Just wanted to share my setup and see if anyone has suggestions or feedback. Also share yours.

Phone : GrapheneOS(pixel 7a)

  1. No google play service on my main profile. Rethink DNS (NextDNS DoH) blocks ads, trackers, and all Google & Facebook DNS (except WhatsApp).

  2. Some FOSS apps like Aurora Store & NewPipe need Google servers, so I have excluded them in rethink dns.

  3. Work Profile (with Island) with GrapheneOS’ sandboxed Play Services, but I use it maybe once or twice a month only for apps that absolutely need it. It stays turned off most of the time. If an app works on main profile without any issues, will use it. If not, will try to use it in firefox (as lack of play services doesn’t matter). If only app is available (and not web version) and it doesn’t work on main profile, will use it in work profile.

  4. Hardened Firefox fork(Ironfox) for private browsing. Main Firefox for a few services where I have to stay logged in and don’t have apps or want to use their apps.

  5. Network & Sensor Restrictions: If an app works offline, I block its internet access. Also, disabled sensors for apps that don’t need them.

  6. Mostly use foss apps from f-droid(droidify).

  7. Email: moved from gmail to protonmail

PC/laptop: Arch linux kde on pc and fedora kde on laptop.

  1. Not much to say. Most used apps are firefox and Zed. I allow data collection on kde as I want them to improve it.

Home Server: Raspberry Pi 4B

  1. SSH hardening: Non standard ssh port(yes, I opened the port externally because I depend on my home server and need to access it remotely). SSH keys or password+totp, Fail2Ban, ufw.
  2. Services running: Arr setup(jellyfin, prowlarr, radarr,sonarr, qbittorrent), pihole, Immich, Authelia(for now). All data sensitive services behind authelia with totp.
  3. Nginx Geo-blocking: Only allows access from my country IPs
  4. Weekly backups because data loss sucks.

Network & Router: OpenWRT (TP-Link)

  1. Not much to say: Running default firewall rules with network-wide ad/tracker blocking via pihole and some ports opened.
  • sludge@lemmy.ml
    7·
    2 months ago

    Have you considered running Wireguard or Headscale instead of keeping SSH open? I don’t know how big an issue it is since you’ve changed the SSH port and use keys, but opening SSH in any respect freaks me out.

    • pathief@lemmy.world
      1·
      2 months ago

      You can (and should) disable password authentication and force the use of public/private keys. Op did this, seems fine.

      SSH is very handy and the industry standard.

    • N0x0n@lemmy.ml
      1·
      2 months ago

      Same thought here ! Wireguard being based on private/public key, even if the port is open every request that doesn’t have a valid private/public key gets dropped !

      From a bot’s perspective this means the port is closed !

      I’m not an export in the field but there’s also a way to only use key-based connection with SSH, but I’m not sure how good/secure it is compared to wireguard.

      As you said, I’m also too scared to let a open SSH server running on my small home lab 😅 !

      • JustAnotherKay@lemmy.world
        2·
        2 months ago

        Key-based connection with SSH

        I’m not certain on how secure this is, but what you’re referring to is usually called “Passwordless SSH”

  • Libb@jlai.luEnglish
    71·
    2 months ago

    Not much

    • Full disk encryption on my computers.
    • Password manager, for strong & unique passwords everywhere
    • Linux as my OS
    • Firewall.
    • Backups: local (encrypted) and remote (encrypted).
    • Computers are all wired to the network, no WiFi.
    • Also, I use my phone as a… phone and for little else.
      I mean, there is a 2FA app and the few mandatory apps I must have access to (finance, and banking) and that is it. No social, no games, no nothing. Not even email is configured on that trash piece of corporate spyware. I sincerely consider it a threat to our privacy so I don’t trust it beside what I have no option to trust it with. I also suppose that this device, even though I deactivated the setting, is constantly listening to what we say nearby. So, when I don’t need it, I store it in a thick box to reduce whatever it may be recording.
    • I use as little digital tools as I can. I went back to analog (ie, for my agenda and I hardly see any reason to go back to digital). I take all my notes longhand too, and it’s been more than a year I have not read an ebook as I went back to analog there too. Why? No spying, no tracking of what I read and what I write. And no sudden ‘termination’ of services or ‘removal’ of a book from my device for any reason.
      • Libb@jlai.luEnglish
        1·
        2 months ago

        Either someone randomly downvoted (ok, bye). Or someone thinks downvoting me is punishing me in some way for daring say something they don’t agree with (no idea how that could be punishing me, but hey). Or someone is too lazy to explain their reasoning. In any case, I don’t think it’s worth much consideration.

        And, yep, as far as I’m concerned I consider this an OK approach. Not faultless, but usable ;)

    • N0x0n@lemmy.ml
      1·
      2 months ago

      Another use case for your phone: encrypted backup for docker containers ! Nowadays they come with a lot of spare space (over 120 GB). Encrypted, scrambles file/directory names and archived !

      I wouldn’t backup any critical data this way though ! It’s more an “in case” emergency backup for docker database and config volumes !

      • Libb@jlai.luEnglish
        1·
        2 months ago

        I’ve heard the name, but don’t know what a docker is used for. Kinda like a vm? Not really a geek, I’m afraid ;)

  • TranquilTurbulence@lemmy.zipEnglish
    2·
    2 months ago

    Here are my privacy/security tips roughly in the order of importance.

    Unique password that have upper case, lower case, numbers and special characters. Also, most passwords are at least 16 characters long.

    NextDNS on my mobile devices for ad blocking and privacy.

    Linux on my laptop + Firefox and uBock Origin.

    No Whatsapp, or Telegram. I prefer to use Signal. If someone insists on using some spyware messenger, I’ll just SMS them.

    No Meta, Xitter or other major platforms allowed. When using social media, I don’t share anything too personal. Also, no photos of me or anyone I know.

  • SomeLemmyUser@discuss.tchncs.de
    2·
    2 months ago

    My setup is similar. Graphene differences: Shelter instead oft Island Fenec instead of iron fox (mainly cause its available in fdroid and I’m to stupid to do code reviews of “random.” Github apps myself Mulvad instead of next DNS Neostore+fdroid

    For home I use Debian as my arch broke to often. (But sadly still one Microsoft gaming PC for vive wireless and league)

    Freetube instead of YouTube

    OPNsense router with ET blacklists, VPN for everything non gaming related and an u6 pro as AP so I can have different wifis for direct/VPN/(maybe home assistant in the future)

    Also no arr setup and nothing at all opened to the outside