I got mysteriously affected by taking a computer security course at university. It’s not that I knew nothing about computer security before – it’s always been kind of a favourite subject of mine. It’s also not that I didn’t care about it at all before either. It’s just that I … couldn’t bother with it. It requires a lot of effort, right? Cumbersome?

Actually, no.

I guess that’s what the course taught me. Basic security doesn’t have to be that hard. Most things are actually pretty easy on a day-to-day basis, once you have learned them.

Lest I forget, here are some topics I’m interested in exploring, potentially learning and applying to my machines, in no particular order.

• Firewall configuration for a server. A simple “default deny” firewall shouldn’t be that hard to set up. I want one.

  Status: Success!

• Firewall configuration for a laptop. 99.5% of the time, my laptop is behind a NAT box and not directly accessible from the internet. This puts slightly different requirements on the firewall rules, I suspect. I want to know what those requirements are.

• Other security concerns on an untrusted local network. There are plenty of exploits available to someone who is physically connected to the same network as you. I want to find out what those are and how to become immune to them.

  Status: Step one, dns, tackled!

• Day-to-day use of OpenPGP. I’m starting to get comfortable with the OpenPGP protocol, but I feel like there are many areas where I could use it a lot more than I do.

  Status: This has turned out to be a thing where I learn just a little bit every week from using it. Making a huge dive into it is probably unreasonable.

• _gpg_ agent forwarding. At the moment, I install my private keys on remote machines. I learned today that this is not necessary – gpg on the remote machines can be configured to communicate with the gpg agent on my local machine, thus keeping my keys closer to my body.
• OpenPGP smart cards. Yet another way to keep my keys close to my body is by literally carrying them on my body at all times, never letting them touch a computer. This would be both convenient and secure, but I’m not there yet.

• SELinux. Stop disabling SELinux!

  Status: SELinux integration was the deciding factor when I installed CentOS on my desktop computer. Unfortunately, I have still not had any reason to learn SELinux, because on CentOS, it just … works without any human intervention at all.

• Log watching. I want to get emails for any log messages on my system that I haven’t explicitly told the computer are part of the set of “normal” log messages.

  Status: I have the basic built-in log watching with daily summaries enabled on my FreeBSD gateway, but I have not done anything more extreme. I have also installed Ganglia on a couple of machines at home to monitor continuously varying values, but this is not hooked up to any alerting function.

• Passwordless setups. Passwords, when used as the only form of authentication, have to be communicated to anyone who wants to confirm your identity. That sucks.

  Status: I’m not planning on going straight from a 6 character password to no password authentication at all (which is effectively the same as a password of infinite length) but I do approach that territory slowly, by increasing the length of my passwords little by little, and using them less and less in favour of alternate means of authentication. I am a religious user of ssh keys, I have configured my vpn (see below) to use certificate based tls authentication, and when I encrypt stuff I do it with public key cryptography rather than shared secrets. Passwordless sudo is also part of the picture.

• vpn. I have previously never felt any good reason to learn about vpn software, but at some point, I felt like setting a vpn server up on the home gateway.

  Status: It is so good. Not only can I connect to it on any untrusted network and instantly feel very safe, it also enables a large degree of convenience: I have very little confidentiality measures installed for traffic from the local network, but with the vpn I am connected to the local network regardless of where I am!

Changelog

• 2017-07-09: Added two more things to the list.

-2018-01-22: Elaborated a bit on vpn, SELinux, log watching,