Hello, This is a follow up email in the hope that someone as confused as me might find it useful. I have solved my computer security issues for now using the following script. ----------------------------------------------------------------------------------------------- #!/bin/sh sudo apt install -y apparmor sudo apt install -y apparmor-profiles sudo apt install -y apparmor-profiles-extra sudo apt install -y apparmor-utils sudo aa-enforce /etc/apparmor.d/* fireholpath="/usr/sbin/firehol" sudo apt remove -y ufw sudo apt install -y firehol sudo crontab -u root -l > temp.txt if grep 'firehol' temp.txt; then echo "no need to update crontab" else echo "updating crontab" echo "@reboot $fireholpath start" >> temp.txt sudo crontab -u root temp.txt fi sudo firehol start --------------------------------------------------------------------------------------------- I don't know how smart the above script is , but it works for me.I found that the default firewall with linux mint (ufw) was not working effectively.At least with the default settings it comes with.My computers were getting hacked through using firefox with attackers gaining root access in about 20 minutes no matter how strong the password was.In such times, changing the hostname and password helped things temporarily. Enjoy your linux. regards Peter
Peter Wolf via luv-beginners wrote:
This is a follow up email in the hope that someone as confused as me might find it useful.
I have solved my computer security issues for now using the following script.
Looks reasonable to me. Here are a couple of nitpick refinements.
#!/bin/sh
sudo apt install -y apparmor sudo apt install -y apparmor-profiles sudo apt install -y apparmor-profiles-extra sudo apt install -y apparmor-utils
FYI you can combine these onto one line.
sudo aa-enforce /etc/apparmor.d/*
The "extra" profiles, at least, are not expected to Just Work without tweaking. You may need to selectively disable some of them, of "fix" them for you.
fireholpath="/usr/sbin/firehol"
sudo apt remove -y ufw
This is removing (maybe) your default firewall. I presume "firehol" is a replacement, so I guess that's OK.
sudo apt install -y firehol
sudo crontab -u root -l > temp.txt if grep 'firehol' temp.txt;
You can do if crontab ... | grep ...; then ...however it will ignore the exit status of crontab unless you "shopt -s pipefail", which is a bashism. Creating a predictable temporary file can be a security issue if you are in a shared directory (e.g. /tmp). Therefore an easy workaround is simply to run "cd" at the top of this script, and assume $HOME is only writable by yourself.
then echo "no need to update crontab" else echo "updating crontab" echo "@reboot $fireholpath start" >> temp.txt sudo crontab -u root temp.txt fi
I *strongly* discourage you from storing code in root's crontab. This lives in /var and is very easy to lose. Instead you can put this code in /etc/cron.d/ (or /etc/rc.local, or /etc/cron.{hourly,weekly,monthly,yearly}). These all live in /etc and so are version-controlled by etckeeper. Further, your goal seems to just be "run firehol start at boot time", so I would suggest you do this as a systemd service, so you know if it failed. A minimal example would be $ sudoedit /etc/systemd/system/firehol.service [Service] ExecStart=/usr/sbin/firehol start Type=oneshot [Install] WantedBy=multi-user.target $ sudo systemctl daemon-reload $ sudo systemctl enable firehol.service $ sudo systemctl start firehol.service $ sudo systemctl status firehol.service # confirm that it started OK
My computers were getting hacked through using firefox with attackers gaining root access in about 20 minutes no matter how strong the password was.In such times, changing the hostname and password helped things temporarily.
Using apparmor to lock down firefox was a good decision; I approve. You may be interested in: sudo apt install firejail firejail firefox-esr # instead of just "firefox-esr" You will be interested in these browser plugins: sudo apt install \ webext-https-everywhere \ webext-noscript \ webext-privacy-badger \ webext-ublock-origin \ webext-umatrix All of them will further improve browser security, though some of them will require you to learn how to use them. On Debian 10 buster, webext-umatrix is broken for non-ESR firefox 69 (it enforces, you can turn it on or off, but you can't fine-tune it). The rest all still work.
On Tue, 8 Oct 2019 at 11:46, Trent W. Buck via luv-beginners < luv-beginners@luv.asn.au> wrote:
fireholpath="/usr/sbin/firehol"
sudo apt remove -y ufw
This is removing (maybe) your default firewall. I presume "firehol" is a replacement, so I guess that's OK.
sudo apt install -y firehol
firehol is a wrapper for iptables and according to the interwebs doesn't have have a GUI, but is configured using easy to understand plain text config files. Never seen it before myself until today's reference above. ufw is the default Ubunutu firewall and is a front-end for configuring iptables. On it's launchpad site they say "...is [a] program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use". There are GUI apps available for ufw. I think they compare with firewallD on the red-hat/fedora side of the things. Given ufw/firehol manipulate iptables, Peter maybe be better off with ufw and one of it's GUI interfaces if he doesn't fully understand what he's doing. Close everything off and only open things you actually need with restrictions as appropriate. -- Colin Fee tfeccles@gmail.com
participants (3)
-
Colin Fee -
Peter Wolf -
Trent W. Buck