Cybersecurity

9843 readers

203 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

Local area network anonymity hardening tool for Linux (lemmy.world)

submitted 2 days ago by Nikolas5476@lemmy.world to c/cybersecurity@sh.itjust.works

6 comments fedilink hide all child comments

Source code and details: https://github.com/nikolas-trey/LANGhost

Description

LANGhost is a Linux anonymity hardening layer for systems managed by NetworkManager. It minimizes identity leakage across multiple network surfaces during connection setup, enforces privacy-focused connection configurations, and implements a fail‑closed mechanism that terminates or isolates connectivity when runtime checks detect unsafe conditions.

What it does

Randomizes MAC policy before activation.
Assigns a randomized DHCP hostname before activation.
Applies a per-activation identity seed for NetworkManager-derived identifiers.
Hardens DHCP identity behavior.
Enables stronger IPv6 privacy behavior and stable-privacy address generation.
Disables local discovery features that can expose system identity on managed links.
Quarantines interfaces with tc drop filters during setup.
Verifies runtime state after activation and triggers a kill switch on failure.

top 6 comments

sorted by: hot top controversial new old

[–] redsand 1 points 1 day ago (1 children)

Does tails do all of this already? If not they would find this interesting. Maybe Kali too

[–] Nikolas5476@lemmy.world 2 points 1 day ago

For Tails, there's no gap to fill because it already handles MAC randomization and DHCP hardening as part of a purpose-built amnesic system where no identity persists across sessions. Kali is a persistent, general-purpose Linux system managed by NetworkManager, which is exactly LANGhost's target environment. Out of the box Kali does nothing special about MAC randomization, DHCP hostname, IAID, or LLMNR/mDNS. A penetration tester connecting to a client network or a hotel LAN during an engagement leaks the same identifiers any stock Ubuntu machine would. LANGhost would be a genuine improvement for that use case.

[–] It_is_gaslighting@discuss.tchncs.de 4 points 2 days ago (1 children)

So for educational purposes I have a few questions: what is a suitable use-case for this: a hotel LAN? Guest wifi at home? Or what is the perfect use-case?

[–] Nikolas5476@lemmy.world 4 points 2 days ago (1 children)

The perfect use case is untrusted public networks where you want to avoid tracking. It's just another layer of defense and i highly recommend using a VPN alongside this.

[–] It_is_gaslighting@discuss.tchncs.de 1 points 2 days ago (1 children)

Thanks for clarifying. I use tailscale and set up my home LAN as exit node. So this would harden the steps before the wireguard connection buildup (within tailscale VPN), when connecting to a public network, right? Now lets assume I have an other VPN provider, do you think it's better to use it directly (choose between tailscale and the other VPN) or chained after the tailscale exit node? Sorry if being a bit off topic.

[–] Nikolas5476@lemmy.world 5 points 2 days ago

LANGhost hardens exactly the window between "network interface comes up" and "WireGuard tunnel is established." Without it, your real MAC, hostname, and DHCP identifiers are visible to the public network operator during that bootstrap phase, before any application traffic is protected by the tunnel. I recommend not adding unnecessary complexity by chaining Tailscale and another VPN. A second VPN would only add value if you specifically need to hide your home IP from destination servers.