From 7c418be9a823a66d3d90331ad2884205103ef13d Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Sun, 28 Aug 2016 01:00:10 +0200 Subject: [PATCH] Update README.md --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 07bb433..d72329f 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ Algo VPN (short for "Al Gore", the **V**ice **P**resident of **N**etworks everyw ## Included Roles -Ansible scripts are organized into roles, each of which provides one discrete set of functionality. The roles used by Algo are described in detail below. +Ansible scripts are organized into roles. The roles used by Algo are described in detail below. ### Required Roles 
@@ -40,23 +40,23 @@ Ansible scripts are organized into roles, each of which provides one discrete se ### Optional Roles * **Security Enhancements** - * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure your server is always patched to avoid the latest vulnerabilities. - * Minimizes the exposure of SUID binaries, restricts core dumps, and modifies kernel features to limit possible attacks. - * Modifies SSH to only use modern ciphers and a seccomp sandbox, and restricts access to many legacy and unwanted features, like X11 forwarding and SFTP. - * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834). + * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied + * Modify operating system features like core dumps, kernel parameters, and SUID binaries to limit possible attacks + * Modifies SSH to use only modern ciphers and a seccomp sandbox, and restricts access to many legacy and unwanted features, like X11 forwarding and SFTP + * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834) * **Ad Blocking and Compression HTTP Proxy** - * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset. - * Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy. - * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations. 
+ * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset + * Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy + * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations * **DNS Ad Blocking** - * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains. - * Constraints dnsmasq with AppArmor and cgroups CPU and memory limitations. + * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains + * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations * **Security Monitoring and Logging** - * Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for investigating security incidents. - * Logs are aggregated and emailed to the address in `config.cfg` on a regular basis. + * Configures [auditd](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html) and rsyslog to log data useful for investigating security incidents + * Emails aggregated Logs to a configured address on a regular basis * **SSH Tunneling** - * Adds a restricted `algo` group to `sshd_config` with no shell access and limited forwarding options. - * Creates one local account per user and creates an SSH public key for each. + * Adds a restricted `algo` group to SSH with no shell access and limited forwarding options + * Creates one limited, local account per user and an SSH public key for each ## Usage
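Review bot: In the first hunk (@@ -25,7 +25,7 @@), the shortened sentence "Ansible scripts are organized into roles." no longer tells a reader new to Ansible what a role is. The removed clause, "each of which provides one discrete set of functionality", was the only definition visible in this section. Consider keeping a shorter form of it rather than dropping it entirely.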
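Review bot: In the second hunk (@@ -40,23 +40,23 @@), the new Security Enhancements line "Modify operating system features like core dumps, kernel parameters, and SUID binaries to limit possible attacks" breaks the third-person verb form of its neighbours ("Enables", "Modifies", "Configures") and no longer says what is done to each item. The removed text stated that SUID exposure is minimized and core dumps are restricted, which is the part a reader auditing the hardening wants to see. Suggest "Modifies" and keeping the specific verbs. In the same hunk, "Emails aggregated Logs" has a stray capital, and "Install the dnsmasq" is left in the imperative even though the line below it was corrected to "Constrains". Replacing `config.cfg` with "a configured address" and `sshd_config` with "SSH" also removes the only pointers to where those settings live.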