How to configure Kali Linux in terms of security and anonymity

    Greetings to the Hackers!

    Since you asked me to post about Kali Linux, and you didn't like my posts about virology programming and SI,

    I decided to write a small article for those who have just decided to master Kali Linux.

    I will not describe specific tools, their purpose or their use. I will explain how to configure the system safely in terms of security and anonymity, which is very relevant right now, so that the poor unfortunate newcomer does not have to scour the forum search and Google for answers. For that I have collected the accumulated material in one place.
    Healthy criticism and additions are welcome.

    All the manipulations described in this article were performed on 64-bit Kali with the GNOME 3 desktop environment.

    On a different architecture or desktop environment I cannot vouch for them. Do everything at your own risk!

    First, find out whether your CPU can run a 64-bit system (the lm flag in /proc/cpuinfo). Note that this tells you what the hardware supports, not what is installed; the architecture of the running system is what `uname -m` reports:

    The code:

    grep -qP '^flags\s*:.*\blm\b' /proc/cpuinfo && echo 64-bit || echo 32-bit

    Write the image to a USB flash drive of at least 4 GB using the utility.

    We will install Kali Linux on a fully encrypted file system (the installer's encrypted LVM option, which puts root and swap inside one LUKS container).

    I won't go into the charms of this particular installation.

    After the first login, disable swap through Menu > Utilities > Disks. This is the fastest way.

    There is no need to use my swap-rewriting instructions from that other topic: those are for a system that has already been in use, while on a freshly installed one the above is enough.
    Whether swap is disabled can be seen in System Monitor; the `swapon` command, run with no arguments, lists active swap and prints nothing when there is none.

    Check that the repositories in /etc/apt/sources.list point at the official kali-rolling mirror and have the form:

    The code:

    deb http://http.kali.org/kali kali-rolling main contrib non-free

    deb-src http://http.kali.org/kali kali-rolling main contrib non-free

    Make sure that the MAC address changes to a random one every time you connect to the network.
    (Thanks @z3RoTooL for the great tip in my article)
    To do this, change /etc/NetworkManager/NetworkManager.conf so that it contains the following. The bracketed section names matter: the cloned-mac-address keys belong under [connection] and need NetworkManager 1.4 or newer. Restart NetworkManager afterwards.

    The code:

    [main]
    plugins=ifupdown,keyfile

    [ifupdown]
    managed=false

    [connection]
    wifi.cloned-mac-address=random
    ethernet.cloned-mac-address=random

    After reconnecting, `macchanger -s wlan0` prints the current MAC next to the permanent one, so you can confirm that they differ.

    Now configure SSH properly and safely, because you cannot do without it. The host keys that came with a pre-built image are shared with everyone else who downloaded it, so move them aside and let the package generate fresh ones. The two update-rc.d lines reset the service's boot links and enable it at startup; if you follow the advice further down and start ssh by hand instead, leave the "defaults" line out (on a systemd system the equivalents are systemctl enable ssh and systemctl disable ssh):

    The code:

    update-rc.d -f ssh remove
    update-rc.d -f ssh defaults
    cd /etc/ssh/
    mkdir insecure_original_default_kali_keys
    mv ssh_host_* insecure_original_default_kali_keys/
    dpkg-reconfigure openssh-server

    In the configuration file /etc/ssh/sshd_config, change:

    The code:

    Port 22

    PermitRootLogin without-password

    to:

    The code:

    Port 2282
    PermitRootLogin no

    Port 22 is changed to any non-standard port (2282 in our case). Be clear about what this buys: it cuts the noise from automated scanners, but anyone who targets you finds the port in seconds, so by itself it is not protection against brute force. What actually stops password guessing is turning password authentication off (PasswordAuthentication no) and logging in with keys, as described next.
    PermitRootLogin no prevents other machines from logging in as root on our machine. Caveat: Kali releases before 2020.1 log you in as root and have no other account, so with this setting nobody can SSH in at all until you create an unprivileged user. (On current OpenSSH the stock value is spelled prohibit-password, which already refuses root password logins but still allows root with a key.) Remember that sshd takes the first value it sees for a keyword, so a duplicate directive lower in the file is silently ignored; `sshd -T` prints the effective settings.
    Perhaps in the future you will get a VPS of your own. Connect to it not with a password but with a key, which is safer:

    The code:

    ssh-keygen -t rsa -b 4096           # or -t ed25519; set a passphrase when prompted
    ssh-copy-id -p 2282 user@your-vps   # installs the public half into ~/.ssh/authorized_keys

    Do not just hit Enter a few times at the passphrase prompt: an unencrypted private key on a stolen laptop is a key for the thief. The pair lands in /root/.ssh/; only the public half (id_rsa.pub) goes onto the server, which ssh-copy-id does for you (user@your-vps is a placeholder). Once key login works, set PasswordAuthentication no on the server.
    I also do not advise adding the ssh service to startup; start and stop it by hand instead (on a systemd system, systemctl start ssh and systemctl stop ssh do the same):

    The code:

    service ssh start
    service ssh stop
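    As an added example (mine, not from the post), here is a small shell audit that reads an sshd_config the way sshd does, first value of a keyword wins and everything after a Match line is conditional, and reports whether the settings discussed above are in place. The two sample configs inside it are constructed for the demo, and the PasswordAuthentication check is my addition to the post's two settings.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings discussed above. sshd uses the FIRST value it reads for a keyword,
# and anything after a "Match" line only applies conditionally, so the parser
# stops at the first Match. The sample configs below are constructed.

# sshd_opt FILE KEYWORD: print the effective value of KEYWORD in lower case,
# or nothing if it is not set in the global section.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        tolower($1) == "match" { exit }         # conditional section starts
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: print one finding per line; return 0 only if nothing FAILs.
# Absent keywords fall back to the OpenSSH defaults (Port 22,
# PermitRootLogin prohibit-password, PasswordAuthentication yes).
audit_sshd() {
    f="$1"; fails=0
    port=$(sshd_opt "$f" Port);                   [ -n "$port" ] || port=22
    root=$(sshd_opt "$f" PermitRootLogin);        [ -n "$root" ] || root=prohibit-password
    pass=$(sshd_opt "$f" PasswordAuthentication); [ -n "$pass" ] || pass=yes
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$root', want 'no'"; fails=$((fails + 1))
    fi
    if [ "$pass" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pass', want 'no' (keys only)"; fails=$((fails + 1))
    fi
    if [ "$port" = "22" ]; then
        echo "NOTE: Port 22; moving it only reduces scanner noise, it is not a control"
    fi
    [ "$fails" -eq 0 ]
}

# Stand-alone demo on two constructed configs.
demo_dir=$(mktemp -d)
cat > "$demo_dir/stock" <<'EOF'
# what the post tells you to change
Port 22
PermitRootLogin without-password
EOF
cat > "$demo_dir/hardened" <<'EOF'
Port 2282
PermitRootLogin no
PasswordAuthentication no
# the Match block below is conditional and does not weaken the global setting
Match User backup
    PasswordAuthentication yes
EOF
echo "== stock ==";    audit_sshd "$demo_dir/stock"    || echo "result: not hardened"
echo "== hardened =="; audit_sshd "$demo_dir/hardened" && echo "result: hardened"
rm -rf "$demo_dir"
```

    Run it against /etc/ssh/sshd_config after editing; the Match handling is why a "PasswordAuthentication yes" that you only meant for one user does not show up as a global weakness, and why a second Port or PermitRootLogin line further down the file is ignored, exactly as sshd itself ignores it.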

    Now the important part of the article. Let's set up a self-destruct passphrase for the encrypted disk's LUKS header.
    Without the header's key slots the disk is just a brick. The luksAddNuke action is a Kali-specific patch to cryptsetup: entering the nuke passphrase at the boot prompt wipes every key slot, and after that only a header backup can bring the data back. There is an excellent forum article on this topic.
    Let me reduce the process to a minimum (/dev/sda5 is the encrypted partition on my install; check yours with lsblk):

    The code:

    cryptsetup luksAddNuke /dev/sda5
    Enter any existing passphrase: your encryption phrase
    Enter new passphrase for key slot: self-destruct password
    Verify passphrase: repeat the self-destruct password

    cryptsetup luksHeaderBackup --header-backup-file luksheader.back /dev/sda5

    file luksheader.back

    openssl enc -aes-256-cbc -salt -in luksheader.back -out luksheader.back.enc
    enter aes-256-cbc encryption password: password for the encrypted header
    Verifying - enter aes-256-cbc encryption password: repeat the password for the encrypted header

    ls -lh luksheader.back*

    file luksheader.back*

    The two `file` calls are the sanity check: the backup should be reported as a LUKS encrypted file and the .enc copy as openssl enc'd data with salted password. One caveat on the openssl step: in this form the password is stretched with a single hash iteration, so a weak password is cheap to guess offline; newer OpenSSL accepts -pbkdf2 -iter to fix that, and the same options must then be given when decrypting.

    Store luksheader.back and luksheader.back.enc on a microSD card that is itself LUKS-encrypted (Menu > Utilities > Disks can do that), somewhere outside the house.
    Some kind of nest in the forest is ideal. Treat the backup as carefully as the passphrase: anyone who has it and a valid passphrase can restore it with cryptsetup luksHeaderRestore and undo the nuke, and the unencrypted luksheader.back is exactly what an offline passphrase-guessing attack needs.
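    Added example (mine, not from the post): the header backup is what undoes the nuke, so two things the steps above skip are worth automating, a proper password KDF for the openssl step and a proof that the encrypted copy decrypts back to the same bytes before you bury it. The functions take file paths; the stand-alone demo feeds them a constructed dummy header and passphrase instead of a real luksHeaderBackup output, and the device path /dev/sda5 in the comments is the post's, not necessarily yours.

```shell
#!/bin/sh
# Added example, not from the original post. Encrypt the LUKS header backup
# with PBKDF2 key derivation and verify that it decrypts back to the exact
# bytes before the backup is relied on. The demo uses a constructed dummy
# header; in real use the input is the file written by
#   cryptsetup luksHeaderBackup --header-backup-file luksheader.back /dev/sda5
# and the decrypted copy is restored with cryptsetup luksHeaderRestore.

KDF_OPTS="-aes-256-cbc -salt -pbkdf2 -iter 600000 -md sha256"

# encrypt_header IN OUT PASSFILE
# The post's plain "-salt" form derives the key with a single hash iteration;
# -pbkdf2 -iter makes each offline password guess 600000 times more expensive.
encrypt_header() {
    # shellcheck disable=SC2086
    openssl enc $KDF_OPTS -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_header IN OUT PASSFILE (must use the same KDF options as encryption)
decrypt_header() {
    # shellcheck disable=SC2086
    openssl enc -d $KDF_OPTS -in "$1" -out "$2" -pass "file:$3"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_roundtrip ENC PASSFILE EXPECTED_SHA256: decrypt to a temp file and
# compare hashes. A wrong password usually fails the CBC padding check (openssl
# exits non-zero), but roughly 1 time in 256 it "succeeds" and writes garbage,
# which only the hash comparison catches.
verify_roundtrip() {
    tmp=$(mktemp)
    ok=1
    if decrypt_header "$1" "$tmp" "$2" 2>/dev/null && [ "$(sha256_of "$tmp")" = "$3" ]; then
        ok=0
    fi
    rm -f "$tmp"
    return "$ok"
}

# Stand-alone demo with constructed inputs.
demo() {
    d=$(mktemp -d)
    head -c 4096 /dev/urandom > "$d/luksheader.back"    # stands in for the real header
    printf 'correct horse battery staple' > "$d/pass"    # constructed passphrase
    printf 'not the passphrase' > "$d/wrong"
    sum=$(sha256_of "$d/luksheader.back")
    encrypt_header "$d/luksheader.back" "$d/luksheader.back.enc" "$d/pass"
    verify_roundtrip "$d/luksheader.back.enc" "$d/pass"  "$sum" && echo "backup verified: decrypts to the original bytes"
    verify_roundtrip "$d/luksheader.back.enc" "$d/wrong" "$sum" || echo "wrong passphrase rejected"
    rm -rf "$d"
}
demo
```

    Keep the SHA-256 of the plaintext header with the encrypted copy (it reveals nothing useful to an attacker), then verify_roundtrip can be re-run on the microSD card months later to confirm the backup is still intact before you ever need luksHeaderRestore.
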
    Now it’s time for us to update the system:

    The code:

    apt-get update && apt-get dist-upgrade

    apt will most likely also suggest removing packages that are no longer needed, so we do that too:

    The code:

    apt autoremove

    If in the future we want to receive updates over https, install the transport (on apt 1.5 and newer https support is built in and this package is only a transitional stub, so the step is harmless either way):

    The code:

    apt install apt-transport-https

    Then change the repositories in /etc/apt/sources.list to the https form:

    The code:

    deb https://http.kali.org/kali kali-rolling main non-free contrib

    deb-src https://http.kali.org/kali kali-rolling main non-free contrib

    Be clear about what this buys: apt verifies package signatures over plain http as well, so https does not add authenticity; what it hides from the network is which packages you download.

    And again, update the system:

    The code:

    apt-get update && apt-get dist-upgrade

    Software. Why this particular set? Install it, and what each tool is for follows:

    The code:

    apt-get install mat steghide network-manager-openvpn-gnome secure-delete keepassx pidgin pidgin-otr etherape irssi tor lighttpd virtualbox

    mat strips identifying metadata from documents and images (in current Kali the package is mat2); steghide hides data inside image and audio files; network-manager-openvpn-gnome adds OpenVPN connections to the NetworkManager applet; secure-delete provides srm, sfill, sswap and sdmem for overwriting files, free space, swap and RAM; keepassx is a password manager (now keepassxc); pidgin with pidgin-otr gives OTR-encrypted instant messaging; etherape shows network traffic graphically; irssi is a terminal IRC client; tor is the Tor daemon; lighttpd is a small web server; virtualbox runs virtual machines.

    I also think it is worth installing and configuring a few more things:
    Bluetooth does not work properly out of the box, so use the setup manual.
    RAM wiping, so that nothing recoverable is left in memory on reboot (sdmem from secure-delete is the tool for this).
    VPN: I wrote an article with an example on the riseup service, but the command also works with another provider:

    The code:

    openvpn --client --dev tun --config YOUR_CONFIGURATION.ovpn --proto tcp

    Most .ovpn files already contain the client, dev and proto directives, so openvpn --config YOUR_CONFIGURATION.ovpn on its own is usually enough.

    Already bought an ALFA Wi-Fi adapter, or still thinking about it? Then write the script /bin/wlan1 with the following contents (the adapter is assumed to show up as wlan1; check with iw dev. A better home for your own scripts is /usr/local/bin, which the package manager never touches):

    The code:

    #!/bin/sh
    # Randomise the MAC of the external adapter and raise its transmit power.
    set -e
    IFACE=wlan1
    ip link set "$IFACE" down                 # the interface must be down to change the MAC
    macchanger -r "$IFACE"
    iw reg set BZ                             # regulatory domain with a 30 dBm limit; see the caveat below
    iw dev "$IFACE" set txpower fixed 3000    # in mBm, i.e. 30 dBm (the iwconfig form is "txpower 30")
    ip link set "$IFACE" up
    echo "MAC updated ..."
    exit 0

    and make it executable:

    The code:

    chmod +x /bin/wlan1

    Now, when the ALFA is connected and you type wlan1 in a terminal, the MAC changes and the transmit power goes up. Two caveats. iw reg set BZ tells the kernel you are in Belize to unlock 30 dBm; transmitting above your own country's limit is illegal in many places, and the driver and regulatory database still have the final say on whether the power actually changes. And if NetworkManager brings the interface up afterwards, its own cloned-mac-address setting wins, which with the random setting from above is fine.
    Perhaps you need the Tor Browser? Then don't forget to add this line at the very bottom of path_to/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc:

    The code:

    ExcludeNodes {ru},{ua},{by}

    This keeps your circuits away from relays in those countries. Two caveats: it is a preference, not a guarantee, since without StrictNodes 1 Tor may still use an excluded relay when it has no other choice; and any node restriction makes your circuits look different from everyone else's, which is a trade-off against anonymity. If the provider blocks access:
    That's all. Of course I could go on forever, but this is for beginners.

    Thank you all for your attention.
