nice post thx GONQ
parent
a9bf128ae5
commit
f80d5bf516
31
6-tricks-part-II..md
Normal file
31
6-tricks-part-II..md
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
Tips for securing Bitmessage
|
||||||
|
=======================================
|
||||||
|
|
||||||
|
# Method 1, Firejail + chroot
|
||||||
|
- create a chroot and put python binaries, shell, firejail and Bitmessage source code in it
|
||||||
|
- create a low-priveleged user and change the owner of the chroot to that user
|
||||||
|
- create a firejail profile outside the chroot and one inside the chroot, restricting that user's access
|
||||||
|
- use the restrictive firejail the mount the chroot, then use the firejail inside the chroot to run Bitmessage
|
||||||
|
|
||||||
|
# Method 2, Firejail
|
||||||
|
- create a firejail profile for Bitmessagemain.py restricting file access to the keys.dat folder
|
||||||
|
- copy over the required binaries as if creating a chroot
|
||||||
|
- add network interface restrictions so Bitmessage can only access the Tor proxy
|
||||||
|
- create a new user that will only have access to that folder and invoke Bitmessage as that user
|
||||||
|
- you could even try running Bitmessage as user <nobody>
|
||||||
|
- firejail instances can be embedded in parent firejail instances for extra armor
|
||||||
|
|
||||||
|
# Method 3, Docker
|
||||||
|
- set up a Docker container and run Bitmessage inside it
|
||||||
|
- Docker allows easy isolation using Linux kernel namespaces - it is very secure
|
||||||
|
|
||||||
|
# Method 4, Systemd (if your distro has it)
|
||||||
|
- use Systemd-nspawn to isolate the Bitmessage directory in a container
|
||||||
|
- copy over the necessary binaries and libraries to the restricted folder
|
||||||
|
|
||||||
|
# Method 5, Apparmor (if your distro has it)
|
||||||
|
- Apparmor can be very secure but you might need to read the manual to set it up for your particular distro
|
||||||
|
- Firejail or Docker are probably going to be easier to implement, and can be combined with Apparmor
|
||||||
|
|
||||||
|
GONQ broadcast
|
||||||
|
BM-5oQUrQbR4xu2rnBFGM2A6BLkJMfYvsw
|
Reference in New Issue
Block a user