Gentoo Forums
How to stay safe on public wifi?

grant123
l33t

Joined: 23 Mar 2005
Posts: 989

Posted: Sat Oct 15, 2016 12:14 pm    Post subject: How to stay safe on public wifi?

I'm going to try a co-working space where I'll be on public wifi. My firewall blocks all inbound connections. Is there anything else I should do to stay safe?

albright
Advocate

Joined: 16 Nov 2003
Posts: 2541
Location: Near Toronto

Posted: Sat Oct 15, 2016 12:16 pm    Post subject:

Quote:
My firewall blocks all inbound connections


why not then just turn off your wifi interface?
_________________
.... there is nothing - absolutely nothing - half so much worth
doing as simply messing about with Linux ...
(apologies to Kenneth Graeme)

grant123
l33t

Joined: 23 Mar 2005
Posts: 989

Posted: Sat Oct 15, 2016 12:42 pm    Post subject:

You mean connect via ethernet? Is that less perilous than wifi? I'd still be on the same network of course.

bentii
n00b

Joined: 15 Oct 2016
Posts: 2

Posted: Sat Oct 15, 2016 12:44 pm    Post subject:

grant123 wrote:
I'm going to try a co-working space where I'll be on public wifi. My firewall blocks all inbound connections. Is there anything else I should do to stay safe?

You could use a VPN to home or work (if they have one) to stay safe from snoopers.


albright wrote:
Quote:
My firewall blocks all inbound connections


why not then just turn off your wifi interface?


It probably drops all inbound connections and only allows RELATED,ESTABLISHED ones through, it's a pretty common firewall setup.

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 43383
Location: 56N 3W

Posted: Sat Oct 15, 2016 3:13 pm    Post subject:

grant123,

The problem with shared (public) wifi is that everyone on the same network shares the same wifi key, so wireshark will show you what everyone else on the network is doing.

Wired isn't much safer if you are connected to a hub, not a switch; everyone gets all the packets on the hub.
A switch is slightly safer, in that packets are (normally) only sent to the port that needs them. It's possible to configure a switch to do port replication, so your traffic can be monitored.

You need a layer of encryption that's private to you when you are using an untrusted network. That's what a Virtual Private Network is for.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

szatox
Veteran

Joined: 27 Aug 2013
Posts: 1751

Posted: Sun Oct 16, 2016 7:56 pm    Post subject:

Quote:
It's possible to configure a switch to do port replication, so your traffic can be monitored.

It's also possible to ARP spoof the gateway or overflow its memory turning it into a hub. Works well enough with quite a lot of cheaper devices.

And finally there are devices like gateways and routers all along the ISP's network which forward your traffic and allow intercepting it. So, regardless of the connection you're using there is always a way to sniff on you. If you want to send anything confidential over any sort of public network (e.g. one you don't manage and control yourself), use an encrypted VPN on top of it.

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6746
Location: Blighty

Posted: Mon Oct 17, 2016 10:21 am    Post subject:

Re the topic - "How to stay safe on public wifi?"

I dislike the assumption that non public wifi (which includes physical cable connection) is safe.
Trust no-one.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

depontius
Advocate

Joined: 05 May 2004
Posts: 3385

Posted: Fri Oct 21, 2016 12:32 pm    Post subject:

Firewalling is all well and good, but it's only one layer. When I'm not on a trusted network with my laptop, I run NO services. Boot the laptop, login, start an xterm, "netstat -tupan" and the only thing you'll see is dhcp.

It's of questionable value these days, but running something like https-everywhere is a good idea, too.

And, as others have said, a VPN.

Finally, keep in mind that you're not home, and act appropriately, because there is a distinct possibility that all else will fail.
_________________
.sigs waste space and bandwidth
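
One way to act on the `netstat -tupan` check described in the post above, as an added example that is not part of the original thread: a shell function that reads that output and prints only the sockets other hosts on the LAN can reach. The function name, the constructed sample output and the default allow-list entry `dhcpcd` are assumptions.

```shell
#!/bin/sh
# Added example: list LAN-reachable listeners from `netstat -tupan` output.
# Reads netstat output on stdin; $1 is a regex of program names that are
# expected to listen (assumption: dhcpcd is the DHCP client in use).
exposed_listeners() {
    allow="${1:-^dhcpcd$}"
    awk -v allow="$allow" '
        $1 !~ /^(tcp|udp)6?$/ { next }                # skip header lines
        {
            laddr = $4; peer = $5
            # TCP listeners have state LISTEN; unconnected UDP sockets have
            # no state column, so recognise them by the wildcard peer.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            if ($1 ~ /^udp/ && peer !~ /:\*$/) next
            addr = laddr; sub(/:[0-9]+$/, "", addr)    # strip ":port"
            if (addr ~ /^127\./ || addr == "::1") next # loopback-only socket
            prog = $NF; sub(/^[0-9]+\//, "", prog)     # "1234/sshd" -> "sshd"
            if (prog ~ allow) next
            print $1, laddr, prog
        }'
}

# Constructed sample of `netstat -tupan` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631     0.0.0.0:*         LISTEN      900/cupsd
tcp        0      0 192.168.1.5:51234 203.0.113.7:443   ESTABLISHED 2000/firefox
udp        0      0 0.0.0.0:68        0.0.0.0:*                     800/dhcpcd
udp6       0      0 :::5353           :::*                          950/avahi-daemon
tcp6       0      0 ::1:25            :::*              LISTEN      1100/master'

printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On a live system the input would be `netstat -tupan | exposed_listeners`, run as root so the program column is filled in; empty output matches the "only dhcp" state the post describes.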

grant123
l33t

Joined: 23 Mar 2005
Posts: 989

Posted: Fri Oct 21, 2016 1:17 pm    Post subject:

If a firewall is blocking all incoming requests, what are some dangerous scenarios I could run into besides snooping?

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7160
Location: almost Mile High in the USA

Posted: Sat Oct 22, 2016 6:56 am    Post subject:

If you don't trust the owner of the wifi, they could do routing tricks or dns tricks too.

For the most part if you can understand your SSL certificates or use VPN on an untrusted network, you're probably OK. I ended up setting up a VPN on my home machine with two way key verification to make sure I don't have MITM when accessing my VPN, but I only use this when I completely don't trust the network. Usually I have some trust (it's usually the routing hacks, dns cheats, and port blocking that may need to be worked around) and just use SSL over the network and it's good enough for most other things.

I don't know if the intent of the query is also including services that might be running on your Gentoo box, but you can disable those if you're not comfortable with leaving them on and someone on the same AP/LAN is nmapping you. Up to you, hopefully your machine is up to date and those services are not insecure.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5855

Posted: Sat Oct 22, 2016 6:56 pm    Post subject:

If you have any possibility of using IPv6, configure it correctly. The kernel default is geared toward ease of use, not privacy.

For dhcpcd, putting this in its config is a good idea (to get rid of predictable MAC-based addresses):
Code:
slaac private


Put these in /etc/sysctl.d to make the system use random temporary addresses for outgoing connections. Daemons won't listen on temp addresses usually, so it makes it harder to scan you for open ports:
Code:
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2


And if you have an iptables firewall, make sure you have a corresponding ip6tables one.
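
The checks suggested in the post above, as an added shell example that is not part of the original thread: one function lists interfaces whose `use_tempaddr` is not 2, another reports when IPv4 INPUT is filtered but IPv6 INPUT is not. The function names and the constructed rulesets (in `iptables-save` format) are assumptions.

```shell
#!/bin/sh
# Added example: verify the IPv6 settings from the post on a running system.

# Print interfaces whose use_tempaddr is not 2. $1 is the sysctl tree to read
# (default: the live /proc tree). "lo" is skipped: it has no SLAAC address.
tempaddr_gaps() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    for f in "$root"/*/use_tempaddr; do
        [ -r "$f" ] || continue
        ifname=$(basename "$(dirname "$f")")
        [ "$ifname" = lo ] && continue
        [ "$(cat "$f")" = 2 ] || echo "$ifname"
    done
}

# Read iptables-save / ip6tables-save output on stdin. Exit 0 if the filter
# table's INPUT chain restricts traffic: non-ACCEPT policy or a DROP/REJECT rule.
input_is_filtered() {
    awk '
        /^\*/ { table = substr($0, 2) }          # "*filter" starts a table
        table != "filter" { next }
        $1 == ":INPUT" && $2 != "ACCEPT" { found = 1 }
        $1 == "-A" && $2 == "INPUT" && / -j (DROP|REJECT)/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Exit 0 when IPv4 is filtered but IPv6 is not. $1 and $2 are files holding
# `iptables-save` and `ip6tables-save` output respectively.
v6_firewall_gap() {
    input_is_filtered < "$1" && ! input_is_filtered < "$2"
}

# Constructed rulesets: IPv4 default-drop with RELATED,ESTABLISHED, IPv6 open.
v4=$(mktemp); v6=$(mktemp)
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' 'COMMIT' > "$v4"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' 'COMMIT' > "$v6"
if v6_firewall_gap "$v4" "$v6"; then echo "IPv6 INPUT is unfiltered"; fi
rm -f "$v4" "$v6"
```

On a live system, save `iptables-save` and `ip6tables-save` output to two files as root and pass them to `v6_firewall_gap`; `tempaddr_gaps` with no argument reads the running kernel's values.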