How to configure Kali Linux in terms of security and anonymity
Greetings to the Hackers!
Since you asked me to post about Kali Linux, and since you didn't like my posts about Virology Programming and SI, okay:
I decided to write a small article for those who have just decided to master Kali Linux.
I will not describe specific tools, their purpose or their use. Instead I will explain how to configure the system safely in terms of security and anonymity, which is very relevant right now, so that the poor unfortunate newcomer does not have to scour the forum search and Google for answers. To that end I have collected the material I accumulated in one place.
Healthy criticism and additions are welcome.
All the manipulations described in the article were performed on 64-bit Kali with the GNOME 3 desktop environment.
I cannot vouch for them working on a different architecture or desktop environment. Do everything at your own risk!
First, find out whether your system is 32- or 64-bit (this checks the CPU's long-mode flag in /proc/cpuinfo):
The code:
grep -qP '^flags\s*:.*\blm\b' /proc/cpuinfo && echo 64-bit || echo 32-bit
We write the downloaded image to a USB flash drive of at least 4 GB using the utility
We will install Kali Linux on a fully encrypted file system.
I won't go into the benefits of this kind of installation here.
After the first login, disable swap through Menu-Utilities-Disks. This is the fastest way:
There is no need to use my instructions for rewriting swap from that other topic.
Those are for a system that is already in use; on a freshly installed one, the above is enough!
Whether swap is disabled can be checked in the System Monitor:
Check that the repositories in /etc/apt/sources.list have the form:
The code:
deb http://http.kali.org/kali kali-rolling main contrib non-free
deb-src http://http.kali.org/kali kali-rolling main contrib non-free
We make sure that each time you connect to a network, the MAC address is changed to a random one.
(Thanks @z3RoTooL for the great tip on my article)
To do this, change the contents of the /etc/NetworkManager/NetworkManager.conf file to the following (both cloned-mac-address keys belong in a single [connection] section):
The code:
[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=false

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
Now configure SSH correctly and safely, because you won't get anywhere without it. The commands below move the host keys that every Kali image ships with out of the way and generate fresh ones:
The code:
update-rc.d -f ssh remove
update-rc.d -f ssh defaults
cd /etc/ssh/
# keep the stock keys aside instead of deleting them
mkdir insecure_original_default_kali_keys
mv ssh_host_* insecure_original_default_kali_keys/
# regenerates the host keys now that the old ones are gone
dpkg-reconfigure openssh-server
In the configuration file /etc/ssh/sshd_config, change:
The code:
Port 22
PermitRootLogin without-password
to:
The code:
Port 2282
PermitRootLogin no
Port 22 is changed to any non-standard port (in our case 2282) to keep automated brute-force scanners away from it; this only reduces the noise, it does not replace strong authentication.
PermitRootLogin no forbids other machines from logging in as root on our machine.
Perhaps in the future you will get your own VPS. In that case I advise connecting to it not with a password but with a key, since it is safer:
The code:
ssh-keygen -t rsa
Press Enter a few times (pressing Enter at the passphrase prompt leaves the private key unprotected on disk; a passphrase is recommended). Then put the generated public key /root/.ssh/id_rsa.pub on your server; ssh-copy-id does this for you.
I also do not advise adding the ssh service to startup; start and stop it by hand with:
The code:
service ssh start
service ssh stop
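An added check (my own example, not a command from the original article) that audits an sshd_config the way sshd reads it: comment lines are skipped, keywords are case-insensitive, and the first occurrence of a keyword wins. It goes one step beyond the article by also checking PasswordAuthentication, since key-based login is what the article recommends for a VPS. The sample config is constructed.

```shell
# Constructed sample sshd_config for the audit below (not a file from the
# article). sshd ignores comment lines and keyword case and uses the first
# occurrence of a keyword, so the later "PermitRootLogin yes" has no effect.
SAMPLE_SSHD_CONFIG='# hardened per the article
#Port 22
Port 2282
permitrootlogin no
PasswordAuthentication no
PermitRootLogin yes
'

# sshd_effective CONFIG_TEXT KEYWORD
# Prints the value sshd would apply for KEYWORD (first non-comment match,
# keyword compared case-insensitively), or nothing if it is not set.
sshd_effective() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == key { print $2; exit }'
}

# audit_sshd CONFIG_TEXT
# Prints one FAIL line per weak setting; returns 0 only when all checks pass.
audit_sshd() {
  rc=0
  port=$(sshd_effective "$1" Port)
  [ -n "$port" ] || port=22        # sshd's default when Port is absent
  if [ "$port" = 22 ]; then
    echo "FAIL: Port is the default 22"; rc=1
  fi
  if [ "$(sshd_effective "$1" PermitRootLogin)" != no ]; then
    echo "FAIL: PermitRootLogin is not 'no'"; rc=1
  fi
  # absent means sshd's default "yes"; with key-based login it should be off
  if [ "$(sshd_effective "$1" PasswordAuthentication)" != no ]; then
    echo "FAIL: PasswordAuthentication is not 'no'"; rc=1
  fi
  return $rc
}
```

To audit the real file, pass its contents: audit_sshd "$(cat /etc/ssh/sshd_config)".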
Now an important point in the article. Let's set up a self-destruct password for the LUKS header of the encrypted disk.
In fact, without the header's key slots the disk turns into just a brick. There is an excellent forum article on this topic.
Let me reduce the process to a minimum (luksAddNuke is a Kali-specific patch to cryptsetup, not an upstream command):
The code:
cryptsetup luksAddNuke /dev/sda5
Enter any existing passphrase: <your encryption phrase>
Enter new passphrase for key slot: <self-destruct password>
Verify passphrase: <repeat the self-destruct password>
cryptsetup luksHeaderBackup --header-backup-file luksheader.back /dev/sda5
file luksheader.back
openssl enc -aes-256-cbc -salt -in luksheader.back -out luksheader.back.enc
enter aes-256-cbc encryption password: <password for the encrypted header>
Verifying - enter aes-256-cbc encryption password: <repeat the password for the encrypted header>
ls -lh luksheader.back*
file luksheader.back*
The files luksheader.back and luksheader.back.enc are stored on a microSD card encrypted with LUKS
(this can be done via Menu-Utilities-Disks) and kept somewhere outside the house.
Some kind of nest in the forest is ideal. Keep in mind that restoring the backup also restores every passphrase that was valid when it was made, so redo the backup after any passphrase change and treat the card as sensitively as the disk itself.
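An added example (not the article's own commands) for the header backup step: it checks that the file starts with the LUKS magic bytes, which is what the article's `file luksheader.back` call is looking for, encrypts it the way the article does but with PBKDF2 key derivation (openssl enc without -pbkdf2 derives the key from a single MD5 round), and verifies that the encrypted copy decrypts back to an identical file before the plain copy is wiped. The file and passphrase-file paths are the caller's.

```shell
# looks_like_luks_header FILE
# Every LUKS header (v1 and v2) begins with the 4-byte magic "LUKS".
looks_like_luks_header() {
  [ "$(head -c 4 "$1" 2>/dev/null)" = "LUKS" ]
}

# encrypt_header_backup PLAIN ENC PASSFILE
# AES-256-CBC as in the article, plus PBKDF2 with 200000 iterations so the
# passphrase is not turned into the key by one MD5 round. PASSFILE holds the
# passphrase on its first line.
encrypt_header_backup() {
  looks_like_luks_header "$1" || { echo "not a LUKS header: $1" >&2; return 1; }
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -pass "file:$3" -in "$1" -out "$2"
}

# verify_header_backup ENC PASSFILE PLAIN
# Decrypts to a temp file and compares byte-for-byte with the plain backup;
# a backup that cannot be restored is worthless on the day it is needed.
verify_header_backup() {
  tmp=$(mktemp) || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass "file:$2" -in "$1" -out "$tmp" 2>/dev/null && cmp -s "$tmp" "$3"
  status=$?
  rm -f "$tmp"
  return $status
}
```

Run encrypt_header_backup and then verify_header_backup on the same files before the unencrypted luksheader.back is deleted with secure-delete.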
Now it’s time for us to update the system:
The code:
apt-get update && apt-get dist-upgrade
It will probably also prompt you to, so remove packages that are no longer needed:
The code:
apt autoremove
If you want to receive updates over HTTPS in the future, run:
The code:
apt install apt-transport-https
Check that the repositories in /etc/apt/sources.list have the form:
The code:
deb https://http.kali.org/kali kali-rolling main non-free contrib
deb-src https://http.kali.org/kali kali-rolling main non-free contrib
And again, update the system:
The code:
apt-get update && apt-get dist-upgrade
Software. Why these? Here is what each tool is needed for:
The code:
apt-get install mat steghide network-manager-openvpn-gnome secure-delete keepassx pidgin pidgin-otr etherape irssi tor lighttpd virtualbox
I also think it is worth installing and configuring a few more things:
Bluetooth. It does not work properly out of the box, so we use the setup manual.
RAM wiping. Clears a core dump on reboot.
VPN. I wrote an article with an example using the riseup service, but the command also works with another provider:
The code:
openvpn --client --dev tun --config YOUR_CONFIGURATION.ovpn --proto tcp
Already bought an ALFA Wi-Fi adapter, or still thinking about it? Then write the script /bin/wlan1 with the following contents:
The code:
#!/bin/sh
# the interface must be down before its MAC can be changed
ifconfig wlan1 down
macchanger -r wlan1
# regulatory domain and transmit power
iw reg set BZ
iwconfig wlan1 txpower 30
ifconfig wlan1 up
echo "MAC updated..."
exit 0
and make it executable:
The code:
chmod +x /bin/wlan1
Now, when the ALFA is plugged in and wlan1 is entered in the terminal, not only will the MAC change, but the transmit power will also be raised.
Perhaps you need the Tor Browser?
Don't forget to add the following line to the very bottom of path_to/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc:
The code:
ExcludeNodes {ru},{ua},{by}
This will exclude connections through those dysfunctional nodes. If the provider blocks access:
That's all. Of course I could go on forever, but this is for beginners.
Thank you all for your attention.
Subscribe: https://vk.com/academy_hacker
https://anonymoushackers.org/user/hackers-academy