agnos.is Forums


What is your privacy and security setup? How lengthy will you go to protect your privacy and security? Share your setup.

  • ? Guest

    Have you considered running Wireguard or Headscale instead of keeping SSH open? I don't know how big an issue it is since you've changed the SSH port and use keys, but opening SSH in any respect freaks me out.

    pathief@lemmy.worldP This user is from outside of this forum
    [email protected]
    wrote on last edited by
    #12

    You can (and should) disable password authentication and force the use of public/private keys. SSH is very handy.

    M 1 Reply Last reply
    0
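Added example, not code posted by anyone in this thread: a small Python audit of an `sshd_config` for the point made in #12, listing every way a client could still log in without a key. It assumes stock OpenSSH defaults, reads one file without following `Include`, and runs on constructed sample configs; on a live host `sshd -T` prints the effective settings.

```python
"""Audit sshd_config text for login paths that do not require a public key."""

# ChallengeResponseAuthentication is the deprecated name for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Assumed stock OpenSSH defaults; distributions often ship different values.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",
    "authenticationmethods": "any",
}


def parse_global(text):
    """Return (global settings, [(match criteria, keyword, value), ...]).

    sshd keeps the FIRST value it reads for a keyword, so a later duplicate
    in the global section changes nothing. Lines after a Match line apply
    only to matching connections and are collected separately.
    """
    cfg, overrides, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
        elif current_match is not None:
            overrides.append((current_match, key, value.lower()))
        elif key not in cfg:
            cfg[key] = value.lower()
    return {**DEFAULTS, **cfg}, overrides


def non_key_login_paths(cfg):
    """List the method combinations that let a client in without a key."""
    enabled = set()
    if cfg["passwordauthentication"] == "yes":
        enabled.add("password")
    # keyboard-interactive is how PAM prompts for a password (and/or TOTP).
    if cfg["kbdinteractiveauthentication"] == "yes" and cfg["usepam"] == "yes":
        enabled.add("keyboard-interactive")
    if cfg["authenticationmethods"] == "any":
        return sorted(enabled)
    paths = []
    # Space-separated alternatives; each is a comma list that must ALL succeed.
    for method_list in cfg["authenticationmethods"].split():
        methods = [m.split(":", 1)[0] for m in method_list.split(",")]
        if all(m in enabled for m in methods):
            paths.append(method_list)
    return paths


def audit(text):
    cfg, overrides = parse_global(text)
    findings = [f"login without a key possible via: {p}"
                for p in non_key_login_paths(cfg)]
    for criteria, key, value in overrides:
        if key in ("passwordauthentication",
                   "kbdinteractiveauthentication") and value == "yes":
            findings.append(f"Match {criteria} re-enables {key}")
    return findings


# Constructed sample configs (not taken from any poster's server).
PORT_ONLY = """
Port 2222
UsePAM yes
"""
HALF_FIXED = """
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""
KEYS_ONLY = """
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication yes
"""
KEY_OR_TOTP = """
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey keyboard-interactive:pam
"""

if __name__ == "__main__":
    for name in ("PORT_ONLY", "HALF_FIXED", "KEYS_ONLY", "KEY_OR_TOTP"):
        print(name, audit(globals()[name]) or "keys only")
```

For the last sample, the keyboard-interactive path is only as strong as the PAM stack behind it, which this script does not read.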
    • N [email protected]

      Same thought here ! Wireguard being based on private/public key, even if the port is open every request that doesn't have a valid private/public key gets dropped !

      From a bot's perspective this means the port is closed !

      I'm not an expert in the field but there's also a way to only use key-based connection with SSH, but I'm not sure how good/secure it is compared to wireguard.

      As you said, I'm also too scared to let an open SSH server run on my small home lab 😅 !

      J This user is from outside of this forum
      [email protected]
      wrote on last edited by
      #13

      Key-based connection with SSH

      I'm not certain on how secure this is, but what you're referring to is usually called "Passwordless SSH"

      1 Reply Last reply
      0
      • N [email protected]

        Another use case for your phone: encrypted backup for docker containers ! Nowadays they come with a lot of spare space (over 120 GB). Encrypted, scrambles file/directory names and archived !

        I wouldn't backup any critical data this way though ! It's more an "in case" emergency backup for docker database and config volumes !

        libb@jlai.luL This user is from outside of this forum
        [email protected]
        wrote on last edited by
        #14

        I've heard the name, but don't know what a docker is used for. Kinda like a vm? Not really a geek, I'm afraid 😉

        N 1 Reply Last reply
        0
        • libb@jlai.luL [email protected]

          I've heard the name, but don't know what a docker is used for. Kinda like a vm? Not really a geek, I'm afraid 😉

          N This user is from outside of this forum
          [email protected]
          wrote on last edited by
          #15

          Ohhhh ! Docker containers are awesome. If you have an old spare laptop lying around (or you know someone who has) give it a try, it's fantastic ! It's similar to a virtual machine but different ! It solves the big issue virtual machines have: fast, portability, lightweight, memory efficient.... It shares the underlying OS !

          I have a 10-year-old laptop which is going strong with over 21 docker containers which couldn't be possible with VMs ! You can host any imaginable service (if available as docker image) in seconds, behind a reverse proxy and access it through your LAN (or externally over a Wireguard connection).

          Let's take a media workflow example, if you want to get rid of something like YouTube music, spotify, deezer... and maintain your music library and own your music:

          You can self-host:

          • Navidrome to maintain your music library
          • MeTube to download YouTube music (yt-dlp frontend)

          Install NewPipe (Hope you're on Android :s) and HTTP-shortcuts to glue everything together ! HTTP-shortcuts allows you to communicate with your self-hosted MeTube service via POST/GET requests and send your files directly to your MeTube instance via NewPiped. You can then have a background script on your server which removes and changes the pesky YouTube metadata and sends your files to your Navidrome service !

          This is a rather "complex" workflow but just to say it's possible. Sure, depending on your skills with your OS it will take some time to get accustomed to docker containers and the like ! It took me approximately 1 year to really get accustomed to all this new workflow (and get the hang of linux), but now it's only a matter of minutes !

          libb@jlai.luL 1 Reply Last reply
          0
          • T [email protected]

            Just wanted to share my setup and see if anyone has suggestions or feedback. Also share yours.

            Phone : GrapheneOS(pixel 7a)

            1. No google play service on my main profile. Rethink DNS (NextDNS DoH) blocks ads, trackers, and all Google & Facebook DNS (except WhatsApp).

            2. Some FOSS apps like Aurora Store & NewPipe need Google servers, so I have excluded them in rethink dns.

            3. Work Profile (with Island) with GrapheneOS’ sandboxed Play Services, but I use it maybe once or twice a month only for apps that absolutely need it. It stays turned off most of the time.
              If an app works on main profile without any issues, will use it. If not, will try to use it in firefox (as lack of play services doesn't matter). If only app is available (and not web version) and it doesn't work on main profile, will use it in work profile.

            4. Hardened Firefox fork(Ironfox) for private browsing. Main Firefox for a few services where I have to stay logged in and don't have apps or want to use their apps.

            5. Network & Sensor Restrictions: If an app works offline, I block its internet access. Also, disabled sensors for apps that don’t need them.

            6. Mostly use foss apps from f-droid(droidify).

            7. Email: moved from gmail to protonmail

            PC/laptop: Arch linux kde on pc and fedora kde on laptop.

            1. Not much to say. Most used apps are firefox and Zed. I allow data collection on kde as I want them to improve it.

            Home Server: Raspberry Pi 4B

            1. SSH hardening: Non standard ssh port(yes, I opened the port externally because I depend on my home server and need to access it remotely). SSH keys or password+totp, Fail2Ban, ufw.
            2. Services running: Arr setup(jellyfin, prowlarr, radarr,sonarr, qbittorrent), pihole, Immich, Authelia(for now). All data sensitive services behind authelia with totp.
            3. Nginx Geo-blocking: Only allows access from my country IPs
            4. Weekly backups because data loss sucks.

            Network & Router: OpenWRT (TP-Link)

            1. Not much to say: Running default firewall rules with network-wide ad/tracker blocking via pihole and some ports opened.
            T This user is from outside of this forum
            [email protected]
            wrote on last edited by
            #16

            Sharing privacy and security setups, the digital equivalent of leaving a detailed map to your treasure chest and then wondering why pirates are interested. True privacy, as a concept, becomes a rather slippery thing when you attempt to explain it publicly. It’s a paradox, isn't it?

            I'll share a "true" secure setup. Four laptops: secure communications, normal communications, a decoy, and an “airgap” (a computer that had never gone and would never go online).

            M charger8232@lemmy.mlC ? 3 Replies Last reply
            0
            • pathief@lemmy.worldP [email protected]

              You can (and should) disable password authentication and force the use of public/private keys. SSH is very handy.

              M This user is from outside of this forum
              [email protected]
              wrote on last edited by
              #17

              Why not both

              1 Reply Last reply
              0
              • T [email protected]

                Sharing privacy and security setups, the digital equivalent of leaving a detailed map to your treasure chest and then wondering why pirates are interested. True privacy, as a concept, becomes a rather slippery thing when you attempt to explain it publicly. It’s a paradox, isn't it?

                I'll share a "true" secure setup. Four laptops: secure communications, normal communications, a decoy, and an “airgap” (a computer that had never gone and would never go online).

                M This user is from outside of this forum
                [email protected]
                wrote on last edited by
                #18

                Let's see: TAILS, Fedora/Debian, Windows and OpenBSD?

                1 Reply Last reply
                0
                • libb@jlai.luL [email protected]

                  Not much

                  • Full disk encryption on my computers.
                  • Password manager, for strong & unique passwords everywhere
                  • Linux as my OS
                  • Firewall.
                  • Backups: local (encrypted) and remote (encrypted).
                  • Computers are all wired to the network, no WiFi.
                  • Also, I use my phone as a... phone and for little else.
                    I mean, there is a 2FA app and the few mandatory apps I must have access to (finance, and banking) and that is it. No social, no games, no nothing. Not even email is configured on that trash piece of corporate spyware. I sincerely consider it a threat to our privacy so I don't trust it beside what I have no option to trust it with. I also suppose that this device, even though I deactivated the setting, is constantly listening to what we say nearby. So, when I don't need it, I store it in a thick box to reduce whatever it may be recording.
                  • I use as little digital tools as I can. I went back to analog (ie, for my agenda and I hardly see any reason to go back to digital). I take all my notes longhand too, and it's been more than a year I have not read an ebook as I went back to analog there too. Why? No spying, no tracking of what I read and what I write. And no sudden 'termination' of services or 'removal' of a book from my device for any reason.
                  M This user is from outside of this forum
                  [email protected]
                  wrote on last edited by
                  #19

                  I'd wrap it in a towel inside the box. Have you considered making a DIY Faraday cage? I've been thinking about it but my physics isn't very good

                  libb@jlai.luL 1 Reply Last reply
                  0
                  • T [email protected]

                    Sharing privacy and security setups, the digital equivalent of leaving a detailed map to your treasure chest and then wondering why pirates are interested. True privacy, as a concept, becomes a rather slippery thing when you attempt to explain it publicly. It’s a paradox, isn't it?

                    I'll share a "true" secure setup. Four laptops: secure communications, normal communications, a decoy, and an “airgap” (a computer that had never gone and would never go online).

                    charger8232@lemmy.mlC This user is from outside of this forum
                    [email protected]
                    wrote on last edited by
                    #20

                    Sharing privacy and security setups, the digital equivalent of leaving a detailed map to your treasure chest and then wondering why pirates are interested.

                    There's actually two distinct ideas here:

                    1. "Sharing your setup leads to insecurity"
                      If this were true, then software being open source would make it insecure. It simply isn't true, most of the time. While yes, making your setup public can lead to spotted flaws that can be exploited, in general it has no effect so long as you trust the system you use. For example, I could give you my encrypted KeePass database file, and feel relatively certain that my passwords are safe. It isn't a good idea for me to do that, because it leads to an increased attack surface, but until you manage to brute force the password for it or a zero day is found in how the database is stored, my passwords are still safe.

                    2. "Sharing your setup makes you a target"
                      To a degree, this can be true. The Streisand effect is evidence that this can happen. Again, though, as long as you anonymize some specific portions of your setup that can directly be used to exploit you, you will remain safe. I've shared my setup in the past (although it's quite outdated by now), because I trust the way it is set up.

                    1 Reply Last reply
                    0
                      max_dryzen@mander.xyzM This user is from outside of this forum
                      [email protected]
                      wrote on last edited by
                      #21

                      I use the free tier of a non-M/G email provider, and keep my use of email to a minimum. I would happily pay for it in cash but I haven't found that provider yet, and Stripe hates prepaid cards. A lot of discretionary shopping is done in cash

                      Credentials are local and employ entries from a custom dictionary I made with vocab that combines multiple languages with randomized letter substitutions, to which a random string is added (it's probably no more secure than a random string alone but I enjoyed getting some sed XP, sue me)

                      Certain browsing habits and needs have their own browser profile. I used to attempt user agent obfuscation but further reading suggests spoof attempts are trivial to detect by even crude scripts

                      The one layer that never gets enough study is hardware and software compartmentalization. The demand for sync everywhere always is itself a threat vector

                      Media consumption is LAN only sourced from p2p networks 🤌

                      ? 1 Reply Last reply
                      0
                        libb@jlai.luL This user is from outside of this forum
                        [email protected]
                        wrote on last edited by
                        #22

                        Thx a lot for the explanation 🙂

                        1 Reply Last reply
                        0
                        • M [email protected]

                          I'd wrap it in a towel inside the box. Have you considered making a DIY Faraday cage? I've been thinking about it but my physics isn't very good

                          libb@jlai.luL This user is from outside of this forum
                          [email protected]
                          wrote on last edited by
                          #23

                          I’d wrap it in a towel inside the box. Have you considered making a DIY Faraday cage? I’ve been thinking about it but my physics isn’t very good

                          I may consider doing that, thx.

                          1 Reply Last reply
                          0
                            potemkinhr@lemmy.mlP This user is from outside of this forum
                            [email protected]
                            wrote on last edited by
                            #24

                            Various stuff, some not best practice per se but here it is (more focused on digital sovereignty than anything else these days):

                            • Degoogled my android phone to the greatest degree without breaking essential stuff. Noticed better battery life so an unintended win
                            • moved off from Outlook to paid hosted email in my country. Cheap, reliable and have full control over it. Also in case of any issues way easier to get support
                            • Cancelled M365 subscription as I don't use office and was using it purely for cheap OneDrive backup for family
                            • Moved all my files for me and my family off of OneDrive to my Synology NAS. Ended up using more of its functionality, happy with the purchase. Doing the occasional backup to the external drive just in case
                            • Ditched proprietary authentication apps in favor of Keepassxc. TOTP codes on any synced device so if I lose my mobile phone I don't get locked out of anything. Local only was mandatory
                            • For work stuff I use ente auth, separating work and private MFA
                            • Replaced windows on all my machines with linux. It's become more user friendly in recent years and does not get in my way.
                            • Replaced all US service providers with EU ones where possible, if any service gets cut off for EU I won't lose access to anything important, never know with Trump these days...
                            1 Reply Last reply
                            0
                              M This user is from outside of this forum
                              [email protected]
                              wrote on last edited by
                              #25

                              Limitations

                              • Debian with XFCE: I want all of my Linux machines, both older and newer, fast and slow, to be consistent, with the GUI customized to my taste. I accept that I will miss out on whatever security benefits Wayland or distros like secureblue may provide.

                              • Networking: In the grand scheme of things, I know jack shit about networking. OPNsense, Pi-Hole, VPN, etc. would probably help my cause but I have yet to implement many network-based measures.

                              • Corporate conveniences: There are colleagues I need to reach with Whatsapp or SMS and there is software for my job that requires Windows. I try to sequester all of this among my work devices.

                              All of my frequently-used computers on Linux have "hardened Debian"

                              • hardened to the best of my ability according to Madaidan, with compromises to avoid obstructing day-to-day work
                              • LUKS encryption
                              • MAC randomization
                              • Mullvad DNS
                              • Hyper-threading disabled
                              • Rootless Xorg
                              • Firewall defaulting to deny
                              • unattended-upgrades
                              • LibreWolf
                              • Passwords in KeePass

                              Personal devices

                              • Desktop: The usual software. Non-FOSS components are mostly gaming-related.

                              • Server: Jellyfin, NAS, Local LLM / Stable Diffusion, and secondary workstation, each hosted on LAN in their own VMs. SSH password authentication disabled. Would like to set up a VPN so I can access it away from home someday.

                              • Backups: weekly to server, which is pulled to an offline encrypted 8TB disk about monthly. Repeat for the off-site disk that I store in a drawer at work.

                              Phone:

                              • Pixel with GrapheneOS and FOSS apps only
                              • Messaging primarily using Molly (Signal client)
                              • Email from important work and family contacts forwarded to my inbox on PurelyMail
                              • Looking to get a non-KYC eSIM once I learn how to pay in Monero
                              • Mullvad DNS

                              The "DMZ"

                              • Tablet: Samsung Tab A7 Lite received as a gift. Installed an AOSP GSI ROM (no Google Play services or GApps), mostly used as a NewPipe and travel device.

                              • Laptop: ThinkPad X230 with Coreboot and soft-disabled Intel ME. Also hardened Debian with the usual software, nearly all FOSS components with the exception of intel-microcode and the VGA option BIOS. I say it's the DMZ since personal stuff resides here, but most of my work also ends up here. Logged in to work-related websites and email in a separate user profile for LibreWolf.

                              "Work" devices (for context, work has BYOD policy and does not provide devices for us to bring home)

                              • Laptop: can't be bothered anymore to fuss with Windows VMs or debloating that go stale twice a year, so I just bring a separate lightweight ThinkPad with full-fat Windows for everything that requires it. While some proprietary software packages support Linux, I'll also just throw the Windows versions on this laptop.

                              • Backup Phone (unused for now): Samsung XCover Pro with removable battery, waiting for the day I encounter apps that demand a stock version of Android. When not in use, the battery is removed.

                              Phone:

                              • Old Pixel with GrapheneOS
                              • Nothing I use really needs Google Play services
                              • One user profile for work apps, including proprietary 2FA and Slack
                              • Another user profile for various proprietary apps that aren't necessarily work-related, but that I'm not entirely comfortable having on my personal phone.
                              • T [email protected]

                                Sharing privacy and security setups, the digital equivalent of leaving a detailed map to your treasure chest and then wondering why pirates are interested. True privacy, as a concept, becomes a rather slippery thing when you attempt to explain it publicly. It’s a paradox, isn't it?

                                I'll share a "true" secure setup. Four laptops: secure communications, normal communications, a decoy, and an “airgap” (a computer that had never gone and would never go online).

                                Guest
                                wrote on last edited by
                                #26

                                security in obscurity is a farce. if your system fails upon techniques being revealed, it's not very secure.

                                • max_dryzen@mander.xyzM [email protected]

                                  I use the free tier of a non-M/G email provider, and keep my use of email to a minimum. I would happily pay for it in cash but I haven't found that provider yet, and Stripe hates prepaid cards. A lot of discretionary shopping is done in cash

                                  Credentials are local and employ entries from a custom dictionary I made with vocab that combines multiple languages with randomized letter substitutions, to which a random string is added (it's probably no more secure than a random string alone but I enjoyed getting some sed XP, sue me)

                                  Certain browsing habits and needs have their own browser profile. I used to attempt user agent obfuscation but further reading suggests spoof attempts are trivial to detect by even crude scripts

                                  The one layer that never gets enough study is hardware and software compartmentalization. The demand for sync everywhere always is itself a threat vector

                                  Media consumption is LAN only sourced from p2p networks 🤌

                                  Guest
                                  wrote on last edited by
                                  #27

                                  Protonmail allows payment in cash, I believe you send it per mail to Switzerland.

                                  • ? Guest

                                    security in obscurity is a farce. if your system fails upon techniques being revealed, it's not very secure.

                                    T This user is from outside of this forum
                                    [email protected]
                                    wrote on last edited by
                                    #28

                                    security in obscurity is a farce. if your system fails upon techniques being revealed, it’s not very secure.

                                    I agree, yet it's a supplementary benefit, not a substitute for genuine security.
