diff --git a/content/docs/computer/advanced-networking.md b/content/docs/computer/advanced-networking.md new file mode 100644 index 0000000..906dab2 --- /dev/null +++ b/content/docs/computer/advanced-networking.md @@ -0,0 +1,242 @@ +--- +title: 'Advanced networking' +date: 2024-05-19T19:35:43+02:00 +weight: 4 +prev: /docs/computer/basic-configuration +next: /docs/computer/xfce-desktop +--- + +The initial setup during the [system preparation](../system-preparation) may be +sufficient for the [basic configuration](../basic-configuration) tasks. However, +time synchronization[^1] and enhanced privacy requires a more advanced setup: + +1. Switch to a [#Network Manager](#network-manager) with: + 1. [#IPv6 privacy](#ipv6-privacy) + 2. [MAC address randomization](#mac-address-randomization) +2. Use chrony for [#Time synchronization](#time-synchronization) +3. [#Securing DNS](#securing-dns) via: + 1. [#DNSSEC](#dnssec) for validating DNS queries + 2. [#DNS over TLS](#dns-over-tls) for encrypting DNS traffic + +## Network manager + +First of all an utility for controlling network related tasks is desirable. The +[NetworkManager](https://wiki.archlinux.org/title/NetworkManager) can easily, +yet extensively manage wireless and wired ethernet[^2] interfaces. I install the +[networkmanager](https://archlinux.org/packages/?name=networkmanager) package: + +```bash +sudo pacman -Sy networkmanager +``` + +The [DHCP client](https://wiki.archlinux.org/title/NetworkManager#DHCP_client), +which is integrated in the NetworkManager can cause issues in big wireless +networks such as [eduroam](https://eduroam.org). For this reason, I install the +[dhclient](https://archlinux.org/packages/?name=dhclient) as an alternative: + +```bash +sudo pacman -Sy dhclient +``` + +For switching, I create a `/etc/NetworkManager/conf.d/dhcp-client.conf` file: + +```{filename="/etc/NetworkManager/conf.d/dhcp-client.conf"} +[main] +dhcp=dhclient +``` + +### IPv6 privacy + +To prevent [MAC address](https://en.wikipedia.org/wiki/MAC_address) leakage of +my interfaces, I enable the *IPv6 Privacy Extensions* for NetworkManager. I +create the file `/etc/NetworkManager/conf.d/ipv6-privacy.conf` containing: + +``` {filename="/etc/NetworkManager/conf.d/ipv6-privacy.conf"} +[connection] +ipv6.ip6-privacy=2 +``` + +### MAC address randomization + +Additionally, with [MAC address randomization](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization) +enabled my physical MAC address is never leaked during layer 2 communication. +I create the file `/etc/NetworkManager/conf.d/rand-mac-address.conf`: + +``` {filename="/etc/NetworkManager/conf.d/rand-mac-address.conf"} +[device-mac-randomization] +# "yes" is already default, but let's be safe +wifi.scan-rand-mac-address=yes + +[connection-mac-randomization] +# randomize MAC for each connection +ethernet.cloned-mac-address=random +wifi.cloned-mac-address=random +``` + +### Starting NetworkManager + +I disable and stop the Systemd-networkd service which has been configured in the +[#Networking](../system-preparation/#Networking) section of system preparation: + +```bash +sudo systemctl stop systemd-networkd.service +sudo systemctl disable systemd-networkd.service +``` + +Afterwards I enable and start the NetworkManager to take over control: + +```bash +sudo systemctl enable NetworkManager.service +sudo systemctl start NetworkManager.service +``` + +The existing wired configuration of the system preparation should be detected +and connect automatically. I remove the configuration file afterwards to ensure +that Systemd-networkd cannot interfere with the NetworkManager: + +```bash +sudo rm /etc/systemd/network/20-wired.network +``` + +## Time synchronization + +Synchronizing the system clock can happen via internet by using the Network Time +Protocol[^3] (NTP). The [chrony](https://wiki.archlinux.org/title/Chrony) NTP +client is a roaming friendly alternative to the reference implementation `ntp`. +I install the [chrony](https://archlinux.org/packages/?name=chrony) package via: + +```bash +sudo pacman -Sy chrony +``` + +### NTS + +The time synchronization can apply Transport Layer Security[^4] (TLS) by +[using NTS servers](https://wiki.archlinux.org/title/Chrony#Using_NTS_servers). +I edit the `/etc/chrony.conf` file to use a nearby NTS server and a fallback: + +```{filename="/etc/chrony.conf"} +server ptbtime1.ptb.de offline nts +server nts1.time.nl offline nts +``` + +### Starting chrony + +I disable and stop Systemd-timesyncd to prevent any conflicts: + +```bash +sudo systemctl disable systemd-timesyncd.service +sudo systemctl stop systemd-timesyncd.service +``` + +Afterwards I enable and start the chronyd.service using these commands: + +```bash +sudo systemctl enable chronyd.service +sudo systemctl start chronyd.service +``` + +And I check the configured NTP servers via: + +```bash +chronyc -N 'sources -a -v' +``` + +### NetworkManager dispatcher + +Additionally, chrony can automatically go into online/offline mode depending on +the connection state when using a NetworkManager dispatcher script. Install the +[networkmanager-dispatcher-chrony](https://aur.archlinux.org/packages/networkmanager-dispatcher-chrony/) +package from the AUR: + +```bash +yay -Sy networkmanager-dispatcher-chrony +``` + +I enable and start the NetworkManager-dispatcher.service afterwards: + +```bash +sudo systemctl enable NetworkManager-dispatcher.service +sudo systemctl start NetworkManager-dispatcher.service +``` + +## Securing DNS + +The DNS[^5] is used to map IP addresses to domain names. DNS traffic from and to +your computer is unencrypted by default and leaks information about the sites +you visit in your web browser or can be used to identify which operating system +you are running, for example. Read more background information on this topic in +the [Privacy and security](https://wiki.archlinux.org/title/Domain_name_resolution#Privacy_and_security) +section in the Arch Wiki article about Domain name resolution. + +### DNSSEC + +I create `/etc/systemd/resolved.conf.d/dnssec.conf` with the following content +to enable [DNSSEC](https://wiki.archlinux.org/title/DNSSEC) for DNS query +validation in Systemd-resolved: + +```ini {filename="/etc/systemd/resolved.conf.d/dnssec.conf"} +[Resolve] +DNSSEC=true +``` + +### DNS over TLS + +Additionally, to use TLS for encrypting the DNS traffic between my host and the +DNS server I create `/etc/systemd/resolved.conf.d/dns_over_tls.conf` to enable +[DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) for +Systemd-resolved by containing: + +```ini {filename="/etc/systemd/resolved.conf.d/dns_over_tls.conf"} +[Resolve] +DNS=176.9.93.198#dnsforge.de +DNSOverTLS=yes +``` + +{{< callout type="warning" >}} + The DNS server must support DNS over TLS. Otherwise all requests will fail. A + list of censorship-free DNS servers can be found at + [DNS Checker](https://dnschecker.org/public-dns/de). +{{< /callout >}} + +Afterwards I restart the systemd-resolved.service to activate the changes: + +```bash +sudo systemctl restart systemd-resolved.service +``` + +I check if the new DNS server is used and `+DNSoverTLS` is listed in *Protocols* +in the output of the following command: + +```bash +resolvectl status +``` + +### Known bugs + +Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the +file `/etc/hosts` instead of using Systemd's resolver[^6]. To prevent resolving +`localhost` over the network I add the following lines to `/etc/hosts`: + +``` +127.0.0.1 localhost +::1 localhost +127.0.1.1 arch-studio24 +``` + +Remember to change `arch-studio24` to your hostname! + +Next up is the [Xfce desktop](../xfce-desktop/) guide describing how to install +and setup a desktop environment. + +[^1]: [Time synchronization](https://wiki.archlinux.org/title/Time_synchronization) +in the ArchWiki +[^2]: [Ethernet](https://en.wikipedia.org/wiki/Ethernet) in the Wikipedia +[^3]: [Network Time Protocol](https://en.wikipedia.org/wiki/Network_Time_Protocol) +in the Wikipedia +[^4]: [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) +in the Wikipedia +[^5]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in +the Wikipedia +[^6]: The [localhost is resolved over the network](https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network) +section of the Network configuration article in the ArchWiki \ No newline at end of file diff --git a/content/docs/computer/basic-configuration.md b/content/docs/computer/basic-configuration.md index 5439cd9..56e68bf 100644 --- a/content/docs/computer/basic-configuration.md +++ b/content/docs/computer/basic-configuration.md @@ -3,7 +3,7 @@ title: 'Basic configuration' date: 2024-04-28T12:07:39+02:00 weight: 3 prev: /docs/computer/system-preparation -next: /docs/computer/xfce-desktop +next: /docs/computer/advanced-networking --- After [system preparation](../system-preparation/) I am able to boot the @@ -30,10 +30,9 @@ for a general basic setup to my needs include the following tasks: 1. Creating [#Users and groups](#users-and-groups) 2. Apply [#Security measures](#security-measures) -3. Improve [#Privacy settings](#privacy-settings) -4. [#Package management](#package-management) -5. Adding [#Console improvements](#console-improvements) - +3. [#Package management](#package-management) +4. Adding [#Console improvements](#console-improvements) +5. Installing a [#Graphics driver](#graphics-driver) {{< callout type="info" >}} Some of my instructions are specific to the hardware found in the laptop model @@ -74,7 +73,7 @@ the `wheel` group is an option I use to implement: ```bash pacman -Sy sudo -gpasswd -a patient0 wheel +gpasswd -a thisven wheel EDITOR=vim visudo ``` @@ -150,132 +149,6 @@ to avoid cluttering system logs by executing: sudo ufw logging off ``` -## Privacy settings - -Further measures for tightening security and improving privacy include a more -advanced setup of network services and application fine tuning. The next -sections deal with the adaption of default configurations to use trustworthy -service providers (from my perspective) and a high level of encryption to -prevent some leakage of personal data. - -### Securing DNS queries - -The DNS[^3] is used to map IP addresses to domain names. DNS traffic from and to -your computer is unencrypted by default and leaks information about the sites -you visit in your web browser or can be used to identify which operating system -you are running, for example. Read more background information on this topic in -the [Privacy and security](https://wiki.archlinux.org/title/Domain_name_resolution#Privacy_and_security) -section in the Arch Wiki article about Domain name resolution. - -I create `/etc/systemd/resolved.conf.d/dnssec.conf` with the following content -to enable [DNSSEC](https://wiki.archlinux.org/title/DNSSEC) for DNS query -validation in Systemd-resolved: - -```ini {filename="/etc/systemd/resolved.conf.d/dnssec.conf"} -[Resolve] -DNSSEC=true -``` - -Additionally, to use TLS[^4] for encrypting the traffic between my host and the -DNS server I create `/etc/systemd/resolved.conf.d/dns_over_tls.conf` to enable -[DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) for -Systemd-resolved by containing: - -```ini {filename="/etc/systemd/resolved.conf.d/dns_over_tls.conf"} -[Resolve] -DNS=176.9.93.198#dnsforge.de -DNSOverTLS=yes -``` - -{{< callout type="warning" >}} - The DNS server must support DNS over TLS. Otherwise all requests will fail. A - list of censorship-free DNS servers can be found at - [DNS Checker](https://dnschecker.org/public-dns/de). -{{< /callout >}} - -Afterwards I restart the `systemd-resolved.service` to activate the changes: - -```bash -sudo systemctl restart systemd-resolved.service -``` - -I check if the new DNS server is used and `+DNSoverTLS` is listed in *Protocols* -in the output of the following command: - -```bash -resolvectl status -``` - -Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the -file `/etc/hosts` instead of using Systemd's resolver[^5]. To prevent resolving -`localhost` over the network I add the following lines to `/etc/hosts`: - -``` -127.0.0.1 localhost -::1 localhost -127.0.1.1 arch-studio24 -``` - -Remember to change `arch-studio24` to your hostname! - -### NTS - -The time synchronization can also be configured to require a TLS connections by -[using NTS servers](https://wiki.archlinux.org/title/Chrony#Using_NTS_servers). -I edit the `/etc/chrony.conf` file to use a local NTS server and fallback: - -``` -server ptbtime1.ptb.de offline nts -server nts1.time.nl offline nts -``` - -After editing I restart the following services: - -```bash -sudo systemctl restart chronyd.service -sudo systemctl restart NetworkManager-dispatcher.service -``` - -And I check the configured NTP servers via: - -```bash -chronyc -N 'sources -a -v' -``` - -### IPv6 privacy - -To prevent [MAC address](https://en.wikipedia.org/wiki/MAC_address) leakage of -my interfaces, I enable the *IPv6 Privacy Extensions* for NetworkManager. I -create the file `/etc/NetworkManager/conf.d/ipv6-privacy.conf` containing: - -``` {filename="/etc/NetworkManager/conf.d/ipv6-privacy.conf"} -[connection] -ipv6.ip6-privacy=2 -``` - -### MAC address randomization - -Additionally, with [MAC address randomization](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization) -enabled my physical MAC address is never leaked during layer 2 communication. -I create the file `/etc/NetworkManager/conf.d/rand-mac-address.conf`: - -``` {filename="/etc/NetworkManager/conf.d/rand-mac-address.conf"} -[device-mac-randomization] -# "yes" is already default, but let's be safe -wifi.scan-rand-mac-address=yes - -[connection-mac-randomization] -# randomize MAC for each connection -ethernet.cloned-mac-address=random -wifi.cloned-mac-address=random -``` - -Don't forget to restart the `NetworkManager.service` after these adaptions: - -```bash -sudo systemctl restart NetworkManager.service -``` - ## Package management In order to automatically retrieve, build and install the many packages from an @@ -378,7 +251,7 @@ sudo ln -s /usr/bin/vim /usr/bin/vi For efficient working with `vim` in a graphical desktop environment, I like to deactive [using the mouse](https://wiki.archlinux.org/title/Vim#Using_the_mouse) in order to use the copy & paste function in terminal windows. I also set syntax -highlighting[^6], indentation and spell checking. I create a `~/.vimrc` +highlighting[^3], indentation and spell checking. I create a `~/.vimrc` configuration file and insert the following settings: ```vim {filename="$HOME/.vimrc"} @@ -433,7 +306,7 @@ source /usr/share/doc/pkgfile/command-not-found.bash EOF ``` -### Graphics driver +## Graphics driver To set display resolution from the kernel space rather than the user space I use [Kernel mode setting](https://wiki.archlinux.org/title/Kernel_mode_setting). As @@ -481,21 +354,11 @@ I finally [reboot](../system-preparation/#reboot) my machine to apply the graphics driver configuration and troubleshoot any issues. The configuring of the VA-API is only necessary if you encounter errors. -As the general recommendations state, running graphical applications requires a -GUI[^7]. On the [Xfce desktop](../xfce-desktop/) page I will describe how to -install and setup a desktop environment. - +In the next [advanced networking](../advanced-networking) guide, I show how to +secure and tweak the default network configuration. [^1]: [Pacman](https://wiki.archlinux.org/title/Pacman) in the ArchWiki [^2]: [CPU](https://en.wikipedia.org/wiki/Central_processing_unit) in the Wikipedia -[^3]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in -the Wikipedia -[^4]: [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) -in the Wikipedia -[^5]: The [localhost is resolved over the network](https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network) -section of the Network configuration article in the ArchWiki -[^6]: [Syntax highlighting](https://en.wikipedia.org/wiki/Syntax_highlighting) -in the Wikipedia -[^7]: [Graphical user interface](https://en.wikipedia.org/wiki/Graphical_user_interface) +[^3]: [Syntax highlighting](https://en.wikipedia.org/wiki/Syntax_highlighting) in the Wikipedia \ No newline at end of file diff --git a/content/docs/computer/xfce-desktop.md b/content/docs/computer/xfce-desktop.md index 1c946e8..8bf59ad 100644 --- a/content/docs/computer/xfce-desktop.md +++ b/content/docs/computer/xfce-desktop.md @@ -1,9 +1,9 @@ --- title: 'Xfce desktop' date: 2024-05-19T16:20:19+02:00 -weight: 4 -prev: /docs/computer/basic-configuration -next: /docs/computer/advanced-networking +weight: 5 +prev: /docs/computer/advanced-networking +next: /docs/computer/multimedia-internet --- [Xfce](https://wiki.archlinux.org/title/Xfce) is a lightweight but full-featured @@ -159,6 +159,20 @@ the [panel preferences](https://docs.xfce.org/xfce/xfce4-panel/preferences) and add it to a panel of my choice (per default this is most probably *Panel 1*) in the *Items* tab. +### NetworkManager applet + +To manage NetworkManager connections graphically, I install the package +[network-manager-applet](https://archlinux.org/packages/?name=network-manager-applet) +and start it in the background using the `nm-applet &` command: + +```bash +sudo pacman -Sy network-manager-applet +nm-applet & +``` + +Using the [nm-applet](https://wiki.archlinux.org/title/NetworkManager#nm-applet) +I can easily create additional connections as needed. + ### Theming To apply a built-in dark theme I open the Xfce settings and set *Adwaita dark* @@ -297,14 +311,14 @@ URI scheme, but mounting it using the `/etc/fstab` file is provided by Thunar. Sometimes the background image or color is missing and the right click menu doesn't appear. This is fixed by running `xfdesktop` in a terminal as described -on [Fosslicious](https://www.fosslicious.com/2019/09/fix-xfce-desktop-error-cant-right-click.html): +at [Fosslicious](https://www.fosslicious.com/2019/09/fix-xfce-desktop-error-cant-right-click.html): ```bash xfdesktop & ``` -In the next [advanced networking](../advanced-networking) guide, I show how to -secure and tweak the default network configuration. +For setting up multimedia capabilities and Internet technologies proceed with +the next guide [Multimedia and Internet](../multimedia-internet). [^1]: [Desktop Environment](https://wiki.archlinux.org/title/Desktop_environment) in the ArchWiki