
Protecting Your Notebook

If you use your notebook computer for work at Anchor you must take several measures to protect yourself and Anchor against any form of attack and/or data theft.

Protecting Data with Encrypted LVM

Protecting Data with EncFS

If you have any Anchor data of any sort on your notebook, it must be encrypted. EncFS is a relatively easy and relatively secure way to do so.

  1. sudo apt-get install encfs
  2. sudo gpasswd -a USERNAME fuse
  3. echo "fuse" | sudo tee -a /etc/modules (the redirection has to run as root, which a plain 'sudo echo ... >>' does not do)
  4. Log out and back in again to re-evaluate group membership
  5. encfs ~/.crypt ~/crypt
  6. Select 'y' and 'y' to create the two directories
  7. Select the paranoia option
  8. Enter a passphrase which will be used to encrypt and later mount the encrypted filesystem

Now, the encrypted files will be stored in ~/.crypt - do not change anything in this directory. The unencrypted files will be mounted in ~/crypt. Add your files here.

You may like to have a simple script that eases mounting and unmounting your encrypted filesystem:

#!/bin/bash
# secret: mount or unmount the EncFS volume set up above
if [ "$1" == "start" ]
then
        # -i 15: unmount automatically after 15 idle minutes
        encfs -i 15 ~/.crypt ~/crypt
elif [ "$1" == "stop" ]
then
        fusermount -u ~/crypt
else
        echo "usage: $0 {start|stop}" >&2
        exit 1
fi

Save it as 'secret' somewhere on your PATH and make it executable. Then just run 'secret start' and enter the password to mount the encrypted filesystem, or 'secret stop' to unmount it.

The -i parameter specifies a timeout of 15 minutes of inactivity before the filesystem is automatically unmounted.
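A fuller version of that mount script, added here as an example and not Anchor's own code: besides start and stop it refuses to mount twice, and a verify subcommand writes a throwaway token through ~/crypt and confirms the token shows up nowhere in ~/.crypt, neither as content nor as a file name, which is the quick check that your data really is encrypted at rest. CRYPT_DIR, MOUNT_DIR and the helper names are my own choices; the directory layout is the one from the steps above.

```shell
#!/bin/bash
# secret: mount, unmount and verify an EncFS volume (added example).
# Assumes ciphertext lives in ~/.crypt and the plaintext view is ~/crypt.
CRYPT_DIR="${CRYPT_DIR:-$HOME/.crypt}"
MOUNT_DIR="${MOUNT_DIR:-$HOME/crypt}"
IDLE_MINUTES=15   # same idle timeout as the -i 15 used above

# Returns 0 if $1 is currently a mount point (Linux /proc/mounts;
# -s keeps grep quiet where that file does not exist).
is_mounted() { grep -qs " $1 " /proc/mounts; }

# Write a fresh token through the plaintext dir ($1) and make sure it
# never appears in the ciphertext dir ($2): not in any file's content and
# not in any file name. Returns 1 if plaintext leaks, 2 if the write fails.
verify_at_rest() {
  local plain="$1" cipher="$2" token rc=0
  token="encfs-check-$$-$(date +%s)"
  echo "$token" > "$plain/$token.txt" || return 2
  if grep -rqs "$token" "$cipher" || ls "$cipher" | grep -qs "$token"; then
    rc=1
  fi
  rm -f "$plain/$token.txt"
  return "$rc"
}

secret_main() {
  case "$1" in
    start)
      if is_mounted "$MOUNT_DIR"; then echo "already mounted" >&2; return 0; fi
      mkdir -p "$CRYPT_DIR" "$MOUNT_DIR"
      encfs -i "$IDLE_MINUTES" "$CRYPT_DIR" "$MOUNT_DIR" ;;
    stop)
      is_mounted "$MOUNT_DIR" || { echo "not mounted" >&2; return 0; }
      fusermount -u "$MOUNT_DIR" ;;
    verify)
      is_mounted "$MOUNT_DIR" || { echo "mount it first" >&2; return 1; }
      verify_at_rest "$MOUNT_DIR" "$CRYPT_DIR" \
        && echo "plaintext is not visible in $CRYPT_DIR" ;;
    *) echo "usage: $0 {start|stop|verify}" >&2; return 2 ;;
  esac
}

# Dispatch only when given a subcommand, so the file can also be sourced.
case "$#" in 0) ;; *) secret_main "$@" ;; esac
```

'secret verify' exits non-zero (and the name and content check tell you which) if ~/.crypt was ever mounted in the wrong direction or is just a plain copy of your files.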

Protecting yourself with a firewall

The standard Anchor firewall template is a good start for a notebook/home computer firewall. You may like to use something like this:

rules.filter

# allow all on loopback
{ input lo local; output lo local } accept;

# wired ethernet
input eth0 local {
        # FIXME: replace this with smarter ICMP filtering
        proto icmp accept;

        # reject auth instead of dropping it so that services
        # requiring it don't timeout
        proto tcp dport auth reject;

        # additional per-host include fragments
        include input.d

        # log and then unconditionally drop all other packets
        log text "Incoming" drop;
};

output eth0 local {
        # common output fragments
        include output.d

        log text "Outgoing" drop;
};

If you have a wireless adaptor, say eth1, just duplicate the above input and output sections for the eth1 adaptor.

I've found the following fragments help with everyday usage. Each fragment is one file in the include directory; the file name is shown above its rule.

input.d/ftp

proto tcp sport { ftp ftp-data } accept;

input.d/vpn

proto esp source { 202.4.235.107 59.167.253.146 } accept;
proto udp sport isakmp dport isakmp source { 202.4.235.107 59.167.253.146 } accept;

output.d/domain

proto { tcp udp } dport domain accept;

output.d/ftp

proto tcp dport { ftp ftp-data } accept;

output.d/hpprinter

proto tcp dport 9100 accept;

output.d/icmp

proto icmp accept;

output.d/ipmi

proto udp dport 623 accept;

output.d/jabber

proto tcp dport 5222 dest 10.108.62.254 accept;

output.d/mail

proto tcp dport { pop3 pop3s smtp submission } accept;

output.d/ntp

proto udp dport ntp accept;

output.d/rdp

proto tcp dport 3389 accept;

output.d/ssh

proto tcp dport ssh accept;

output.d/vnc

proto tcp dport 5900 accept;

output.d/vpn

proto udp sport isakmp dport isakmp dest { 202.4.235.107 59.167.253.146 } accept;

output.d/web

proto tcp dport { http https } accept;
