Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Server Security Guide for Kicksecure, Linux, and Kicksecure Hardening

User Account Password Security[edit]

An adversary might connect a keyboard to a server and attempt to login into a virtual console. See also Virtual Consoles Usage Documentation and Protection against Physical Attacks, Virtual Consoles.

The user should set a password for account user. If using user-sysmaint-split, the user should also set a password for account sysmaint.

If logging in passwordless over SSH using public key authentication, the user might be tempted to Locking a Password. However, then recovery using a virtual console over a KVM switch (such as PiKVM) will be no longer possible.

Confidential Computing[edit]

Confidential computing is an advanced security technology that protects data while it's in use, complementing existing protections for data at rest and in transit. The goal is to isolate sensitive data from unauthorized access, even from the cloud provider or system administrators.Confidential Computing (developers)

To the best of the author's knowledge, reasonably secure confidential computing is not currently achievable with Freedom Software. Technical details are available on the wiki pages Confidential Computing (developers) and Verified Boot.

E-Mail Delivery[edit]

DMARC Strict Alignment[edit]

Consider using DMARC strict alignment:

• aspf=s;
• adkim=s
• relaxed alignment aspf=r; / adkim=r might lead to spammers sending e-mails impersonating the domain name and DMARC passing anyhow.
• Illustrative examples on DMARC Strict Alignment

Tools[edit]

• https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/
• https://report-uri.com/account/reports/dmarc/
• https://www.mailhardener.com/dashboard/dmarc-reports
• https://www.mailhardener.com/tools/dkim-validator
• https://tools.socketlabs.com/
• SPF/DKIM/DMARC/DomainKey/RBL Online Test
• https://github.com/6point6/dmarc_checker

DKIM Header Injection Attack[edit]

Introduction:

• https://prog.world/dkim-replay-attack-on-gmail/
• https://utcc.utoronto.ca/~cks/space/blog/spam/DKIMSpamReplayAttack
• https://wordtothewise.com/2014/05/dkim-injected-headers/
• https://www.zdnet.com/article/dkim-useless-or-just-disappointing/

Mitigation:

• https://halon.io/blog/the-dkim-replay-attack-and-how-to-mitigate
• https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
• https://proton.me/blog/dkim-replay-attack-breakdown
• https://security.stackexchange.com/questions/265408/how-many-times-need-e-mail-headers-be-signed-with-dkim-to-mitigate-dkim-header-i
• https://github.com/rspamd/rspamd/issues/2136

Future:

• https://datatracker.ietf.org/doc/draft-kucherawy-dkim-anti-replay/

DKIM Replay Attack[edit]

• https://wordtothewise.com/2014/05/dkim-replay-attacks/
• https://tools.wordtothewise.com/rfc/6376#section-8.6
• https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/

Could a DKIM replay attack be resolved by enforcing In theory, yes. In practice, unsupported by DMARC. See DMARC Alignment: Enforce messages pass BOTH SPF and DKIM. And unlikely to be ever implemented since this would break the e-mail forwarding use case.

DKIM Required[edit]

Is SPF + DMARC sufficient or would this lead to ending up in the spam folder?

• DMARC will pass (success, not a failure) when either SPF or DMARC has pass.
  • Such as pass (as in DMARC reports) however does only indicate that DMARC was pass. The e-mail could still end up being rejected for being spam or end up in the spam folder.
• Quote https://emfluence.com/blog/how-dkim-affects-email-deliverability:

  Yahoo! requires DKIM to sign up for their Feedback Loop (where they keep track of spam complaints). That means anyone who doesn’t have DKIM set up isn’t capturing spam complaints at Yahoo!, and because of that, those email addresses aren’t being suppressed automatically. That could put you on the road to being blocked or blacklisted by Yahoo!

• https://dmarcly.com/blog/can-i-set-up-dmarc-without-dkim doesn't mention spam.
• Quote https://support.google.com/a/answer/174124?hl=en:

  Without DKIM, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.

e-mail self hosting is hard[edit]

• https://www.reddit.com/r/selfhosted/comments/xoi5im/google_smtp_low_domain_reputation/
• and google postmaster tools don't help https://www.tablix.org/~avian/blog/archives/2019/04/google_is_eating_our_mail/
• https://superuser.com/questions/1718259/google-bounce-email-with-error-550-5-7-1-our-system-has-detected-that-this-messa
• https://support.google.com/mail/thread/13395379/domain-reputation-got-bad-and-not-restoring-for-1-5-months-all-messages-bounced-back-with-550-5-7

rain dance required:

• https://www.mailmonitor.com/repair-a-bad-domain-reputation-with-gmail/

SPF[edit]

SPF mostly ignored:

• "SPF is terrible, but was necessary"
  • https://security.stackexchange.com/questions/115981/why-do-email-that-didnt-pass-spf-checks-go-to-my-mailbox

Headers[edit]

View e-mail headers:

• For example in Thunderbird: select an e-mail -> View -> Message Source

There are two different "From" fields in an e-mail.

• A) 'MAIL FROM' https://en.wikipedia.org/wiki/Bounce_address
• B) 'From' header https://en.wikipedia.org/wiki/Email#Message_header

Very good explanation here: https://www.xeams.com/difference-envelope-header.htm

Checking DKIM Signatures on the Command Line[edit]

Might be mostly only useful for learning and testing purposes.

Install dkimverify.

dkimverify < e-mail.eml

Abuse Notifications[edit]

• consider signing up for https://www.abuse.net/addnew.phtml

Standard E-Mail Addresses[edit]

• a number of standard e-mail addresses should redirect to the inbox of the server administrator

Miscellaneous Server Tests[edit]

• See also Website and Server Tests.
• https://www.ssllabs.com/
• https://www.hardenize.com/
• https://www.sshaudit.com/
• https://hstspreload.org/
• https://securityheaders.com/
• https://clickjacker.io
• https://www.validbot.com/
• https://realfavicongenerator.net/
• https://sitecheck.sucuri.net/
• https://hostedscan.com/
• https://talosintelligence.com/
• https://www.debugbear.com/resource-hint-validator
• https://www.debugbear.com/test/website-speed
• https://developers.google.com/search/docs/appearance/structured-data
• https://pagespeed.web.dev/
• https://www.giftofspeed.com/gzip-test/
• https://gtmetrix.com/
• https://www.webpagetest.org/
• https://technicalseo.com/tools/robots-txt/
• https://www.cloudflare.com/ssl/encrypted-sni/

See Also[edit]

• https://help.ubuntu.com/lts/serverguide/console-security.html
• Website Tests
• Browser Tests

Footnotes[edit]

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!