t0m5k1

Open media vault everything you need.

Said the bot

The onion router was a clue in itself as to how you connect to the Internet, especially when you need to hide. Add more than a normal vpn into the mix, proxies, ssh tunnels, dns tunnels, net cat, and maybe i2p. Once done, you could even fire off an ion cannon in a particular orbit if you fancy.

Just bear in mind that some vpn companies are owned by companies who also own other companies that own large networks, so they don’t necessarily need the vpn to log traffic to get your meta data.

What env vars are you using for the docker and what’s in the config.php?

What’s a nice guide?

Follow this to get it installed and follow the configuration steps to set it up as you need it (I wouldn’t bother forwarding to another server but setup root hints instead and add a timer to keep them upto date):

https://wiki.archlinux.org/title/Unbound#

Then add these configurations to get doh or dot working:

https://wiki.archlinux.org/title/DNS_over_HTTPS_servers#Unbound

If you want a spoon-fed guide, then a search engine may help, but really, it’s quite easy.

If you don’t have a cert you can use let’s encrypt via certbot:

https://wiki.archlinux.org/title/Certbot

I think you might get part of the way but may still find you get detected. Foss DPI projects will not be able to implement the methods used by say fortinet,sonicwall, f5, juniper, Cisco, a10, and others. This is because they all use proprietary DPI created in house. They’re not going to use Foss DPI for obvious reasons, you’ll be able to create workarounds for detection and implement that in a bad payload.

Text can be in a file. All you do is add to the file and sync. Then add different files and sync.

Syncthing

goes without saying.

Bitwarden+vaultwarden, harden the chosen VPS, set SSH to use keys only, then setup fail2ban for webserver and ssh Also consider putting ffsync on it as well for extra browser benefits.

Not all domain providers will allow you to change the nameservers of a domain they sold to you as they want to sell you the rest of what you need for extra $$$

You can only have 2 name servers on a domain and it is not advisable to make them point to different DNS providers as they will both need to be authoritative and by having 2 different providers will mean you get 2 different SOA which will break fundamental DNS.

to change the nameservers will either be simple or hard, depending on the domain name provider it might take 24 hours for them to change the name servers or they may allow you to change them via web UI which could be just a 2 hour wait.

Mind-blown. I was already thinking for such a long time that the distrobox approach just didn’t seem right at all for the purpose of security. But somehow my limited search never bear any results on how I should go about it. Perhaps I didn’t do a good job on googling or somehow missed a (couple of) keywords to be effective at searching for this. And I seem to have finally found ‘the holy-grail’; for which all credits obviously go to you!

TBH I don’t use google search as all the results are there by SEO and algorithms, If I need a file type on a site …then it’s a different matter lol. I use DDG mainly and all I searched for was “brave browser in a container”

For more take a peak here: https://hub.docker.com/

I will definitely! Are there any keywords beyond the ones mentioned in your excellent comments that I would need for an endeavor as such?

I’d suggest following a good guide for your OS to get a container framework running say docker (seeing as I linked to the hub there): https://docs.docker.com/engine/install/fedora/

Once the “Engine” is installed move on to the next sections to learn how to use it, bear in mind you really don’t need to make your own repo or pay a subscription as what you want is already out there provided by others.

Once you get things working and you have an application working in docker go check out the sites for the apps you use, check their github repos and you might find links to “Docker image” and then that means you can plonk it in a container, job done. For the applications you can’t easily find an image for consider going deeper and making your own, just follow the other examples you’ve used and to share them open a repo on github or gitlab.

Words can’t describe the epiphany I’m currently experiencing! Thanks again so much! I wish you and your loved ones the best! Heck, I would be fine with buying you a beer (or a cup of coffee :P ) or whatever. Please feel free to make use of ‘these services’ :P .

Thanks for the kind words, I try to share what I know with as many as possible to make things easier as at the end of the day we all wanting the same things really. Might have to take you up on the beer offer lol …Cheers.

I’ve only ever had issues with the sync feature. I see many people have issues with rewards but I’m not into monetisation and have always just disabled the rewards part of it.

Chromite/Bromite is primarily an android browser, even on windows it looks and behaves just like a mobile app.

Whilst I like the feature set as an alternative to Brave the fact they refuse to fix the PWA situation as it’s “Of no interest” to the dev is a no go for me.

I’ve been enjoying your responses a lot! I just wanted to express my gratitude one more time!

Thanks man, means a lot these days.

What I am afraid of is how secure (continued) operation within containers would be. So even if Brave (or whichever browser for that matter) is not the culprit, the rest of the container environment might endanger the rest of my system.

If your container for brave is running but the browser itself is closed, there is no way for to happen within the container because the software that would be connected to the internet is closed/quit/stopped. In fact that container should be reported as down by whichever management subsystem is provided by said container (portainer, lxd, systemd-namespaces, etc)

So I’ve mostly been using well-integrated ‘pet-containers’ like the ones known from Distrobox (with a relevant recent feature). Aside from those I’ve been exposed to the earlier article and to this video. These ‘expositions’ have made me go from a Distrobox-enjoyer to a pessimist that doesn’t dare to come close to them until I’ve better educated myself on them

I think you should look more into what containers are and can do, You previously said that your system is low power but distrobox is making loads of of full OS/distro containers which for the most part act like a VM. Distrobox is a good way to test drive a distro OR allow a dev to ensure the app they’ve made works on their target distro’s for chosen use case.

All you really need to do is run a single application within a container, not a whole distro!/os Why do I say this? Well resource consumption for one and why replicate an entire distro/os when an app can be run inside a container: https://bacchi.org/posts/brave-in-docker/

Additionally I spoke about attack vectors, running another distro/OS inside a docker may well have samba, ssh running by default, If the container for that is not firewalled that is is an attack vector that will allow RCE and exploits be run inside that container!

Aside from those I’ve been exposed to the earlier article and to this video.

The first minute of that video talks of nginx webserver image, That is a webserver running inside a container, with distrobox you have the rest of the OS inside the container as well as nginx. Do you get what I say now?

I suggest you use the above link I gave to look into running just a browser within a container, drop distrobox (unless you need to test drive distros) and learn about running a single application within a container, when you can do that find a container framework that provides the security you want/like then run your “untrusted” applications in containers and rejoice with a slightly faster machine.

EDIT: Additionally wolfi is based on Alpine, This is a popular server distro, If you want to install wolfi you’ll need to know how to install alpine, which is similar to installing gentoo as it uses bootstrap images, don’t be surprised if the desktop experience is a bit …erm lacking as that is not the focus of alpine or wolfi ! Good luck

Valid response, but why do you need to protect the OS from the browser when the browser (Brave) is already sandboxing and the browser is not an attack vector that can be directly exploited to gain access/root on your OS?

What I mean is that the tabs themselves are sandboxed to protect accounts that are opened in each from being breached, the bowser itself is obfuscating your fingerprint and blocking known bad actor sites etc so this leaves only what you manually download and here the browser will warn you if a given download has the potential to harm.

So unless you are downloading files from very questionable locations I can’t see the need for a containerised browser.

Containers are good and yes have flaws but the main purpose of them is to add another layer between the application and the OS so if application is exploited the attacker has to break another wall/layer to get to the real root.

I know in April 2021 the was a PoC that used JavaScript to reverse the effect of a patch which allowed an attacker to break out of the chromium sandbox, but that was never used and if it was the attacker would first need to breach a site to deploy the code that you would then execute by visiting the site or it would be fed to you via a phishing attempt. Both of these delivery methods would need to be very stealthy and fast. currently there are 4 known CVEs for brave: (sorry for long link)

https://www.cvedetails.com/vulnerability-list.php?vendor_id=16266&product_id=36540&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=3&sha=74c1df28c6d85bd121726a90109559ec94ea3549

None of these provide an attack vector that will allow access.

Question: Why do you think need such high security for a browser?

Clam av on access scan: https://wiki.archlinux.org/title/ClamAV#OnAccessScan

ClamFS: https://github.com/burghardt/clamfs

Man you’ve gone down a security worm hole that makes me wonder if you should really be running qubes-OS rather than Fedora 🤣.

Seriously if you need more than the chromium sandbox for brave and want simplicity just use firejail.

The article you linked to is a wonderfully detailed write up but it is more geared towards those using containers that will be providing services (web, sql, etc) if you just want a browser in a secure container then any of the implementations will be fine for you. The browser is not a vector used to gain access to your OS directly but what you download potentially is so with that in mind your downloads folder should really be a CLAMFS folder or a target folder for on-access scanning by clamav.

Yes, I could say come to arch but you seem happy in fedora 😉

I’ve not used GNOME for over a decade and have not used GNOME web(epiphany) for even longer lol. I’ll stick with brave as it fits my needs.