Already encrypted your root file system? Tricks for even more security.

An encrypted root file system protects data best when the computer is powered off. But most of the time your computer is powered on. An intruder who gets his fingers on your computer while it's powered on could easily extract your private data. If you have already encrypted your root file system, here are some suggestions on how to increase the security even more.

Pam_faildelay.so to prevent brute force attacks

Most people with encrypted root file systems enter a very long passphrase at boot time to unlock the encrypted root partition. The use of a long passphrase at boot is sustainable. But entering a 30 character passphrase each time "su root" is issued, that's a real pain in the ass. Therefore, I'm using much shorter passphrases for the local user accounts. This opens up a slight opportunity for an intruder to replace the keyboard with some kind of brute force device and thereby crack the root password. To minimize this threat, I'm using the PAM module pam_faildelay.so to get a 30 second delay after each failed login attempt. This means an intruder would be able to check only two passwords per minute, which makes a brute force attack much harder. Simply add "auth required pam_faildelay.so delay=30000000" to /etc/pam.d/login.

Screensaver with password protection

I’m using gnome-screensaver to blank the screen and lock the computer with a passphrase. Some people say that XScreenSaver is more secure. I can’t, however, find any real evidence for this.

A password protected screensaver, no big deal, aight? But for the password protection to be secure, it's necessary to make absolutely sure that the option to kill the X server by hitting CTRL+ALT+Backspace is disabled. Otherwise the screensaver's password protection would be useless. It's also recommended that the screensaver uses pam_faildelay.so to prevent brute force attacks. Add "auth required pam_faildelay.so delay=30000000" to /etc/pam.d/gnome-screensaver.

Update: Disabling CTRL+ALT+Backspace isn't enough. If the X server is started from the console ("startx"), the screensaver protection can easily be overridden by switching to the console (CTRL+ALT+F1) and hitting CTRL+C to kill the X server. Solution: do not start X from the console. Instead, use a display manager like gdm or kdm.
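Added example, not from the original post: a small POSIX shell audit helper that reads a PAM service file and reports the pam_faildelay.so delay in seconds, so you can confirm that both /etc/pam.d/login and /etc/pam.d/gnome-screensaver (the two files named above) really enforce the 30 second delay. pam_faildelay takes its delay= argument in microseconds, which is why 30000000 means 30 seconds. The function names and the sample PAM lines are my own; the file paths are the ones the post uses.

```shell
#!/bin/sh
# Audit helper (added example): report the pam_faildelay.so delay, in
# whole seconds, configured in a PAM service file.
#
# Usage: pam_faildelay_seconds /etc/pam.d/login
# Prints the delay and returns 0 when a non-commented
# "auth ... pam_faildelay.so ... delay=<microseconds>" line exists;
# prints nothing and returns 1 otherwise.
pam_faildelay_seconds() {
    file="$1"
    [ -r "$file" ] || return 1
    # Drop comment lines, keep auth lines that load pam_faildelay.so,
    # and pull out the delay= value (microseconds) of the first one.
    usec=$(grep -v '^[[:space:]]*#' "$file" \
        | grep 'pam_faildelay\.so' \
        | grep '^[[:space:]]*auth' \
        | sed -n 's/.*delay=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$usec" ] || return 1
    echo $((usec / 1000000))
}

# Check that every listed service enforces at least MIN seconds of delay.
# Usage: check_faildelay 30 /etc/pam.d/login /etc/pam.d/gnome-screensaver
# Prints one line per service; returns 1 if any service is missing the
# module or configured with a shorter delay.
check_faildelay() {
    min="$1"; shift
    rc=0
    for svc in "$@"; do
        secs=$(pam_faildelay_seconds "$svc" || true)
        if [ -z "$secs" ]; then
            echo "$svc: pam_faildelay.so not configured"
            rc=1
        elif [ "$secs" -lt "$min" ]; then
            echo "$svc: delay is ${secs}s, want at least ${min}s"
            rc=1
        else
            echo "$svc: delay is ${secs}s (ok)"
        fi
    done
    return $rc
}

# Stand-alone use on a real system (the post's own paths):
# check_faildelay 30 /etc/pam.d/login /etc/pam.d/gnome-screensaver
```

Run it as root after editing the PAM files; a non-zero exit means at least one of the services would still let an attached brute force device try passwords at full speed. Note that the helper only inspects the file you name: if your distribution pulls the auth stack in through an @include such as common-auth, check that included file as well.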

Lock computer when WLAN is out of range

An intruder might steal your computer just before the screensaver activates. By moving the mouse, the intruder prevents the screensaver from activating, and then has unlimited time to finish his work. Before he extracts your private data, he will probably move away to a safe place. To prevent this type of attack, I've designed a little script that activates the screensaver when the computer is moved to a place where your wireless network is out of range. The script relies on SSID scans, so an established wireless connection isn't necessary. Let the cron daemon execute the script every 5 minutes. It's very important that the script is executed as the user logged in to the X environment; otherwise the screensaver won't activate.

#!/bin/bash
# Lock the screen when the home wireless network is out of range.
# Run from the X user's own crontab, e.g. every 5 minutes, with DISPLAY
# set (usually :0) so gnome-screensaver-command can reach the session's
# screensaver; some gnome-screensaver versions also need the session
# D-Bus address (DBUS_SESSION_BUS_ADDRESS) in the environment.

# SSID of the network the computer is normally within range of
MY_SSID="ssid"
AVAILABLE_NETWORKS=0

# Passive SSID scan; no association to the network is needed
SSID_SCAN=$(iwlist wlan0 scanning)

# Count the scan result lines that mention our SSID (quoted, so the
# scan output keeps its line structure)
let AVAILABLE_NETWORKS=AVAILABLE_NETWORKS+$(echo "$SSID_SCAN" | grep -c "$MY_SSID")

# Our network is out of range: activate (lock) the screensaver
if [ "$AVAILABLE_NETWORKS" -lt 1 ]
then
  gnome-screensaver-command --activate
fi
