Securing a family computer installation

abstract: After automating the installation - which documents the installations and insures that all boxes have the designed structure and the documented security set - I want to study the way our computers and our data could be threatened and investigate the protection applied. Is the protection sufficient? Are there detectable holes?

Securing a family computer installation

After automating the installation - which documents the installations and insures that all boxes have the designed structure and the documented security set - I want to study the way our computers and our data could be threatened and investigate the protection applied. Is the protection sufficient? Are there detectable holes?

The collection of boxes consists of: - several desktops (me, christine, giorgoi) at two locations (in town, countryside) - several laptops (one each) - servers (i.e. various single board computers) for special purposes: - music (i.e. mpd) - print - sync (synchronizing the files between the different machines, similar to dropbox or other cloud services)

Threats

Assumptions

I assume that - updated Debian programs operate as described, - the cryptographic methods achieve what is expected, - the foe does not have access to the physical computer for more than an hour undisturbed. - the modem (rented from the provider) is blocking incomming traffic as default - the protection of the providers of services I use, i.e. a server provider and my internet provider, are not corrupted or breached.

Protecting measures

Theft or other loss of a computer.

Laptop can be stolen easily or lost; it seems that ministers of some countries have a habit to leave their laptops in a taxi. Dangerous is especially the disposal of a computer not used anymore, which goes with its disks with data into the garbage collection system.

If the physical box falls in the wrong hands, the only protection is a complete encryption of the disk; this needs further investigation, as I have not used this technology yet.

Attack thru the internet

Access to our local networks is thru a modem. The modem permits access from connected boxes to the internet, if the connection is initiated by the box (outgoing traffic); there is no login possible.

Only a limited number of boxes are acessible to the internet (incoming traffic). They need special considerations.

Prevent login

Passwords are required and should be hard to guess - especially for computers with sudo power; it should be possible, to get the password from the password store (or use visudo to avoid typing it in).

use ssh-agent to protect the private key which is required when the remote host texts the public key it has.

Login in

A attacker might try to login to an exisint account. Accounts which cannot get root level permissions (christine, giorgio and similar) are not problematic as they can only access their own files and there are no valuable secrets and no path to gain further access.

If data there are damaged, they can be reconstructed from backup; if partitions are encrypted by ransom software, synthing likely stops syncing - because the folder marks are missing or the disk in the sync server are overflowing and stop, but even if some files are encrypted, the previous state is available on the sync server and can be restored.

Carfuel: docker permission gives wheel permission!

It is possible to access one box and then jump to another one (using ssh); this feature is useful to connect from the outside to boxes not directly accessible in an emergency - but can be switched off (??)

foot: https://zanderwork.com/blog/jump-host/

All boxes are protected with fail2ban from login thru brute force guessing of passwords. This is important for the boxes accessible

q Should only key-based access to boxes be permitted? inside the netwok not really a benefit? What to do if I do not have the key? how to start the first connection?

footnote: box means a computer included and connected to the family network; other computerized devices may exist.

access to authorized hosts

With ssh-copy-id the remote ssh servers can be accessed with a key and do not rely on a password. The public-key of the initiating host is sent to the server and stored there (in authorized keys file).

The remote host contains the public key (in a directory non writable to others). The private key should be protected by a passphrase and use an agent to avoid typing it in often.

THere seem to be two factor authorization (via mobile phone) possible:

access to stored passwords in browser

The passwords can be stored in a password manager (preferably UNIX pass) and protected with a passphrase. The passphrase protects against all methods to acquired a copy of the stored data - the keys cannot extracted without the passphrase.

To avoid to enter the passphrase each time a key is used (e.g. to login to a web page or an ssh server), the passphrase is cached for a certain time period on the running system by an software agent, which authorizes the password use.

The passphrase is valid in an agent for a certain amount of time

Two factor authorisation U2A

The Universal two-factor authorization protocol can be used to authorize the use of the passphrase given on another device. It is two factors as not only the storage is (on the computer) is required but an additional device (e.g. the mobile phone). An attacker would then to break into the phone, or just steal it, to effecutuate the authorization; this would usually require to log on to the mobile phone with a fingerprint, a pattern or a password.

I will assume that the phone is (independently) secured and accept the authorization as valid. The situation that the mobile phone is taken from the user and used to access the passphrase on the equally taken computer is not a considered threat. Approaches to control and secure the mobile phones comes later.

Practicality

An ideal solution would be to use one, secure password manager. The obvious choice would be Unix pass. The issue is how well it integrates with the browser, because the browser is where passwords are most used; passwords are further used when opening bank applications, the ansible vault etc.

Pass integration into firefox browser with passFF

A third-party FOSS plugin for Firefox exists; it is, in principle, easy to install (from github page) and works -- when one has finally understood how the designer wants to store the passwords and the url they relate to. It is possible to store the passwords, but each entry requires some manual operations, whereas password managers which are fully integrated with a browser do automatically store new and changed passwords (with the danger that passwords end up in the password file which should not).

password store synced

The password store (in `~/.password-store) can be in a synced directory (Data) and replace with a symlink. The file is then synced (not using git, which is somewhat tricky when the git file is in a synced directory; syncthing does not understand git and vice versa).

Decision

For the time being, I will work with the passFF (but should probably install keepassXC on christine's computer; which is much better integrated and mostly automatic). The advantage of keepassXC over the built-in password manager in Firefox is that the location of the file storage can be selected freely (and thus synced with syncthing and not with Firefox sync).

There seem to be a android version for password: https://android-password-store.github.io/docs/users/release-channels

missing: export from firefox and import (attention: passwords in plain text!)

I guess I am forced to use both, the Unix password and keepassXC; the first for improved security and independence from a company, the second for the improved integration with Firefox. PassFF is an option, but too cumbersome to add new keywords (questionable argument!) - perhaps once the keywords are installed...

For Christine, keepass should be all what is needed.

Open: can I use pass to fill the key for keepass? is a simple key and a keyfile which is not synced or synced in a different partition a sufficient protection for web keywords.

The important passwords are those for: - email accounts (which can be used to retrieve a lost password) - bank accounts - accounts which allow orders (e.g. amazon, pollini)

Those would have to be stored in pass.

Produced with SGG on with master5.dtpl.