3

I am currently trying to set up a computer terminal from scratch at home. The use of it is basically as a terminal to connect to cloud servers hosted remotely on the internet.

I am trying my best to make it secure. Do you mind pointing out what I have missed to make the terminal more secure?

Thank you very much in advance.

Some things I have thought of are:

Common security setup:

  • Clean OS installation (using a secure OS such as CentOS 7)
  • Install all necessary tools within a VM OS
  • OS and VM OSes hardening
  • Virus scanner
  • OS monitoring
  • Log summarizer and alert

Physical Infrastructure:

  • OS installation physically on the terminal
  • The terminal is connected to internet behind a physical router and firewall
GabrielC

2 Answers

3
  1. To encrypt the hard drive, e.g. via BIOS (if it's known to be strong), via LUKS (default Red Hat software disk encryption). It protects against stealing of hard drives.

  2. For the terminal you could use Fedora instead of CentOS as there's a much newer GTK3, so if you are using GTK3 applications they will benefit a lot. There are also plenty of tools built in which are newer and more usable on the terminal.

  3. Keep the SELinux and Firewall enabled

If you plan to connect to this PC from the outside world then the most usable way is to use X2GO over SSH and an XFCE desktop. SSH is safer to be exposed than a home router VPN, a CentOS VPN (of any kind) or anything else. You can limit brute-force on the SSH by using strong passwords or keys or an iptables connection limit.

Aria
  • 1
    Unless you're distrustful of the U.S. government's role in creating SELinux and their relationship with Red Hat/Fedora... And encryption protects against stealing data, as opposed to the drives themselves as your phrasing would suggest. I would propose an edit but I have a measly 51 reputation :/ – Verbal Kint Aug 03 '16 at 18:48
  • 1
    LUKS and HDD encryption (which is AES based on the hard drive) require a password upon boot, and the LUKS password is extremely hard to crack (as it spins my CPU fan a lot when I enter it). The HDD encryption might not be as strong. So when the HDD is stolen then without the password there's no way to read it. Regarding SELinux, it's useful for Desktop with its `sandbox` utility. I use it on many occasions to run untrusted code, like untrusted libraries, so this way I can see if they don't do anything suspicious (apart from AV scan). And it gives a dedicated folder as well where no other access is allowed. – Aria Aug 03 '16 at 19:15
  • encrypt the hard drive with the BIOS?? – Ángel Jan 06 '17 at 22:07
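
The answer above suggests keys or strong passwords to limit SSH brute-forcing; one way to check what an SSH server will actually accept is to read the effective values out of its `sshd_config`. This is an added example, not part of the original answer: the function names, the sample files and the MaxAuthTries threshold are assumptions made for the illustration.

```shell
# Added example: report sshd_config settings that leave password guessing open.

# effective_value FILE KEYWORD: sshd keeps the FIRST value it reads for a
# keyword, and keywords are case-insensitive. Only the global section is read
# (parsing stops at the first Match block); Include files are not followed.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # end of the global section
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: print one line per weak setting. Absent keywords fall back
# to upstream OpenSSH defaults (assumption: a distribution may patch these).
audit_sshd() {
    pw=$(effective_value "$1" PasswordAuthentication)
    root=$(effective_value "$1" PermitRootLogin)
    tries=$(effective_value "$1" MaxAuthTries)
    [ "${pw:-yes}" = "yes" ] &&
        echo "WEAK PasswordAuthentication=yes: passwords can be guessed, use keys"
    [ "${root:-prohibit-password}" = "yes" ] &&
        echo "WEAK PermitRootLogin=yes: root password login allowed"
    # The threshold of 3 is the policy of this example, not an OpenSSH rule.
    [ "${tries:-6}" -gt 3 ] &&
        echo "WEAK MaxAuthTries=${tries:-6}: more than 3 guesses per connection"
    return 0
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# Constructed sample: the later "PasswordAuthentication no" has no effect,
# because the first occurrence already set the value.
cat > "$tmp/weak" <<'EOF'
passwordauthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF
# Constructed sample: the Match override is outside what this audit reads
# and needs a separate review.
cat > "$tmp/hardened" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
for f in weak hardened; do echo "== $f"; audit_sshd "$tmp/$f"; done
```
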
1

The first part of your question doesn't make sense. Do you plan on connecting to your computer at home and then have it forward requests to cloud servers? Or are you just talking about making a cloud server yourself that is accessible over the internet (or wide-area network, aka WAN)?

Assuming it's the latter, it is fairly easy to set up a decently secure file server, or FTP server (file transfer protocol), where you allow users with the correct credentials to access files stored on physical drives in your computer.

With that in mind, some thoughts:

Operating System:

CentOS7 may be secure, but almost every popular operating system (yes, including Windows) is reasonably secure for general use given that it is kept up to date with the most recent security patches and updates.

Personally, I would look into FreeNAS, which is based off of FreeBSD, and if you have a computer with plenty of RAM, you can set up full disk encryption, configure RAID arrays, and access a preconfigured control panel to access drive information or SSH into the system from a web browser.

If you want something less specialized, I have used Ubuntu server edition in many projects with limited problems. And it also allows for full-disk encryption.

I don't get the VM part. There's something to be said about security through isolation, where every application you run is in its own virtual machine. Although for most uses this is probably way overkill. If you're interested, look into Qubes OS: https://www.qubes-os.org/

Antivirus gets less and less effective every day, and although I could start a flame war on why antivirus is useless on Linux machines, I'll just say don't worry about it. Windows on the other hand is a different story, but even then Windows 10 has its own built-in AV. But keep in mind that dynamic attacks always have a chance to succeed against static defenses.

In place of antivirus, make sure your physical firewall's security is hardened, and either install a software firewall on your operating system or enable the firewall that is probably included when you install the OS.

Finally, in terms of logs, any Unix system keeps all sorts of logs, and any Apache web server will do the same. But note that logs do nothing if you aren't proactive about checking them and mitigating threats that may arise.

Verbal Kint
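
The question lists a "log summarizer and alert", and the answer above notes that logs only help when someone checks them. As an added example (not from the question or either answer), the following summarizes failed SSH password attempts per source address and flags a password login that follows repeated failures; the function name, the threshold and the log lines are constructed for the illustration.

```shell
# Added example: summarize failed SSH password attempts per source address.

# summarize_ssh FILE LIMIT
# Fields are read from the right-hand end of the line ("from IP port N ssh2")
# because the user name in a failed attempt is client-supplied text and may
# itself contain spaces or the word "from". Counts cover the whole file and
# are not time-windowed.
summarize_ssh() {
    awk -v limit="$2" '
        NF >= 6 && / sshd\[[0-9]+\]: / && $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            if ($0 ~ /\]: Failed password for /) {
                fails[ip]++
            } else if ($0 ~ /\]: Accepted password for / && (ip in fails) && fails[ip] >= limit) {
                # a password login from an address that had been failing
                print "LOGIN-AFTER-FAILURES " ip " user=" $(NF-5)
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print "ALERT " ip " failures=" fails[ip]
        }
    ' "$1" | sort
}

log=$(mktemp) && trap 'rm -f "$log"' EXIT
# Constructed log lines in the usual sshd syslog layout; addresses are from
# the documentation ranges. The third line carries a user name ending in "from".
cat > "$log" <<'EOF'
Aug  3 18:40:01 term sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  3 18:40:03 term sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  3 18:40:05 term sshd[2103]: Failed password for invalid user admin from from 203.0.113.5 port 51240 ssh2
Aug  3 18:40:09 term sshd[2107]: Failed password for gabriel from 198.51.100.9 port 40112 ssh2
Aug  3 18:40:30 term sshd[2110]: Accepted password for gabriel from 203.0.113.5 port 51260 ssh2
Aug  3 18:41:00 term sshd[2111]: Accepted publickey for gabriel from 198.51.100.9 port 40120 ssh2: RSA SHA256:constructed
EOF
summarize_ssh "$log" 3
```
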