Psysecure by Ray Heffer, CISO advisor and cybersecurity expert.

Self Hosting Nextcloud for Privacy, the Right Way (September 2024)

Sat, 21 Sep 2024 05:00:00 +0000

Overview
Step 1: Installation
Step 2: Server Setup
Step 3: Installing Nextcloud (Docker)
Step 4: Setting Up Let’s Encrypt SSL Certificate
Step 5: Finalizing Nextcloud Setup
Errors and Warnings
Useful Docker Commands

Introduction

If you are still using cloud services such as Dropbox or Google Drive for file sync, then this one is for you. Setting up a self-hosted Nextcloud server at home needn’t be difficult or complicated, and it offers complete control over your data, ensuring both privacy and security by keeping everything on your local network. We’ll also do this the right way. That means we’ll be using local disk encryption, and your Nextcloud server will ONLY be accessible at home, not over the internet. If there is a vulnerability, zero-day, or some other attack vector for Nextcloud, then I simply don’t want my home network or personal data exposed or at risk. Also, unlike using a cloud-hosted instance of Nextcloud, self-hosting allows you to maintain complete and total ownership, and privacy of your files. I’ll walk you through the entire process of setting up Nextcloud on your own server, whether that be an old PC or laptop you have lying around, or a dedicated server.

We’ll also set up full disk encryption using LUKS, ensuring that everything stored on the server is encrypted at rest. Using a custom domain name, we’ll also make use of Let’s Encrypt for our SSL certificate, providing encryption in transit. The setup will allow for local syncing when connected to your home network, such as over WiFi, with offline access to files via mobile apps like Strongbox for iPhone or KeepassDX for Android.

If you are new to terms such as RAID, then don’t worry. Just treat this as a learning exercise, and feel free to contact me if you have questions.

Overview

Disclaimer: You need to have a basic knowledge of Linux, as I won’t walk through every step of the initial setup, such as configuring a static IP address or logging in via SSH. If you’re unfamiliar with the basics of Linux, this may not be suitable for you.

Server

Before you get started, you need to decide where to install Ubuntu, which we’ll use to run our Docker image of Nextcloud. This can be a spare laptop, server, or a desktop PC you have lying around. I will say that you want this to be powered on all the time, so if you have a noisy server, leaving it running in your home office is probably going to drive you insane very quickly. I’m fortunate to have a small area in a part of the house that is well insulated and soundproofed, so noise isn’t as much of a factor. I’ve read reports of some people successfully using a Raspberry Pi with NextcloudPi, but I don’t have any experience with that.

I run VMware vSphere 8 thanks to my vExpert license, on my two Supermicro SYS-E300-9D servers, which support 10GbE networking, and are very small and compact. Obviously this is overkill for just a Nextcloud deployment, but I also use this for other virtual machines on my home network.

The choice of server may determine your storage options too, which I’ll discuss next. The reason I use VMware is so I can present an NFS (Network File System) volume from my NAS to VMware, and then create a large virtual disk for my Nextcloud data drive. The reason I do this, and not present the NFS volume directly to my Nextcloud machine, is so I can use LUKS disk encryption which only applies to block devices (HDD, SSD, iSCSI, virtual disks, etc.)

Proxmox

You don’t even need VMware vSphere to do this. A free and open-source alternative is Proxmox VE. Proxmox uses KVM for virtual machines, and LXC for containers. It’s an excellent alternative to running VMware vSphere, and allows you to run other virtual machines or containers in the future.

No matter which option you choose, I’ll assume you are using Ubuntu 22.04, rather than using Proxmox LXC or TrueNAS Scale containers. If you choose the latter, go for it.

Storage

One of the key benefits of self-hosting Nextcloud is you can use your own storage, whether that be an internal SSD or HDD, or something more significant like a NAS. I personally need a lot of storage capacity, so I use a Synology 8-Bay DiskStation DS1823xs, with six 16TB Seagate Ironwolf Pro drives. Configured in a RAID 6 storage pool, this gives me around 58TB of usable storage. However, for a long time I was using a used QNAP TS669 Pro with six 4TB drives (RAID 10).

If you don’t need a large amount of storage capacity like that, then you could even opt for a 2-bay NAS such as the Synology DS223j which costs less than $190 (US). At least with RAID 1 (disk mirroring) you’ll get some redundancy, and it’s a good introduction to using a NAS.

TrueNAS, as mentioned earlier, is another option, where you can repurpose an old PC or server, and build your own NAS. I tried this once, but found that having a PC case crammed full of disks was a cable management nightmare, so I decided just to pull the plug and go with the Synology NAS. However, if this is the direction you want to go in, check out TrueNAS Scale since this also allows you to run containers or virtual machines on the same platform.

1. Ubuntu Installer

By this stage, I will assume you are ready to install Ubuntu 22.04 somewhere, whether that be on a virtual machine or some other device. Here are the initial steps:

Download and mount the Ubuntu 22.04 Server ISO
- Download the ISO from the official Ubuntu website.
Update the the new installer
- If prompted, select ‘Update the the new installer’
Choose Ubuntu Server (minimized)
- During the installation process, select the Ubuntu Server (minimized) option to reduce unnecessary packages.
Network Configuration
- Select the network adapter and change from DHCP to Static (Edit IPv4 > Manual)
- Set to a static IP for your network range (example below)
Enable Disk Encryption (Optional)
- When you boot the machine, you’ll need to enter this passphrase.
Do NOT Select ‘Nextcloud’ from the ‘Featured Server Snaps’ Screen
- We’ll be installing Nextcloud manually.

Note: Once Ubuntu Server is installed, you should be able to connect over SSH.

2. Server Setup

Setting the Timezone

First, set your server’s timezone to ensure logs and scheduled tasks run at the correct times. Replace America/New_York with your local timezone:

sudo timedatectl set-timezone America/New_York

Updating the System

Update your package lists and upgrade existing packages:

sudo apt update -y
sudo apt upgrade -y

Install required packages:

sudo apt-get install net-tools vim

Setting Up the Firewall

Usually I’d recommend using UFW (Uncomplicated Firewall), but Docker bypasses UFW rules because it manipulates iptables directly. Since we chose a minimal Ubuntu Server installation, UFW isn’t installed. Instead we’ll use firewalld. Docker integrates with firewalld, as stated on their website, Docker automatically creates a firewalld zone called docker, with target ACCEPT.

Install firewalld
```
sudo apt install firewalld
```

Enable and Start firewalld

sudo systemctl enable firewalld
sudo systemctl start firewalld

Note: We don’t need to open HTTP or HTTPS (SSH is enabled by default) since Docker handles this as previously mentioned.

Installing Docker

Since we’ll be using Docker to run Nextcloud, we’ll install Docker and Docker Compose:

sudo apt install -y apt-transport-https ca-certificates curl gnupg lsb-release

Add Docker’s official GPG key:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Set up the stable Docker repository:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \
  https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update package lists again:

sudo apt update

Install Docker Engine and Docker Compose:

sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

Configuring the Hosts File

Add your server’s IP address and hostname to the /etc/hosts file:

sudo vi /etc/hosts

Note: You’ll want to ensure your internal DNS resolves to these hostnames. See the section below on split DNS to handle external / internal name resolution.

Add the following line, replacing with your server’s IP and desired hostname:

192.168.1.146 your_domain_name

Note: Use your own IP address and hostname here.

Enabling Automatic Updates

Set up unattended upgrades to keep your system up to date:

Install unattended-upgrades

sudo apt install -y unattended-upgrades

Enable automatic updates

sudo dpkg-reconfigure -plow unattended-upgrades

Configure /etc/apt/apt.conf.d/50unattended-upgrades This file controls which packages get updated. It should already be pre-configured, but you can review it or modify it if necessary. Just remove the // to uncomment the lines you want.

sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

Example:

Unattended-Upgrade::Allowed-Origins {
     "${distro_id}:${distro_codename}";
     "${distro_id}:${distro_codename}-security";
     // Extended Security Maintenance; doesn't necessarily exist for
     // every release and this system may not have it installed, but if
     // available, the policy for updates is such that unattended-upgrades
     // should also install from here by default.
     "${distro_id}ESMApps:${distro_codename}-apps-security";
     "${distro_id}ESM:${distro_codename}-infra-security";
     "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Check the status of unattended-upgrades

sudo systemctl status unattended-upgrades

Test with --dry-run

sudo unattended-upgrades --dry-run --debug

Adding a Data Disk with LUKS Encryption

At this stage of the setup, we’ve got Ubuntu installed, but I’ll assume the system (OS) disk won’t have enough capacity for our file sync data. I’ll refer to this as the Nextcloud data disk. In my setup, my Nextcloud virtual machine has a 100GB system disk and an additional 4TB disk for Nextcloud data.

As I mentioned earlier, LUKS disk encryption only applies to block devices (HDD, SSD, iSCSI, virtual disks, etc.). My preference is to use a virtual disk, whether you are using Proxmox or VMware, as it simplifies the setup without the need for iSCSI or other complications. If you’re using a physical server, desktop PC, or laptop with physical disks installed, that’s perfectly fine too.

Note: In my example below, my 4TB data disk is presented as /dev/sdb to Ubuntu.

Encrypting the Disk

Note: In the following steps, replace /dev/sdb with the actual device name of your data disk.

Check the device name for your data disk
```
sudo fdisk -l
```
Prepare the data disk for LUKS
```
sudo cryptsetup luksFormat /dev/sdb
```
This initializes LUKS encryption on the device /dev/sdb. During this process, you are prompted to enter a passphrase (keep this secure, such as inside your password manager). This passphrase is stored in key slot 0, which is the first slot of the LUKS header. This is important because without at least one valid key, the encrypted volume cannot be unlocked. For automatic unlocking during system boot, we’ll add an additional key to the LUKS header (key slot 1).

Open the encrypted volume:

sudo cryptsetup luksOpen /dev/sdb datacrypt

Format the encrypted partition:
```
sudo mkfs.ext4 /dev/mapper/datacrypt
```

Note: I named the encrypted volume datacrypt but you can choose your own volume name here.

Creating a Key File for Automatic Unlocking

Create a key file and add it as an additional key to your LUKS partition:
```
sudo dd if=/dev/urandom of=/root/luks.key bs=1024 count=4
```
Set permissions:
```
sudo chmod 600 /root/luks.key
```
Add key to LUKS (remember to change /dev/sdb to the correct device path):
```
sudo cryptsetup luksAddKey /dev/sdb /root/luks.key
```

Configure /etc/crypttab

Edit the /etc/crypttab file to set up automatic decryption at boot:
```
sudo vi /etc/crypttab
```
Add the following line (remember to change /dev/sdb to the correct device path):
```
datacrypt /dev/sdb /root/luks.key luks
```

Mounting the Encrypted Disk

Create a mount point and add an entry to /etc/fstab:
```
sudo mkdir /data
```
Edit /etc/fstab:
```
sudo vi /etc/fstab
```

Add the following line:

/dev/mapper/datacrypt /data ext4 defaults 0 2

Rebooting and Verifying

Reboot the system and verify that the disk is mounted:
```
sudo reboot
```
After reboot, you should see the /data mount for the new disk:
```
df -h
```

Setting Permissions

Ensure that the web server user (www-data) owns the data directory:
```
sudo chown www-data:www-data /data -R
```

3. Installing Nextcloud (Docker)

Creating a Docker Compose File

Create a directory for Nextcloud and navigate to it:
```
sudo mkdir -p /data/nextcloud
```
Change to the Nextcloud directory:
```
cd /data/nextcloud
```
Create a docker-compose.yml file:
```
sudo vi docker-compose.yml
```
Add the following content to docker-compose.yml:

services:
  nextcloud:
    build: .
    container_name: nextcloud
    restart: always
    ports:
      - "443:443"
    volumes:
      - /data/nextcloud/html:/var/www/html
      - /etc/letsencrypt/live/your_domain_name/fullchain.pem:/etc/ssl/certs/ssl-cert.crt:ro
      - /etc/letsencrypt/live/your_domain_name/privkey.pem:/etc/ssl/private/ssl-cert.key:ro
    environment:
      - NEXTCLOUD_DATA_DIR=/var/www/html/data
      - NEXTCLOUD_TRUSTED_DOMAINS=your_domain_name your_ip_address
    depends_on:
      - db
      - redis

  db:
    image: mariadb:10.11
    container_name: nextcloud_db
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=your_db_root_password
      - MYSQL_PASSWORD=your_db_password
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    volumes:
      - /data/nextcloud/db:/var/lib/mysql

  redis:
    image: redis:alpine
    container_name: nextcloud_redis
    restart: always
    volumes:
      - /data/nextcloud/redis:/data
    command: ["redis-server", "--unixsocket", "/tmp/redis.sock", "--unixsocketperm", "770"]

Replace the following:

Configuration	Value
`your_domain_name`	Replace with your own domain name (e.g., `nextcloud.domain.com`)
`your_ip_address`	Replace with the local IP address of your server
`your_db_root_password`	Replace with a strong root password for MariaDB
`your_db_password`	Replace with a strong password for the Nextcloud database user

Note: We’re using the recommended version of MariaDB 10.11 according to the system requirements

Configure Nextcloud to Use Apache

Create Dockerfile:
```
sudo vi /data/nextcloud/Dockerfile
```

Add the following:

FROM nextcloud
RUN a2enmod ssl
COPY nextcloud.conf /etc/apache2/sites-available/nextcloud.conf
RUN a2ensite nextcloud.conf

Create `nextcloud.conf’:
```
sudo vi /data/nextcloud/nextcloud.conf
```
Add the following:

<VirtualHost *:443>
    ServerName your_domain_name

    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert.crt
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert.key

    <Directory /var/www/html/>
        AllowOverride All
        Require all granted
        Options FollowSymLinks MultiViews

        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/nextcloud-error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud-access.log combined

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>

Note: Replace your_domain_name with your actual domain name.

4. Setting Up Let's Encrypt SSL Certificate

We won’t be exposing our Nextcloud server to the internet, however, we do need to use an external domain name if we want to use LetsEncrypt, and take advantage of a trusted SSL certificate. The last thing we want is to deal with self-signed certificate warnings on each of our devices accessing Nextcloud!

Domain Names

I recommend using with Namecheap or Njalla to register a custom domain. Remember, you won’t be using this to access Nextcloud over the internet, but it will be used internally (e.g. nextcloud.yourdomain.com) and to obtain valid SSL certificates for HTTPS from LetsEncrypt.

I also recommend using Cloudflare to manage the DNS (Domain Name System) for your custom domain. In the next section, I guide you through obtaining a Cloudflare API key which we’ll need in order to obtain our SSL certificates without making the server accessible from the internet.

If our server were accessible from the internet, we would have just used certbot to simply create and renew our SSL certificates. As we are doing things a little differently for added security, we’ll use the DNS-01 challenge method which involves proving control over a domain by adding specific DNS TXT records. I use CloudFlare to host the DNS for my domain names, which I’ll use in my example below.

Internal DNS

Let’s say my Nextcloud instance is on nextcloud.psysecure.com. Since I won’t be opening up my firewall to allow this over the internet, I don’t need to add a DNS record in Cloudflare. However, I do want my internal devices to resolve that to an internal IP address. For my home network I use two PiHole servers (virtual machines) but these could also be installed on a Raspberry Pi. They have a ‘Local DNS’ setting, that allows you to add internal DNS records, so nextcloud.psysecure.com would point to the internal IP address of your Nextcloud server (E.g. 192.168.100.146).

Installing Certbot and DNS plugin:

sudo apt update
sudo apt install -y certbot python3-certbot-dns-cloudflare

Obtain CloudFlare API Key

Log into CloudFlare and go to https://dash.cloudflare.com/profile/api-tokens
Choose ‘Use Template’ next to ‘Edit zone DNS’
In Zone Resources > Include > Specific Zone, choose your domain that you’ll use for Nextcloud.
Click ‘Continue to Summary’
Create Token
Save this API token in your password manager, don’t lose it!

Configure DNS API Credentials

Create a credentials file with your DNS API token or keys:

sudo mkdir /etc/letsencrypt/dns
sudo vi /etc/letsencrypt/dns/cloudflare.ini

Add your API credentials to the file:

dns_cloudflare_api_token = your_cloudflare_api_token

Change permissions:

sudo chmod 600 /etc/letsencrypt/dns/cloudflare.ini

Note: Replace your_cloudflare_api_token with your CloudFlare API key

Request the Certificate

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/dns/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d your_domain_name

Note: Replace your_domain_name (E.g. nextcloud.domain.com)

Starting the Containers

sudo docker compose up -d

Verify the containers are running:

sudo docker ps

You should see two running containers, for example:

CONTAINER ID   IMAGE                 COMMAND                  CREATED         STATUS                  PORTS                                           NAMES
4678a7c04652   nextcloud-nextcloud   "/entrypoint.sh apac…"   5 seconds ago   Up 2 seconds            80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nextcloud
e3158965d2d5   redis:alpine          "docker-entrypoint.s…"   5 seconds ago   Up Less than a second   6379/tcp                                        nextcloud_redis
7f94e9dce0ab   mariadb:10.11         "docker-entrypoint.s…"   5 seconds ago   Up 3 seconds            3306/tcp                                        nextcloud_db

5. Finalizing Nextcloud Setup

Open a web browser and navigate to http://your_server_ip to complete the Nextcloud setup. You will be prompted to create an admin account and configure the database connection. I recommend creating a random username (not admin), similar to my example below. Don’t lose this, store it in your password manager!

Click ‘Storage & database’
Select ‘MySQL/MariaDB’

Configuration	Value
Database account	nextcloud
Database password	The `your_db_password` you set in `docker-compose.yml`
Database name	nextcloud
Database host	db

Click Install!

Note: Access your Nextcloud instance via https://your_domain.com and verify that everything is working correctly.

Enable Redis for Memcache

Edit config.php

sudo vi /data/nextcloud/html/config/config.php

Add the memcache settings to the end of the config

# Existing config above
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
 'host' => '/tmp/redis.sock',
 'port' => 0,
 'timeout' => 1.5,
  ),
);

Errors and Warnings

By this stage you should be logged into Nextcloud. If you click on the user icon (top right) and choose ‘Administration Settings’ you might see a list of errors and warnings. Don’t panic, we’ll fix these!

1. Error: Some files have not passed the integrity check. List of invalid files… Rescan… For more details see the documentation.

This error is related to this issue, since Docker leaves a .lock file behind. We just need to remove it, as follows:

Access the Nextcloud Docker container:
```
sudo docker exec -it nextcloud bash
```
Navigate to the Nextcloud installation directory:
```
cd /var/www/html
```
Remove the extra file causing the issue:
```
rm nextcloud-init-sync.lock
```
Exit the container:
```
exit
```
Click ‘Rescan’ in the Nextcloud Administration Settings and this error will go away.

2. Warning: Server has no maintenance window start time configured.

To configure a maintenance window, just edit config.php and add 'maintenance_window_start' => 1, to the end.

sudo vi /data/nextcloud/html/config/config.php

Add this configuration line

  'maintenance_window_start' => 1,

3. Warning: One or more mimetype migrations are available. Occasionally new mimetypes are added to better handle certain file types.

Run occ maintenance:repair --include-expensive as instructed by the warning, inside our Nextcloud container:

sudo docker exec -u www-data -it nextcloud php occ maintenance:repair --include-expensive

Note: You can run other occ commands in the same way, in case you have other warnings that require this command to fix.

4. Warning: Detected some missing optional indices. Occasionally new indices are added (by Nextcloud or installed applications) to improve database performance.

Run occ db:add-missing-indices as instructed by the warning, inside our Nextcloud container:

sudo docker exec -u www-data -it nextcloud php occ db:add-missing-indices

5. Warning: RuntimeException image not found: image:apps/whiteboard.svg webroot: serverroot:/var/www/html

Hopefully they’ll fix this one. At the time of writing this guide, I found this issue which discusses the warning. To fix, they recommend installing the Whiteboard app, then disabling it.

6. Warning: Phone Region Not Set

sudo vi /data/nextcloud/html/config/config.php

Add this to the end:

'default_phone_region' => 'US',

Useful Docker Commands

Verify Docker installation

sudo docker run --rm hello-world

List all containers

sudo docker ps -a

Note: -a shows all containers, otherwise it’ll just show running.

Remove container

sudo docker rm <container_id>

Bring Down All Docker Compose Services

sudo docker compose down

Bring Up and Rebuild All Docker Compose Services

sudo docker compose up --build -d

Check Logs for Specific Container

sudo docker logs nextcloud
sudo docker logs nextcloud_db
sudo docker logs nextcloud_redis

Execute a Command Inside a Running Container

sudo docker exec -it nextcloud bash

Restart a Specific Container

sudo docker restart nextcloud

List all images

sudo docker images

Restart Docker Service

sudo systemctl restart docker

Venturing into AI Security with Locally Hosted LLMs

Sat, 03 Aug 2024 05:00:00 +0000

“we believe that AI is more of a net positive for defenders than it is for adversaries.”

- Red Canary

The term ‘AI security’ can mean different things to different people. ‘Artificial intelligence’ encompasses various interconnected fields and applications, including machine learning, deep learning, Large Language Models (LLMs), image generation, and even deepfakes.

For those of us that live in the world of cybersecurity, AI will likely mean leveraging AI to help defend against cyber threats, and for the adversary, using AI not only helps with crafting more sophisticated social engineering campaigns but also assists in the development of malware or even in automating responses. A study from 2023 highlights just how LLMs are being used in social media botnets, with accounts amassing hundreds of thousands of followers which is undoubtedly used by nation states to spread disinformation, since these accounts have the ability to post ‘trending’ content very easily.

So you can see ‘AI security’ is already a vast topic, but for this blog post I’m going to focus on using LLMs to bolster security tooling and processes, and to leave you with an understanding of how adversaries are using LLMs in cyber warfare. Also, this is a relatively new area for me, so I figured that I’d simply turn my own notes into this blog, which will hopefully help you too!

Large Language Models are AI systems trained on massive datasets of text. As you’ll see with recent developments in AI, some advanced models, often referred to as multimodal models, can process text, audio (voice / music) and images. They can understand and generate human-like text, answer questions, and even write code (and do it very well!). Think of LLMs as incredibly smart text prediction engines on steroids. ChatGPT by OpenAI and Claude by Anthropic are prime examples, but they’re just the tip of the iceberg.

What’s really interesting is the rise of open-source LLM projects. Tools like Ollama, KoboldCpp, Llamafile, and LocalAI are bringing powerful language models to your local machine. This means you can run AI without relying on cloud services or worrying about data privacy issues. This is a game-changer for privacy enthusiasts, but also for defenders and potential threat actors.

For defenders, imagine having an AI assistant that can analyze logs, spot patterns in threat data, or even help write and optimize security rules. It’s like having a tireless analyst who never needs coffee breaks. These tools can help security operations teams sift through the noise and focus on what really matters. I know that sounds like a marketing pitch from a security vendor, but what I’m talking about is all open source, and locally hosted.

But we do have a problem. Adversaries have access to these tools too. They are starting to use LLMs to generate more convincing phishing emails, craft malware that’s harder to detect, or even automate parts of their attack chains. These threats are very real and already in play. I’ve personally used AI to craft ransomware as part of a research project, and you can bet threat actors are not sitting on their hands, but are actively exploiting these capabilities today. Cybercriminals and state-sponsored hackers are quick to adopt new technologies, and AI is no exception.

This rapid adoption of AI by threat actors makes it absolutely crucial for defenders to stay ahead of the curve. We need to be leverage these same technologies to enhance our detection capabilities, automate our responses, and predict new attack vectors before they’re exploited.

AI Cyber Warfare

How are the bad guys are using this tech? Adversaries aren’t just sitting on their hands while we beef up our defenses. They’re weaponizing LLMs in some pretty clever (and concerning) ways. For starters, they’re using these models to generate more convincing phishing emails. These are highly personalized, contextually accurate messages that can fool even the most vigilant users. They’re also leveraging LLMs to write malware, making it easier for less skilled attackers to create sophisticated threats. Some adversaries are using LLMs to analyze stolen data more efficiently, potentially de-anonymizing data breaches by using LLMs to perform correlation as discussed in this study.

Perhaps most concerning is the use of LLMs in disinformation campaigns. As I mentioned earlier, there’s evidence of LLM-powered social media bots amassing huge followings and spreading targeted misinformation. This isn’t just about stealing data or breaching systems anymore, but manipulating perceptions and influencing behaviors on a massive scale.

Locally Hosted LLMs

This is where things get interesting for both defenders and adversaries. I’ve already mentioned Ollama, LlamaFile, KoboldCpp, and LocalAI, but if you are just getting started with local LLMs, then you might also want to check out LM Studio, another open source project that runs on Windows, Mac, or Linux. There is also Text Generation Web UI which provides a local web UI.

If you’re serious about running LLMs locally, you’ll need some serious GPU power. I use an NVIDIA 3080Ti, but even that struggles with the larger models. The important resource for LLMs is VRAM, and you’ll lots of it! While your main system RAM is pretty fast, the bottleneck comes from sending data between the GPU and system RAM. When your graphics card runs out of VRAM, you’ll hit extreme slowdowns.

If you want to run the larger models, you’ll need something like an RTX 4090 with 24GB of VRAM. For even more power, there’s the RTX 6000 Ada with 48GB. Just be prepared for the price tag, these cards aren’t cheap, and at over $7,000 you might need a very good explanation for your significant other!

Models - Size Matters

When it comes to running LLMs locally, the size of the model matters a lot. If you’re working with a lower-end GPU, you’ll need to stick with smaller models. A great example is Vicuna-13B, available on Hugging Face. This model, with its 13 billion parameters, offers a good balance between performance and resource requirements. It can run on GPUs with as little as 16GB of VRAM, making it accessible for most with mid-range graphics cards.

As a privacy nerd, I don’t often talk about Meta in a positive light, but a very recent development has tilted the open source LLM landscape on it’s axis with the ridiculously huge 405B version of Llama 3.1. This instruction-tuned model comes in three sizes: 8B, 70B, and the 405B version. The 8B model is perfect for those with limited GPU resources, while the 70B strikes a balance between capability and hardware demands. The 405B version? 405B needs almost 1TB of VRAM! 810GB for the model itself (in FP16 precision), plus another 123GB for the KV cache when using the full 128K token context. That’s 933GB total.

For reference, even a high-end professional GPU like the RTX 6000 Ada, which I mentioned earlier, ‘only’ has 48GB of VRAM. You’d need about 20 of these cards to have enough memory for Llama 3.1 405B. And no, you can’t just slap 20 GPUs in a PC and call it a day. Even if you could physically fit them, the power requirements and heat generation would be insane, not to mention the software challenges of coordinating that many GPUs. If you have several million dollars at your disposal, with your own data center, then you’d need multiple NVIDIA H100 GPUs (with 80GB of VRAM each), with at least 1TB of system RAM (probably more), several terabytes of fast NVMe storage, industrial-grade cooling, and a power supply that could probably jump-start a small city. Companies like Meta are running these models on massive GPU clusters, possibly spread across multiple data centers. Did I mention the H100 GPU sells at over $41,000? We’d need at least 12 of these, so that’s over half a million US dollars.

For us mere mortals, if you want to play with LLMs locally, you’re better off with smaller models. They’re still incredibly powerful and won’t require you to take out a second mortgage (or get a loan from Elon Musk).

Openhermes2.5-mistral

Openhermes2.5-mistral is my favorite model for running locally. It’s based on the Mistral 7B architecture and, in my opinion, is probably the best local model for mid-range PCs right now. Openhermes2.5 excels at following instructions, engaging in open-ended dialogue, and even tackling some coding tasks. If you have a lower spec machine, you can also run quantized versions of the model.

Think of quantization as a compression technique for models. It’s like taking a high-resolution photo and compressing it to save space. You might lose some detail, but the image is still recognizable and takes up much less storage. In the world of LLMs, quantization reduces the precision of the model’s weights. Instead of using 32-bit or 16-bit floating-point numbers, a quantized model might use 8-bit integers or even 4-bit integers. This dramatically shrinks the model’s size and memory footprint.

I won’t go too far down the rabbit hole of this model, but for more information, @Teknium1 the co-founder of Nous Research, shares benchmarks which shows just how capable this model is.

AI Security Examples

Now that I’ve covered the basics of LLMs and local hosting, and hopefully that’s enough to get you started, I want to get back to how this can be used for AI security. Having conversations with chatbots is fun, but it’s not going to help us much as it relates to AI security. I see this falling into four areas:

Using AI to defend against cyber threats
Understanding threats and how adversaries use AI for malicious purposes
Securing AI systems themselves (including data privacy)
The ethical implications of AI in security
Using AI to assist in OSINT investigations

For the purposes of this blog, let’s focus on the first two. I believe the best way to defend against cyber threats is to unlock the power of these local LLMs using Python. Once we can use LLMs within our code, we can then start using models like Openhermes2.5-mistral to help with threat analysis, and as mentioned earlier, ‘sift through the noise’. From there, we’re only limited by your imagination. Perhaps you want to write some Python code to perform malware behavior analysis, or just use the LLM to improve incident response playbooks. The world really is your oyster!

Example 1: Ollama with Python

I didn’t plan to make this a technical ‘how-to’, but I did want to provide you with the foundations of AI security, and in my opinion, why locally hosted LLMs are a critical factor.

In the resources section below, I’ve included a great tutorial by Tech With Tim, on how to install Ollama and use a locally hosted model with Python. You can also run OpenHermes 2.5 in Ollama with ollama run openhermes as shown here.

Example 2: Ollama API

Now this is where things get interesting. Ollama has an API, so with a simple curl request, you can interact with your locally hosted model.

curl http://localhost:11434/api/generate -d '{
  "model": "openhermes",
  "prompt": "Write some python code to convert CSV to JSON"
  "stream": false
}'

Example 3: PrivateGPT for File Analysis

This is a hidden gem. PrivateGPT is another tool that you can use to attach files into your LLM requests. I can see this as a powerful ally in analyzing malware, log files, etc. You can find the full docs here, and then start ingesting files. A full list of supported file formats can be found here.

Summary

There is so much more I could have covered here, from using Whisper to transcribe audio into text, before ingesting into PrivateGPT, to using a combination of LLMs with Python. This is still a relatively new area of cybersecurity, and I find it really exciting as we’ll see models become more efficient, and open source projects like these continue to emerge.

AI security isn’t just a buzzword. By leveraging locally hosted LLMs, we put ourselves in the same playing field as our adversaries, potentially leapfrogging them. Red Canary’s 2024 Threat Detection Report said it best with “we believe that AI is more of a net positive for defenders than it is for adversaries.” This is only true if cybersecurity professionals start to leverage open source tooling like I’ve mentioned here, to start doing some really innovative things to bolster our cyber defenses.

These models, running on our own hardware, give us the power to analyze threats, automate responses, and even predict attacks before they happen. But remember, the tool is only as good as the person wielding it. As you dive into AI-powered security, keep experimenting, keep learning, and most importantly, keep questioning. AI security is evolving rapidly, and staying ahead means staying curious.

Further resources

Using the TOR Browser over VPN

Sat, 15 Jun 2024 05:00:00 +0000

“The onion routing protocol, it’s not as anonymous as you think it is. Whoever’s in control of the exit nodes is also in control of the traffic. Which makes me… the one in control.”

- Elliot Alderson (Mr.Robot)

The quote above isn’t entirely accurate. I covered this during podcast episode 008, but thought I’d revisit this much-debated topic once more.

The TOR Browser connects to the TOR network by first connecting to an entry node (or entry guard). Traffic is encrypted as it passes through each node in the network. From the entry node, it connects to a middle relay, which then connects to an exit node. This is why it’s called The Onion Router, as it functions like layers of an onion. The only traffic that is unencrypted is from the exit node to the destination web server.

If Elliot is in control of the exit node, he will see encrypted traffic coming from the middle relay, and he WILL also see the unencrypted traffic to the web server in plain text, unless the connection to the web server is secured with HTTPS. The unencrypted traffic from the exit node to the destination web server does not contain the client’s IP address. The exit node can see the contents of the traffic (if it is not encrypted by other means like HTTPS), but it does not reveal the client’s IP address though. The entry node in the TOR network knows the client’s IP address, but it does not have the capability to decrypt the entire traffic or see what websites are being visited.

TOR or VPN?

Understanding the differences between TOR (The Onion Router) and VPNs (Virtual Private Networks) is important. Both can enhance your online anonymity (also read my other blog), but they do so in different ways, and both have their merits for different threat models and use cases.

TOR (The Onion Router)

The key point to remember about TOR is that it’s a decentralized network, designed to anonymize internet traffic by routing it through multiple nodes. By using a decentralized approach, this means that no single node has control over the entire network, making it a ‘trustless’ system. This means that no single node in the TOR network can know both the source and the destination of the data. Instead, each node only knows the node immediately before and after it.

When using TOR, your internet traffic is encrypted and routed through this series of nodes, with each node peeling away a layer of encryption, like an onion. This process helps to obscure your real IP address from the sites you visit.

Security Points in TOR:

Entry Node: The entry node is the first node your client connects to. It knows your client’s IP address but not the final destination.
Middle Nodes: These nodes exist between the entry and exit nodes and only know the previous and next hop.
Exit Node: The exit node is the last node and connects to the final destination.

As Elliot mentioned in Mr. Robot, TOR isn’t without risks. A threat actor controlling both the entry and exit nodes can perform traffic correlation attacks, correlating (linking) the source and destination IP addresses. Additionally, ISPs can detect TOR because TOR node IP addresses are public. Just because your ISP knows you are using TOR isn’t a bad thing per se, but in some regions around the world, this could be a bad thing.

VPN (Virtual Private Network)

VPNs are very different and operate with a centralized model. When you use a VPN, you are routing your internet traffic through the provider’s VPN server, essentially creating a tunnel, so websites you visit only see the source IP of the VPN server (not your real IP). While this can provide a high level of privacy from the service you are visiting, it also shifts trust to the VPN provider.

Security Points with VPN:

Using a VPN means you are shifting trust from your ISP to the VPN provider. This provider has the potential to see your real IP address and, if it logs data, your browsing activities. We must always assume, no matter what the VPN provider’s marketing says, that they do have the ability to log your traffic.
Your ISP can see that you are connecting to the IP address of the VPN server, but not what websites you are visiting (provided DNS is set up correctly!).
The website or service you are visiting only sees the VPN server IP address.

When you boot your computer, or even a phone or tablet, many background services start to ‘chatter,’ whether that’s Dropbox, Google, Adobe, Microsoft, Apple, and so on. If you connect to a VPN after your computer boots, using a VPN client, then these services have already revealed your real IP address. It’s not only important to use an always-on VPN, but to also minimize how many services are starting with your computer. If you use Windows, look at the tray icons by the clock. Each one of those is establishing a connection to the cloud, not to mention many services that run as part of your operating system (Windows, Mac, or Linux).

Comparing the Two

The choice between using TOR or a VPN (or both) largely depends on your specific threat model, and your security and privacy goals. As mentioned previously, VPNs are not, and should not be used for anonymity. Unless, of course, you want basic anonymity from the websites you are visiting. Remember, a subpoena or court order can force your VPN provider to start logging traffic and to reveal your real IP.

TOR is more suitable for scenarios where anonymity is critical, such as avoiding government surveillance or protecting the identity of activists and journalists. Since TOR is a decentralized model, unlike using a VPN provider, a subpoena or court order won’t cut it. The downside? It’s slow and often blocked by legitimate sites since ‘TOR must be bad,’ although I disagree.

Using TOR over VPN

So which is safer, using TOR over VPN or without VPN? If you choose to use TOR over VPN, first be careful your VPN client isn’t leaking your data. OpenVPN or services from trusted VPN providers such as Proton should be safe, but there is still a possibility of something going wrong. If you use VPN on pfSense, then all your traffic is routed over the VPN, including TOR.

The answer really lies in whom you are shifting the trust to. If you use TOR over VPN, you are shielding the fact that you are using TOR from your ISP, but now your VPN provider can see that you are using TOR. Personally, I trust Proton more than my ISP. I do know that my ISP monitors traffic and even sells it!

The Complete Setup Guide to pfSense for Privacy and Security

Thu, 13 Jun 2024 05:00:00 +0000

Introduction
Step 1: Installation
Step 2: Initial Setup
Step 3: pfSense WebConfigurator
Step 4: Internet Connectivity
Step 5: pfSenes Client VPN Setup
Step 6: Always-on VPN
Summary

Introduction

This is the complete guide for installing pfSense, for privacy and security enthusiasts. I strongly recommend reading the first part, The Foundations of Digital Privacy - Beyond VPN, as it provides essential background on VPNs, the distinction between anonymity and privacy, and the use of secure DNS through DNS over HTTPS (DoH) and DNS over TLS (DoT).

In this guide, I’ve included a video that walks through the initial setup of pfSense on a Qotom Mini PC. Since 2019, I have been using a Qotom Mini PC for pfSense, starting with the Qotom 4 Q355G4, which served me well for several years. Recently, I upgraded to the Qotom Q555G6-S05, which offers improved performance and features. This guide will focus on setting up pfSense using the Qotom Q555G6-S05, but the steps are generally applicable to other hardware as well. It’s important to note that RAM isn’t usually included with the Qotom Mini PC so you’ll need to add this. I recommend the Crucial RAM 16GB DDR4 3200MHz CL22 SoDIMM. As of March 2024, purchasing these components comes in at just under $320 USD. You’ll also need an SSD drive, but these are cheap, typically costing another $20-$30 for around 120GB of capacity, which is more than enough for pfSense.

For less than $350 USD, you’ll have a 6-port pfSense router with 16GB of RAM, and an Intel Core i5-7200U Processor. A similarly configured Protectli VP4650 cost $794 USD, although this has 2.5G network ports. Both Qotom and Protectli support AES-NI which offloads AES instructions to the CPU, providing performance improvements and security, lowering the risk of side-channel attacks.

Protectli are certainly a credible name for pfSense, but it’s a lot more expensive. I’ll let you decide, but this setup guide should apply to both. One thing I’ll add here is that you should install pfSense yourself, instead of purchasing a router with pfSense pre-installed. Call me paranoid, but if you have already made the decision to run pfSense, you should know how to install it.

Shopping List

Item	Link
Qotom Q555G6-S05 (my recommendation)	Amazon Link
Crucial 16GB DDR4 3200MHz SoDIMM	Amazon Link
SSD Drive	Amazon Link
USB Flash Drive	Amazon Link
pfSense USB Installer	pfSense Link
Spare monitor and keyboard for the setup	-

IP Addressing

Before proceeding with the installation, it’s best to decide on your IP configuration which will include the IP address of your pfSense router, DHCP ranges, and your DNS server IP (if you have one already). If you are looking to configure VLANs to segment different networks, such as guests, work, private, kids, IoT, and so on, providing you have a managed network switch capable of VLAN tagging, you should also decide this now.

In most cases, you’ll already have all of this information, especially if you are replacing an existing router, whether that is the ISP provided router, or your own. Use this example list to create your own, so you have this to hand during setup:

Example IP Checklist:

Item	IP Address	Description
pfSense LAN	192.168.1.1	This will be your gateway IP
LAN DHCP Range	192.168.1.100 - 192.168.1.150	Your primary LAN DHCP Range
Work VLAN	192.168.20.1	This will be the subnet and gateway for your work VLAN network
Work DHCP Range	192.168.20.100 - 192.168.20.110	Your work VLAN DHCP Range
Guest VLAN	192.168.50.1	This will be the subnet and gateway for your work VLAN network
Guest DHCP Range	192.168.50.100 - 192.168.50.110	Your work VLAN DHCP Range

Note: In the screenshots you’ll see throughout this guide, I use 192.168.4.0/24, which is my setup network dedicated for lab / testing. Just replace these with your own IP configuration.

Step 1: Installation (pfSense 2.7.2)

Download the Installer

The first step is to download the pfSense installer. Make sure to select AMD64 (64-bit) architecture, USB Memstick Installer, and VGA console. I’ve included a screenshot below.

Verifying the SHA256 Checksum

Verifying the SHA256 checksum of the pfSense installer is a crucial step in the installation process to ensure the integrity and authenticity of the file. This verification step confirms that the downloaded installer has not been tampered with and matches the official version provided by Netgate.

Windows

Open a command prompt (Start > type CMD)
cd Downloads (or wherever you downloaded the pfSense installer to)
Type certutil -hashfile pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz SHA256

Linux

Open a terminal window
cd ~/Downloads (or wherever you downloaded the pfSense installer to)
Type sha256sum pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz

Mac

Open a terminal window
cd ~/Downloads (or wherever you downloaded the pfSense installer to)
Type shasum -a 256 pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz

This will display the hash (e.g. 7c68b40c02f06f17146e2f1d5899e2f4a2bcfd98803f06fef8ecf3e2d0f63dcb). Manually compare the displayed hash to the one provided on the pfSense website or in the .sha256 file. If the hashes match, it confirms that the file integrity is intact and the file has not been tampered with.

Creating the USB Installer

You’ll need to extract pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz, which contains the .img file we need to create the USB Installer. I recommend 7zip if you are using Windows (just right click > 7-Zip > Extract here) or if you’re using Linux (or Mac), do the following:

Linux / Mac

Open a terminal window (Linux)
Type gunzip pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz

Next, use Etcher to create your USB flash drive installer.

Step 2: Initial Setup

At this stage, you should have the USB installer inserted in the Qotom Mini-PC, and a keyboard and monitor attached. I’ve created a video of the initial setup process for you to follow along.

Note: The numbering of the network ports on the Qotom Mini-PC is right to left. The furthest right port is igb0 (WAN), igb1 (LAN) next, and so on.

Router Bridge (Modem) Mode

Before you connect your ISP modem/router to the WAN port on the pfSense router, you’ll need to make sure the internet router is configured in bridge mode (or modem, or pass-through mode). Before you do this, know that if you use your existing router for WiFi, DHCP, NAT, or port-forwarding, then these will be disabled since we’re going to do this on pfSense.

Bridge mode disables the NAT feature on the modem, allowing the router to function as a modem. By enabling bridge mode, pfSense receives the public IP address from your ISP, avoding a double NAT scenario where your pfSense uses an internal IP. This process can vary depending on the ISP and the specific router they provide, so I recommend you search for how to do this with your specific ISP / router.

Most ISP routers assign the public IP address based on the MAC address of the router. This means that if you simply unplug from the WAN port of your existing router, then plug into the WAN port (igb0) of pfSense, the ISP router will likely need to be rebooted before it’ll assign a new public IP address (since it now has a new MAC address).

In summary, you’ll be doing the following:

Open a web browser and enter the IP address of your ISP-supplied router. This is often 192.168.1.1 or 192.168.0.1, but check your device’s manual for the actual IP address.
Use the credentials provided by your ISP (or on the device label). If you’ve changed the password and can’t remember it, you may need to reset the device to factory settings.
Search for an option labeled as “Bridge Mode,” “Modem Mode,” or “IP Passthrough.” This is often found in the “Advanced,” “Network,” or “WAN Setup” menus.
Follow the on-screen instructions to enable bridge mode.
Ensure all changes are saved, and manually reboot the router if it doesn’t automatically do so.
After enabling bridge mode, connect it to your pfSense WAN port (igb0).

Step 3: pfSense WebConfigurator

The WebConfigurator is the web UI for accessing pfSense. If you followed the video, you should now be connected to the web (E.g. http://192.168.1.1 or similar)

Change the admin password

The first step is to change the default username (admin) and password (pfsense).

Go to System > User Manager
Click the edit icon for the admin user
Enter the new password and again for confirm
Click Save

Change pfSense DNS to Quad9

Next, we’ll update pfSense to use Quad9 as its DNS servers. Keep in mind, this change applies to the DNS servers pfSense uses internally and may not directly affect the DNS servers your clients use. We’ll address client DNS configuration separately at a later stage.

Go to System > General Setup
Change both DNS server entries as per the table below (you can optionally add a third entry for IPv6)
Click Save

IP Address	DNS Server
9.9.9.9	dns.quad9.net
149.112.112.112	dns.quad9.net
2620:fe::fe	dns.quad9.net

These settings are also available on the Quad9 website: https://www.quad9.net/service/service-addresses-and-features/

Disable IPv6 (optional)

I’ve chosen to disable IPv6 features on my pfSense firewall as I don’t require them. If you rely on and utilize IPv6, feel free to skip this section. However, I’ll proceed under the assumption that most setups won’t need IPv6. Should you employ IPv6, it’s crucial to bear in mind the necessity of configuring both IPv4 and IPv6 rules within your firewall settings.

Go to System > Advanced, then click on the Networking tab
In IPv6 Options, de-select ‘Allow IPv6’
Click Save

Configure DHCP for LAN

Next we’ll configure the DHCP server for your LAN. Unless you have a separate DHCP server, I’ll assume your ISP provided router (or another router) was doing this before. Later on, if you decide to use VLANs for different networks, we can use the pfSense DHCP server for each VLAN too.

You’ll need to decide the address pool range, which in most cases you copy from your existing router. Just remember to disable DHCP on your existing router before enabling the DHCP server on pfSense, otherwise devices on your network will get IP addresses from both pfSense and your other router, leading to conflicts and other problems.

Note: If you get this message “ISC DHCP has reached end-of-life and will be removed in a future version of pfSense. Visit System > Advanced > Networking to switch DHCP backend.” just go System > Advanced > Networking, and switch the server backend to “Kea DHCP” then click Save at the bottom of the screen.

For DNS, pfSense is equipped with the Unbound DNS Resolver by default, which is capable of handling DNS requests for your network.

Go to Services > DHCP Server
Enter your address pool range (e.g. 192.168.1.100 - 192.168.1.199)
DNS Servers: Add the IP address of pfSense (e.g. 192.168.1.1)
Gateway: Add the IP address of pfSense (e.g. 192.168.1.1)

Step 4: Internet Connectivity

Before we go any further, we should get pfSense connected to the internet. If you have an existing router, turn this off, unplug the cable from the WAN port and connect it to ibg0 which is the first port on the right. Make sure the ISP supplied router / modem is in ‘bridge mode’ (you may need to reboot the internet modem) before pfSense is able to assign the WAN IP address.

The WAN IP address is then assigned to the pfSense WAN port (igb0), and it binds to the physical MAC address of your pfSense router. This can be changed (or spoofed) by clicking on the WAN interface link from home page of pfSense (Dashboard), if you want to enter another MAC address. This is a more advanced use-case, so typically you’ll just leave this.

From the pfSense Dashboard > Interfaces, you should now see you have a public WAN IP address assigned.

NAT

By default pfSense uses ‘Automatic Outbound NAT’, which automatically creates NAT rules for each of your network interfaces (such as the LAN, and loopback) so you can access the internet without manually adding these. This is fine for most setups, but our approach is more intentional and allows for a more secure configuration since only the networks we specify can mapped to an external interface (WAN or VPN).

Also, by default pfSense creates NAT rules for loopback addresses (127.0.0.0/8 for IPv4 and ::1/128 for IPv6). These addresses are designed for internal communication within the device itself and, under typical circumstances, do not require NAT rules since this traffic is not meant to be routed externally. Simplifying our NAT setup by removing these rules will result in a cleaner, more intentional configuration, reducing unnecessary complexity.

In this section, we’ll switch this to ‘Manual Outbound NAT’, and remove any unnecessary mappings.

Go to Firewall > NAT > Outbound, then select ‘Manual Outbound NAT’, and click Save.
Click Apply Changes

Once you’ve done this, you’ll have something similar to the screenshot below:

By default it creates NAT rules for ISAKMP (port 500) which you only need for IPSEC VPN and site-to-site setups. Since we’re not using IPSEC, let’s go ahead and delete any mappings for port 500.

For each rule with a destination port of 500, click the trashcan icon
Click Apply Changes.
Remove the two mappings for 127.0.0.0/8 and ::/128
Click Apply Changes.

Now only one rule will remain, which maps your LAN (E.g. 192.168.1.0/24) to the WAN interface. Later in this guide, we’ll change this to a VPN interface such as Mullvad or ProtonVPN.

Firewall

Next we’ll visit the firewall configuration. Initially, the two networks you will focus on are the WAN and LAN. First, unless you are utilizing IPv6 on your network, we’ll simplify this and delete the ‘Default allow LAN IPv6 to any rule’, which allows any IPv6 addresses on your LAN, to any (the internet).

Deleting rules:

Go to Firewall > Rules, and select the LAN tab
Click the trashcan icon next to the ‘Default allow LAN IPv6 to any rule’, click OK
Click Apply Changes.

Firewall rules:

Go to Firewall > Rules, and select the LAN tab
Select the edit (pencil icon) for the ‘Default allow LAN to any rule’ which should be the last one
Scroll down to ‘Extra Options’ and click ‘Display Advanced’
Scroll down and change ‘Gateway’ to ‘WAN_DHCP’
Click Save, then Apply Changes.

Now you should have internet access, providing your client machine has DNS. You can test internet connectivity by pinging a known public IP (e.g. 9.9.9.9)

ping 9.9.9.9

If this works and your client machine can resolve DNS, then you have internet access. Next we want to make sure we only use VPN for all devices on the LAN.

Step 5: pfSense Client VPN Setup

In this step, we’ll setup our preferred VPN provider, create a dedicated interface for the VPN, and then go back to the NAT and Firewall rules to make sure all traffic is routed over VPN. This will vary slightly depending on the VPN provider, and most offer their own guides for pfSense. For the purpose of this guide, we’ll use ProtonVPN.

ProtonVPN Configuration

First, let’s gather the information we need from ProtonVPN, such as the username, password, VPN server IP address, and VPN certificate.

Login to your ProtonVPN account (ProtonVPN Account) and click Downloads
Scroll down to ‘OpenVPN configuration files’, then choose ‘Router’
Leave Protocol as ‘UDP’
Scroll down to your preferred country configuration (E.g. United States)
Select a VPN location to download (E.g. US-NY#62)
Click Download and save the .ovpn file to your computer
Next, go to Account
Copy the username and password from ‘OpenVPN / IKEv2 username’

I like to save Proton’s OpenVPN configuration files to my computer in case I want to switch to another server later. This way I have an offline copy of my preferred VPN servers.

Open the .ovpn configuration file in Notepad or similar, and along with the username and password, take note of the following:

OpenVPN / IKEv2 username
OpenVPN / IKEv2 password
VPN server IP address (E.g. in the line remote 146.70.72.130 1194)
Cipher (E.g. in the line cipher AES-256-GCM)
Tun MTU (E.g. in the line tun-mtu 1500)
CA Certificate (see below)
TLS Key (see below)

With the OpenVPN configuration file open, look for the section that starts with <ca> and ends with </ca>, and copy the text between these tags. You’ll have something similar to this example:

The first step is to import the CA (Certificate Authority) certificate from ProtonVPN. To do that, we need to obtain the OpenVPN configuration file which will contain all the information we need.

Also, you need the TLS key which is also in the configuration file:

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
baee5f846946880c12fe4189e8d8befd
e19a8e6b8b0f9b27f7e9c2e3a398e648
3c6be7a289b0d8d664c1d1e92e48a889
fb59124f0d0d67d50c9e93fad8c4d617
d0f6c5d5e0a0742c2d2fba344d9fb4b9
a7bfd29a8e5c9c2c8a82e939f5f3245a
aed40ba0b0b0a50686fca489bcc63766
2dfced8463bdf2ac22b4d8aec41f2b91
d2aab96ff676e614a3b4f1f6e4b0998b
7f62aee9f2a4c1874c5f1f6e8e4d85c6
b1d585b5efb88e48959d0d99db2e4d8f
6aecd4d8e64f1234567890abcedef012
3456789abcdef0123456789abcdef012
fedcba9876543210fedcba9876543210
0123456789abcdef0123456789abcdef
fedcba9876543210fedcba9876543210
-----END OpenVPN Static key V1-----
</tls-crypt>

Adding ProtonVPN CA Certificate

Now, we’ll import the CA certificate into pfSense.

Go to System > Certificates, and click on the Authorities tab
Click Add
Descriptive Name: ‘ProtonCA’ or something similar
Change ‘Method’ to ‘Import an existing Certificate Authority’
Leave Trust Store and Randomize Serial unchecked
Paste the certificate in ‘Certificate Data’ including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- text
Click Save

OpenVPN Client Setup

Now we’ve imported the CA certificate from Proton, we can continue to the OpenVPN client setup. For entries that are left blank, I’ve not included them below.

Go to VPN > OpenVPN, and select the Clients tab
Click Add, and use the settings in the table below:

Description	ProtonVPN or something similar
Server mode	Peer to Peer (SSL/TLS) - default
Device mode	tun - Layer 3 Tunnel Mode - default
Protocol	UDP on IPv4 only - default
Interface	WAN - default
Local port	blank - default
Server host or address	`146.70.72.130`
Server port	1194 - default (You can change this if desired, to one of the other supported ports in the `ovpn` configuration file)
Proxy host or address	blank - default
Username	- Obtain from ProtonVPN (Account > OpenVPN / IKEv2 username)
Password	- Obtain from ProtonVPN (Account > OpenVPN / IKEv2 password)
Authentication Retry	Disabled - default (do not select this)
TLS Configuration	Use a TLS Key - default (this should be selected)
Automatically generate a TLS Key	Disabled (uncheck this)
TLS Key	Paste TLS key you obtained earlier, including the `-----BEGIN OpenVPN Static key V1-----` and `-----END OpenVPN Static key V1-----` text
TLS Key Usage Mode	TLS Authentication - default
TLS keydir direction	Use default direction - default
Peer Certificate Authority	ProtonCA (this is the name of the CA certificate you added in the last step)
Data Encryption Algorithms	AES-256-GCM (this should be the only option on the right hand side)
Fallback Data Encryption Algorithm	AES-256-CBC (256 bit key, 128 bit block) - default
Auto digest algorithm	SHA512 (512 bit)
Hardware Crypto	Intel RDRAND engine - RAND
Allow Compression	Decompress incoming, do not compress outgoing (Asymmetric)
Compression	Disable Compressions [Omit Preference]
Pull DNS	Enable ‘Add server provided DNS’

Go to Status > Services
For ‘openvpn’ press the start (play) button
Go to Status > OpenVPN

You should see that the VPN connection status is ‘Connected (Success)’. If this shows as ‘down’ or ‘pending’, you can check for errors in Status > System Logs > OpenVPN.

Step 6: Always-on VPN

If you’ve made it this far, congratulations! You’ve not only got pfSense as your primary router, but it’s running a VPN client connected to your VPN provider. All that remains, is to configure pfSense to route all outbound traffic from the LAN, to your VPN provider instead of the WAN port. This is where the magic happens, and because of the way we’ve setup routing, it acts as a ‘kill-switch’, should your VPN connection go down, it won’t default to the WAN interface.

In this final step, there 3 areas to configure:

Create an interface for the VPN (E.g. ProtonVPN)
Configure NAT (outbound) to use the new interface instead of the WAN interface
Configure the LAN firewall rule to specify the VPN interface as the LAN gateway.

Create VPN Interface

We need to configure our VPN (E.g. ProtonVPN) as an interface. This will allow for the NAT and firewall rule configuration in the next steps to use this interface to route to the internet (via VPN).

Go to Interfaces > Assignments
Under ‘Available network ports’, select ‘ovpnc1 (ProtonVPN)’ or whatever your VPN client was named, then click Add.
Click on the new interface (e.g. OPT1)
Select ‘Enable interface’
Change Description: ProtonVPN (or similar)
Click Save, then Apply Changes

NAT Configuration

Now we have our interface, we’ll configure outbound NAT to use it as the external connection.

Go to Firewall > NAT
Select the ‘Outbound’ tab
Select the edit (pencil icon) for the NAT rule which matches your LAN subnet (e.g. 192.168.1.0/24)
Change the interface from ‘WAN” to ‘ProtonVPN’ (or your VPN interface name)

LAN Firewall Default Rule

Go to Firewall > Rules
Sekect the ‘LAN’ tab
Select the edit (pencil icon) for the ‘Default allow LAN to any rule’ which should be the last one
Scroll down to ‘Extra Options’ and click ‘Display Advanced’ (if it’s not already showing)
Scroll down and change ‘Gateway’ to ‘PROTONVPN_VPNV4’ (or the one for your VPN interface)
Click Save, then Apply Changes.

VLANs

A quick note on VLANs. To achieve this, you would:

Set up VLANs on your managed switch and configure corresponding interfaces in pfSense. Hint: You can use VLAN tagging to ‘trunk’ multiple VLANs using the single LAN port.
Create DHCP servers for each VLAN to manage IP address allocation.
Configure firewall rules to control traffic between each VLAN and the internet.
Set up your Ubiquiti access points to broadcast multiple SSIDs, each tagged with the appropriate VLAN ID.
Adjust pfSense’s NAT and firewall settings to ensure the correct routing of traffic, directing some through the VPN and others through the WAN as needed.

Summary

I hope you found this guide useful and easy to follow. I know there is a lot involved in setting up pfSense, especially given the extra configuration required to route all of your LAN traffic through the OpenVPN client in pfSense. However, I hope the enhanced privacy and security you gain makes it all worth it!

One of the powerful features of pfSense is the ability to set up multiple VLANs. By segmenting your network, you can create separate segments for different types of traffic, such as guest, work, private, and IoT devices. When paired with supported access points like those from Ubiquiti, you can configure multiple WiFi networks (SSIDs) within your environment. This allows you to assign specific VLANs to each SSID, enabling some networks to route traffic through the VPN for added privacy, while others can use the WAN for direct internet access. Perhaps this warrants a part two? If this would be useful, let me know.

If you encounter any mistakes or have suggestions for improvements, please feel free to contact me. Your feedback is valuable and helps make this guide even better for everyone.

The Foundations of Digital Privacy - Beyond VPN

Sun, 04 Feb 2024 05:00:00 +0000

Introduction
VPNs Are Not For Anonymity
DNS the Right Way
Summary

Introduction

Welcome to part one of ‘The Foundations of Digital Privacy’ series, where we delve into the core principles of securing your digital life. Unlike other setup guides, this series is designed to arm you with a comprehensive understanding of digital privacy that precedes technical application. This foundational knowledge serves as the critical first step on your journey toward a more secure and private online presence. In the next part, we’ll dive into the technical specifics of configuring pfSense for privacy enthusiasts.

Here. Take a cookie. I promise, by the time you’re done eating it, you’ll feel right as rain.

The Oracle

Like Neo in “The Matrix”, by the time you finish reading this blog post, you’ll walk away with a transformation of your own; the desire to adopt an always-on VPN with pfSense, integrate Unbound as your DNS resolver, and switch to Quad9 for DNS.

The motivation for this stems from a simple concern: the unsettling ease with which our online activities can be tracked and logged by virtually every website and service we interact with. Tracking that compiles a detailed record of our movements online, posing risks of exposure in data breaches or even through simple tools like whois lookups, which can reveal the approximate location tied to an IP address. The text below is from a whois lookup for an IP address based in the United Kingdom, showing just how accessible this information can be:

inetnum:        81.102.160.0 - 81.102.163.255
netname:        VMCBBUK
descr:          BASFORD
country:        GB
admin-c:        NNMC1-RIPE
tech-c:         NNMC1-RIPE
status:         ASSIGNED PA
mnt-by:         AS5089-MNT
remarks:        Virgin Media Consumer Broadband UK
remarks:        Report Abuse via http://www.virginmedia.com/netreport
notify:         
notify:         Email Abuse & Blacklist & SPF contact <>
created:        2022-07-25T05:45:38Z
last-modified:  2022-07-25T05:45:38Z
source:         RIPE

The IP address is allocated to a user in Basford, a small village in the United Kingdom. This allocation comes from a range designated for Virgin Media Consumer Broadband. Given Basford’s size, it significantly narrows down the potential location of the IP address to a few miles. While not all internet providers allocate their IP ranges similarly, Virgin Media’s approach demonstrates one method of assignment.

Digital Footprints

Consider the following: when you power on your Windows PC, Mac, or Linux machine, it begins to communicate with various online services. For instance, if you use Dropbox, the process associated with the Dropbox tray icon launches with your system’s startup, initiating communication with Dropbox’s cloud servers for data synchronization, update checks, and more. This activity, linked to your Dropbox account, is recorded along with your internet IP address. Your email address, username, and billing information are also associated with your identity, marking just one element of your digital footprint. The scenario extends to other applications that launch at startup, such as Adobe Creative Cloud, Microsoft Office, Firefox, and Google Chrome. Specifically, being logged into Google Chrome triggers background processes that communicate with Google’s cloud servers, capturing your IP, username, email, among other details, before you open the browser!

This illustrates why VPN client software alone is not sufficient for privacy. By the time the VPN service establishes a connection, even when it’s set to connect on start-up, your digital footprint had already begun to form with your real IP address. This extends to other devices on your network, including phones and gaming consoles, further expanding your digital trail.

VPNs Are Not For Anonymity

The amount of misinformation surrounding VPNs is staggering, potentially leaving newcomers to online privacy feeling overwhelmed and confused. To set the record straight:

VPNs do NOT provide anonymity.

When you route all of your online activities through a VPN tunnel, say to a server in New York, it appears as if all of your activities originate from that VPN server, and not your home internet connection. This means that instead of logging your real IP address, provided by your internet provider, these services log the IP address of the VPN server. Most reputable VPN providers claim to have a no logging policy, which means they do not keep records of your activities. However, they do ‘technically’ have the capability to enable logging. Should law enforcement or another government entity secure a court subpoena for your VPN provider (see here), they could compel the provider to start logging activities associated with your account. Thus, everything you conduct over the VPN could potentially be monitored and recorded.

For certain individuals, depending on their security concerns, this possibility represents a significant risk. However, it’s important to remember that anonymity is not the primary purpose of a VPN. For that, consider TOR.

So if VPNs don’t provide anonymity, then what are they for? Simply put, without one, your internet provider can monitor all of your browsing activity. That said, these days every service and site you access will very likely use HTTPS, so anyone snooping on your internet connection, such as your internet provider, won’t see the contents of your traffic, only what sites and services you visit. They can do this thanks to DNS, more on that in a moment.

Internet providers in Europe and other parts of the world have issued warnings to users about torrenting or pirating movies, music, and other activities. These warnings are part of efforts by ISPs to curb copyright infringement, following requests from copyright holders. For instance, users have reported receiving piracy warnings from their ISPs, which typically inform them that their internet connection was used to download and share copyrighted material. The notices detail the alleged infringement, including the time, date, and the content involved.

Companies like Warner Bros. have been involved in targeting file-sharers directly, even those using ISPs not participating in formal anti-piracy schemes like the Six Strikes in the United States. Warner Bros. and many other companies have been known to work with companies like Digital Rights Corp to send DMCA notices along with settlement offers to alleged infringers. These notices often include a payment option to settle alleged copyright infringements, effectively acting as a deterrent against future unauthorized sharing of copyrighted content.

This process does not require the ISP to monitor your browsing activity directly; instead, it relies on the visibility of your IP address in a public peer-to-peer (P2P) network. That’s why using a VPN can be crucial for privacy since a good VPN hides your real IP address and replaces it with one from their server, making it much harder for anyone monitoring a torrent swarm to trace activity back to you specifically.

Nothing to Hide

The “nothing to hide” argument is flawed because it fundamentally misunderstands the essence and importance of privacy. Privacy is not merely about concealing any wrongdoing; it is a core component of human dignity and autonomy. This argument assumes that privacy is only of concern to those who have something to hide, ignoring the fact that privacy rights enable individuals to control their personal information and protect themselves from potential abuses of power. It neglects the complexity of how personal data can be misused, irrespective of one’s innocence, such as for surveillance, identity theft, or unwarranted profiling. In a society where every action can be monitored, scrutinized, or taken out of context, individuals may self-censor or alter their behavior, not out of guilt, but out of fear.

If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

- Cardinal Richelieu

It’s also well-documented that many internet providers collect, sell, and even share user data, including browsing habits, with third parties. A report from the Federal Trade Commission (FTC) highlighted concerning practices among ISPs, such as collecting extensive personal and browsing data, grouping consumers using sensitive characteristics (e.g., race, sexual orientation), and sharing real-time location data with third parties. Despite some ISPs promising not to sell personal data, the report found that the data could still be monetized and used by affiliates, often hidden in the fine print of privacy policies.

Protecting our online privacy involves more than just using a VPN; DNS also plays a crucial role in this process.

DNS, The Right Way

The Domain Name System (DNS) is crucial to navigating the internet, even when using a VPN. Whenever you access a website, your device queries DNS to convert the domain name (like www.duckduckgo.com) into an IP address, which is necessary to connect to the desired web service. Routers supplied by your ISP will default to their own DNS servers, meaning DNS queries are managed by the ISP, which results in logging, analysis, and sharing of your online activities. So while nearly every website you visit now establishes an encrypted connection (HTTPS), your ISP will still know which sites you visited, when you visited them, your location, and they are doing this to sell (monetize) what you do on the internet.

Having established the importance of switching from the ISP-provided DNS server to enhance privacy, it’s worth noting that there are several reputable DNS providers available, such as NextDNS, OpenDNS, Cloudflare, and DNS.WATCH. Having experimented with each of them, I recommend Quad9.

Quad9 is a nonprofit organization based in Zurich, Switzerland, and receives funding from sponsors such as IBM, Packet Clearing House, and the Global Cyber Alliance. They ensure that no data containing your IP address is logged in any of the Quad9 systems and provide DNS encryption for enhanced privacy. Importantly, from a security standpoint, Quad9 offers the option of filtered DNS. This service, based on their threat feeds, blocks potentially malicious traffic from malware and other threats, adding an extra layer of security.

Do note, however, that if you switch from your ISP’s DNS to a service like Quad9, your ISP can still potentially see which websites you visit, but not through DNS queries. By using Quad9, your DNS queries are directed away from your ISP, thus preventing the ISP from logging these queries directly. Incorporating recursive DNS into the setup also adds an additional layer of obscurity. This is because resolving domain names through a process that traces the query back to the root DNS servers can make it more difficult for outside observers to track your specific browsing habits based on DNS queries alone. Later in this series, we’ll use Unbound to achieve this.

Nevertheless, unless your internet connection is encrypted through a VPN or similar technology, your ISP can still observe your internet traffic due to the inherent nature of how ISPs route internet packets. This raises an important question, ‘Is this sufficient?

DNS encryption

Since its inception, the Domain Name System (DNS) has traditionally utilized UDP port 53, a practice that continues to this day. However, the rise of digital surveillance and sophisticated cyber threats has necessitated the development of more secure methods of DNS querying. Encryption stands at the forefront of these efforts, offering a shield against prying eyes. DNS encryption techniques, such as DNS over HTTPS (DoH) and DNS over TLS (DoT), provide a crucial layer of security, ensuring that DNS queries and their responses are shielded from interception and manipulation. This not only enhances user privacy but also plays a significant role in the overall security of internet communications. Let’s delve into these encryption protocols and their implications for online privacy.

DNS over HTTPS (DoH)

DNS over HTTPS (DoH) represents a significant advancement in DNS query privacy and security. By utilizing the secure HTTPS protocol, DoH encrypts DNS queries and responses, effectively shielding this data from eavesdropping and manipulation by intermediaries. This encryption ensures that DNS traffic is indistinguishable from regular HTTPS traffic, complicating efforts by unauthorized parties to monitor which websites a user is attempting to access.

A key aspect of DoH is its use of HTTPS (specifically, TCP port 8443), which prevents governments and other intermediaries from monitoring or blocking DNS traffic. However, this has raised concerns among privacy-focused organizations, including Quad9. They caution that certain governments might escalate censorship efforts, potentially blocking all traffic not passing through their designated inspection proxies. Such actions could severely threaten internet freedom, indicating a move towards more controlled and monitored internet access.

DNS over TLS (DoT)

Transitioning to another layer of DNS security, DNS over TLS (DoT) offers a distinct approach to encrypting DNS queries. Unlike DoH, which integrates DNS queries within the broader HTTPS traffic, DoT encrypts DNS information through the Transport Layer Security (TLS) protocol. Operating on TCP port 853, DoT provides a robust encryption layer, protecting DNS requests and responses from being intercepted or altered.

The key distinction between DoH and DoT centers on their operational approaches and the specific ports they use. DoT is tailored to secure the DNS query process itself, without mingling it with other web traffic. However, the reliance on TCP port 853 could potentially make DoT traffic more detectable and subject to blocking by restrictive networks, which may limit its utility in environments with heavy internet censorship.

The choice between DoH and DoT will ultimately depend on the evolution of DNS security and the specific threat model you face. Factors such as your geographical location, the prevailing censorship and surveillance practices in your country, and the threats you encounter will significantly influence this decision. Remember, my focus is on ‘practical’ privacy, and simply using Quad9 DNS with a VPN might be more than sufficient for most. I just want to ensure you are aware that the topic extends beyond VPNs (hence the title!).

Encrypted Client Hello (ECH)

While we are discussing DNS encryption options, it’s important I mention the Encrypted Client Hello (ECH) extension for TLS. ECH enhances privacy by encrypting additional metadata that could be exposed during the TLS handshake. While both DoH and DoT encrypt DNS queries, ECH addresses a separate aspect of TLS communications, offering further protection by encrypting information that could reveal the specific website being accessed, beyond the DNS query itself. Confused yet? Don’t worry, I just wanted to mention it. If you want to read more about ECH, then check out this blog post.

If you are using Firefox version 118 or above AND using DoH, then ECH is enabled by default.

DNSSEC

DNSSEC (Domain Name System Security Extensions), isn’t about encryption, it’s about ensuring the integrity of data, a distinction often overlooked due to its name. Essentially, DNSSEC verifies that the digital signatures on DNS data, match, confirming that the data originates from its rightful source and remains unchanged during transit. DNSSEC may slow down DNS queries, although the impact is often minimal and depends on various factors including the resolver’s implementation and network conditions. It’s worth noting that Quad9 integrates DNSSEC validation within their recursive DNS process, alleviating the need to enable it in pfSense.

Unbound (Recursive DNS)

Alright, I’ve brought up Unbound already, so let’s dive into that a bit more. Unbound is a DNS resolver that sets itself apart from standard DNS servers by functioning primarily as a ‘recursive’ DNS resolver. Unlike traditional DNS servers, which often act as mere forwarders, sending your DNS queries up the chain to other servers until an answer is found, Unbound takes on the task of performing the full journey of a DNS query itself. This means it starts at the root DNS servers (.) and works its way down through the hierarchy of domain names until it locates the specific server hosting the DNS records for the domain you’re trying to reach (www.duckduckgo.com). This recursive approach not only enhances privacy by minimizing the number of servers that see your DNS queries but also improves security by directly validating DNSSEC signatures, ensuring the authenticity and integrity of the DNS data it retrieves.

By operating as a recursive DNS resolver, Unbound provides several key benefits over standard DNS servers. First and foremost; security.

You see, Unbound can effectively protect against DNS spoofing and cache poisoning attacks by verifying DNSSEC signatures, a level of security that is not inherently provided by many standard DNS services. Its ability to perform the entire name resolution process internally also means that Unbound can optimize DNS query paths for better performance, caching responses aggressively to speed up access to frequently visited domains.

Also, luckily for us, pfSense uses Unbound as the DNS resolver by default.

Note: I mentioned earlier that Quad9 already performs DNSSEC validation, which could alleviate the need to enable DNSSEC directly in pfSense. This is true. However, it’s important to understand that for you to fully benefit from Unbound’s DNSSEC validation capabilities (integrated within pfSense), DNSSEC must be explicitly enabled in pfSense. This ensures that DNSSEC validation occurs both externally (via Quad9) and internally (within your network).

Summary

Feeling right as rain yet? I’ve covered quite a bit, from the reality that VPNs aren’t a one-stop-shop for anonymity to wrapping our heads around DNS and its importance in keeping our digital lives private. Before we dive into setting up pfSense, I wanted to ensure you understand the rationale behind the ‘why’ of our approach. As you can now appreciate, it’s not as simple as going with whatever VPN suggests. Even when delving into DNS encryption (DoT, DoH), ECH, and DNSSEC, we see it's also not as straightforward as picking 1.1.1.1 for DNS, just because it's easy to remember!

In part two, it’s time to roll up our sleeves and dive into the hands-on setup of pfSense. This is where we shift from theory to the fun stuff. We’ll walk through setting up that always-on VPN, getting Unbound to do the heavy lifting on DNS, and switching over to Quad9 for that extra layer of security. Then, I’ll show you how to run one or more VPN connections for an always-on VPN configuration with OpenVPN.

If you’ve actually read all of this and understood it, then give yourself a pat on the back! And if you’re now utterly confused, don’t worry! Just follow the steps in part two (coming soon), and it’ll all start to make sense.

See you soon!

Secure Settings for Firefox

Fri, 24 Nov 2023 17:01:35 +0000

Firefox Release 122.0 (January 23, 2024)

I’ve been using Firefox as my primary browser since 2010, and here are my recommended settings to further enhance your security and privacy:

Preferences

1. Downloads (Preferences > General)

Disable automatic downloads by enabling the prompt to ‘Always ask you where to save files’.

2. Home (Preferences > Home)

Set the default homepage to https://duckduckgo.com
Disable all Firefox Home content by deselecting Web Search, Top Sites, Highlights, and Snippets.
Ensure New Tabs is set to ‘Blank Page’

3. Search (Preferences > Search)

Set Default Search Engine to DuckDuckGo
Disable Search Suggestions (optional) - I recommend only enabling ‘Show search suggestions in address bar results’
Set Search Shortcuts to DuckDuckGo only (deselect or remove the others)

4. Browser Privacy (Preferences > Privacy & Security)

Set Enhanced Tracking Protection to Strict

If this breaks too many sites, go ahead and change it back to Standard. Use what works for you.

Enable ‘Delete cookies and site data when Firefox is closed’
Click on Manage Exceptions and add any sites you want to retain cookies for. I do this for sites I use every day, and you can wildcard entire domains (E.g. https://twitter.com)
Deselect all items in Login and Passwords. I never use the browser to store these things, instead use KeePassXC or BitWarden.
Select ‘Use custom settings for history’ in the History dropdown, and deselect all options. Cookies for sites we enabled in Manage Exceptions will still be kept.

Under Address Bar, select only Bookmarks and deselect everything else.
For each of the following permissions, click on ‘Settings…’ and then select ‘Block new requests…’ at the bottom of each
- Location
- Camera
- Microphone
Finally, deselect all options in Firefox Data Collection and Use.

Note: I don’t add / change my bookmarks very often, so I simply export them to an HTML file as a backup every now and then.

Recommended Add-Ons

I don’t like to add too many add-ons, since the more you add will increase the potential of one of them being vulnerable to attack or making your browser more unique (it’s fingerprint). Panopticlick is a useful tool to see how unique your browser fingerprint is.

Here are the 3 essential add-ons, that I would install without question:

Secure Settings for Brave

Thu, 23 Nov 2023 17:01:35 +0000

Brave Release 1.62.153 (Jan 25, 2024)

On-Startup (Get Started > On-Startup)

Change “Continue where you left off” to “Open the New Tab page”

Appearance

Disable:

Show Brave News button
Show Brave Wallet button
Show Sidebar button
Show VPN button

**Disable: **

Show autocomplete suggestions in address bar Top Sites Browsing History Bookmarks

Privacy & Security

Private Windows with Tor Connectivity in Brave are just regular private windows that use Tor as a proxy. Brave does NOT implement most of the privacy protections from Tor Browser.

Disable:

Allow privacy-preserving product analytics (P3A)
Automatically send daily usage ping to Brave
Private window with Tor

Clear Browsing Data

On exit: All

Site and Shields Settings

Location > Don’t allow sites to see your location Camera > Don’t allow sites to use your camera Microphone > Don’t allow sites to use your microphone Notifications > Don’t allow sites to send notifications

Additional permissions: Automatic downloads > Don’t allow sites to automatically download multiple files USB devices > Don’t allow sites to connect to USB devices File editing > Don’t allow sites to edit files or folders on your device Clipboard > Don’t allow sites to see text or images on your clipboard

Cookies and Site Data: Block third-party cookies - enabled Enable: Clear cookies and site data when you close all windows

Sites that can always use cookies Add sites here that you always use (E.g. email, Twitter) - Don’t go crazy, it’s best to keep this to a minimum!

By default the following URLs are allowed: https://[*.]firebaseapp.com https://accounts.google.com

Note: You can’t delete them unless you disable the use of third-party cookies for legacy Google Sign-In and Facebook logins and embedded posts.

Go to: brave://settings/socialBlocking Disable:

Allow use of third-party cookies for legacy Google Sign-In
Allow Facebook logins and embedded posts
Allow Twitter embedded tweets

Shields

Allow use of third-party cookies for legacy Google Sign-In Allow Facebook logins and embedded posts Allow Twitter embedded tweets

Autofill and passwords

Disable:

Allow auto-fill in private windows

Payment methods Disable:

Save and fill payment methods
Allow sites to check if you have payment methods saved

System

Use WireGuard protocol in Brave VPN - enabled

Note: brave://about/ will show all possible settings

Recommended Add-Ons

Here are the 3 essential add-ons, that I would install without question:

uBlock Origin

Why I Prefer Firefox for Better Online Security

Wed, 22 Nov 2023 17:01:35 +0000

I have to cringe when I see a fellow IT professional use their web browser, only to see the screen is populated with ads. It’s not the content of these advertisements that I dislike, well actually it’s that too, but the third-party tracking cookies that are part of the payload. I just feel my peers should know better. Aside from the tracking cookies that are often part of the ad, much like the soldiers that hid inside of a wooden horse to enter the city of Troy, these ads sometimes contain malware. But why should you care?

In 2020, The New York Times published a series of articles called The Privacy Project, and one such article highlighted this very issue, Why You Should Take a Close Look at What Tracks You. It happens in the physical world as well, with Bluetooth and WiFi beacons in stores and shopping centers, and automatic license-plate readers (ALPR) on our roads, parking lots, venues, and even our neighborhoods.

I don’t like being tracked. But it’s more than tracking, it’s a psychological profile being used to serve what they call ‘relevant ads’. I can’t blame them really. I mean, why serve an advertisement for Arby’s to a vegetarian?

Have you ever purchased something in a pharmacy, and then later that day you see ads on Facebook or other websites, for that exact same thing? Perhaps you thought your phone was listening? More likely what happened is that phone number you gave the pharmacy for reward points, is linked to your Facebook profile. Yes, Meta are involved in data collection here too.

The nothing to hide argument is also ridiculous so I won’t even entertain that here. The fact is that our data is being collected. Even the data we willingly hand over, perhaps for an online order, will invariably end up in a data breach at some point in time. I don’t want my personal information in the wrong hands, with scammers or identity thieves. If it’s being collected, then you must assume it will eventually be exposed. Did you know that insurance companies harvest and process this data too? And, depending on how they profile you it can increase your insurance premium.

This is just scratching the surface. Like security, achieving privacy online is a fine balance. If you go too far then it results in what we are trying to do, an impossible task. Not enough, and you may think why bother at all?

Now let’s explore our risk profile here. If you are online, then you are not anonymous. The Tor Browser goes pretty far towards anonymity, but it’s not foolproof. VPNs are great, but these are more akin to smoke and mirrors. Don’t ever think a VPN will make you truly anonymous online either. The nirvana we are trying to attain is just a good balance. We want to block ads, block malware, and make it more difficult for websites to track our behaviors. It really doesn’t have to be more complicated than that, for most of us anyway.

Disclaimer

The content on this site is aimed at practical privacy and security - the kind of privacy measures you’d expect the average internet user to adopt, not someone in witness protection or fleeing their country in danger of their life! Extreme privacy requires more than a VPN and well configured web browser, therefore it’s not in the scope of this article. I recently saw a Reddit post by someone fleeing a sex trafficking situation, in genuine fear for their life. If that is you, then look into using Tails on a bootable USB stick, erase and throw away your phone and SIM card, buy a burner phone with cash, and use a pre-paid SIM card in an alias name. Use cash only, gift Visa cards purchased with cash, or privacy.com. Always use a VPN. And, that is just the start.

Psysecure by Ray Heffer, CISO advisor and cybersecurity expert.

Self Hosting Nextcloud for Privacy, the Right Way (September 2024)

Table of Contents

Introduction

Overview

Server

Proxmox

Storage

1. Ubuntu Installer

2. Server Setup

Setting the Timezone

Updating the System

Setting Up the Firewall

Installing Docker

Configuring the Hosts File

Enabling Automatic Updates

Adding a Data Disk with LUKS Encryption

Encrypting the Disk

Creating a Key File for Automatic Unlocking

Configure /etc/crypttab

Mounting the Encrypted Disk

Rebooting and Verifying

Setting Permissions

3. Installing Nextcloud (Docker)

Creating a Docker Compose File

Configure Nextcloud to Use Apache

4. Setting Up Let's Encrypt SSL Certificate

Domain Names

Internal DNS

Installing Certbot and DNS plugin:

Obtain CloudFlare API Key

Configure DNS API Credentials

Request the Certificate

Starting the Containers

Verify the containers are running:

5. Finalizing Nextcloud Setup

Enable Redis for Memcache

Errors and Warnings

1. Error: Some files have not passed the integrity check. List of invalid files… Rescan… For more details see the documentation.

2. Warning: Server has no maintenance window start time configured.

3. Warning: One or more mimetype migrations are available. Occasionally new mimetypes are added to better handle certain file types.

4. Warning: Detected some missing optional indices. Occasionally new indices are added (by Nextcloud or installed applications) to improve database performance.

5. Warning: RuntimeException image not found: image:apps/whiteboard.svg webroot: serverroot:/var/www/html

6. Warning: Phone Region Not Set

Useful Docker Commands

Verify Docker installation

List all containers

Remove container

Bring Down All Docker Compose Services

Bring Up and Rebuild All Docker Compose Services

Check Logs for Specific Container

Execute a Command Inside a Running Container

Restart a Specific Container

List all images

Restart Docker Service

Venturing into AI Security with Locally Hosted LLMs

AI Cyber Warfare

Locally Hosted LLMs

Models - Size Matters

Openhermes2.5-mistral

AI Security Examples

Example 1: Ollama with Python

Example 2: Ollama API

Example 3: PrivateGPT for File Analysis

Summary

Further resources

Using the TOR Browser over VPN

TOR or VPN?

TOR (The Onion Router)

VPN (Virtual Private Network)

Comparing the Two

Using TOR over VPN

The Complete Setup Guide to pfSense for Privacy and Security

Table of Contents

Introduction

Shopping List

IP Addressing

Step 1: Installation (pfSense 2.7.2)

Download the Installer

Verifying the SHA256 Checksum