MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
July 29, 2021, 06:45:53 PM Last edit: October 05, 2021, 01:49:58 PM by MagnumOpus3k Merited by Welsh (15), hugeblack (15), ABCbits (13), LoyceV (12), dkbit98 (10), NotATether (10), Husna QA (4)
****Please note: No updates are pushed from the LBX team and any future changes or enhancements will require the user to execute scripts/commands from our FAQ (coming soon) section under their own accord.*****

I initially created this to have a dedicated & secure OS specifically for my crypto. That then grew into helping friends/family do the same as well, and with the recent posts of people getting infected with crypto-jacking trojans, I figured now would be a great time to release.

LockBox (LBX) has been customized/hardened via: establishing a deny-all approach to only allow critical traffic, disabling ports, disabling ping replies, checking for network leaks, and scanning for baseline image vulnerabilities. Furthermore, simplicity is also an issue for some not familiar with Linux, so packages like Eddy are installed by default to help install applications. Currently this image is being secured on hardened PCs and enclosures, hence the name LockBox (LBX).

What's Inside:
- Flathub - Home of hundreds of apps which can be easily installed on any Linux distribution. Browse the apps online, from your app center or the command line.
- Snapcraft - Snaps are containerised software packages that are simple to create and install. They auto-update and are safe to run. And because they bundle their dependencies, they work on all major Linux systems without modification.
- Python 3.6.9 - Python is a programming language that lets you work quickly and integrate systems more effectively. This version is used for BTCRecover.
- Gufw Firewall - GUFW is a graphical utility for managing Uncomplicated Firewall (UFW).
- Opensnitch - GNU/Linux application firewall.
- Borg Backup - The main goal of Borg is to provide an efficient and secure way to back up data. The data deduplication technique used makes Borg suitable for daily backups since only changes are stored. The authenticated encryption technique makes it suitable for backups to not fully trusted targets.
- Vorta Backup - Vorta is a cross-platform open source backup client. It makes managing Borg backups easy and there is no need to run commands in the Terminal.
- Brave Browser - Brave is a free and open-source web browser developed by Brave Software, Inc. based on the Chromium web browser. Brave is a privacy-focused browser, which distinguishes itself from other browsers by automatically blocking online advertisements and website trackers in its default settings.
- LibreWolf - A fork of Firefox, focused on privacy, security and freedom.
- Chromium - Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
- KeePassXC - KeePassXC is a free and open-source password manager. It started as a community fork of KeePassX.
- Eddy - Install, update, uninstall and view information about Debian packages.
- Gnome Feeds - Add your favorite feeds, start reading the latest news. It's that simple.
- btcrecover - btcrecover is an open source Bitcoin wallet password and seed recovery tool. It is designed for the case where you already know most of your password or seed, but need assistance in trying different possible combinations.
- resolvconf - The resolvconf package comprises a simple database for run-time nameserver information and a simple framework for notifying applications of changes in that information. Resolvconf thus sets itself up as the intermediary between programs that supply nameserver information and applications that use that information.

[Screenshots: Home Screen, GUFW, Open Snitch, Application Center, Brave Browser, Chromium, LibreWolf, BTCRecover, KeyPassXC, Vorta for Borg Backup, FlatPak, Snapcraft, Gnome Feeds, Eddy]

For those skeptical and/or testing before deployment, I highly recommend deploying the OVA first on an isolated network (VLAN) w/o an internet connection per best security practices. I'm interested in growing the trust of the community and expanding this beyond its current scope as we progress. Any network leaks or suspicious activity spotted on the baseline image, please post publicly.

Site: https://www.thelbx.io/
Git: https://github.com/StratousLabs/LockBox

Special thanks to: ETFbitcoin, NotATether, dkbit98, ETFbitcoin, DaveF
NotATether
Legendary
Offline
Activity: 1778
Merit: 7372
If you want my advice, here are some things you should add/tweak inside the OS to make it airgapped. Installing software like Chrome, which carries around a huge sandbox that can be broken out of, compromises the security of a hardened distro.
- Bundle the Electrum & Bitcoin Core binaries and preferably OWNR, Atomic wallet and others, either from .tar.gz or snap/apt/AppImage (do this before you take the networking offline).
- Get rid of all the browsers, RSS and Telegram stuff; they can't be used on an airgapped system.
- Install some recovery tools such as pywallet and btcrecover so that people don't need to do that themselves.
- Now edit the systemd networking files at /etc/systemd/network/*.network and set all the ethernet and wireless interfaces to Unmanaged=false, but do not touch the localhost interface or "lo". This will prevent systemd from automatically bringing them online, but you still have to turn them off manually. Now run sudo ip link set <interface> down for all the interfaces you set to unmanaged to disable them and they won't be brought back up on reboot. This effectively airgaps the system and is better than a firewall (although I would set iptables rules to block ALL http(s) and other unnecessary ports if I were you, leaving only the wallet port ranges open).
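The networking part of the procedure above (leave the interfaces to systemd-networkd as unmanaged, take them down, then deny all traffic except the wallet ports), together with the ping-reply and deny-all points from the opening post, as an added example script. This is not code from the thread or from the LockBox project: it assumes interfaces are handled by systemd-networkd, that the interface names and the ports to keep open are supplied by whoever runs it, and that iptables is the firewall in use. It only renders the files unless explicitly told to apply them.

```shell
#!/bin/sh
# Added example, not code from this thread or the LockBox project.
# Renders the pieces of the airgap/deny-all procedure described above as files
# and applies them only when explicitly asked to (LBX_APPLY=1, run as root).
# Assumptions: interfaces are managed by systemd-networkd, the interface names
# and the ports to keep open are supplied by the caller, and iptables is the
# firewall in use.
set -eu

# systemd-networkd unit telling networkd to leave one interface alone.
# systemd.network(5) spells this as "Unmanaged=yes" in the [Link] section.
lbx_network_unit() {
    printf '[Match]\nName=%s\n\n[Link]\nUnmanaged=yes\n' "$1"
}

# Kernel settings: no ping replies, no forwarding, no ICMP redirects.
lbx_sysctl_conf() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
EOF
}

# iptables-restore ruleset: every chain defaults to DROP, loopback and
# already-established flows are allowed, and new outbound connections are
# allowed only for the "proto:port" entries passed in (the wallet ports;
# add udp:53 if the wallet must resolve hostnames). Everything else,
# including plain http(s), is dropped.
lbx_iptables_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
    for spec in $1; do
        proto="${spec%%:*}"
        port="${spec#*:}"
        printf '%s\n' "-A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Apply everything to the live system; a dry run otherwise.
lbx_apply() {
    if [ "${LBX_APPLY:-0}" != "1" ] || [ "$(id -u)" != "0" ]; then
        echo "dry run: set LBX_APPLY=1 and run as root to apply" >&2
        return 0
    fi
    for iface in "$@"; do
        lbx_network_unit "$iface" > "/etc/systemd/network/10-lbx-$iface.network"
        ip link set "$iface" down
    done
    lbx_sysctl_conf > /etc/sysctl.d/90-lbx.conf
    sysctl -p /etc/sysctl.d/90-lbx.conf
    lbx_iptables_rules "${LBX_OPEN_PORTS:-}" | iptables-restore
}

# Example invocation: the interface names are placeholders, and the ports
# come from LBX_OPEN_PORTS (e.g. "tcp:8333"), unset here on purpose.
lbx_apply eth0 wlan0
```

Run it once without LBX_APPLY to review the generated unit, sysctl and rules text, then with `LBX_APPLY=1 LBX_OPEN_PORTS="tcp:<wallet port>"` as root. The OUTPUT chain defaulting to DROP is what makes "block ALL http(s)" hold even for software added later; a box that is meant to stay fully airgapped can simply leave LBX_OPEN_PORTS empty.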
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
July 30, 2021, 02:34:32 AM
Quote from: NotATether
If you want my advice, here are some things you should add/tweak inside the OS to make it airgapped. Installing software like Chrome, which carries around a huge sandbox that can be broken out of, compromises the security of a hardened distro.
- Bundle the Electrum & Bitcoin Core binaries and preferably OWNR, Atomic wallet and others, either from .tar.gz or snap/apt/AppImage (do this before you take the networking offline).
- Get rid of all the browsers, RSS and Telegram stuff; they can't be used on an airgapped system.
- Install some recovery tools such as pywallet and btcrecover so that people don't need to do that themselves.
- Now edit the systemd networking files at /etc/systemd/network/*.network and set all the ethernet and wireless interfaces to Unmanaged=false, but do not touch the localhost interface or "lo". This will prevent systemd from automatically bringing them online, but you still have to turn them off manually. Now run sudo ip link set <interface> down for all the interfaces you set to unmanaged to disable them and they won't be brought back up on reboot. This effectively airgaps the system and is better than a firewall (although I would set iptables rules to block ALL http(s) and other unnecessary ports if I were you, leaving only the wallet port ranges open).

NotATether, thank you for taking a second to provide this beneficial advice. From an airgapped perspective this is certainly excellent advice; however, for an average/new user, ridding the browsers presents an opportunity for the user to install a malicious app unbeknownst to them. Furthermore, striking a balance of usability becomes more of a hurdle for users unfamiliar with Linux. Though the attack surface increases from an application perspective, productivity is not hindered. Bundling of the wallets (though we first considered it) ultimately presents an issue of trust. Pre-loaded wallets in any capacity IMO shouldn't be trusted, so we decided to leave this to the user's discretion. I would also echo the same sentiment for password recovery tools given the sensitive nature surrounding private keys/seed phrases. However, your advice is absolutely sound for users who wish to have tighter control; I'll begin working to script these enhancements for users who wish to harden the OS further. Users can then choose to execute this script per their preference.
NotATether
Legendary
Offline
Activity: 1778
Merit: 7372
July 30, 2021, 06:22:14 AM
Quote from: MagnumOpus3k
However, your advice is absolutely sound for users who wish to have tighter control; I'll begin working to script these enhancements for users who wish to harden the OS further. Users can then choose to execute this script per their preference.

You can always just make a second version (ISO image?) of the OS just for airgapped users and leave the current one intact for newbies to use.
dkbit98
Legendary
Offline
Activity: 2408
Merit: 7561
July 30, 2021, 08:16:47 AM
This is an interesting idea, but I would like to make a few suggestions.
- Add more information on the website, add a download link to GitHub or another open source git website that is not controlled by Microsoft, like a self-hosted Git service or GitLab.
- I would remove the Chrome browser or at least add an alternative de-googled Chromium browser.
- A better alternative to the Firefox browser would be Tor Browser or LibreWolf, which has removed telemetry and better security than Firefox.
- Add a list of software included in the ISO package, and consider adding links for other open source crypto wallets like Electrum or Wasabi.
- For an airgapped solution you can add an OPTIONAL selection to disable all internet connections during installation, and don't install Telegram and similar programs.
- List your Linux OS on distrowatch.com to gain more exposure.
ABCbits
Legendary
Offline
Activity: 3052
Merit: 8074
July 30, 2021, 08:54:43 AM
Although Tails already exists, your distro could fill a different user base. But here are a few suggestions:
1. Publish the source code of your distro, otherwise you would violate Elementary's GPLv3 license (according to https://github.com/elementary/os/blob/master/LICENSE).
2. Remove Google Chrome, it's a privacy nightmare. Brave or Ungoogled Chromium is acceptable if the user wishes to visit a website which doesn't support Firefox.
3. Add Tor Browser.
4. I don't know if Elementary OS already has this feature, but add an option to encrypt the partition during system installation.
5. Add a password manager such as KeePassXC.
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
July 30, 2021, 10:15:55 PM
Quote from: NotATether
    Quote from: MagnumOpus3k
    However, your advice is absolutely sound for users who wish to have tighter control; I'll begin working to script these enhancements for users who wish to harden the OS further. Users can then choose to execute this script per their preference.
You can always just make a second version (ISO image?) of the OS just for airgapped users and leave the current one intact for newbies to use.

I like this. Keeping up with multiple ISOs can be a bit of a pain, however it's certainly worth exploring. Thanks again for the feedback.
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
July 30, 2021, 10:29:42 PM
Quote from: dkbit98
This is an interesting idea, but I would like to make a few suggestions.
- Add more information on the website, add a download link to GitHub or another open source git website that is not controlled by Microsoft, like a self-hosted Git service or GitLab.
- I would remove the Chrome browser or at least add an alternative de-googled Chromium browser.
- A better alternative to the Firefox browser would be Tor Browser or LibreWolf, which has removed telemetry and better security than Firefox.
- Add a list of software included in the ISO package, and consider adding links for other open source crypto wallets like Electrum or Wasabi.
- For an airgapped solution you can add an OPTIONAL selection to disable all internet connections during installation, and don't install Telegram and similar programs.
- List your Linux OS on distrowatch.com to gain more exposure.

Quote from: dkbit98
- Add more information on the website, add a download link to GitHub or another open source git website that is not controlled by Microsoft, like a self-hosted Git service or GitLab.
Agreed, the website is still a work in progress and should have a bit more information uploaded shortly.

Quote from: dkbit98
- I would remove the Chrome browser or at least add an alternative de-googled Chromium browser.
Chrome was added as a convenience factor for those who wish to use it, however privacy concerns are valid. Chrome will be removed and replaced.

Quote from: dkbit98
- A better alternative to the Firefox browser would be Tor Browser or LibreWolf, which has removed telemetry and better security than Firefox.
Copy, will need to do a bit of testing before implementation, however this will be added to the roadmap.

Quote from: dkbit98
- Add a list of software included in the ISO package, and consider adding links for other open source crypto wallets like Electrum or Wasabi.
Yes! A detailed list of included software is currently being generated. Links were actually discussed before rollout, however we voted against it due to phishing concerns. Should the website be compromised via the links we provided, we are somewhat responsible for redirecting the users per the provided links. Still searching for that happy medium.

Quote from: dkbit98
- For an airgapped solution you can add an OPTIONAL selection to disable all internet connections during installation, and don't install Telegram and similar programs.
This has been tested with the current image and users should be able to install the image without a connection. However, software and OS updates (Ubuntu) will need a live connection. Linux has had some pretty brutal vulnerabilities released lately. Telegram was added for convenience, however we'll get this removed on the update. Users will be able to install Telegram and other software via Flatpak should they decide to.

Quote from: dkbit98
- List your Linux OS on distrowatch.com to gain more exposure.
This is excellent advice and something overlooked. Thank you for this!
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
Quote from: ABCbits
Although Tails already exists, your distro could fill a different user base. But here are a few suggestions:
1. Publish the source code of your distro, otherwise you would violate Elementary's GPLv3 license (according to https://github.com/elementary/os/blob/master/LICENSE).
2. Remove Google Chrome, it's a privacy nightmare. Brave or Ungoogled Chromium is acceptable if the user wishes to visit a website which doesn't support Firefox.
3. Add Tor Browser.
4. I don't know if Elementary OS already has this feature, but add an option to encrypt the partition during system installation.
5. Add a password manager such as KeePassXC.

Quote from: ABCbits
1. Publish the source code of your distro, otherwise you would violate Elementary's GPLv3 license (according to https://github.com/elementary/os/blob/master/LICENSE).
Thank you for this. The baseline OS is elementary and all changes/notations have been published to our git. Also it's very important to note that this image was built with CUBIC (Custom Ubuntu ISO Creator), so not directly from source. Should we garner support from the community to keep this project going, we will begin the process of compiling from source.

Quote from: ABCbits
2. Remove Google Chrome, it's a privacy nightmare. Brave or Ungoogled Chromium is acceptable if the user wishes to visit a website which doesn't support Firefox.
I think it's unanimous; we'll get this removed on the next update.

Quote from: ABCbits
3. Add Tor Browser.
Added to the roadmap!

Quote from: ABCbits
4. I don't know if Elementary OS already has this feature, but add an option to encrypt the partition during system installation.
Yep! Before install you will have the option for FDE (Full Disk Encryption) and of course we recommend it.

Quote from: ABCbits
5. Add a password manager such as KeePassXC.
I'm always a little apprehensive of pre-installing anything that deals with the users' passwords or seed phrases, thus a password manager was not installed the first go around. Had a quick chat regarding this today, and a concern is that in the event the machine is compromised, the attackers may have access to everything, possibly including the password manager. Furthermore, another piece of software increases the attack surface of the machine. We're currently ironing this out, but it is certainly being considered. Thanks again for the feedback!
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
July 31, 2021, 09:56:14 PM
Quote:
    Quote from: MagnumOpus3k
        Quote from: ABCbits
        5. Add a password manager such as KeePassXC.
    I'm always a little apprehensive of pre-installing anything that deals with the users' passwords or seed phrases, thus a password manager was not installed the first go around. Had a quick chat regarding this today, and a concern is that in the event the machine is compromised, the attackers may have access to everything, possibly including the password manager. Furthermore, another piece of software increases the attack surface of the machine. We're currently ironing this out, but it is certainly being considered. Thanks again for the feedback!
KeePassXC encrypts the file (which stores the passwords), so even if the machine is compromised, the user needs to open the file before the user's passwords are compromised. Besides, Tails includes KeePassXC, so IMO it should be safe since your distro doesn't aim to be as secure/private as Tails.

Thanks ETF! I was thinking more along the lines of keylogging malware that would compromise the vault, however per your comments you've sparked a new idea. Thanks again for taking a sec to chime in! Greatly appreciated.
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
August 19, 2021, 11:39:20 PM
Update:
Near completion on the updated image. We did hit a minor snag with elementary OS and will be working to remove all trademarks pertaining to their brand. Please see their response below for transparency:
"LBX Team,
elementary OS is open source software, but the elementary brand is considered a trademark of elementary, Inc. While we don’t have official guidance for a software redistribution of elementary OS, we would expect you to comply with the guidelines laid out at elementary.io/brand, especially under the Hardware Distributors section. It’s critical that anyone using something that represents itself as “elementary OS” has the same experience as if they downloaded the OS from the elementary.io website—or that it is rebranded entirely. As our primary funding source is paid downloads of elementary OS, we do not allow redistribution of modified versions under the elementary OS name. Let me know if you have any other questions.
Best,
Cassidy James Blaede
Co-founder & CXO
elementary.io"
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
Nearing completion of the latest image and should have it available shortly. Please see the list of installed applications below:
Git: https://github.com/StratousLabs/LockBox
1. Flathub - Home of hundreds of apps which can be easily installed on any Linux distribution. Browse the apps online, from your app center or the command line.
2. Snapcraft - Snaps are containerised software packages that are simple to create and install. They auto-update and are safe to run. And because they bundle their dependencies, they work on all major Linux systems without modification.
3. Gufw Firewall - GUFW is a graphical utility for managing Uncomplicated Firewall (UFW).
4. Gnome Feeds - Add your favorite feeds, start reading the latest news. It's that simple.
5. Borg Backup - The main goal of Borg is to provide an efficient and secure way to back up data. The data deduplication technique used makes Borg suitable for daily backups since only changes are stored. The authenticated encryption technique makes it suitable for backups to not fully trusted targets.
6. Vorta Backup - Vorta is a cross-platform open source backup client. It makes managing Borg backups easy and there is no need to run commands in the Terminal.
7. Brave Browser - Brave is a free and open-source web browser developed by Brave Software, Inc. based on the Chromium web browser. Brave is a privacy-focused browser, which distinguishes itself from other browsers by automatically blocking online advertisements and website trackers in its default settings.
8. LibreWolf - A fork of Firefox, focused on privacy, security and freedom.
9. Chromium - Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
10. KeePassXC - KeePassXC is a free and open-source password manager. It started as a community fork of KeePassX.
11. Eddy - Install, update, uninstall and view information about Debian packages.
12. Opensnitch - GNU/Linux application firewall.
13. btcrecover - btcrecover is an open source Bitcoin wallet password and seed recovery tool. It is designed for the case where you already know most of your password or seed, but need assistance in trying different possible combinations.
14. GNOME Partition Editor - GParted is a free partition editor for graphically managing your disk partitions.
DaveF
Legendary
Offline
Activity: 3654
Merit: 6664
September 05, 2021, 11:13:10 AM
Quote:
Is it intentional that you include a few applications with similar functionality? A few examples:
1. Flathub/Snapcraft to install additional apps.
2. Gufw Firewall/Opensnitch to manage the firewall.

Gufw is a front end for UFW that just puts on a pretty GUI, but with no additional information. Opensnitch gives you more info and does it a bit differently. It lets you know Firefox is attempting to connect to Facebook, so you can see the page but it will block the connections to FB. Closer to adblock at the PC level. At least that is how I have always used it.
@MagnumOpus3k how about adding an internal DNS resolver that blocks those requests. Something like Pi-Hole.
-Dave
dkbit98
Legendary
Offline
Activity: 2408
Merit: 7561
September 05, 2021, 11:58:35 AM Merited by DaveF (1), ABCbits (1)
Do you have any updates regarding listing LockBox on DistroWatch, because I don't see it listed yet? If you haven't done it so far, you can contact them directly and follow the instructions on the distribution submission page. An interesting thing about the DistroWatch website is that it accepts Bitcoin and Monero donations, along with regular PayPal donations.
DaveF
Legendary
Offline
Activity: 3654
Merit: 6664
September 05, 2021, 01:47:43 PM
Quote:
Pi-Hole has lots of dependencies though.

Does not need to be Pi-Hole, just a local DNS resolver that you can query that will give 127.0.0.1 or whatever for places that you do not want your PC going to. But...... Since 99% of the world runs on BIND it's probably going to be that and its dependencies. Since some pages are going to sit there and wait for a response from the query, you need something internally running a web server and its dependencies. Then, you are going to need a front end to manage it since you need a simple way to add/remove blocks. It's a trip down a very deep rabbit hole. But I still think it would be a nice feature to have, or at least the option to have. You could probably get some app that manages your hosts file that pulls data from the blocklists you want to use and puts them in there, and then some sort of a front end manager for that.
-Dave
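The lighter option Dave ends with, a tool that pulls blocklists into the hosts file, as an added example. This is not code from the thread or from the LockBox project; the blocklist and hosts file it runs on are constructed samples, the `# BEGIN/END lbx-blocklist` markers are an assumed convention, and it writes to /etc/hosts only when explicitly told to. The point worth showing is the validation: a blocklist is untrusted input, so names are checked against a DNS-name pattern, deduplicated, and never allowed to touch localhost, and the managed section is replaced rather than appended so re-running it does not accumulate stale entries.

```shell
#!/bin/sh
# Added example, not code from this thread or the LockBox project: a small
# hosts-file block manager of the kind suggested above. It reads blocklist
# text in the common "0.0.0.0 name", "127.0.0.1 name" and bare-name formats,
# validates and deduplicates the names, and rewrites one marked section of the
# hosts file so the update can be re-run without piling up stale entries.
set -eu

LBX_BEGIN='# BEGIN lbx-blocklist'   # assumed marker convention
LBX_END='# END lbx-blocklist'

# Normalise blocklist text on stdin to one lowercase hostname per line.
# Comments and the address column are dropped, names must look like DNS
# names, and localhost / .local names are never emitted so a hostile list
# cannot redirect the machine's own names.
lbx_parse_blocklist() {
    awk '
        {
            sub(/#.*/, "")
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                h = tolower(f[i])
                if (h == "") continue
                if (h ~ /^[0-9.]+$/ || h ~ /^[0-9a-f:]+$/) continue
                if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) continue
                if (h == "localhost" || h ~ /\.localhost$/ || h ~ /\.local$/) continue
                if (!seen[h]++) print h
            }
        }'
}

# Rebuild a hosts file: keep everything outside the marked section, then
# append a fresh section mapping each blocked name to 0.0.0.0, the address
# most hosts-format blocklists use.
lbx_render_hosts() {
    awk -v b="$LBX_BEGIN" -v e="$LBX_END" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip { print }' "$1"
    printf '%s\n' "$LBX_BEGIN"
    lbx_parse_blocklist < "$2" | sed 's/^/0.0.0.0 /'
    printf '%s\n' "$LBX_END"
}

# Write the result to /etc/hosts only when asked to (LBX_APPLY=1, as root),
# keeping a backup; otherwise print what would be written.
lbx_install_blocklist() {
    if [ "${LBX_APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        cp /etc/hosts /etc/hosts.lbx-backup
        lbx_render_hosts /etc/hosts.lbx-backup "$1" > /etc/hosts
    else
        echo "dry run: set LBX_APPLY=1 and run as root to write /etc/hosts" >&2
        lbx_render_hosts /etc/hosts "$1"
    fi
}

# Constructed sample input (not a real blocklist): a hosts file with a stale
# section, and a list mixing formats, case, a duplicate and two lines that
# try to hijack localhost.
lbx_make_demo() {
    cat > "$1/hosts" <<'EOF'
127.0.0.1 localhost
# BEGIN lbx-blocklist
0.0.0.0 stale.example
# END lbx-blocklist
EOF
    cat > "$1/list.txt" <<'EOF'
# sample list
0.0.0.0 ads.example
127.0.0.1 Tracker.Example   # other address convention
telemetry.example
0.0.0.0 ads.example
::1 localhost
0.0.0.0 evil.localhost
not a host name!
EOF
}

demo="$(mktemp -d)"
lbx_make_demo "$demo"
lbx_render_hosts "$demo/hosts" "$demo/list.txt"
rm -rf "$demo"
```

On the sample, the stale entry disappears, the three valid names come out lowercased and deduplicated, and both localhost lines from the list are rejected, leaving the original `127.0.0.1 localhost` line untouched. The hosts file covers exact names only, which is the usual limitation of this approach compared with a resolver that can block whole zones.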
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
September 05, 2021, 04:16:24 PM
Quote:
Is it intentional that you include a few applications with similar functionality? A few examples:
1. Flathub/Snapcraft to install additional apps.
2. Gufw Firewall/Opensnitch to manage the firewall.

Hey ETF!
1. I would have much preferred to have either/or with Flathub and Snapcraft, however there were simply gaps between application libraries. The Snapcraft application library seems to be more geared towards advanced users, as Flatpak is more so for the typical user. I incorporated both for a happy medium.
2. Gufw Firewall/Opensnitch to manage the firewall. I think DaveF nailed this one. Gufw is extremely limited in the data that it offers. You can add/block ports, log and enable/disable. Opensnitch is the modern-day ZoneAlarm in my opinion. It basically incorporates a zero-trust factor and questions every single connection, and blocks the connection within 15 seconds (default) if not approved by the user. Furthermore, event logs are human-readable, thus making it easier for the average user to make a quick correlation.
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
September 05, 2021, 04:35:30 PM
Quote from: DaveF
    Quote:
    Is it intentional that you include a few applications with similar functionality? A few examples:
    1. Flathub/Snapcraft to install additional apps.
    2. Gufw Firewall/Opensnitch to manage the firewall.
Gufw is a front end for UFW that just puts on a pretty GUI, but with no additional information. Opensnitch gives you more info and does it a bit differently. It lets you know Firefox is attempting to connect to Facebook, so you can see the page but it will block the connections to FB. Closer to adblock at the PC level. At least that is how I have always used it.
@MagnumOpus3k how about adding an internal DNS resolver that blocks those requests. Something like Pi-Hole.
-Dave

Hey Dave! We did look into Pi-hole previously, but the installation of netcat was a red flag for the build. Though it's not being used for nefarious purposes, we do know it can be. Also the idea of opening additional ports wasn't ideal either, as it adds to the attack surface. However, it does appear Opensnitch has integrated blocklists for ads and domains (ad lists may be used).
Link: https://github.com/evilsocket/opensnitch/issues/298
Link2: https://github.com/evilsocket/opensnitch/wiki/block-lists
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
September 05, 2021, 04:38:02 PM
Quote from: dkbit98
Do you have any updates regarding listing LockBox on DistroWatch, because I don't see it listed yet? If you haven't done it so far, you can contact them directly and follow the instructions on the distribution submission page. An interesting thing about the DistroWatch website is that it accepts Bitcoin and Monero donations, along with regular PayPal donations.

Hey DK! Been pretty focused on doing this right, but this is an action item and we look forward to submission! We should have this submitted within the next week or so.
MagnumOpus3k (OP)
Copper Member
Jr. Member
Offline
Activity: 34
Merit: 98
September 05, 2021, 05:20:35 PM
Quote from: DaveF
    Quote:
    Pi-Hole has lots of dependencies though.
Does not need to be Pi-Hole, just a local DNS resolver that you can query that will give 127.0.0.1 or whatever for places that you do not want your PC going to. But...... Since 99% of the world runs on BIND it's probably going to be that and its dependencies. Since some pages are going to sit there and wait for a response from the query, you need something internally running a web server and its dependencies. Then, you are going to need a front end to manage it since you need a simple way to add/remove blocks. It's a trip down a very deep rabbit hole. But I still think it would be a nice feature to have, or at least the option to have. You could probably get some app that manages your hosts file that pulls data from the blocklists you want to use and puts them in there, and then some sort of a front end manager for that.
-Dave

No worries Dave, I think security should always include a solid dialogue and it's a valid point. I'm currently reviewing Technitium DNS Server and will need to perform a bit more research before implementing. I think this may fall along the lines of your request?
Link: https://technitium.com/dns/
DaveF
Legendary
Offline
Activity: 3654
Merit: 6664
September 05, 2021, 05:53:43 PM
Quote from: MagnumOpus3k
No worries Dave, I think security should always include a solid dialogue and it's a valid point. I'm currently reviewing Technitium DNS Server and will need to perform a bit more research before implementing. I think this may fall along the lines of your request?
Link: https://technitium.com/dns/

Looks promising, will have to look into it too. It's amazing how much information you leak using public / your internet provider's DNS. And how many people & places still refuse to use DNS over TLS. Look: a hardware wallet connected to an encrypted PC connected with an actual cable to the SonicWall router. And let's go to Coinbase using the local ISP's DNS lookup. And now we know you have (or are interested in) crypto. And since your local ISP probably is not using DNSSEC, who knows if you are really at Coinbase anyway. Yes, an extreme edge case, but still worth thinking about.
-Dave
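The two gaps Dave points at, lookups sent in the clear to the ISP resolver and answers nobody validates, as an added example of the corresponding host-side mitigation. This is not code from the thread or from the LockBox project: it assumes the box uses systemd-resolved as its stub resolver, uses the resolved.conf(5) keys `DNS=`, `DNSOverTLS=` and `DNSSEC=` (the `address#name` form for `DNS=` needs systemd 246 or newer), and the upstream resolver address is a placeholder to be replaced with one the administrator actually trusts. The check function is the part worth keeping: a resolv.conf that lists any nameserver other than the 127.0.0.53 stub means some programs will bypass the encrypted path, which is exactly the leak being described.

```shell
#!/bin/sh
# Added example, not code from this thread or the LockBox project: pin the
# system resolver to an encrypted, validating upstream with systemd-resolved
# and check that nothing still sends lookups in the clear to the resolver the
# ISP handed out via DHCP.
# Assumptions: systemd-resolved is the stub resolver on the box, the
# resolved.conf(5) keys used here are supported (address#name needs systemd
# 246 or newer), and the upstream below is a placeholder chosen by the admin.
set -eu

# Drop-in for /etc/systemd/resolved.conf.d/. DNSOverTLS=yes is strict mode
# (no plaintext fallback); DNSSEC=yes rejects answers that fail validation
# instead of downgrading.
lbx_resolved_dropin() {
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=yes\nDNSSEC=yes\n' "$1"
}

# Leak check: every nameserver in a resolv.conf should be resolved's stub
# (127.0.0.53). Any other address means programs reading that file will
# query it directly, bypassing TLS and validation. Prints the offenders and
# returns 1 when one is found.
lbx_check_resolv() {
    leaks="$(awk '$1 == "nameserver" && $2 != "127.0.0.53" { print $2 }' "$1")"
    if [ -n "$leaks" ]; then
        printf 'plaintext resolver(s) in %s: %s\n' "$1" "$leaks" >&2
        return 1
    fi
    return 0
}

# Install the drop-in and restart resolved, only when asked (LBX_APPLY=1, root);
# otherwise just show the drop-in that would be written.
lbx_apply_resolved() {
    if [ "${LBX_APPLY:-0}" != "1" ] || [ "$(id -u)" != "0" ]; then
        echo "dry run: set LBX_APPLY=1 and run as root to apply" >&2
        lbx_resolved_dropin "$1"
        return 0
    fi
    mkdir -p /etc/systemd/resolved.conf.d
    lbx_resolved_dropin "$1" > /etc/systemd/resolved.conf.d/90-lbx.conf
    systemctl restart systemd-resolved
    lbx_check_resolv /etc/resolv.conf
}

# Constructed sample resolv.conf files: one correct, one leaking to a DHCP
# resolver (192.0.2.1 is a documentation address, not a real server).
lbx_make_demo() {
    printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$1/resolv-stub.conf"
    printf 'nameserver 127.0.0.53\nnameserver 192.0.2.1\n' > "$1/resolv-leaky.conf"
}

demo="$(mktemp -d)"
lbx_make_demo "$demo"
lbx_apply_resolved '192.0.2.53#dns.example'   # placeholder upstream, replace it
lbx_check_resolv "$demo/resolv-stub.conf"
lbx_check_resolv "$demo/resolv-leaky.conf" || echo "leak found in the sample, as expected" >&2
rm -rf "$demo"
```

After applying, `resolvectl status` should show the chosen upstream with DNS-over-TLS and DNSSEC reported as enabled; the leak check is worth re-running after any network change, since DHCP clients and VPN software are the usual things that rewrite resolv.conf behind resolved's back.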