7 Oct
2019
7 Oct
'19
11:58 p.m.
Hello,
This is a follow up email in the hope that someone as confused
as me might find it useful.
I have solved my computer security issues for now using the following
script.
-----------------------------------------------------------------------------------------------
#!/bin/sh
sudo apt install -y apparmor
sudo apt install -y apparmor-profiles
sudo apt install -y apparmor-profiles-extra
sudo apt install -y apparmor-utils
sudo aa-enforce /etc/apparmor.d/*
fireholpath="/usr/sbin/firehol"
sudo apt remove -y ufw
sudo apt install -y firehol
sudo crontab -u root -l > temp.txt
if grep 'firehol' temp.txt;
then
echo "no need to update crontab"
else
echo "updating crontab"
echo "@reboot $fireholpath start" >> temp.txt
sudo crontab -u root temp.txt
fi
sudo firehol start
---------------------------------------------------------------------------------------------
I don't know how smart the above script is , but it works for me.I found
that the default firewall with linux mint (ufw) was not working
effectively.At least with the default settings it comes with.My
computers were getting hacked through using firefox with attackers
gaining root access in about 20 minutes no matter how strong the
password was.In such times, changing the hostname and password helped
things temporarily.
Enjoy your linux.
regards Peter
8 Oct
8 Oct
12:46 a.m.
Peter Wolf via luv-beginners wrote:
This is a follow up email in the hope that someone as
confused as
me might find it useful.
I have solved my computer security issues for now using the following
script.
Looks reasonable to me. Here are a couple of nitpick refinements.
#!/bin/sh
sudo apt install -y apparmor
sudo apt install -y apparmor-profiles
sudo apt install -y apparmor-profiles-extra
sudo apt install -y apparmor-utils
FYI you can combine these onto one line.
sudo aa-enforce /etc/apparmor.d/*
The "extra" profiles, at least, are not expected to Just Work without tweaking.
You may need to selectively disable some of them, of "fix" them for you.
fireholpath="/usr/sbin/firehol"
sudo apt remove -y ufw
This is removing (maybe) your default firewall.
I presume "firehol" is a replacement, so I guess that's OK.
sudo apt install -y firehol
sudo crontab -u root -l > temp.txt
if grep 'firehol' temp.txt;
You can do
if crontab ... | grep ...; then
...however it will ignore the exit status of crontab unless you "shopt -s
pipefail", which is a bashism.
Creating a predictable temporary file can be a security issue if you are in a shared
directory (e.g. /tmp).
Therefore an easy workaround is simply to run "cd" at the top of this script,
and assume $HOME is only writable by yourself.
then
echo "no need to update crontab"
else
echo "updating crontab"
echo "@reboot $fireholpath start" >> temp.txt
sudo crontab -u root temp.txt
fi
I *strongly* discourage you from storing code in root's crontab. This lives in /var
and is very easy to lose.
Instead you can put this code in /etc/cron.d/ (or /etc/rc.local, or
/etc/cron.{hourly,weekly,monthly,yearly}).
These all live in /etc and so are version-controlled by etckeeper.
Further, your goal seems to just be "run firehol start at boot time", so I would
suggest you do this as a systemd service, so you know if it failed.
A minimal example would be
$ sudoedit /etc/systemd/system/firehol.service
[Service]
ExecStart=/usr/sbin/firehol start
Type=oneshot
[Install]
WantedBy=multi-user.target
$ sudo systemctl daemon-reload
$ sudo systemctl enable firehol.service
$ sudo systemctl start firehol.service
$ sudo systemctl status firehol.service # confirm that it started OK
My computers were getting hacked through using firefox
with
attackers gaining root access in about 20 minutes no matter how
strong the password was.In such times, changing the hostname and
password helped things temporarily.
Using apparmor to lock down firefox was a good decision; I approve.
You may be interested in:
sudo apt install firejail
firejail firefox-esr # instead of just "firefox-esr"
You will be interested in these browser plugins:
sudo apt install \
webext-https-everywhere \
webext-noscript \
webext-privacy-badger \
webext-ublock-origin \
webext-umatrix
All of them will further improve browser security, though
some of them will require you to learn how to use them.
On Debian 10 buster, webext-umatrix is broken for non-ESR firefox 69
(it enforces, you can turn it on or off, but you can't fine-tune it).
The rest all still work.
4:35 a.m.
On Tue, 8 Oct 2019 at 11:46, Trent W. Buck via luv-beginners <
luv-beginners(a)luv.asn.au> wrote:
firehol is a wrapper for iptables and according to the interwebs doesn't
have have a GUI, but is configured using easy to understand plain text
config files. Never seen it before myself until today's reference above.
ufw is the default Ubunutu firewall and is a front-end for configuring
iptables. On it's launchpad site they say "...is [a] program for managing a
netfilter firewall. It provides a command line interface and aims to be
uncomplicated and easy to use". There are GUI apps available for ufw.
I think they compare with firewallD on the red-hat/fedora side of the
things.
Given ufw/firehol manipulate iptables, Peter maybe be better off with ufw
and one of it's GUI interfaces if he doesn't fully understand what he's
doing. Close everything off and only open things you actually need with
restrictions as appropriate.
--
Colin Fee
tfeccles(a)gmail.com
fireholpath="/usr/sbin/firehol"
sudo apt remove -y ufw
This is removing (maybe) your default firewall.
I presume "firehol" is a replacement, so I guess that's OK.
sudo apt install -y firehol
999
days inactive
1000
days old
2 comments
3 participants
participants (3)
-
Colin Fee -
Peter Wolf -
Trent W. Buck