Puppy Combined w/ OpenBSD base system on 2nd Computer

For discussions about security.
mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

#1 Post by mikeslr »

Hi All,

I just wanted to call your attention to rufwoof's post, http://murga-linux.com/puppy/viewtopic. ... 83#1002783.

"I have an OpenBSD base system only box, running on an old single core Celeron box, that I can sshfs mount as a local folder (so files can be viewed using rox or whatever). OpenBSD takes just minutes to install (cli based installation process) and its base system is very secure...

In effect I'm (trial) running fatdog (linux) and openbsd as a combined 'system' where fd is the desktop and openbsd stores my most invaluable stuff (data/docs etc.) and where that data is only accessible if you know both the userid and password (making brute force attacks that much more difficult). Not even root on the desktop system can access/mount that data without knowing both the appropriate userid and password, and it can be mounted/unmounted on an as-needed basis (such as not being mounted whilst also browsing the internet)."

Who among us doesn't have an old computer which just can't cut it with today's graphic-rich web? Or acquire one for a couple of bucks?

And wouldn't it be more economically sound for institutions handling/managing financial data to hire clerical staff to transfer data between the computers connected/exposed to the world and a local, protected computer used for storage of data or only just for backup than losing billions and exposing our identities to hackers?

mikesLr

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#2 Post by rufwoof »

Thanks Mike.

In addition to the userid and password having to be known, a hacker would also need to know the relevant machine/IP. Such that even weak passwords aren't that much of a concern.

I know many hereabouts like urxvt as a terminal; personally, however, I like xterm. With xterm there's a ctrl left-mouse-press menu option for "Secure Keyboard" that when activated inverts the xterm colours (I usually have black background, white text in standard mode so it flips to white background/black text when secure keyboard mode is activated). If it fails (colours don't flip) it could be an indicator that a man-in-the-middle/keylogger ...etc. hack could already be being used/installed.

When the secure keyboard mode is activated, xterm uses a protocol that directs all keyboard input directly and solely to xterm. That does mean that while you have the secure keyboard mode turned on you can't use the keyboard to interact with any other applications, i.e. it is usually only suitable to a very brief interaction, such as entering a password. It ensures however that other applications cannot "listen in" on your interaction with xterm via the keyboard or execute a man-in-the-middle keystroke logging attack.

Note that many Pups have an "xterm" but more often that's just a sym-link to urxvt or whatever; more usually you have to install a proper xterm from PPM or wherever.

A nice thing about ssh (and sshfs, scp ...etc.) is that you can open up your router/firewall to portforward ssh such that potentially you might access your systems from anywhere in the world (data access), and most devices, even smartphones, usually are capable of installing/using an ssh client. The likes of tmux (multiple terminal sessions that you can flip between windows or panes (and zoom/restore panes)), along with mc (and its internal text editor), work well over ssh. Two or more of you can even ssh into the same box using the same userid and connect to the same tmux instance (collaboration).

That all said, the more you open up your network the greater the security risks. Personally I only open up remote ssh infrequently on an as-and-when-needed basis.

With data separation such as being stored on a cheap old low powered system then it doesn't really matter which desktop/gui you use to access that. I personally have my celeron connected to the TV along with a remote control keyboard with integral mouse, along with a reasonably decent set of speakers/amplifier. If you're just into sound alone, then the likes of mpv can be run from the cli to play videos (sound only) through that sound system, but controlled directly from your "desktop" ('remote' system, running Puppy or whatever).

I also use the celeron as a web cam recorder (security cam). So again if ssh port forwarding is on then those images can be viewed from anywhere. My intent is to replace that with a much smaller/lower electrical powered device as and when it dies. Perhaps one of those PCs on a stick type devices that plug into the TV's USB.

scp is another command worth learning, very similar to standard cp but copies through ssh. Basically you just prefix the filename with the user@machine: prefix, so something like

Code:

scp user@192.168.1.1:/home/user/somefile .
(so a file called somefile on the remote system is copied to a local copy; the dot at the end of the command indicates it's copied as the same filename).
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb: http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256
echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh (https://hashbang.sh)

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#3 Post by rufwoof »

Update: I was using the console, loaded with tmux and mc ..etc. to nox boot into and had a twin script to do all that, that auto runs as part of auto login as root, where one of those tmux windows started up xwin under userid user. My thought being to only enter passwords at the console, never in X ... but! found that the default fatdog permits spot to see the console - so everything that root might be viewing/doing. I also ran a penetration test of xterm Secure Keyboard and ... spot also saw all of the keystrokes. So given that spot might be running an old, easily hacked (published flaws) browser, I've opted for an alternative stance. Run everything as root, but isolate the system - treat it as though it's been compromised by default. Booting liveCD and saving to DVD-R, no HDD's, access to data is via remote data server connecting to fatdog, so no password that might be eavesdropped being entered by fatdog to access the data server. http://murga-linux.com/puppy/viewtopic. ... 13#1003513

I did consider using fatdog for both desktop and dataserver, surprisingly I used the desktop DVD that runs on an AMD/Radeon, to boot in the Celeron Intel ... and whilst X didn't load, a quick run of xorgwizard had that sorted, so I had all the configuration of the AMD system all available from the get-go. I couldn't however find an sftp-server for fatdog, which is needed by the reverse sshfs script I'm using, so it was easier just to revert back to using OpenBSD as the dataserver as that's ready to go out of the box (I did install bash as the rsshfs script was written for bash).

That Intel Celeron is flagged as vulnerable (cat /proc/cpuinfo), however as a data server, outbound connections only (behind two routers), and base OpenBSD only (+ bash until I get around to rewriting rsshfs) - that only stores files (no general programs being run) ... meh! Better than landfill, however my intent is to swap it out for a micro PC of some kind - PC on a stick type thing.
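
Post #3 reports that the unprivileged spot account could see root's console and the keystrokes typed under xterm's Secure Keyboard, without saying how. As an added example (not from the posts), this script checks one place to look: whether a given account can read the kernel's console and input device nodes, which an X keyboard grab does not cover. The device list and the script name audit.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list console/keyboard device nodes that
# a non-root account (e.g. Fatdog's "spot") could open for reading.

# can_read MODE FILE_UID FILE_GID UID "GIDS"
# MODE is what `stat -c %a` prints (e.g. 620). Plain POSIX mode bits only:
# owner class if the uid matches, else group class if any gid matches, else
# other. ACLs, capabilities and root's override are not considered.
can_read() {
    perms=$(printf '%03d' "$(($1 % 1000))")    # drop setuid/setgid/sticky digit
    if [ "$4" = "$2" ]; then
        digit=${perms%??}                      # owner digit
    else
        digit=${perms#??}                      # other digit (default)
        for gid in $5; do
            if [ "$gid" = "$3" ]; then
                digit=${perms#?}; digit=${digit%?}   # group digit
                break
            fi
        done
    fi
    [ "$digit" -ge 4 ]                         # read bit set?
}

# audit_nodes UID "GIDS" PATH...
# Prints one line per existing node that the account could read.
audit_nodes() {
    a_uid=$1; a_gids=$2; shift 2
    for node in "$@"; do
        [ -e "$node" ] || continue             # unmatched glob or absent node
        st=$(stat -L -c '%a %u %g' "$node") || continue
        mode=${st%% *}; st=${st#* }
        if can_read "$mode" "${st% *}" "${st#* }" "$a_uid" "$a_gids"; then
            printf 'READABLE mode=%s owner=%s:%s %s\n' \
                "$mode" "${st% *}" "${st#* }" "$node"
        fi
    done
}

# Usage: sh audit.sh spot
# The node list is an assumption about where console text (/dev/vcs*),
# terminal I/O (/dev/tty*) and raw key events (/dev/input/event*) live.
if [ $# -gt 0 ]; then
    audit_nodes "$(id -u "$1")" "$(id -G "$1")" \
        /dev/console /dev/tty[0-9]* /dev/vcs* /dev/input/event*
fi
```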
