Peter Wolf via luv-beginners wrote:
This is a follow-up email in the hope that someone as confused as me might find it useful.
I have solved my computer security issues for now using the following script.
Looks reasonable to me. Here are a couple of nitpick refinements.
#!/bin/sh
sudo apt install -y apparmor
sudo apt install -y apparmor-profiles
sudo apt install -y apparmor-profiles-extra
sudo apt install -y apparmor-utils
FYI you can combine these onto one line.
sudo aa-enforce /etc/apparmor.d/*
The "extra" profiles, at least, are not expected to Just Work without tweaking.
You may need to selectively disable some of them, or "fix" them for you.
fireholpath="/usr/sbin/firehol"
sudo apt remove -y ufw
This is removing (maybe) your default firewall.
I presume "firehol" is a replacement, so I guess that's OK.
sudo apt install -y firehol
sudo crontab -u root -l > temp.txt
if grep 'firehol' temp.txt;
You can do
if crontab ... | grep ...; then
...however it will ignore the exit status of crontab unless you "shopt -s pipefail", which is a bashism.
Creating a predictable temporary file can be a security issue if you are in a shared directory (e.g. /tmp).
Therefore an easy workaround is simply to run "cd" at the top of this script, and assume $HOME is only writable by yourself.
then
echo "no need to update crontab"
else
echo "updating crontab"
echo "@reboot $fireholpath start" >> temp.txt
sudo crontab -u root temp.txt
fi
I *strongly* discourage you from storing code in root's crontab. This lives in /var and is very easy to lose.
Instead you can put this code in /etc/cron.d/ (or /etc/rc.local, or /etc/cron.{hourly,weekly,monthly,yearly}).
These all live in /etc and so are version-controlled by etckeeper.
Further, your goal seems to just be "run firehol start at boot time", so I would suggest you do this as a systemd service, so you know if it failed.
A minimal example would be
$ sudoedit /etc/systemd/system/firehol.service
[Service]
ExecStart=/usr/sbin/firehol start
Type=oneshot
[Install]
WantedBy=multi-user.target
$ sudo systemctl daemon-reload
$ sudo systemctl enable firehol.service
$ sudo systemctl start firehol.service
$ sudo systemctl status firehol.service # confirm that it started OK
My computers were getting hacked through using firefox with attackers gaining root access in about 20 minutes no matter how strong the password was. In such times, changing the hostname and password helped things temporarily.
Using apparmor to lock down firefox was a good decision; I approve.
You may be interested in:
sudo apt install firejail
firejail firefox-esr # instead of just "firefox-esr"
You will be interested in these browser plugins:
sudo apt install \
webext-https-everywhere \
webext-noscript \
webext-privacy-badger \
webext-ublock-origin \
webext-umatrix
All of them will further improve browser security, though some of them will require you to learn how to use them.
On Debian 10 buster, webext-umatrix is broken for non-ESR firefox 69
(it enforces, you can turn it on or off, but you can't fine-tune it).
The rest all still work.
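As an added example (not Peter's script and not from the reply above), here is the crontab step rewritten to avoid the predictable temp.txt: it uses mktemp (instead of the "cd" trick), keeps crontab's exit status visible by not piping it into grep, and stays in POSIX sh. The fireholpath value is taken from the thread; the --install flag and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example: safer crontab update. Assumes /usr/sbin/firehol as in the
# thread; the --install flag and function names are hypothetical.
set -eu

fireholpath="/usr/sbin/firehol"

# crontab_has_firehol FILE: exit 0 if FILE already mentions firehol.
crontab_has_firehol() {
    grep -q 'firehol' "$1"
}

# update_crontab_file FILE: append the @reboot entry unless one exists.
# Prints "unchanged" or "updated" so the caller can decide what to do.
update_crontab_file() {
    if crontab_has_firehol "$1"; then
        echo unchanged
    else
        printf '@reboot %s start\n' "$fireholpath" >> "$1"
        echo updated
    fi
}

# install_root_crontab: privileged part. mktemp creates a file with an
# unpredictable name and mode 0600, so nobody else in /tmp can pre-create
# or swap it; the trap removes it on any exit, including errors.
install_root_crontab() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    # crontab -l exits non-zero when root has no crontab yet; treat as empty
    # rather than letting set -e abort the script.
    sudo crontab -u root -l > "$tmp" 2>/dev/null || : > "$tmp"
    if [ "$(update_crontab_file "$tmp")" = updated ]; then
        sudo crontab -u root "$tmp"
    fi
}

# Only touch root's crontab when explicitly asked (e.g. ./script --install).
case "${1-}" in
    --install) install_root_crontab ;;
esac
```

Without --install the script defines the functions and exits, which makes the pure-text logic easy to try on a scratch file first.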