
Peter Wolf via luv-beginners wrote:
> This is a follow-up email in the hope that someone as confused as me might find it useful.
> I have solved my computer security issues for now using the following script.
Looks reasonable to me. Here are a couple of nitpick refinements.
> #!/bin/sh
> sudo apt install -y apparmor
> sudo apt install -y apparmor-profiles
> sudo apt install -y apparmor-profiles-extra
> sudo apt install -y apparmor-utils
FYI you can combine these onto one line.
> sudo aa-enforce /etc/apparmor.d/*
The "extra" profiles, at least, are not expected to Just Work without tweaking. You may need to selectively disable some of them, or "fix" them for you.
> fireholpath="/usr/sbin/firehol"
> sudo apt remove -y ufw
This is removing (maybe) your default firewall. I presume "firehol" is a replacement, so I guess that's OK.
> sudo apt install -y firehol
> sudo crontab -u root -l > temp.txt
> if grep 'firehol' temp.txt;
You can do "if crontab ... | grep ...; then ..."; however it will ignore the exit status of crontab unless you "shopt -s pipefail", which is a bashism. Creating a predictable temporary file can be a security issue if you are in a shared directory (e.g. /tmp). Therefore an easy workaround is simply to run "cd" at the top of this script, and assume $HOME is only writable by yourself.
> then
>     echo "no need to update crontab"
> else
>     echo "updating crontab"
>     echo "@reboot $fireholpath start" >> temp.txt
>     sudo crontab -u root temp.txt
> fi
I *strongly* discourage you from storing code in root's crontab. This lives in /var and is very easy to lose. Instead you can put this code in /etc/cron.d/ (or /etc/rc.local, or /etc/cron.{hourly,weekly,monthly,yearly}). These all live in /etc and so are version-controlled by etckeeper. Further, your goal seems to just be "run firehol start at boot time", so I would suggest you do this as a systemd service, so you know if it failed. A minimal example would be

$ sudoedit /etc/systemd/system/firehol.service
[Service]
ExecStart=/usr/sbin/firehol start
Type=oneshot
[Install]
WantedBy=multi-user.target
$ sudo systemctl daemon-reload
$ sudo systemctl enable firehol.service
$ sudo systemctl start firehol.service
$ sudo systemctl status firehol.service   # confirm that it started OK

> My computers were getting hacked through using firefox with attackers gaining root access in about 20 minutes no matter how strong the password was. In such times, changing the hostname and password helped things temporarily.
Using apparmor to lock down firefox was a good decision; I approve. You may be interested in:

sudo apt install firejail
firejail firefox-esr   # instead of just "firefox-esr"

You will be interested in these browser plugins:

sudo apt install \
    webext-https-everywhere \
    webext-noscript \
    webext-privacy-badger \
    webext-ublock-origin \
    webext-umatrix

All of them will further improve browser security, though some of them will require you to learn how to use them. On Debian 10 buster, webext-umatrix is broken for non-ESR firefox 69 (it enforces, you can turn it on or off, but you can't fine-tune it). The rest all still work.
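As an added example (my own code, not part of either message above), here is the quoted "update the crontab" step reworked along the lines the reply suggests: the job goes into a file under /etc/cron.d rather than root's crontab, the scratch copy is a private mktemp file next to the target rather than a predictable ./temp.txt, there is no pipeline whose exit status could be lost, and the update is idempotent. The path /etc/cron.d/firehol and the `--install` flag are my assumptions; nothing is written to the system unless that flag is given.

```shell
#!/bin/sh
# Added example, not code from the original thread. Idempotently installs a
# "run firehol at boot" job as a file under /etc/cron.d (assumed path), using
# a private temp file instead of the predictable ./temp.txt in the quoted script.
set -eu

# Job line in /etc/cron.d format. Unlike a per-user crontab (crontab -u root),
# system crontab files carry a user field between the schedule and the command.
FIREHOL_PATH=${FIREHOL_PATH:-/usr/sbin/firehol}
firehol_cron_line() {
    printf '@reboot root %s start\n' "$FIREHOL_PATH"
}

# ensure_line FILE LINE: append LINE to FILE unless an identical line is
# already present. Prints "unchanged" or "updated" so a caller can tell.
ensure_line() {
    file=$1
    line=$2
    # -x matches whole lines, -F treats LINE literally, -q keeps grep silent.
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        echo unchanged
        return 0
    fi
    # mktemp creates the scratch file mode 0600 with an unpredictable name, so
    # another local user cannot pre-create or symlink it. Creating it in the
    # target directory makes the final mv an atomic rename, and cron skips
    # dot-files in /etc/cron.d, so the half-written copy is never executed.
    tmp=$(mktemp "$(dirname "$file")/.ensure_line.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    if [ -f "$file" ]; then
        cat "$file" > "$tmp"
    fi
    printf '%s\n' "$line" >> "$tmp"
    # cron refuses group- or world-writable files in /etc/cron.d; 0644 is the norm.
    chmod 0644 "$tmp"
    mv -f "$tmp" "$file"
    trap - EXIT
    echo updated
}

# Only touch the real system when explicitly asked (run as root, e.g. via sudo);
# otherwise the script just defines the helpers above.
if [ "${1:-}" = "--install" ]; then
    ensure_line /etc/cron.d/firehol "$(firehol_cron_line)"
fi
```

Running it twice is safe: the second call reports "unchanged" and leaves the file untouched, which is what the quoted grep-then-append logic was trying to achieve. The same ensure_line helper works for any other single-line config fragment you want to keep under /etc where etckeeper can track it.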