An encrypted root file system protects your data best when the computer is powered off. But most of the time your computer is powered on, and an intruder who gets his fingers on it while it is running could easily extract your private data. If you have already encrypted your root file system, here are some suggestions on how to increase the security even further.
pam_faildelay.so to prevent brute force attacks
Most people with encrypted root file systems enter a very long passphrase at boot time to unlock the encrypted root partition. Using a long passphrase at boot is sustainable. But entering a 30 character passphrase each time "su root" is issued, that's a real pain in the ass. Therefore, I'm using much shorter passphrases for the local user accounts. This opens up a slight opportunity for an intruder to replace the keyboard with some kind of brute force device and thereby crack the root password. To minimize this threat, I'm using the PAM module pam_faildelay.so to get a 30 second delay after each failed login attempt. This means an intruder would be able to check only two passwords per minute, which makes a brute force attack much harder. Simply add "auth required pam_faildelay.so delay=30000000" to /etc/pam.d/login (the delay value is given in microseconds, so 30000000 is 30 seconds).
Screensaver with password protection
I’m using gnome-screensaver to blank the screen and lock the computer with a passphrase. Some people say that XScreenSaver is more secure. I can’t, however, find any real evidence for this.
A password protected screensaver, no big deal, aight? But for the password protection to be secure, it's necessary to make absolutely sure that the option to kill the X server by hitting CTRL+ALT+Backspace is disabled. Otherwise the screensaver password protection would be useless. It's also recommended that the screensaver uses pam_faildelay.so to prevent brute force attacks. Add "auth required pam_faildelay.so delay=30000000" to /etc/pam.d/gnome-screensaver.
Update: Disabling CTRL+ALT+Backspace isn't enough. If the X server is started from the console ("startx"), the screensaver protection can easily be overridden by switching to the console (CTRL+ALT+F1) and pressing CTRL+C to kill the X server. Solution: do not start X from the console. Instead, use a display manager like gdm or kdm.
Lock computer when WLAN is out of range
An intruder might steal your computer just before the screensaver has activated. By moving the mouse, the intruder prevents the screensaver from activating and then has unlimited time to finish his work. Before he extracts your private data, he will probably move away to a safe place. To prevent this type of attack, I've written a little script that activates the screensaver when the computer is moved to a place where your wireless network is out of range. The script relies on SSID scans, so an up and running wireless connection isn't necessary. Let the cron daemon execute the script every 5 minutes. It's very important that the script is executed as the user logged in to the X environment. Otherwise the screensaver won't activate.
#!/bin/sh
MY_SSID="MyHomeNetwork"   # placeholder: the ESSID of your own wireless network
export DISPLAY=:0          # cron jobs have no DISPLAY; point this at the user's X display
SSID_SCAN=$(iwlist wlan0 scanning)
AVAILABLE_NETWORKS=$(echo "$SSID_SCAN" | grep -c "$MY_SSID")
if [ "$AVAILABLE_NETWORKS" -lt 1 ]; then gnome-screensaver-command --lock; fi   # lock via gnome-screensaver, as used in this post
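A more careful version of the check, added here as an example and not the original script: it matches the ESSID exactly rather than as a substring (so a neighbour's "Home-Guest" does not count as your "Home"), treats an empty or failed scan as its own condition instead of silently locking, and keeps the decision in a function so it can be tested on captured scan output. The interface name, the SSID, the display number and the sample scan output are assumptions.

```shell
#!/bin/sh
# Decide what to do given the raw output of "iwlist <iface> scanning".
# Prints "lock", "stay" or "noscan". The ESSID is matched as a whole line,
# so an SSID that merely contains ours does not keep the screen unlocked.
should_lock() {
    scan="$1"
    wanted="$2"
    if [ -z "$scan" ]; then
        echo noscan        # interface down or scan failed: no data to decide on
        return 0
    fi
    # iwlist prints one indented line per cell in the form:  ESSID:"name"
    if printf '%s\n' "$scan" | sed 's/^[[:space:]]*//' | grep -Fxq "ESSID:\"$wanted\""; then
        echo stay
    else
        echo lock
    fi
}

# Constructed sample in iwlist's output format (not a real capture).
SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"Home-Guest"
                    Quality=60/70  Signal level=-50 dBm
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"Neighbour"'

# Real scan only when invoked with --run, e.g. from the user's crontab:
#   */5 * * * * /home/user/bin/wlan-lock.sh --run      (path is a placeholder)
if [ "${1:-}" = "--run" ]; then
    MY_SSID="Home"         # assumption: your own network's ESSID
    export DISPLAY=:0      # cron has no DISPLAY; assumption: the X session is on :0
    case "$(should_lock "$(iwlist wlan0 scanning 2>/dev/null)" "$MY_SSID")" in
        lock) gnome-screensaver-command --lock ;;
    esac
fi
```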