Hardening Manjaro

I would also call this a security issue… you send your local passwords to AMD/Intel and these guys send them to the NSA because of a gag order. How is this hardening Manjaro? I don't know.

TPM is a feature for mainstream users who blindly execute stuff without thinking twice.

Instead, I personally go in the completely opposite direction… I disable TPM/Secure Boot and also UEFI, and I use Legacy Boot and still use MBR.

Where your OS doesn't get access to your BIOS settings and where a virus can't infect your motherboard cache.

A little story about how AMD GPU drivers changed their customers' BIOS and made AMD PCs unstable:
https://www.tomshardware.com/news/amd-confirms-its-gpu-drivers-are-overclocking-cpus-without-asking

The downside: some newer GPUs don't support Legacy boot anymore… so in this case you will only get a signal on your TFT with a second GPU to check your BIOS settings, or you just use a 2080 Ti, like I do (which supports UEFI and Legacy… it's maybe the last working Legacy GPU? I don't know…)

Nobara comes to my mind then.

No security measure is foolproof, and this includes firewalls. Each and every program has flaws and vulnerabilities. Which is why one designs a layered security system. That concept applies to both digital and analog security models. Think of it like this: would you leave your front door unlocked just because you have a gate across your driveway? The same goes for digital security. You want layers so that if one is breached, the intruder just hits another wall/door/lock. As for attack vectors of home networks, there are many, and they include intrusion via internet connections, Wi-Fi access points, Trojans, malware, and many others. So once again, security is not a destination but a journey, and one's security model should be both complex and layered.


TPM has advantages, but I would prefer to utilize a discrete TPM module. However, physical dimensions make that quite impossible. On my MB the TPM header is located directly under the GPU, and the module itself is oriented to be vertical off the header, thus making installation impossible.

I don't, but other machines on my network are.

Concerning your worries about how AMD GPU drivers changed consumers' BIOS:
Just protect it and set a BIOS password!!
Wouldn't that do the job?

Maybe it would… I'm actually not sure about that. In all the articles I read about that issue, nothing came up in this regard.

The answer would definitely be interesting.

Edit: After thinking about it, on the other hand… it would be a pain to always enter your password every time after restarting your system. Wasn't the main selling point of UEFI to accelerate the boot time by 2-3 sec?

Whether a root password hinders a change via API (not GUI) is a decision of the developers of this BIOS.

Maybe my first answer got us on the wrong foot. Tbh: I think you got yourself a bit locked in your security focus.

While studying computer science, one of our first lessons in network security was “what is your threat?” (the first in pentesting was: you won’t get through a correctly configured firewall if there’s no connection to another service)

You got your drives encrypted? That's great against somebody who has physical access to your computer and in many cases more or less unbeatable (for your normal Joe and your local police. Think reasonably).

You got a firewall and no open ports? Perfect, so nobody gets into your system unless you let them ("you" includes services you installed). Then you keep everything up to date, and your only worries are zero-days and mistakes you make yourself (nothing can protect against that, except awareness. Even in a corporate environment).

I see your argument, but as described above: what is your threat model?
Against somebody who wants to compromise my system from another country: I would even leave my gate open.
Against somebody who wants to steal my physical stuff: that's a completely different story.

It would be interesting to see what your network topology looks like. Where are your DMZ and MZ? Are public servers in the same network as your client?! If yes: what is your client used for and why is it in the same network?

Can you please describe your use case/situation and especially the threats?
If it's a case of "I did everything to protect myself but there is still a realistic threat", you should probably look into intrusion detection. The documentation of Snort might be a good starting point to get a grasp of this topic.


My threat model is both broad and diverse, as I am protecting against anything and everything. Physical access is one model; however, the steps to hardening against this begin far beyond the machine itself. Regardless, you are correct that encrypting a storage device aims to protect against that.

Not really something I care to publish publicly. But in a general sense I have a number of different machines: an OPNsense router, a TrueNAS SCALE machine, laptops, desktops, mobile devices, etc… The network itself is broken into several VLANs and sub-networks (some of which are isolated). I also have plans to add an Apache server in the future. The point is that my network is not a typical home network, and open ports are a reality.

Hmm, I think now we are getting to the interesting part.

Well, that's getting off topic (in terms of the Manjaro forum). You should probably consider a distro with a more server-focused approach (SUSE, CentOS or RHEL, etc.). More minimalist. Manjaro is imo perfect for the normal home user and gamer, but in this case, maybe not so much.

I respect that for many reasons, but always remember: security through obscurity is the worst idea. If somebody gets access, he will probably know your topology.

I see this point and hope they are configured correctly, so nothing comes even close to your clients.

See above

If executed correctly: good planning.

Public?
Wouldn't hosting it somewhere else make more sense?
Just speaking about power bills, hardware replacement AND security.

If open ports on your client are the case, you probably should either think about a more server-focused OS or restructure your network (hard to choose between the two with my current knowledge of your infrastructure).

Edit: What's your experience level with Linux in general and server infrastructure?

Yes, and the majority of my systems run Fedora; however, this particular machine wouldn't for some reason. Thus it has Manjaro. Thus the point of my question.

Yes, which is why I configure my network and hardware with security in mind.

They are.

Yes. I don't care about power bills, but I do care about ensuring I have full control of my server(s) and its security (both physical and digital).

Expert. Been there done that.

I think really hardening Manjaro is pretty hard for such an environment, since it follows the KISS principle, which, for the normal user, is the opposite of a minimalist approach. Thought about pure Arch and going with that minimalist philosophy?
Since it's what Manjaro is based on, it should work flawlessly.

That's half the work for a secure system overall, so good work.

Well, that's a new one for me, but I don't know how datacenters are managed in your location, so I see where this opinion possibly comes from.

So, if everything I wrote is accounted for, I don't know what else to add, even if I still don't agree with your opinion about VPNs hosted by anyone other than yourself.

Anyone in this thread who thinks a VPN is unnecessary in most regular circumstances might want to read up on the "TrustPID" project by EU telco carriers and ask themselves if that changes their opinion in such circumstances.

In any case: I recommend reviewing web-browser usage. I use different browsers, but mainly Firefox, which has (thankfully) regained ground on security features: I use a couple of different profiles with it, for example one for accessing regular go-to sites and another with a locked-down browser footprint for free surfing (e.g. https://wiki.archlinux.org/title/Firefox/Privacy#Hardened_user.js_templates). Another feature that has gotten very mature is the Firefox container extension, which makes a "poor & lazy Qubes container" possible for browsing. It comes in handy if you use some social media sites intensively and want to separate that activity from others, or your banking login from the rest. After I set up a browser, I check its footprint with a tool (e.g. from the EFF).


< irony > Well then, what’s the point of asking if you know everything already? < /irony >

As I read from your descriptions:

  • Your network is protected by an OPNsense firewall, so nobody from the outside should come in except via the ports you have opened deliberately.
  • I assume that any open port is routed to a specific server, so the traffic you WANT to come in is handled by a dedicated server?
  • I guess that every server is protected with fail2ban, CrowdSec or similar to prevent brute-forcing in?
  • I assume that you set up strong and complicated passwords for every machine and/or public-key authentication and/or 2FA?
  • Probably you also disabled SSH login for root on every machine on your network?
  • And most likely you made sure that each machine on your network has only the services enabled that are necessary to perform the task it is dedicated to, so no unnecessary port is open?

Well then, I guess all you have left to worry about is somebody IN your network planning mischief…

Encrypt all hard drives, additionally encrypt sensitive files separately, look for IoT devices and shut them down, disable Wi-Fi and Bluetooth, don't use wireless keyboards and/or mice.
Use WireGuard for every network connection inside your networks and (obviously) keep all machines updated.

Basically you try to establish a Zero-Trust-Network which is a good goal.
Depending on the scope of your network and how sensitive your data is, you will always find some aspects to fine tune.

You might find some useful tips in the Linux Enterprise Security podcast.

Good luck
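The SSH items in the checklist above (root login disabled, keys instead of passwords), as an added example that is not code from this thread: a POSIX shell audit of an sshd_config file. It assumes the file path as its only argument, applies the OpenSSH defaults for absent keywords, and treats everything after a `Match` line as conditional rather than global.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config file against the
# checklist points above: no root login over SSH, public-key instead of
# password authentication, no empty passwords.
# Usage: audit_sshd_config /etc/ssh/sshd_config
# Prints one line per finding; the exit status is the number of findings.

# First effective value of a keyword. OpenSSH uses the FIRST uncommented
# occurrence, keywords are case-insensitive, and anything after a "Match"
# line only applies conditionally, so we stop there. Include directives
# are not followed; audit included files separately.
ssh_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                   # comment line
        NF == 0 { next }                            # blank line
        tolower($1) == "match" { exit }             # conditional section starts
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

audit_sshd_config() {
    cfg=$1
    findings=0
    # Absent keyword => OpenSSH default applies (PermitRootLogin has defaulted
    # to prohibit-password since OpenSSH 7.0; the others are long-standing).
    root=$(ssh_opt "$cfg" PermitRootLogin);        root=${root:-prohibit-password}
    pass=$(ssh_opt "$cfg" PasswordAuthentication); pass=${pass:-yes}
    empty=$(ssh_opt "$cfg" PermitEmptyPasswords);  empty=${empty:-no}
    pubkey=$(ssh_opt "$cfg" PubkeyAuthentication); pubkey=${pubkey:-yes}

    [ "$root" = "no" ]    || { echo "FINDING: PermitRootLogin=$root (want no)"; findings=$((findings+1)); }
    [ "$pass" = "no" ]    || { echo "FINDING: PasswordAuthentication=$pass (want no, use keys)"; findings=$((findings+1)); }
    [ "$empty" = "no" ]   || { echo "FINDING: PermitEmptyPasswords=$empty (want no)"; findings=$((findings+1)); }
    [ "$pubkey" = "yes" ] || { echo "FINDING: PubkeyAuthentication=$pubkey (want yes)"; findings=$((findings+1)); }
    return "$findings"
}
```

Run it against every host's config after a change; a non-zero exit status is the signal to fix before the machine is reachable again.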