So in the first part of this series we did some basics on our browser and discussed how to use a password manager. In this part we will go deeper into the concepts of protecting your desktop and how to think about security and privacy.
Why should I care?
Well, for one, this is becoming a very important topic, and for the layman/woman it is not an easy task to wrap your head around it.
It might have been somewhat of a lie to say that the basics of security and privacy start at the browser and password level. Surely they are an integral part, so now it is time to put on the tinfoil hat and get dirty.
So the first issue here is which Operating System you are using at the moment. There are several to choose from, or three (Windows, Linux, BSD and OS X). If you feel the need to be safe, any of the above is “okay” if you are using the latest one. As you might imagine, I prefer Linux and specifically CentOS. Independent of what your personal choice is, remember:
- Keep the applications and Operating System updated
- Keep to well known applications and distribution points
- Always run a script-blocker in the browser
- Ensure that basic security is adhered to at all times
- Never trust an email or link
- If it seems too good to be true, take it as a warning sign
Since I mostly use CentOS we will now take it up a notch and start discussing particulars.
First and foremost, let us discuss the source of the medium with which we will install the Operating System. On the CentOS website you can find a mirror that is geographically close to you, so go ahead and download the “Netinstall” image from there. Then proceed to ensure that the image is correct.
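One way to check that the downloaded image is correct, as an added example that is not part of the original post: compare its SHA-256 digest with the entry for that file in the checksum list published alongside the image. The function name `verify_image`, the file names and the stand-in file are assumptions made for illustration.

```shell
# Added example: check a downloaded image against a published checksum list.
# Assumes GNU-style lines, "<sha256>  <name>" or "<sha256> *<name>", and
# file names without spaces. verify_image is a name chosen for this example.

# verify_image IMAGE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if a file is unreadable or not listed.
verify_image() {
    local image sums name expected actual
    image=$1
    sums=$2
    [ -r "$image" ] && [ -r "$sums" ] || return 2
    name=$(basename -- "$image")

    # Take the entry whose name field equals our file name exactly, so
    # "x.iso" never picks up the line for "x.iso.old".
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 { print tolower($1); exit }
    ' "$sums")
    [ -n "$expected" ] || return 2

    actual=$(sha256sum -- "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Demo on constructed data: a small stand-in file, not a real ISO.
demo() {
    local dir rc
    rc=0
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for an install image\n' > "$dir/example.iso"
    ( cd "$dir" && sha256sum example.iso > sha256sum.txt )

    if verify_image "$dir/example.iso" "$dir/sha256sum.txt"; then
        echo "image matches the checksum list"
    fi

    # Simulate a corrupted or altered download: the check must now fail.
    printf 'x' >> "$dir/example.iso"
    verify_image "$dir/example.iso" "$dir/sha256sum.txt" || rc=$?
    echo "after modification: exit status $rc (1 = mismatch)"
    rm -rf -- "$dir"
}

demo
```

A match only shows that the image agrees with the checksum list, so take that list from the project's own site rather than from the mirror that served the image.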
To prepare for the installation we need to do some things first…
Base install aims to be a complete, secure and slim Operating System that uses a well-known Linux distribution as the foundation. CentOS 6.X fulfills all the demands and is also widely used due to those facts, but to further develop the concept some changes have been made. To support newer packages and a wider range of them, CentOS 7.X is also used with the same parameters as the above.
To be able to handle restrictive hardware allocations the guide is based upon hardware with the following specifications:
CPU: 2 cores
What you add later is then dependent on the role of the server, but this will be enough for most roles (DNS/DHCP/FTP/HTTP).
To be able to fit within this narrow margin but still be able to handle a wild card physical machine follow these rules:
- At least 2 hard-drives
- Use RAID to create 2 logical volumes
- Always use RAID (fake-raid/software if you lack a RAID card)
So if the above is true we will create a logical RAID volume with 20GiB of storage space and let the other logical volume be the second drive where all data storage will take place.
The partition scheme is based upon security guides provided by the community and is meant to secure against local file-system vulnerabilities. Each physical disk is split into three partitions: one for the /boot partition, one for the EFI partition and the third for the full disk with LVM. All partitions should be XFS formatted where applicable.
| Mount point | Size | Name | Contents |
|---|---|---|---|
| /usr | 4GiB | usr | Binary and library |
| /var | 2GiB | var | System variable files |
| /boot | 512MiB | boot | Boot files and Kernel |
When the role of the server/workstation then demands extra storage (database/web/videos), a second hard drive is added. Instead of cluttering the system with partitioned drives there will be two drives (sda and sdb), where sdb will not contain any MBR/GPT tables but will instead be a physical volume.
One thought here is that if this is, for instance, an NFS server where we know that data volumes will be above 2TiB, it is suggested that you spread the data over more than one extra hard drive. This is true for both virtual and physical environments, since moving a hard drive of +2TiB is really time consuming.
There is no magical one-fits-all solution; if you are going to be using a 200TiB NFS server then you might need to think a bit extra ;).
Usually there is a good reason to use, for instance, /opt; in the documentation here we always use /usr/local. This will contain anything local and unique to the server/workstation. Above all else, try to keep to normal shares otherwise; adding complexity will not make normal system tasks easy on the administrators. Also, always keep to the thing you decide upon.