Of course Linux is relatively secure with its obscurity, trusted repository, and whatnot. But how can we make it even more so? Here is the thread for that. I will list the following techniques, so feel free to add onto them:
- Grsecurity/SELinux/AppArmor
- FireJail/Docker
- custom firewall rules
- OSSEC
- Compile your own hardened kernel
- Possible detection tool or AV like RKHunter or Comodo
- uBlock Origin, WOT, and other browser extensions
- VirusTotal in case of suspicious executable
- DNS, HOSTS, and other system config
This is a good thread. It will help us "me" learn more about Linux. I have the bottom 3 and a Firewall installed. Still a lot more to learn and do.
For me the main hardening centers around the browser, since it is the main avenue of attack, and by running Chromium, Linux provides it with its very strong sandboxing, especially the seccomp-bpf sandbox. In addition, I run Chromium:
1. Firejailed with the private.keep option, so all changes during the browsing sessions are wiped clean when it's closed.
2. Block 3rd-party cookies
3. Disable most of the web services
4. Click-to-play plugins
5. Extensions: uBlock Origin blocking 3rd-party frames globally, and HTTPS Everywhere.
Other than that, I use UFW, default deny both incoming and outgoing, with my own custom made rules.
I found a YouTube video about installing and using Firejail. Seems pretty straightforward. https://www.youtube.com/watch?v=xUW0L2Yj_us&index=1&list=LL2PxpC4xFu18nezAynUUQ-g
The browser is the weak point so disabling Java and Flash plugins goes a long way towards securing a system. Encrypt your hard drive. Use a router. Use iptables. Use signed software from the authorized repository. Use Chromium or use Firefox with Firejail. I use Chromium with uMatrix, LastPass, 2 factor authentication, strong passwords and PasswordAlert.

The distro you choose has a lot to do with how secure the system is. Developers harden the kernel in many different ways and they react to vulnerability by making adjustments. Probably the most secure distros are:
- Qubes - everything runs in a virtual environment, for the severely paranoid.
- Hardened Gentoo - you can make the kernel as hard as is possible but it is difficult to install imo.
- Alpine - lightweight w/grsec/pax built into the kernel. Poor documentation, with some leading to dead ends.
- Mempo - hardened Debian w/grsec/pax built in.
- Tails - privacy focused, boots off CD every time.

Mainstream distros Ubuntu, Fedora, Debian and OpenSuse are secure as the developers write security features into their kernels and quickly respond to security vulnerabilities. With these there is somewhat of a trade-off versus the strictly security focused distros, but with more available software, and they are easier to get started with and use.

Look at Mint. They remove AppArmor and delay updates so the user experience isn't blemished by an errant update. Hell, it doesn't even come with the firewall enabled. Yet their forums, which are pretty active, are not filled with people saying they are infected. There isn't even a security sub-forum. Of course the kernel is hardened (sans AppArmor) as it's an Ubuntu rewrite, so there is some security baked in.
I'm of a belief that you don't need to sandbox it yet again. OTOH if firejail adds another layer of security without slowing or disrupting your browser experience... I don't use it because SELinux interferes with it. The Chrome sandbox is much stronger on Linux than on Windows since the sandbox can only be as strong as the OS allows. https://code.google.com/p/chromium/wiki/LinuxSandboxing

chrome://sandbox
Sandbox Status
SUID Sandbox: No
Namespace Sandbox: Yes
PID namespaces: Yes
Network namespaces: Yes
Seccomp-BPF sandbox: Yes
Seccomp-BPF sandbox supports TSYNC: Yes
Yama LSM enforcing: No
You are adequately sandboxed.
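The chrome://sandbox block quoted above is easy to misread, so here is an added Python example (not from the thread and not Chromium's code) that parses such a status page, applies the rule Chromium itself uses for "adequately sandboxed" (a layer-1 sandbox, either the SUID helper or user namespaces, plus the layer-2 seccomp-bpf filter), and reads the /proc knobs that decide those answers. The status text is constructed to match the post; the sysctl paths are assumed to be the standard ones and come back as None when a kernel does not have them.

```python
"""Read a chrome://sandbox status block and check the kernel bits behind it.

Added example, not from the thread or from Chromium. The sample text is
constructed to match the status quoted in the post; kernel_prerequisites()
reads real /proc files and reports None for any that are absent.
"""
import re

# Constructed sample: the chrome://sandbox page as quoted in the post.
SAMPLE_STATUS = """\
Sandbox Status
SUID Sandbox No
Namespace Sandbox Yes
PID namespaces Yes
Network namespaces Yes
Seccomp-BPF sandbox Yes
Seccomp-BPF sandbox supports TSYNC Yes
Yama LSM enforcing No
You are adequately sandboxed.
"""


def parse_sandbox_status(text):
    """Map each 'Label Yes|No' line to {label: bool}; other lines are ignored."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"^(.*\S)\s+(Yes|No)$", line.strip())
        if m:
            status[m.group(1)] = m.group(2) == "Yes"
    return status


def evaluate(status):
    """Chromium's verdict: a layer-1 sandbox (SUID helper or user namespaces)
    plus the layer-2 seccomp-bpf filter. Yama is reported separately because
    it protects the browser from other same-uid processes, not the reverse."""
    layer1 = status.get("SUID Sandbox", False) or status.get("Namespace Sandbox", False)
    layer2 = status.get("Seccomp-BPF sandbox", False)
    notes = []
    if not layer1:
        notes.append("no layer-1 sandbox: a compromised renderer keeps filesystem and network access")
    if not layer2:
        notes.append("no seccomp-bpf: the renderer can still reach the whole syscall surface")
    if not status.get("Yama LSM enforcing", False):
        notes.append("Yama not enforcing: any process running as your user can ptrace the browser")
    return (layer1 and layer2), notes


def _read(path):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def kernel_prerequisites():
    """Sysctls and /proc fields that decide those answers. None means the file
    is absent (not Linux, feature not built in, or a distro-specific knob
    such as unprivileged_userns_clone that this kernel does not carry)."""
    seccomp = None
    status = _read("/proc/self/status")
    if status:
        m = re.search(r"^Seccomp:\s*(\d+)", status, re.M)
        if m:
            seccomp = int(m.group(1))
    return {
        "seccomp_supported": seccomp is not None,  # field present => CONFIG_SECCOMP
        "yama_ptrace_scope": _read("/proc/sys/kernel/yama/ptrace_scope"),  # "1" or higher => enforcing
        "unprivileged_userns_clone": _read("/proc/sys/kernel/unprivileged_userns_clone"),
        "max_user_namespaces": _read("/proc/sys/user/max_user_namespaces"),  # "0" kills the namespace sandbox
    }


if __name__ == "__main__":
    st = parse_sandbox_status(SAMPLE_STATUS)
    ok, notes = evaluate(st)
    print("adequately sandboxed:", ok)
    for n in notes:
        print(" -", n)
    for k, v in kernel_prerequisites().items():
        print(f"{k}: {v}")
```

Paste the text of your own chrome://sandbox page into SAMPLE_STATUS to check a different machine; the one thing the page's "adequately sandboxed" verdict does not cover is the Yama line, which is why the script calls it out on its own.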
Thanks for this. I can't get Chrome to launch with firejail. I keep getting errors for some reason. Only FF launches with it.

Code:
$ firejail chrome
Parent pid 9271, child pid 9272
Child process initialized
/bin/bash: chrome: command not found
parent is shutting down, bye...
I was able to run Firejail on Mint. Try Wat0114's suggestion, or in the Firejail thread there's something about adding debug to the command, but I don't remember exactly.
Does anyone know anything about Firefox sandboxing on Linux? I have been using Chrome for ages and know about its sandboxing (although I didn't know it was more powerful on Linux) but want to switch to Firefox for privacy reasons. Is it similar to Chrome in terms of sandboxing on Linux?
Thanks, that worked, but with errors.

Code:
Parent pid 3320, child pid 3321
Child process initialized
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.
** Message: Remote error from secret service: org.freedesktop.Secret.Error.IsLocked: Cannot get secret of a locked object
[1:1:0824/064444:ERROR:extension_downloader.cc(693)] Invalid URL: '' for extension nnjnbmmegdjndlcmeajcldfcmilogjal
** Message: Remote error from secret service: org.freedesktop.Secret.Error.IsLocked: Cannot create an item in a locked collection
[1:196:0824/064445:ERROR:get_updates_processor.cc(243)] PostClientToServerMessage() failed during GetUpdates
[1:2:0824/064501:ERROR:channel.cc(300)] RawChannel read error (connection broken)
It's not unusual to get some errors, as long as the application is launched in the firejail. Try using the debug switch: firejail --debug google-chrome-stable
Then you should see expected results similar to:

Code:
$ firejail --debug google-chrome-stable
Command name #google-chrome-stable#
Using the local network stack
Parent pid 29887, child pid 29888
Initializing child process
PID namespace installed
Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /tmp/firejail/mnt directory
Create the new utmp file
Mount the new utmp file
Disable /home/lost+found
Disable /home/username
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /sys/kernel/uevent_helper
Disable /proc/irq
Disable /proc/bus
Disable /proc/kcore
Disable /proc/kallsyms
Mounting a new /boot directory
Disable /dev/port
Username wat0114, groups 100, 7, 10, 90, 91, 92, 95, 98,
Starting google-chrome-stable
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: google-chrome-stable
Child process initialized

I have not shown several of the errors I get as well, but Chrome runs fine in the firejail for me.
Firejail

Quote:
You'll notice that seccomp and caps are disabled in the Chromium profile but several critical folders and files are blacklisted. You are free to add more.

I've created the following myrules.inc file in ~/.config/firejail which I included in nearly every profile:

Code:
read-only ${HOME}/.config/firejail/*
blacklist ${HOME}/.config/autostart
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde/Autostart
blacklist ${HOME}/.wine
blacklist ${HOME}/.conky
blacklist ${HOME}/.gramps
blacklist ${HOME}/.dropbox
blacklist ${HOME}/.dropbox-dist
blacklist ${HOME}/.dropbox-master
blacklist ${HOME}/Dropbox
blacklist ${HOME}/moneyplex
blacklist ${HOME}/.conkyrc
read-only ${HOME}/.bashrc
read-only ${HOME}/.bash_profile
blacklist ${HOME}/.bash_history
read-only /etc/passwd
blacklist /etc/shadow

EDIT: I recommend to create the directory ~/.config/firejail and copy the existing profiles from /etc/firejail to that new directory. Those profiles take precedence over the ones in /etc/firejail. Thus, you can modify them without having them overwritten when Firejail gets updated.
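The two steps in the post above (copy a profile into ~/.config/firejail so it survives package updates, then pull a shared myrules.inc into it) are worth scripting so they stay idempotent, and it helps to see which of the blacklisted paths actually exist on the machine. The following is an added Python example, not the poster's tooling and not part of Firejail; it relies only on Firejail's documented behaviour that a ~/.config/firejail/<name>.profile takes precedence over /etc/firejail/<name>.profile and that profiles accept an include directive. The directories are parameters, and demo() runs everything against a constructed temporary tree rather than the real system.

```python
"""Install a per-user Firejail profile override and audit a rules include file.

Added example, not the poster's own tooling. It assumes Firejail's
documented behaviour that ~/.config/firejail/<name>.profile overrides
/etc/firejail/<name>.profile and that profiles accept an 'include' line;
the directories are parameters so it can be dry-run against temp dirs.
"""
import os
import shutil
import tempfile

# Constructed rules, same shape as the myrules.inc quoted in the post.
MYRULES = """\
read-only ${HOME}/.config/firejail/*
blacklist ${HOME}/.config/autostart
blacklist ${HOME}/.bash_history
read-only ${HOME}/.bashrc
read-only /etc/passwd
blacklist /etc/shadow
"""


def install_override(system_dir, user_dir, name, include_path):
    """Copy system_dir/name.profile to user_dir (only if not already there, so
    local edits are kept) and make sure it includes include_path. Idempotent:
    a second run changes nothing. Returns the path of the user profile."""
    os.makedirs(user_dir, exist_ok=True)
    src = os.path.join(system_dir, name + ".profile")
    dst = os.path.join(user_dir, name + ".profile")
    if not os.path.exists(dst):
        shutil.copyfile(src, dst)
    line = "include " + include_path
    with open(dst) as f:
        lines = [l.rstrip("\n") for l in f]
    if line not in lines:
        with open(dst, "a") as f:
            f.write(line + "\n")
    return dst


def audit_rules(rules_text, home):
    """Expand ${HOME} and, for every blacklist/read-only target, report whether
    it exists on this machine as (directive, path, exists). A rule for a path
    that is not there is harmless, but it tells you the profile is not
    protecting what you think it is. Other directives are passed through
    with path and exists set to None."""
    report = []
    for raw in rules_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("blacklist", "read-only"):
            report.append((raw, None, None))  # directive this audit does not model
            continue
        path = parts[1].replace("${HOME}", home)
        if path.endswith("/*"):
            exists = os.path.isdir(path[:-2])
        else:
            exists = os.path.exists(path)
        report.append((parts[0], path, exists))
    return report


def demo():
    """Dry run against a constructed temporary tree; touches nothing system-wide."""
    root = tempfile.mkdtemp(prefix="fj-")
    system_dir = os.path.join(root, "etc-firejail")   # stands in for /etc/firejail
    user_dir = os.path.join(root, "config-firejail")  # stands in for ~/.config/firejail
    home = os.path.join(root, "home")
    os.makedirs(system_dir)
    os.makedirs(os.path.join(home, ".config", "firejail"))
    open(os.path.join(home, ".bashrc"), "w").close()
    with open(os.path.join(system_dir, "chromium.profile"), "w") as f:
        f.write("noblacklist ~/.config/chromium\ninclude /etc/firejail/disable-common.inc\n")
    inc = os.path.join(user_dir, "myrules.inc")
    profile = install_override(system_dir, user_dir, "chromium", inc)
    install_override(system_dir, user_dir, "chromium", inc)  # second run: no duplicate include
    with open(inc, "w") as f:
        f.write(MYRULES)
    with open(profile) as f:
        text = f.read()
    return {"profile_text": text, "include": inc, "home": home,
            "report": audit_rules(MYRULES, home)}


if __name__ == "__main__":
    r = demo()
    print(r["profile_text"])
    for directive, path, exists in r["report"]:
        print(f"{directive:10} {path}  exists={exists}")
```

For real use, call install_override("/etc/firejail", os.path.expanduser("~/.config/firejail"), "chromium", os.path.expanduser("~/.config/firejail/myrules.inc")) and feed the contents of your own myrules.inc to audit_rules with your real home directory; the audit is read-only.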
Firefox is in the process of implementing the same sandbox as Chrome on Linux, but it's not quite there yet; they still have issues.
An overview is https://wiki.mozilla.org/Security/Sandbox . On Windows the sandbox should already be enabled for Nightly. I don't know, though, how this fits with Servo which is intended to become the new rendering engine in Firefox:
Hmm.... what? Linux doesn't do "security through obscurity".... at all.... Thanks for linking my custom firewall rules. Here's what I do:
* GRsecurity + PAX, with "softmode" set to "0" (making mitigations opt-out rather than opt-in);
* Firejail for almost all apps, with numerous flags;
* GUFW, a mix between my custom rules and other rules (will be in my Github repo soon);
* uBlockOrigin, Disconnect, RequestPolicy, https-everywhere, NoScript;
I don't use detection tools, they're dumb unless you have a server and/or don't want to pass malware to people. The only tool I use is rkhunter, this tool is actually useful. I encrypt my drive. FDE, with twofish-xts-plain64, and an iter-time of 5000, which means 10 seconds between each passphrase attempt, making brute-force attacks useless. VirusTotal? Why? If the user only uses the trusted repositories there's no need to scan an executable file at all. Maybe for a PDF or such? But then, Firejail and GRSec should take care of any exploit. I'll do some research on OSSEC. Chrome's sandbox can't be trusted. Firefox's sandbox neither. Both can be bypassed.
I've just been starting to read about this subject. Do you think it to be useful in light of the development mentioned in the other topic (patches not being available in the future). I had trouble allowing my VPN client to be executed from my home folder. It uses openvpn, openssl and other dependencies. Is this something that can easily be solved?
I'm not sure I understand what you mean. If you currently use the LTS GRSec Kernel (3.14), you can still use kernel.pax.softmode=0. And even when the LTS branch is no longer available, you will either be using the latest publicly available LTS kernel of your distro (which should still allow kernel.pax.softmode=0) or the testing versions, which also allow kernel.pax.softmode=0. So IMO you should be fine either way; softmode=0 will work regardless of the LTS branch not being publicly available. See this article to learn how to set permissions on problematic executables: https://wiki.archlinux.org/index.php/Pax Remember, don't start giving "pemrs" permissions right away, because this is how executables are handled if "kernel.pax.softmode" is set to "1" (meaning all mitigations are off and opt-in). Most problematic executables can be allowed under "kernel.pax.softmode=0" by giving the executables the following permission: "m". Remember that uppercase letters (PEMRS) mean mitigations are ON; and lowercase letters (pemrs) mean mitigations are OFF.
Agreed. I wonder why you need Disconnect, RequestPolicy and NoScript.
- Disconnect: Its filter lists are also available in uBlock Origin. Together with the other available filter lists and hosts files, uBlock Origin blocks considerably more.
- RequestPolicy: Its functionality can be completely replaced by choosing default deny in Dynamic Filtering. See also the various available blocking modes.
- NoScript: Can also be replaced in uBlock Origin if you block inline and 1st-party scripts. (Although it might make sense to keep NoScript installed and allow scripts globally: its XSS and clickjacking protection would still be active.)
Advantage: the fewer extensions you use, the less unique your browser is (-> fingerprinting).
I think I didn't understand myself but your explanation helps. Thanks. Thanks again, I will try when I have a better understanding of how things work. It's just that using a VPN is the first thing I do when using a freshly installed system.
- I keep Disconnect here so that I'm able to see, with a more generic "filter" naming, what is trying to deliver ads, or content, or social tracking.
- I wouldn't want to replace RequestPolicy because there are a few ads that I agree to display on some websites that I support and/or that I benefit from. Overall, RequestPolicy is my first line of defense. It blocks all scripts and I can choose what to allow in a deeper way than NoScript. If there are ads that I want to display on a page, I allow them through uBlockOrigin. NoScript is here because RequestPolicy sometimes doesn't forbid some javascript requests, and NoScript does.