Do you harden your Linux distro for better security?

After viewing the video below, I was wanting to get some feedback from friends here.

3 Likes

I am afraid I never bother. Privacy on that scale is not one of my concerns. I regard visiting the internet as the same as going to the local shops… I don't care who sees me do it.

5 Likes

Most of us use store cards to get a discount so they know better than usual what we eat and drink, but like Neville I really do not care, especially if I am getting a good price.

1 Like

So… just a touch of hype on this.

Suppose it might be of interest to those who are employed by three letter agencies.

1 Like

I run uBlock Origin and Disconnect. Mostly just to prevent ads from showing. Websites are so much more usable without the ads on the screen.

I don’t use a firewall on my desktops.

7 Likes

I also am a member of this group!!! If one accesses behind a router, that is enough for me!!! Although I do at times use my VPN, when using W11!!!

4 Likes

I suppose if government employees work from home they may need to take steps with security

I don't either. I think being behind NAT is sufficient protection. Those who want login access from the internet do need to be much more diligent.
You can turn off sshd on your internet NIC if you want more protection than NAT.

Most home PCs have very little data that would attract interest. I do take extra precautions with my banking and passwords. Other than that I keep no data that would attract interest.

6 Likes

I have a fair amount of data, if one likes music, photos and notes on Gentoo and LFS!!! Sometimes I get lucky and find the data I need or just re-google!!!

3 Likes

My data directory is over 1TB… mostly source code and scientific data.
No one would be interested in it. Most of the useful source code is on github anyway… The best way to keep something is to give it away… open source conquers materialism.

3 Likes

My “Data” directory - if I include Movies and Music - is about 3 TB… Maybe a bit more…

But it’s on my NAS… Nobody outside has access to my NAS… I have a (< 100 GB) subset of my music collection sync’d using ResilioSync - that does sometimes leave the house - but - it’s on encrypted storage (Apple on my Macbooks, LUKS on my ThinkPad)… and my Android phone is “secured” with my fingerprint and/or unlock doodle-thingie…

Like everyone who said before - I don’t care if people see me shopping… Some stores here even track customers by cameras with face-ID (that does make me somewhat uncomfortable though!)…

I mostly use contactless EFTPOS to pay for shit… They can track me that way anyway…

I don’t run any firewall on most of my stuff - my work supplied MacBook has a bunch of security layers installed including Falcon Crowdstrike (yuck!)… I reckon my router’s firewall is sufficient for my usage…

All my work connections are across encrypted links… Whether that's Citrix, or Microsoft AVD… and all my work stuff uses MFA (right pain in the arse at times)… In some cases, I'm Remoting in three layers deep of nested RDP, and at each one - I have to MFA again!

I am occasionally required to deploy hardened Linux servers… Depends on what the specs are - on Red Hat Linux 8 and 9, there's CIS1 and CIS2 hardening… Oracle Linux offers "Essential 8" hardening (that's an Australian government spec)… I kinda prefer "Essential 8" - with CIS1 and CIS2 - you have to get down to nitty gritty minutiae on filesystems - e.g. all of /var, /var/log, /var/tmp, /home should be on separate devices (partitions), and I think /dev/shm needs a separate partition too and it won't install if they're not set up like that… I HATE having to make capacity decisions on the fly like that…

As for my home Linux systems? I don’t dual boot so I just have a single “/” - which also has /var and /home…

I guess one advantage of having /var/ as separate, especially a server - filling it up usually doesn’t crash the system, unlike filling up “/”… But I’m pretty sure most modern Linux systems, reserve a certain amount of space to prevent filling of “/” so that you can still remote in and diagnose - so filling up “/” doesn’t crash things like RHEL / OEL 8 and later, and probably Ubuntu 18.x and later, and I’m guessing maybe Debian 9 or 10 and later?


Update - edit : I have a Pi4 that I can SSH to from the public-cloud (e.g. from my phone when I’m roaming) - my router forwards a non-standard port to the SSH port on the Pi4… The Pi4 is running fail2ban… three unsuccessful attempts and that IP address gets banned… Doing a whois - the most recent attempts have come from a Japanese registered IP address, and also from a Chinese registered IP address…

4 Likes

Sorry to reply to my own post - I’m replying to the general garbage that SystemD really is - from a security perspective…

WTF? When I want to dig deep on Debian 12.11 (Raspbian 12.11) - i.e. into my system logs - they’re not plain text files in /var/log…

They’re all binary files in /var/log/journal - WTF?

I can’t cat or less or anything with them! If I have to use journalctl to query them - that’s gone way past the “UNIX philosophy”…

At least on RPM based distros - like RHEL or Oracle or even Fedora (haven’t tried Fedora desktop for a while) - every attempt to login to a system is logged in either /var/log/secure, or /var/log/audit… (or maybe /var/log/auth - but it’s easy to kinda guess which one)…

Not so on Debian / Ubuntu… Why? Who even thought that would be a good idea? On Debian I have to figure out ALL the bullshit “journalctl” arguments if I want to query who tried to log into my system? Was that an improvement?

Yeah - Nah!

This is the folder that SystemD on Debian 12 is writing my logs to:
/var/log/journal/5cd999b61fed424cad510a881765cfd3
and it's full of files with mostly hexadecimal filenames - e.g.:

user-1000@f896bdf94bba42b4bc93f71891b4e019-0000000000000712-000621b908dde81e.journal

WT actual F? OK - so that might make it harder for hackers to locate an obvious file… Who cares? If you're already that compromised - you're already f–ked and it's too late anyway - if hackers or malign actors are reading your log files - you're probably royally f–ked anyway… All that does is make a sysadmin's job 10,000x harder…

Much as I kinda hate Red Hat and Oracle Linux - thank F–K I don’t have to support systems that write logs to SystemD bullshit like Debian is now doing…

And thankfully - fail2ban itself still logs to logical files like /var/log/fail2ban.log and switches logs the traditional way…

The above is going to make me think twice before using Debian (or Ubuntu) again… Maybe Fedora or whatever Red Hat are going to decide is the replacement for CentOS…

1 Like

I believe one can configure Debian to write normal syslog txt file logs. I think you have to install syslogd.
and
I think you can tell systemd not to write its logs

That may not help if you are working on someone else’s system that you can not change.

Anyway, it's nice to hear you complain about systemd. All alternative init systems keep txt file logs.

3 Likes

You're right - it was relatively painless / trivial to replace journalctl with rsyslog / plain text logging:

systemctl stop systemd-journald
systemctl disable systemd-journald
systemctl stop systemd-journald-dev-log.socket
systemctl disable systemd-journald-dev-log.socket

vi /etc/systemd/journald.conf

and change
#Storage=auto
to
Storage=none

Then :

apt install rsyslog
systemctl enable --now rsyslog

That won’t be enough to make me switch to a non-systemd init system or distro though…

The RedHat family are heavily systemd focussed, but they still have plain logging in plain text files in /var/log…

Now I just gotta figure out how to force fail2ban to do a longer (or permanent) ban… fail2ban on Debian 12 is WAY too permissive - compared to how it was on Ubuntu 20 / 22 and Debian 10 and 11…

4 Likes
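The steps above amount to a one-line change in /etc/systemd/journald.conf plus a service swap. Here is an added example (not the poster's commands and not systemd's own tooling) that makes the journald.conf edit repeatable from a script: it uncomments or overwrites the Storage line the same way the vi step does, drops duplicates, and lets you read back the active value so you can verify the file before stopping journald. The sample config text is constructed; the file path default and the .bak naming are this example's assumptions.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed stand-in for a stock Debian /etc/systemd/journald.conf (only the
# lines relevant here); not copied from any real host.
SAMPLE_JOURNALD_CONF = """\
[Journal]
#Storage=auto
#Compress=yes
#ForwardToSyslog=no
"""


def set_journald_key(text: str, key: str, value: str) -> str:
    """Return `text` with exactly one active `key=value` line.

    Mirrors the manual edit in the post (uncomment #Storage=auto, set it to
    none) but is idempotent: an already-active line is overwritten, a commented
    one is replaced in place, later duplicates are dropped, and a missing key
    is appended to the end of the [Journal] section.
    """
    line_re = re.compile(rf"^#?{re.escape(key)}\s*=")
    out, done = [], False
    for line in text.splitlines():
        if line_re.match(line):
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue  # drop any later duplicate of the same key
        out.append(line)
    if not done:
        if "[Journal]" not in out:
            out.append("[Journal]")
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def get_journald_key(text: str, key: str) -> Optional[str]:
    """Active (uncommented) value of `key`, or None if only commented/absent."""
    line_re = re.compile(rf"^{re.escape(key)}\s*=\s*(.*)$")
    value = None
    for line in text.splitlines():
        m = line_re.match(line)
        if m:
            value = m.group(1).strip()  # last assignment wins, as in systemd
    return value


def disable_journal_storage(path="/etc/systemd/journald.conf") -> Optional[str]:
    """Apply Storage=none to a real file (needs root) and return the new value.

    Writes a .bak copy beside the original first so the change is easy to revert.
    """
    p = Path(path)
    original = p.read_text()
    p.with_suffix(p.suffix + ".bak").write_text(original)
    p.write_text(set_journald_key(original, "Storage", "none"))
    return get_journald_key(p.read_text(), "Storage")


if __name__ == "__main__":
    # Dry run on the constructed sample; nothing on disk is touched.
    print(set_journald_key(SAMPLE_JOURNALD_CONF, "Storage", "none"))
```

Order matters when you do this for real: install and start rsyslog first, then apply Storage=none and stop journald, otherwise messages logged in between go nowhere. Afterwards confirm that /var/log/journal stops growing and that sshd lines show up in /var/log/auth.log.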

Yes, several distros do that. … sometimes only a partial set of syslog logs.

I agree 100% on binary logs. Backward step. Someone needs to modify systemd.

3 Likes

I updated my fail2ban config…

  • Set it to ignore my home LAN CIDR
  • ban on 3 attempts (was 5)
  • ban for 60 minutes (was 10)
  • ban on retry within 60 minutes (was 10)

Ridiculous - and instead of using familiar tools (cat / grep / less /more) that are part of most UNIX and UNIX like systems and have stood the test of time - you have to learn a whole new bunch of commands and switches… Step Backwards…

3 Likes
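The four settings listed above correspond to the fail2ban jail keys ignoreip, maxretry, findtime and bantime. As an added example (not the poster's config and not fail2ban's own code), the script below simulates how a jail applies those values to sshd failure lines, so you can see why the Debian 12 defaults the poster found too permissive would not have banned the same attacker that the tightened settings do. The auth.log lines, hostname pi4 and addresses are constructed; the year is assumed because syslog timestamps omit it.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed rsyslog-style auth.log excerpt (documentation IP ranges, made-up
# timestamps); not taken from any real host.
SAMPLE_AUTH_LOG = """\
Jun  1 10:00:01 pi4 sshd[1201]: Failed password for root from 203.0.113.10 port 51000 ssh2
Jun  1 10:05:12 pi4 sshd[1204]: Failed password for invalid user admin from 203.0.113.10 port 51002 ssh2
Jun  1 10:20:45 pi4 sshd[1210]: Failed password for root from 203.0.113.10 port 51007 ssh2
Jun  1 10:30:00 pi4 sshd[1220]: Failed password for pi from 192.168.1.50 port 40000 ssh2
Jun  1 10:31:00 pi4 sshd[1221]: Failed password for pi from 192.168.1.50 port 40001 ssh2
Jun  1 10:32:00 pi4 sshd[1222]: Failed password for pi from 192.168.1.50 port 40002 ssh2
Jun  1 11:00:00 pi4 sshd[1230]: Failed password for root from 198.51.100.7 port 60000 ssh2
Jun  1 13:00:00 pi4 sshd[1231]: Failed password for root from 198.51.100.7 port 60001 ssh2
Jun  1 15:00:00 pi4 sshd[1232]: Failed password for root from 198.51.100.7 port 60002 ssh2
Jun  1 15:10:00 pi4 sshd[1240]: Accepted publickey for pi from 192.168.1.20 port 40100 ssh2
"""

# Matches only the failure lines; successful logins are deliberately ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\da-fA-F.:]+) port \d+"
)


def parse_failures(log_text, year=2025):
    """Yield (timestamp, ip_address) for each sshd failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, ipaddress.ip_address(m["ip"])


def evaluate_bans(log_text, maxretry=3, findtime=timedelta(minutes=60),
                  bantime=timedelta(minutes=60), ignoreip=("127.0.0.0/8",)):
    """Replay the log with fail2ban-style semantics.

    A source is banned when it accumulates `maxretry` failures inside a sliding
    `findtime` window; sources inside any `ignoreip` network are never banned;
    while a ban is active (`bantime`) further lines from that source are not
    counted. Returns {ip: time of first ban}.
    """
    ignore = [ipaddress.ip_network(n) for n in ignoreip]
    window = defaultdict(deque)   # ip -> recent failure timestamps
    ban_until = {}                # ip -> when the current ban expires
    bans = {}
    for ts, ip in sorted(parse_failures(log_text), key=lambda t: t[0]):
        if any(ip in net for net in ignore):
            continue
        if ip in ban_until and ts < ban_until[ip]:
            continue  # still banned; the firewall rule should drop these anyway
        q = window[ip]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()  # age out failures older than findtime
        if len(q) >= maxretry:
            bans.setdefault(str(ip), ts)
            ban_until[ip] = ts + bantime
            q.clear()
    return bans


if __name__ == "__main__":
    home_lan = ["192.168.1.0/24"]
    print("tightened:", evaluate_bans(SAMPLE_AUTH_LOG, ignoreip=home_lan))
    print("maxretry=5, findtime=10m:",
          evaluate_bans(SAMPLE_AUTH_LOG, maxretry=5,
                        findtime=timedelta(minutes=10), ignoreip=home_lan))
```

With the tightened values the slow attacker at 203.0.113.10 (three failures spread over twenty minutes) is banned; with maxretry 5 and a ten-minute findtime it never is, and 198.51.100.7, which spaces its attempts two hours apart, slips under either policy. The same keys go in an [sshd] section of /etc/fail2ban/jail.local, and bantime = -1 gives the permanent ban asked about earlier; fail2ban-client status sshd shows what the running jail has actually banned.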

Looks like you got it… I found this useful

3 Likes

I guess I'm guilty of not hardening my Linux either. I use brave and surfshark and call it a day. I've thought of moving to a systemd-free distro, but wonder how difficult that will be since so many programs depend on it - at least, I assume they do. I haven't done any research on that at all.

1 Like

It is not difficult provided you choose a well constructed distro.
The easiest and most trouble free is MX.
Also well constructed, but rolling release, are Artix and Void.
In my opinion Devuan lags behind these.
Gentoo can be without systemd, but Gentoo requires considerable learning effort.

2 Likes

So true on Gentoo! I actually managed to install it several years ago, after printing out the installation manual. Mind you, when I say "install", I mean just the kernel. No desktop, no browser, etc. Love the concept, but I didn't want to spend a week on an install. 🙂 Void looks like more than I want to tackle, similar to Gentoo? I just downloaded Artix, so I may give that a go in a VM. Thank you Neville 🙂

2 Likes

Yes Artix is easier than Void… but Void is a lot easier than Gentoo.
Think about which init system you would use with Artix. Artix offers several init systems and each is a separate download. I use Artix with Dinit. I would recommend Artix with either OpenRC or Dinit… S6 is too complicated for a home user.

2 Likes