Secure CentOS 7 Server
-
We have a guideline for a secured host, be it Windows or Linux. On our stuff we deploy our images, we have processes for others. We don't have one for CentOS 7, mostly because we are not deploying it yet.
-
No shame whatsoever in wanting privacy. Privacy is a basic right. No citizen of their own country deserves to be spied on. In the last 15 years Americans and Europeans have decided to give up freedom for security. That is always a loss in my book. Especially when the so called "security" has done nothing to stop any type of attack. The odds of dying from any type of terror is less than being attacked by a shark.
-
@IRJ
But how do we prove it when everything is wrapped up in secrecy?How do we know that a major landmark was saved by security, or 100s of people did not train due to a bombing on a train, we just don't know.
-
@Breffni-Potter I dislike secrecy -- especially in the government... If the government is going to do something, at least be bold enough to tell the public about it... Even if it is after the fact. Otherwise it comes out as a "leak" around election time and detracts from the real issues that the American public is facing.
-
@Aaron-Studer said:
My first thought was about securing the root login so that Digital Ocean could not login to my server. With a public SSH key, that seems pretty easy to do, but you have to remember that Digital Ocean has console so in theory could still get in.
None of that protects against the host getting in at all. Remember, if they are going to break the law and hack your system, they will START by taking an image of your system and transporting it somewhere that you can't see. Then they have unlimited time to pull the filesystem apart. Honestly, this would be so simple that they would never even realize that you had passwords or keys. They'd have all of your data so easily that none of that would even slow them down.
Only disk or data encryption, which also prevents your system from booting on its own, will keep them from being able to see everything, anytime they decide to do so.
Remember the first rule of technology security - you have to trust your administrators. In this case DO is your admin. They have access.
-
@dafyre said:
@Breffni-Potter I dislike secrecy -- especially in the government... If the government is going to do something, at least be bold enough to tell the public about it... Even if it is after the fact. Otherwise it comes out as a "leak" around election time and detracts from the real issues that the American public is facing.
It's because the government thinks that they can claim security by obscurity and, for the most part, they are correct. Normal people confuse obscurity for security.
-
@Aaron-Studer said:
Also, I could host it outside the USA? Would this help?
If the goal is to keep things away from the NSA, you can host completely outside of the US with a company that has no US ties in a country that will not turn anything over to the US. Best candidates are China and Iran. But that only stops them handing you over, doesn't stop the NSA from attacking you.
-
@Breffni-Potter said:
Safest data is offline data in a safe. Paper records are impossible to hack.
If hack does not involve social engineering. Paper records are the easiest for the FBI to get if they are on US soil.
-
@Breffni-Potter said:
@IRJ
But how do we prove it when everything is wrapped up in secrecy?How do we know that a major landmark was saved by security, or 100s of people did not train due to a bombing on a train, we just don't know.
Are you kidding me? if the NSA ever stopped anything they would brag about it like crazy. Also even if 100s of people were saved its still a drop in the tub compared to how many people die from other causes. Let's give the incompetent NSA some non deserved credit and say the NSA saved 350 lives since 2008. That would be an average of 50 people a year. Here are some statistics of freak deaths from venomous bites in the United States.
http://ufwildlife.ifas.ufl.edu/venomous_snake_faqs.shtmlAssuming they actually saved lives, which they haven't. You are still more likely to die by Lightning Strike and Hornet/Wasp sting.
If you trust the US government or any government for that matter to keep you safe and responsibly spy on you then I feel bad for you.
-
@scottalanmiller said:
If hack does not involve social engineering. Paper records are the easiest for the FBI to get if they are on US soil.
In a safe, in a field, with no paper trail.
If things are so easy to find, where is Jimmy Hoffa?
-
@Breffni-Potter said:
The day we stop asking questions for fear of the man, is the day Big Brother has taken complete power.
So.... a while ago
-
@Breffni-Potter said:
If things are so easy to find, where is Jimmy Hoffa?
When the government wants you to disappear, you disappear. When they want you found, you get found.
-
@handsofqwerty said:
@Aaron-Studer said:
AJ - I thought by changing your username that you were turning over a new leaf. Guess not.
I have. I just don't see the whole purpose of the post. If it's for fun, why are you hosting it? Do something like this on your own hardware.
What's wrong with hosting it? I don't see why the goal would make hosting it elsewhere not make sense?
-
@Breffni-Potter said:
In a safe, in a field, with no paper trail.
If things are so easy to find, where is Jimmy Hoffa?
He's probably in a safe, in a field with no paper trail! I think you answered your own question
-
@dafyre said:
@Breffni-Potter I dislike secrecy -- especially in the government... If the government is going to do something, at least be bold enough to tell the public about it... Even if it is after the fact. Otherwise it comes out as a "leak" around election time and detracts from the real issues that the American public is facing.
This was the idea behind FOIA granted half the time they'll use some excuse not to give you information. Heck having to government jobs on my resume has hindered me getting other jobs. One even flat out said they would not hire someone who's working or has worked for our corrupt government.
-
If you don't trust DO with your data then honestly you shouldn't be using them. Any level of security can be bypassed with enough time when you have physical access.
-
https://technet.microsoft.com/en-us/library/hh278941.aspx#EBAA
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea. -
@scottalanmiller said:
@handsofqwerty said:
@Aaron-Studer said:
AJ - I thought by changing your username that you were turning over a new leaf. Guess not.
I have. I just don't see the whole purpose of the post. If it's for fun, why are you hosting it? Do something like this on your own hardware.
What's wrong with hosting it? I don't see why the goal would make hosting it elsewhere not make sense?
Nothing. Just seems like it'd make more sense to try this at home first, but that's just me.
-
@handsofqwerty said:
Nothing. Just seems like it'd make more sense to try this at home first, but that's just me.
Dont' see why. If the goal is to learn about security, how does learning at home make it more useful than learning in a hosted environment? What about home makes more sense?
-
“People who say they don’t care about privacy because they have got nothing to hide have not thought too deeply about these issues. What they are really saying is I do not care about this right. When you say I don’t care about the right to privacy because I have nothing to hide, that is no different than saying I don’t care about freedom of speech because I have nothing to say or freedom of the press because I have nothing to write.”
-Edward Snowden in an interview today.
http://www.theguardian.com/us-news/2015/may/22/edward-snowden-nsa-reform
