.kali.org/downloading/kali-linux-live-usb-install
- add encrypted persistence https://docs.kali.org/downloading/kali-linux-live-usb-persistence
- add kali meta packages https://www.kali.org/news/kali-linux-metapackages/
- https://docs.kali.org/development/live-build-a-custom-kali-iso
- customize live image contents https://live-team.pages.debian.net/live-manual/html/live-manual/customizing-contents.en.html#517
- add LUKS Nuke support https://www.kali.org/tutorials/nuke-kali-linux-luks/
- OPTIONAL add PowerShell https://www.kali.org/tutorials/installing-powershell-on-kali-linux/
TODO [0/4]
- explain setup, ideas, practices
- add HOWTO
- separate sources.list setup for server/desktop/laptop
- move to ansible for easier modularization of setup