From f80d5bf5162876e4b09c6b78736a91eb33a312bc Mon Sep 17 00:00:00 2001 From: s3goat <41472927+dimyme@users.noreply.github.com> Date: Sat, 22 Dec 2018 05:17:47 +0100 Subject: [PATCH] nice post thx GONQ --- 6-tricks-part-II..md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 6-tricks-part-II..md diff --git a/6-tricks-part-II..md b/6-tricks-part-II..md new file mode 100644 index 0000000..c80d250 --- /dev/null +++ b/6-tricks-part-II..md 
@@ -0,0 +1,31 @@ +Tips for securing Bitmessage +======================================= + +# Method 1, Firejail + chroot +- create a chroot and put python binaries, shell, firejail and Bitmessage source code in it +- create a low-priveleged user and change the owner of the chroot to that user +- create a firejail profile outside the chroot and one inside the chroot, restricting that user's access +- use the restrictive firejail the mount the chroot, then use the firejail inside the chroot to run Bitmessage + +# Method 2, Firejail +- create a firejail profile for Bitmessagemain.py restricting file access to the keys.dat folder +- copy over the required binaries as if creating a chroot +- add network interface restrictions so Bitmessage can only access the Tor proxy +- create a new user that will only have access to that folder and invoke Bitmessage as that user +- you could even try running Bitmessage as user +- firejail instances can be embedded in parent firejail instances for extra armor + +# Method 3, Docker +- set up a Docker container and run Bitmessage inside it +- Docker allows easy isolation using Linux kernel namespaces - it is very secure + +# Method 4, Systemd (if your distro has it) +- use Systemd-nspawn to isolate the Bitmessage directory in a container +- copy over the necessary binaries and libraries to the restricted folder + +# Method 5, Apparmor (if your distro has it) +- Apparmor can be very secure but you might need to read the manual to set it up for your particular distro +- Firejail or Docker are probably going to be easier to implement, and can be combined with Apparmor + +GONQ broadcast +BM-5oQUrQbR4xu2rnBFGM2A6BLkJMfYvsw \ No newline at end of file
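Review bot: the Method 3 claim "Docker allows easy isolation using Linux kernel namespaces - it is very secure" overstates what a container gives you; namespaces and cgroups still share the host kernel, and a default container runs its process as root, so the line should at least tell the reader to run Bitmessage as a non-root user inside the container and to combine it with the seccomp/AppArmor controls already mentioned in Method 5. Smaller points in the same hunk: Method 2 says "you could even try running Bitmessage as user" and stops mid-sentence (which user is meant?), Method 1 has "use the restrictive firejail the mount the chroot" (should be "to mount") and "low-priveleged" (should be "low-privileged"), and the title/filename promises 6 tricks while the file lists 5 methods. The file name "6-tricks-part-II..md" carries a double dot, and the hunk ends with "\ No newline at end of file"; both are worth fixing before merge.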