There's no need for a firewall at all (in fact it's probably the worst
idea).
Just set a root password (you're probably a win user, the command is simply
"passwd") and it'll be fine.
In addition to that, a separate encrypted partition for /root (or /home
Imho it's not needed to encrypt the whole system.
Would be the better choice to have some crypto-containers for the files that
really need to be secured (phonebook, messages, important documents). We had
some discussion in IRC a while ago and my idea would be to have that
containers and a daemon in background who handles encryption/decryption,
asks for passwords if needed and makes sure that applications who want
access to a encrypted container get it (e.g. dialer wants to look up a
number in the phonebook).
This way the containers can stay decrypted while the phone is on and access
is granted dynamically (as needed).
Yeah, it's a little much effort, but there is no security without it.
If you'd encrypt the whole rootfs you'd have it decrypted the whole time the
phone is on (otherwise nothing would work), what means, the security is
gone.
Well, that's only a part of a possible security framework, but this are only
some thoughts.
> In addition to that, I'd say all linux security administration best
It's a standard linux system with a lightweight, but still standard, packet
management, so that's how it already is handeled (well, without the
automatic, but I don't like automatic updating anyway).
After the basic security is in good shape, one could move on to fun
Possibly to be implemented in a (modular) "security-daemon", as mentioned
before.
Hello, I've only had my freerunner for a week or so, so I'm not too into the security aspects yet. One thing I did notice was of course passwordless
root login. Now over usb this can be acceptable, but if this is possible over wifi (I haven't actually tested), it needs the firewall / make it listen only to the usb.
There's no need for a firewall at all (in fact it's probably the worst idea).
Just set a root password (you're probably a win user, the command is simply "passwd") and it'll be fine.
In addition to that, a separate encrypted partition for /root (or /home if the account will changed to a non-privileged user) could be nice, but
maybe too heavy and battery draining?
Imho it's not needed to encrypt the whole system.
Would be the better choice to have some crypto-containers for the files that really need to be secured (phonebook, messages, important documents). We had some discussion in IRC a while ago and my idea would be to have that containers and a daemon in background who handles encryption/decryption, asks for passwords if needed and makes sure that applications who want access to a encrypted container get it (e.g. dialer wants to look up a number in the phonebook).
This way the containers can stay decrypted while the phone is on and access is granted dynamically (as needed).
Yeah, it's a little much effort, but there is no security without it.
If you'd encrypt the whole rootfs you'd have it decrypted the whole time the phone is on (otherwise nothing would work), what means, the security is gone.
Well, that's only a part of a possible security framework, but this are only some thoughts.
In addition to that, I'd say all linux security administration best practices should be at least considered, including automatic security
updates.
It's a standard linux system with a lightweight, but still standard, packet management, so that's how it already is handeled (well, without the automatic, but I don't like automatic updating anyway).
After the basic security is in good shape, one could move on to fun things like phone lock/unlock/shutdown with an sms, personal data
backups / remote removal... the possibilities! :)
Possibly to be implemented in a (modular) "security-daemon", as mentioned before.
