From: luhux
To: jbranso@dismail.de
Subject: Re: What are you using to harden your Guix System?
Date: Tue, 20 Oct 2020 12:18:43 +0000
X-Microsoft-Original-Message-ID: <20201020121843.GH2@tencent>
In-Reply-To: <6004ce9acbf415572566cdc4c3f6d916@dismail.de>
Cc: help-guix@gnu.org

On Tue, Oct 20, 2020 at 09:43:33AM +0000, jbranso@dismail.de wrote:
> I'm using sway instead of X. Does that count?
>
> Though I'm still using X for Emacs....
>
> It would be great to add a cookbook page about how to harden guix!
>
> Thanks,
>
> Joshua

Thank you for your suggestion, I will try to find a suitable alternative under wayland. Switching from X to wayland is a bit difficult for me, because I did not find an alternative to 'cwm' under wayland.

A harden cookbook is a good idea; if you find a cookbook or create it, please let me know.

Before creating the cookbook, everyone can use this mail as a place to discuss hardening. Let me share:

* Except the partition where grub or efi is stored, let other partitions be encrypted with luks (thanks to grub, it can mount the partition encrypted by luks, and then load the kernel to boot)
* Use `guix environment --container` to containerize some programs to make the system more secure.
* For programs that are not very trusted or run by root, or programs for testing, use `guix system container` to build it and start it
* Use iptables or nftables to build firewall rules
* When using docker, disable the iptables rules automatically built by docker, and then decide docker's network access by yourself (using iptables or nftables):

===============================================
(service docker-service-type
         (docker-configuration
          (enable-iptables? #f)))
===============================================

* On the public network server, I closed icmp, closed the ssh port, and then used wireguard to access it.
* In ~/.ssh/rc I wrote a script to automatically send emails after signing in successfully in the background (although pam_exec can be used to do it, and it can do better, but I don't know pam too much)
* Use some programs with not a lot of code, but reliable, such as (suckless st, cwm, password-store, libressl)

Thanks,
luhux
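As an added example (not from luhux's message or from the Guix project), here is a Guix system-configuration fragment that combines the two firewall points in the list above: Docker's automatic iptables rules are disabled and an nftables ruleset owns the firewall, dropping ICMP echo and reaching SSH only through the WireGuard tunnel. The interface name wg0, UDP port 51820, the docker0 bridge and the 172.17.0.0/16 container subnet are assumptions for the example.

```scheme
;; Added example for an operating-system's `services' field (not the
;; original mail's code). Assumptions: WireGuard interface wg0 on UDP
;; 51820, sshd on TCP 22, Docker bridge docker0 with 172.17.0.0/16.
(use-modules (gnu)
             (gnu services docker)
             (gnu services networking))

(define %hardened-nftables-ruleset
  (plain-file "nftables.conf"
   "table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # only the ICMPv6 messages IPv6 needs to keep working; echo
    # requests and every other ICMP message fall through to the drop policy
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    # WireGuard handshake/data may arrive from anywhere
    udp dport 51820 accept
    # SSH is reachable only from inside the tunnel, never from the Internet
    iifname \"wg0\" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replaces the rules Docker would have added: containers may reach
    # out and get replies, nothing is forwarded into them unsolicited
    iifname \"docker0\" oifname != \"docker0\" accept
    ct state established,related accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname != \"docker0\" ip saddr 172.17.0.0/16 masquerade
  }
}"))

(define %firewall-services
  (list
   ;; Docker no longer edits the firewall; the ruleset above owns it
   (service docker-service-type
            (docker-configuration
             (enable-iptables? #f)))
   (service nftables-service-type
            (nftables-configuration
             (ruleset %hardened-nftables-ruleset)))))
```

Append `%firewall-services` to the `services` list of the `operating-system` declaration; check the ruleset with `nft -c -f` before reconfiguring, since a typo in a policy-drop ruleset locks out every path except the console.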