Firejail, Firetools (GUI) & AppArmor - Hardening Bionicdog
labbe5

Joined: 13 Nov 2013
Posts: 1480
Location: Canada

PostPosted: Thu 23 Feb 2017, 15:16    Post subject:  Firejail, Firetools (GUI) & AppArmor - Hardening Bionicdog
Subject description: using firejail for accessing sensitive content when browsing
 

After compiling firejail (very few dependencies) or installing it from .deb binaries, you start browsing with this command line for highest security:

I use Firefox, but you can use a number of browsers with firejail.

$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 --caps.drop=all firefox -no-remote

For DNS, I use Google Public DNS, and the browser cannot access a number of processes.

This setup is for accessing bank accounts or other sensitive content.

When you are finished with your browsing, you look for the client number of firejail with:
firejail --list

And you shut down your contained Firefox with:

firejail --shutdown=<client number>

Coupled with a VPN, such as VPNBook, you have very secure browsing.

After installing OpenVPN, you use this command line to have a Virtual Private Network:
sudo openvpn --config vpnbook-ca1-tcp443.ovpn --auth-nocache

Depending on your downloaded bundle, it can be US, or CA, or other countries. In this instance it is the Canadian bundle.

--auth-nocache means that the password is not cached in plain text.

More info at the firejail website.

Last edited by labbe5 on Sun 28 Oct 2018, 11:40; edited 2 times in total
labbe5

Joined: 13 Nov 2013
Posts: 1480
Location: Canada

PostPosted: Sun 23 Apr 2017, 09:51    Post subject: Do My Command utility  

Using the Do My Command utility that is part of Dog-based OS, you can have firejail firefox up and running in one click.

Just save your command line at the bottom of the file provided by the utility and click Play. Your command line will be kept for other sessions.

Using public DNS servers from DNS.Watch, for maximum privacy:

$ firejail --private --dns=84.200.69.80 --dns=84.200.70.40 --caps.drop=all firefox -no-remote

The best is to couple Firejail with Openvpn.
labbe5

Joined: 13 Nov 2013
Posts: 1480
Location: Canada

PostPosted: Fri 19 May 2017, 21:51    Post subject: more on Firejail
Subject description: integration with desktop environment
 

https://firejail.wordpress.com/2017/05/15/linux-mint-sandboxing-guide/

Here is another review/guide to help you understand and use firejail :
https://linuxconfig.org/protect-your-system-run-your-browser-in-firejail

Up to now, we had to prefix a command with firejail, such as firejail firefox in a terminal, to have it sandboxed, but now there is full integration with the desktop environment.

Once you have installed firejail (now version 0.9.46), you need to complete the installation with:

firecfg --fix-sound
and
sudo firecfg

Here is why:
First command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. The second command integrates Firejail into your desktop. You would need to logout and login back to apply PulseAudio changes.

It is a major change, making Firejail as simple to use as it can be:
Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. The integration applies to any program supported by default by Firejail. There are about 250 default applications in Firejail version 0.9.46, and the number goes up with every new release. We keep the list in /usr/lib/firejail/firecfg.config file.

Just for fun, start several programs by clicking your desktop manager menus, then open a terminal and run the following command:

firejail --top

This command tells you what programs are running in a Firejail sandbox. If your program was not sandboxed automatically, use the old method of prefixing your program with “firejail” command:

Finally:
Run sudo firecfg every time you install a new program.

Security is the name of the game.

Last edited by labbe5 on Tue 11 Jul 2017, 10:12; edited 1 time in total
rufwoof

Joined: 24 Feb 2014
Posts: 2645

PostPosted: Fri 19 May 2017, 22:56    Post subject:  

Thanks for all this detail, labbe5.

All a dark science from my perspective. I already have firejail up and running with skype and firefox .desktop files changed to use that by default (firejail prefix to commands).

I tried installing openvpn out of the Debian repository (I run a Debian jwm/rox type frugal boot setup) and then ran the command you suggested, but that came back with an error report
Code:
root@debian:/home/user# openvpn --config vpnbook-ca1-tcp443.ovpn --auth-nocache
Options error: In [CMD-LINE]:1: Error opening configuration file: vpnbook-ca1-tcp443.ovpn

So looks like there's a lot more to do/configure on the VPN front that I know next to nothing about and need to get my head down to do some studying.
labbe5

Joined: 13 Nov 2013
Posts: 1480
Location: Canada

PostPosted: Mon 31 Jul 2017, 13:43    Post subject: Firetools
Subject description: GUI for Firejail
 

http://www.linuxandubuntu.com/home/firejail-a-namespace-separation-security-sandbox

There are certain files required in order for Firejail to work properly (actually for Firetools to work properly).

For Dog-based OS:

Git and Compiler:
sudo apt-get install git build-essential

Qt5:
sudo apt-get install build-essential qt5-default qt5-qmake qtbase5-dev-tools libqt5svg5 git

To install the GUI, enter these commands:

git clone https://github.com/netblue30/firetools
cd firetools
./configure --prefix=/usr && make && sudo make install

Firejail is now available in standard Ubuntu repositories, but for latest version, you still need to compile it (each new version contains new profiles, which are security rules followed by apps).
labbe5

Joined: 13 Nov 2013
Posts: 1480
Location: Canada

PostPosted: Sun 28 Oct 2018, 12:47    Post subject: Hardening a newly installed Bionicdog
Subject description: how to use Firejail & AppArmor
 

A newly installed Bionicdog does not have AppArmor installed, nor Firejail, but they are both the easiest way to protect your system against sophisticated hacks.

How to install AppArmor

First check by yourself that apparmor is not installed with:
apt-cache policy apparmor

Having done that, you install apparmor and the following packages:
apt install apparmor apparmor-profiles-extra apparmor-profiles apparmor-utils

When it is done, you enforce profiles:
aa-enforce /etc/apparmor.d/*

When it is done, you can check apparmor status:
sudo aa-status

It looks like this:
apparmor module is loaded.
51 profiles are loaded.
51 profiles are in enforce mode.
/usr/bin/irssi
/usr/bin/pidgin
/usr/bin/pidgin//launchpad_integration
/usr/bin/pidgin//sanitized_helper
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
/usr/lib/chromium-browser/chromium-browser//lsb_release
/usr/lib/chromium-browser/chromium-browser//sanitized_helper
/usr/lib/chromium-browser/chromium-browser//xdgsettings

Bionicdog can be even more hardened with Firejail. Download latest version on Sourceforge, because version from Ubuntu repositories will not work with latest Firefox.

Now use Slim to change from root to puppy the easiest way:
apt install slim
exit x
Once you are puppy user, now you can use firejail in your terminal.

For example, you want to start Firefox:
The simplest command is: firejail firefox. It is better than nothing. But we can do more, much more, to secure Firefox without compromising functionality.

Firefox in complete isolation:
firejail --seccomp --caps.drop=all --nonewprivs --private --private-dev --private-tmp --dns=1.1.1.1 --dns=1.0.0.1 --whitelist=/home/puppy/Downloads firefox -no-remote
You will not see any change, but you are safer using Firefox this way.

To autostart Firefox:
Here is the path: /home/puppy/.config/openbox
Click on autostart to open the file and add at the bottom:
firejail --seccomp --caps.drop=all --nonewprivs --private --private-dev --private-tmp --dns=1.1.1.1 --dns=1.0.0.1 --whitelist=/home/puppy/Downloads firefox -no-remote &

Adding & is all you need to do, then save.

Firefox, or other browsers, are better hardened to the maximum, the more so when you use your browser to do financial transactions.

When using internet-facing apps, a good habit is to use Firejail.
To block access to the internet while using an app, add --net=none

Try it yourself with Firefox. It will result in a lost connection. Some apps do not need to have internet access to function properly, but may attempt to connect to a server.

What more can be done? Use ufw, the Uncomplicated Firewall.
Install it with apt install ufw. Gufw is the GUI for ufw, but stick to the command line for Bionicdog.
After installation, as root, you do: ufw enable. Most users are ok with that.
Incoming connections are denied by default.

After you have hardened Bionicdog, reboot.

You are no longer the low-hanging fruit. You have multiple layers of security that need to be overcome for you to be hacked and your system be compromised.

For added security and privacy, use a VPN. AirVPN, managed by privacy activists, and ProtonVPN are on top of any list; AirVPN has a GUI called Eddie available for Linux users, with which you can easily use Tor, SSL and change protocols.

In spite of all this, phishing, spear phishing and evil twin wifi access points can compromise all you have done.

Hackers are after credentials (usernames, passwords) in all possible ways. Add 2FA when possible. The use of social media does not help keep you private and secure, but it is your choice to use them.

When possible use encryption, and some useful addons, such as NoScript, HTTPS Everywhere, uMatrix, uBlock origin.

Now your Bionicdog installation is hardened.
Congrats!
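A small helper script, added here as an example and not labbe5's own code, that ties together the first post's list-then-shutdown step and the last post's hardened Firefox command line. Function names (valid_ipv4, sandbox_cmd, sandbox_pid) are my own, the listing is a constructed stand-in, and the script assumes `firejail --list` prints one colon-separated pid:user:name:command line per sandbox.

```shell
#!/bin/sh
# Added example, not from the thread: helpers around the firejail workflow
# described above. The sample listing is constructed, not captured output.

# Accept only a dotted-quad IPv4 address; rejects typos such as a trailing dot.
valid_ipv4() {
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the hardened Firefox command line from the last post, with the two
# resolvers and the whitelisted download directory as parameters.
sandbox_cmd() {
    dns1=$1; dns2=$2; downloads=$3
    valid_ipv4 "$dns1" && valid_ipv4 "$dns2" || {
        echo "sandbox_cmd: invalid DNS address" >&2
        return 1
    }
    printf 'firejail --seccomp --caps.drop=all --nonewprivs --private --private-dev --private-tmp --dns=%s --dns=%s --whitelist=%s firefox -no-remote\n' \
        "$dns1" "$dns2" "$downloads"
}

# Read a `firejail --list` listing on stdin (assumed pid:user:name:command)
# and print the PID of the first sandbox whose command mentions the program.
sandbox_pid() {
    awk -F: -v prog="$1" '$4 ~ prog { print $1; exit }'
}

# Constructed sample listing standing in for real `firejail --list` output.
SAMPLE_LIST='2101:puppy::firejail --private --dns=1.1.1.1 firefox -no-remote
2345:puppy::firejail --net=none libreoffice'

# Stand-alone demo: print the command, then show how the PID lookup feeds
# firejail --shutdown. Nothing is launched or shut down here.
sandbox_cmd 1.1.1.1 1.0.0.1 /home/puppy/Downloads
pid=$(printf '%s\n' "$SAMPLE_LIST" | sandbox_pid firefox)
echo "would run: firejail --shutdown=$pid"
```

On a real system replace the sample with `firejail --list | sandbox_pid firefox` before calling `firejail --shutdown`.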