How to protect my PcBSD?

#1  sharris  12-20-2012, 07:34 PM
Although I have posted a lot of threads here, I have no true experience with PcBSD other than being a master installer of all OSes (my way), which turned me into an MBR-HDD expert. Other than that, all I have done is read about PcBSD, seeking to make it crash-proof (UFS data and metadata protection no matter what). I need no ZFS right now. I have been with Windows since 1996. Since September of this year my most important personal files are now relying on PcBSD for protection, with Windows, LINUX and an older version of PcBSD (8.2) running in vBOX as the only way to touch my machine via the INTERNET, as I work with my personal files under the host, and as *ROOT*. I do not suggest that others do this, but please, do not beg me not to. My take is:

1)
For simple INTERNET surfing I'm sure Windows-XP will be the best for the job because it can't see UFS partitions, which is where my most important files live.

2)
I would use the PcBSD-8.2 under vBOX for VPN'ing, connecting to dedicated FreeBSD web servers, etc.

3)
LINUX under vBOX is just there so I can keep an eye on the Joneses and IBM if I ever find some time.

Virtual-Box docs say *just pull it in and the bridge will protect the host OS*. As of today with PcBSD 9.1, I don't trust anything on my PcBSD unless experienced BSD users say so.

My question is: what are the packet-filtering rules to guarantee that nothing whatsoever can peep in on any part of PcBSD as packets travel to the VirtualBox bridged ETHERNET? ... or is this automatic and truly safe?

I read, but I have never done networking. So I'm thinking of even going to the extremes of piping, IPsec or whatever those guys and gals do to actually know and see INTERNET data going straight to the VirtualBox bridged ETHERNET network, for insurance. Just trying to get a clue.

Thanks in advance
#2  maioral  12-21-2012, 12:42 AM
Please explain better... What is your host system?
Is your Windows XP the host or inside a VM?

I recommend...

1) For your HOST system, PC-BSD for Unix or DEBIAN for Linux.
I don't trust Canonical, so no Ubuntu or Mint. If you use Windows as host it is easy to invade, print-screen and keylog your BSD VM.

2) Be sure to be careful in Windows XP inside VirtualBox; no upgrades have been done in a long time for XP and it is easily hackable. Even if you just browse, don't browse your important e-mails there.

3) Linux and Unix GUI firewalls are OLD and do not offer too much monitoring liability. Yesterday I was in Linux and neither Firestarter nor ufw could see my friend who was in Skype with me (his IP) in active connections. Only inside Windows did I see him, and he uses IPv4 with no IPv6 too, so it was very strange.

4) I recommend:

- MAIN SYSTEM PC-BSD
- Linux inside VM (I like Debian)
- Windows inside VM

In Windows, install:

1) SANDBOXIE
2) COMODO FIREWALL, and delete all preconfigured firewall permissions. Put it in paranoid mode and don't forget to see the advanced configuration in firewall and defense.
3) ADVANCED SYSTEM CARE, as it will turn off vulnerabilities and upgrade what exists for Windows XP.
4) CCleaner + CCleaner Enhancer to clean temp files + Flash cookies
5) Firefox + security add-ons
6) Spybot Search & Destroy to make browser immunization

In Windows inside the VM, go to Network Connections, find your connection's properties and delete ALL protocols BUT IPv4. Turn off NetBIOS inside IPv4 too. Google how to close ports 135, 137, 139, 445.
Always browse inside Sandboxie.
If you use Skype... Well, it is Microsoft, unreliable and closed source, so I wouldn't install it in the host system for anything. Better in a VM.

And don't use hardware virtualization options in VirtualBox, to maximize security and memory gaps, since I heard a lot about hardware backdoors like Intel's.

If you are really paranoid, go to the deep web Tor onion ring and read about NIC (network interface card) backdoors (yes, they exist and are now few) and what the safe NIC hardware options are and how to set some jumpers to avoid the new unsafe hardware.

As for packet filtering rules... I will wait to see what the masters here recommend since I am a noob and don't know much about it. But Comodo well configured inside the Windows VM will already be a good start to avoid Windows malware peeping at anything.

Last edited by maioral; 12-21-2012 at 12:55 AM.
#3  sharris  12-21-2012, 06:54 AM
Quote:
...my important personal files is now relying on PcBSD for protection, with Windows, LINUX and an older version of PcBSD (8.2) running in vBOX as the only way to touch my machine via the INTERNET, as I work with my personal files under the host

*under the host points to who my files now rely upon*.

I would never use anything other than a BSD as host. To run as HOST is the greatest thing to happen for UNIX. Windows as host is not for me, and Linux is not UNIX, so they both go to the dungeon (VM) to do some simple internet tasks, including keeping any kind of stupid hack in their world and out of the PcBSD garden. I don't know how else to say it.

Anyway maioral, those are some awesome suggestions and ideas. After all these years, many of them I never thought of or even read about. Now I know the truth of what could happen and why to an OS running in a VM. This is the knowledge I seek every day, but in my personal security plan, as already indicated, I really don't give a darn if Windows or any other OS gets hacked to cabbage as long as there is no possibility of the host PcBSD being dragged in as part of the deal. All I care about is: is it a FACT that the host, namely PcBSD and its present operations, will not be stepped on or spied upon, tricked or tapped in any kind of way by whatever running virtual machine being hacked or taken down??? That is the most important part of the question, if not the entire question. All ideas, completed how-tos and any pros and cons would be very helpful.

Quote:
As for packet filtering rules... I really hope one of the masters here recommend since I am a noob and don't know much about it.
maioral, as for packet filtering rules... what a reminder and a half. I forgot myself. That should do the trick if PF really works for PcBSD.

Last edited by sharris; 12-21-2012 at 06:27 PM.
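The packet-filtering question from post #1, picked up again in the post above, never gets an actual ruleset in this thread. The pf.conf below is an added example; it is not the original poster's configuration and not PC-BSD project code. The interface name em0, the host address 192.168.1.10 and the two guest addresses in the <guests> table are assumptions for illustration. The ruleset makes the host's own IP stack default-deny, drops anything a bridged guest addresses to the host itself, refuses packets that spoof the host's address, and lets the host open only the outbound connections explicitly listed.

```pf
# Added example pf.conf for a PC-BSD/FreeBSD host running VirtualBox guests
# on a bridged adapter. Not from the thread or the PC-BSD project.
# Assumptions: em0 is the NIC the guests are bridged to, 192.168.1.10 is the
# host's address on it, and the guests have the static addresses listed.

ext_if  = "em0"
host_ip = "192.168.1.10"
table <guests> { 192.168.1.20, 192.168.1.21 }

set skip on lo0
set block-policy drop

# Default deny in both directions; every drop is logged to pflog0.
block log all

# Packets arriving on em0 that claim the host's own address are spoofed.
antispoof log quick for $ext_if

# A bridged guest shares the LAN with the host and can reach it like any
# other machine on the segment. Drop guest-to-host traffic before anything
# else is evaluated, whatever the port.
block log quick on $ext_if from <guests> to $host_ip

# The host initiates only what it needs. Listed here: DNS and HTTPS for
# package updates. Return traffic is admitted by the state these create;
# there is deliberately no "pass in" rule anywhere in the file.
pass out on $ext_if proto { tcp udp } from $host_ip to any port 53 keep state
pass out on $ext_if proto tcp from $host_ip to any port 443 keep state
```

Enable pf with pf_enable="YES" (and pflog_enable="YES") in /etc/rc.conf, syntax-check the file with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and watch what the block rules catch with tcpdump -n -e -ttt -i pflog0. Two caveats a practitioner would add. First, the quick rule on <guests> is explicit documentation rather than the real guarantee: a compromised guest can put any source address on its packets, so what actually protects the host is the absence of any pass in rule, which drops inbound traffic from every source except replies to states the host itself created. Second, pf on the host filters only the host's IP stack. With a bridged adapter, VirtualBox's network filter driver hands guest frames to and from the physical NIC below that layer, so this ruleset neither sees nor restricts guest-to-Internet traffic, and it does nothing about bugs in the hypervisor itself; it is a fence around the host's sockets, not around VirtualBox. Leaving the adapter's Promiscuous Mode setting at its VirtualBox default of Deny keeps the guest from reading the host's frames on the shared segment, and a NAT adapter avoids the shared segment entirely when the guest only needs outbound connectivity.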
#4  sharris  12-21-2012, 06:40 PM
I think I just found the ultimate solution, but how would this be done on PcBSD using the VirtualBox PBI, or is this even possible?

http://forums.freebsd.org/showthread.php?t=35328

Then I found this;
But it's about port-Jail, not JAIL.
http://www.youtube.com/watch?v=3NlAW1B1W-E

Can we do standard jails on PcBSD 9? There has got to be a way to lock down the VirtualBox PBI.

Please don't forget about the original Packet-Filtering Rule question.

Last edited by sharris; 12-21-2012 at 06:44 PM.
#5  maioral  12-23-2012, 08:33 PM
Dude, I believe it will be hard for someone to tell you this.
You probably won't have an answer even if you wait months.

That is why NO ONE KNOWS.

Do you know that "most" Linux and Unix contributions last year in "open source" and in kernels came from MICROSOFT?

That was for virtualization compatibility; even the "main" system has code made by 1 Microsoft man and no one made any review... (when the system starts you can see the message of trying to see if the main system is inside a VM)
Or they don't even understand the 20k lines of code that man implemented for virtualization.

So no one will be able to answer about packet filter security between host and guest machines... Just because no one knows that.
Besides, the "virtual NIC" system used by virtualization programs is complex and unless you work on those projects you will not know too...
Quote:
In a Linux Weekly News story, currently only available to subscribers, an analysis of Linux 3.0 contributors reveals that Microsoft was the fifth largest corporate contributor to Linux 3.0...The vast bulk of Microsoft's contributions has been to its own Hyper-V virtualization hypervisor drivers
They also did it on UNIX, but no one covered how... Or "how much", at least I did not find it.

But 1 thing I am sure of: the great probability of backdoors in that code.

After all, I trust MORE in BSD, but NOT 100% TOO.

Read about the CIA BACKDOOR they put inside BSD like 10 years ago.
I heard the guy who disclosed it was arrested as a national security threat.

Almost every big corporation fights for data invasion methods... Governments and companies. But 90% of that happens in the USA.
The USA is not so democratic anymore; with their new laws, if the government gives you an order to do something, like put a backdoor in your system, you "have" to obey. If not, you can be arrested with no rights as a national security threat.
With billions of dollars at stake, would you trust a closed group of people? You just look for the most secure system. And that is PC-BSD for desktop.

Unless you are from the power elite, with customized closed hardware and shells, like I saw once with a huge company president, you will never be safe from governments or corporations, and that is a fact.
But normal people will not be able to bypass your security.
If you want security from government peeping, use an offline computer to work without internet and access the web on stolen wireless connections.
If not, you are already safe within the probability of a grain of sand on a beach in the middle of the other systems.

Last edited by maioral; 12-23-2012 at 08:54 PM.
#6  maioral  12-24-2012, 03:28 PM
These are just a few examples to illustrate what I said before.
And these are the "public" ones...
Most of these things are covered by NDA (Non Disclosure Act) when private or, in the USA, the new laws that forbid you to open your mouth about government secrets, so people cannot talk or testify, and nothing can be publicly proved.

http://www.linuxjournal.com/content/...rs-may-be-true

http://cryptome.org/2012/01/0032.htm

http://beforeitsnews.com/scandals/20...p-2430580.html

http://newsworldwide.wordpress.com/2...ating-systems/

https://www.eff.org/nsa-spying

http://www.zdnet.com/former-pentagon...ms-7000000908/

http://www.tomsguide.com/us/FBI-Back...ews-15090.html

http://www.techsupportalert.com/cont...not-enough.htm

http://www.privacylover.com/encrypti...-cia-honeypot/

http://www.privacylover.com/encrypti...th-fbi-access/

http://www.privacylover.com/other-pe...zilla-firefox/

Last edited by maioral; 12-24-2012 at 03:58 PM.
#7  dphrei  12-24-2012, 05:22 PM
sharris, you are right.
Yes sharris. You are probably better off web-browsing in XP. Good luck with that.
#8  maioral  12-26-2012, 03:10 PM
lol, dphrei ahahahahaha

Sharris... At least get a separate NIC to use in your VM if you are so unsure.
And use a free VPN on it...

You can use a VM with TAILS or LIBERTEE too to browse...

Since you are so upset about no one spying on your BSD... Try to make 1 external HD or USB install of it, just to use your offline data, and when you use it, do it with the internet off...

Have you ever googled ZERO-DAY EXPLOITS MARKET?

The USA Government pays up to 250,000 US$ for some exploits... What about an exclusive exploit for the most used server system in the world? How much would it cost?
How hard would it be to pay 1 guy responsible for compiling the binaries... or to make a "donation" to 1 group to make a hard-to-identify firewall change...?

http://www.forbes.com/sites/andygree...ware-exploits/

What if someone comes to the PC-BSD creator and says: We are the government... Here is 1 million dollars. Put our backdoor in your stuff. It will be used "only" to catch criminals... Be quiet or we put you in a secret terrorist prison... As a bonus we will always support you...

What if that incident with FREEBSD months ago wasn't an "accident"...?

Show me someone here who revises open source code.

I believe 80% or more of the exploits found by hacking clans are not "given free to humanity", so they don't have anything special anymore after a hard time studying to find one...
They are used or SOLD. They are worth MONEY.

How do you think Apple got government support to give that huge blow to Samsung?
Here, in my country, the federal police present MacOS screenshots in court for any people investigated...

Those resources were not born in my third-world country...

You really think PC-BSD is 100% free of this?
Very innocent of you...

Last edited by maioral; 12-26-2012 at 03:42 PM.
#9  David30  12-26-2012, 06:20 PM
Nothing is 100% safe and secure.

I'm not a programmer, so I don't know if malicious code is being activated from the BIOS and "hiding" at every bootup, nor does anyone else know, except for the people who created the code. Any wonder why computers sometimes misbehave for no rhyme or reason - even when all the electronic parts are working properly?

What about closed-source device drivers such as Nvidia graphics drivers? There could be a snippet of malicious code in the driver doing whatever it wants?

I believe you can definitely trust PC-BSD/FreeBSD. We all know how bad Windows' security is, despite what Microsoft's glossy marketing and "independent" studies say.

If you are not scared, you could read this: http://www.grc.com/sn/sn-009.txt
#10  maioral  12-26-2012, 08:53 PM
David is 100% right.

About NVIDIA... In Windows 7, even turning updates off, and telling it to close the update process... the Nvidia process tries to connect to the internet and my firewall opens the screen lots of times... Detail: I disabled IPv6 there, but it tries to communicate over IPv4 and IPv6. In Windows XP, too.

NVIDIA SELLS HARDWARE!!! WHY KEEP THE SOURCE CODE CLOSED???
Because they infringe the GPL?

Noooo, not just because of that...

http://www.freshdl.co/file/142365-FB...oor-Files.html

http://step.yourfiledownloader.com/j...UwQAvaMEBxxDxP

Anyone tested this? lol

http://phoronix.com/forums/showthrea...-Using-DMA-BUF to understand the way of Nvidia by the comments

Edit: There is another reason why NVIDIA hides its code, I forgot. It is because they have the ultra-expensive models like QUADRO for engineering and architects, etc. The specifications are almost the same as the game models, but with different tuning. And people pay thousands of dollars for that tuning...

Last edited by maioral; 12-27-2012 at 12:44 PM.
Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.
All other content is freely available for sharing under the terms of the Creative Commons Attribution License.