Firewall in Trisquel?

46 respostas [Última entrada]
Ronald
Desconectado
Joined: 07/11/2013

Hello,

How can check my firewall settings? I don't know even if it's installed :) Sorry for my newbie questions but I am a novice user who like free software philosophy.
I checked the documentation but I did not find the answer there. Should I install some other security programs?

What articles/books etc. should I read to gain more knowledge about Linux systems?

Best regards,
Ronald

Darksoul71
Desconectado
Joined: 01/04/2012

Hi there,

a good starting point might be the wiki entry over at Ubuntu for the uncomplicated firewall:
https://help.ubuntu.com/community/UFW

IIRC Trisquel does not have UFW (or anything else) installed per default as firewall.

HTH,
Holger

elbendecido
Desconectado
Joined: 01/08/2014

Hi, I recommend gufw, is very intuitive and easy for beginners.

Legimet
Desconectado
Joined: 12/10/2013

Use UFW for your firewall, or GUFW as a GUI.

Also get AppArmor, which restricts applications to only access certain resources. It comes installed by default on Trisquel, but you will have to activate the profiles. See the Ubuntu wiki:
https://wiki.ubuntu.com/AppArmor

I don't know of any GUI for AppArmor, though.

lembas
Desconectado
Joined: 05/13/2010

You don't need a firewall or any other security programs. You might want to remove the ssh server though if you don't use it.

For reading, check out https://www.gnu.org/philosophy/

Darksoul71
Desconectado
Joined: 01/04/2012

@lembas: Why on Earth would one not need to use a firewall ?
Because one can always trust open-source programms ?

@Legimet: AppArmor is not exactly what I would consider the right security tool for a novice user. Or would you ?

Legimet
Desconectado
Joined: 12/10/2013

I'm not much of a novice user to Debian-based distros (although I'm new to Trisquel), but AppArmor is still easy to use, just run
sudo aa-enforce /etc/apparmor.d/*

This should enforce all AppArmor profiles (although IIRC the chromium profile stops chromium from working). You should have apparmor-profiles and apparmor-utils.

lembas
Desconectado
Joined: 05/13/2010

I too always doubt open source programs but like free software.

Why do you think he needs one?

Darksoul71
Desconectado
Joined: 01/04/2012

Simple...for the same reason one should not run closed-source software or install precompiled software from PPAs: Security... :)

Ronald
Desconectado
Joined: 07/11/2013

Thank you for your response. GUFW installed, very easy to use :)
I've also installed in Abrowser HTTPS Everywhere. Is it worth it to use?

GNUser
Desconectado
Joined: 07/17/2013

To clarify, many GNU/linux distros don't install a firewall in default install. IN my opinion that is a bad choice, because while many people who came from windows have no idea about SSH, most know about firewall and will activate it if they have one. Also, I have already expressed why I think it is necessary to have a firewall in your system.
Gufw is very easy to use and still allows you to manage everything you might want to. So, good thing you followed that advice Ronald.

HTTPS Everywhere is a MUST. It will make sure that you use encryption on thousands of websites, which will prevent anyone watching your connection from knowing what you are doing. Note, they can still see what websites you connect to. For example, using http one can see you used duckduckgo to search for baby kittens for example. Using https one can see you connected to duckduckgo but can't see the search you made. So, that is a lot safer. If you want to hide which websites you visit and not be tracked online by ads and such, use the Tor browser bundle (www.torproject.org)

Also, I would suggest Noscript addon for Abrowser. Even if you allow all javascript it will prevent XSS attacks and such. So it's a must too. Add adblock edge and adblock pop-up and you are good to go.

Other good software for you to use in GNU/Linux are:
-rkhunter (really easy to use and it takes a few minutes to run);
-chkrootkit;
-ClamTK (windows viruses don't affect GNU/Linux, but it allows to know if the source you are using to get files online is as safe as you think);
-tiger;
-DenyHosts (prefer this over Fail2Ban);

Well, this is it. Remember, stay safe online ;)

FreedomOfTheOpenCode
Desconectado
Joined: 12/13/2013

That is the single most useful post on Linux security that I have ever seen (I have printed it for reference!) Where can I get this HTTPS Everywhere for Abrowser? I couldn't see it in the repo.

GNUser
Desconectado
Joined: 07/17/2013

HTTS Everywhere is a project by the EFF and the Tor Project. link is: https://www.eff.org/https-everywhere

If you are in for security you should add to that:

-Using GPG. Hard to do if your friends don't want to change the "normal way" they use to send and receive emails, but many people online use it, so, install it.
-Torbirdy is a good addon to use with GPG for anonymous email account.
-encrypt everything. For example, you can and probaly should encrypt your swap partition.
-BIOS passowrd. Even if it is "useless" in many cases, will save you from being beaten by a kid who can run faster than you.

If you want to read more about security, here is a VERY GOOD link.
http://crunchbang.org/forums/viewtopic.php?id=24722

I learned some new cool things there (even if most of it I already knew, it is a great post.)

Ronald
Desconectado
Joined: 07/11/2013

Thank You very much for your comprehensive answer. A lot of interesting and useful information :)
Currentl I'm using Abrowser + HTTPS Everywhere + Adblock but I will try to replace Adblock with Noscript (or leave both).

Regarding DenyHosts, sounds very secure but it's probalby too dificult to me :)

What about TrueCrypt? Do I have to at least encrypt my home directory?

Legimet
Desconectado
Joined: 12/10/2013

TrueCrypt is nonfree software.

Ronald
Desconectado
Joined: 07/11/2013

That's not good, I didn't know about it. Are there any free alternatives?

GNUser
Desconectado
Joined: 07/17/2013

Keep in mind that TrueCrypt is open-source, which means in a practical sense you get the same security as in a free software. The problem comes with the licensing aspect of it. So, while I do not promote its usage and encourage people to find alternatives, if one MUST use it, he is not "in danger of using a closed-source software". People argue with the ethical side of TrueCrypt, but in practical terms, it's the same as GPG for example.

onpon4
Desconectado
Joined: 05/30/2012

No, TrueCrypt isn't open source. The OSI has not accepted any version of the TrueCrypt license.

GNUser
Desconectado
Joined: 07/17/2013

By open source I meant just that: the source is available. That means one can analyze the code. The fact that OSE doesn't accept TrueCrypt as a open source project doesn't mean that the software is not "open sourced".
Now, again, I agree that TrueCrypt is not the best option when it comes to ethical and philosophical matters.

onpon4
Desconectado
Joined: 05/30/2012

"Open source" doesn't mean "the source code is available". The OSI gives a definition for "open source"; it's about the same as free software.

I'm not in support of open source, but diluting the term to include closed-source software is not good. It's not very nice, first of all (kind of like when people dilute the term "free software" the same way: "program X is free and open source, and program Y is free but not open source"), and it legitimizes false claims of proprietary software being "open source" when its source code is only available under a non-commercial and/or no-derivatives license.

quantumgravity
Desconectado
Joined: 04/22/2013

Ok then don't call it opensource, but you can't just put it in the same box like normal proprietary software, since you can study the source code, or is this wrong?
This gives you a lot more control than prop. software does, though I agree that it's not sufficient.

kopolee11
Desconectado
Joined: 06/05/2013

> Ok then don't call it opensource, but you can't just put it in the same
> box like normal proprietary software, since you can study the source
> code, or is this wrong?
> This gives you a lot more control than prop. software does, though I
> agree that it's not sufficient.
>

For what it is worth, Wikipedia refers to TrueCrypt as a
"source-available" program. (https://en.wikipedia.org/wiki/TrueCrypt)
Which does distinguish it from most proprietary/closed source programs,
even while falling short of free/open source programs.

But I agree with everyone else in this thread, TrueCrypt should be
avoided because it is not free software.

GNUser
Desconectado
Joined: 07/17/2013

While I agree with you, I don't mind mentioning it because for some people (in life or death situations, not americans and europeans trying to hide pictures of their cats) it might be the only real solution. Yes, it is "unethical" from a free software view point, but it is a reliable solution due to the fact that it works, is nearly unbreakable, and you can study the source code (even can make changes for your own use anyway, if you don't mind not sharing them with anyone). And like I said, I am talking about "please, I need to encrypt this file or i will die" situations.

Having said that, I don't mind using GPG (even if I would like to be able to "decrypt" on the fly).

quiliro@congresolibre.org
Desconectado
Joined: 10/28/2010

El dom 12 ene 2014 16:47:35 ECT, name at domain escribió:
> it is a reliable solution due to the fact that it works, is nearly
> unbreakable, and you can study the source code (even can make changes
> for your own use anyway, if you don't mind not sharing them with
> anyone).

It is NOT reliable:

"Usage Example 2: Password Recovery Combining the product with
traditional Forensic applications like Encase®, Forensic units used the
RAM dump functionality to make a snapshot of the current RAM
information and recovered the Hard-Diskencryption passphrase for
TrueCrypt’s full disk encryption."
http://wikileaks.org/spyfiles/files/0/299_GAMMA-201110-FinFisher_Product_Portfolio-en.pdf

Check other sources too:
https://duckduckgo.com/?t=trisquel&q=!leaks+truecrypt
--
Saludos libres,
Quiliro Ordóñez
600 8579

teodorescup

I am a member!

Desconectado
Joined: 01/04/2011

To be fair, physical access to a "warm" RAM would cripple any encryption.

--
I use: trisquel.info | ceata.org | fsf.org | riseup.net | duckduckgo.com | eff.org | h-node.com | torproject.org | airvpn.org | flattr.com | skepdic.com |

GNUser
Desconectado
Joined: 07/17/2013

Very true.
I have tried to make my computer clean memory on shutdown (similar to TAILS). However when I tried it, it would always freeze my computer, and I gave it up.
Using bleachbit works, but I doubt it is so thorough as the TAILS cleaning process.

teodorescup

I am a member!

Desconectado
Joined: 01/04/2011

In "please, I need to encrypt this file or i will die" situations
encryption itself won't do much, in those situations one would need to
use steganography or some form of plausible deniability.

The only feature that could be tempting in Truecrypt is the hidden
volume option; when I tested that in the past on a big HDD with lots of
files it failed miserably, thats not to say that is never working but I
completely lost my confidence of the product. This combined with the
licensing issues, I wouldn't recommend it for any user case.

--
I use: trisquel.info | ceata.org | fsf.org | riseup.net | duckduckgo.com | eff.org | h-node.com | torproject.org | airvpn.org | flattr.com | skepdic.com |

ZykoticK9
Desconectado
Joined: 04/07/2011

If anyone is interested in steganography check out steghide in the repo - powerful little program.

GNUser
Desconectado
Joined: 07/17/2013

I would agree 100% with you if it was a icon maker program or a sound editing program. But it is a SECURITY program. Having the source code is a HUGE matter in this case, even if one doesn't give a damn about ethical side of free software. In a practical sense it still gives you the assurance that no one is backdooring anything.
I agree with you 50% in that we should be careful to not fall into the "if I am not paying, it's free".
So, yeah, for the third time, I don't support or promote the use of TrueCrypt. However, in some cases, it might be still the best shot (plausible deniability for example) for some people.

Still, I think we should stick with free software, and sometimes I agree that Open Source is a acceptable thing too.

GNUser
Desconectado
Joined: 07/17/2013

ecryptfs can encrypt swap partition (see link above) but I haven't tested it yet. Don't know what else it can do.
I think when one uses GParted you can format a drive and encrypt it with a password. However, I don't know what encryption is used so I don't rely on it.

Does anyone knows if it is possible to encrypt several files at once using GPG?
Like "gpg encrypt *.* in current folder"?

quantumgravity
Desconectado
Joined: 04/22/2013

You can do that using ccrypt.

You type in the current folder:
ccrypt *
and thats it.

GNUser
Desconectado
Joined: 07/17/2013

How would that compare with GPG encryption? ccrypt apparently uses Rijndael cypher 256 bits. I wonder if that is as strong as GPG encryption.
However it's a good option thanks :)

GNUser
Desconectado
Joined: 07/17/2013

To answer my own question:

gpg -r 'keyname' --encrypt-files *.*

It will encrypt all the files in the specified folder with the public key you choose. If you have multiple files and wish to encrypt each one with a different key, just do:

gpg --encrypt-files *.*

you will be asked for each key for each file.

Legimet
Desconectado
Joined: 12/10/2013

You can use ecryptfs (see https://help.ubuntu.com/community/EncryptedPrivateDirectory). Or, if you haven't installed trisquel yet, there should be an option in the installer that says something like "encrypt home directory." (this uses ecryptfs)

ZykoticK9
Desconectado
Joined: 04/07/2011

IF you haven't installed. I'd strongly suggest using the "encrypted LVM" option (present in netinst, i don't know if it's the default installer?). Be aware the encrypted-home option will prevent Hibernation (if it's a portable system) by default [it is fixable using keys somehow]. With the LVM it's just 1 password to mount multiple encrypted filesystems, instead of being prompted for multiple passwords on boot. cryptsetup FTW. more reasons to NOT use TrueCrypt (it's not free, it's not even open source...) at http://istruecryptauditedyet.com/

kopolee11
Desconectado
Joined: 06/05/2013

On 2014-01-11 16:28, name at domain wrote:
> Thank You very much for your comprehensive answer. A lot of interesting
> and useful information :)
> Currentl I'm using Abrowser + HTTPS Everywhere + Adblock but I will try
> to replace Adblock with Noscript (or leave both).
>

Ditto about all the great info. If I may, I also recommend you look into
adding RequestPolicy. It is similar to NoScript, except that it blocks
cross-site requests instead of scripts. It can take a little while to
get used too, but it can really increase your privacy and security.
Check out https://www.requestpolicy.com/ for more info.

teodorescup

I am a member!

Desconectado
Joined: 01/04/2011

RequestPolicy is good only in theory. In practice when RequestPolicy is enabled you basically broke all sites you visit and you have to spend seconds if not minutes to establish policies for each new site you visit; also, you end up allowing "Blocked destinations" at random until you end up with the content you need from the page.

For me RequestPolicy was just a huge waste of time; a good cookie and referer control, HTTPS Everywhere, No NoScript and AdBlockPlus should be enough.

--
I use: trisquel.info | ceata.org | fsf.org | riseup.net | duckduckgo.com | eff.org | h-node.com | torproject.org | airvpn.org | flattr.com | skepdic.com |

kopolee11
Desconectado
Joined: 06/05/2013

>> RequestPolicy is good only in theory. In practice when RequestPolicy is enabled you basically broke all sites you visit and you have to spend seconds if not minutes to establish policies for each new site you visit; also, you end up allowing "Blocked destinations" at random until you end up with the content you need from the page.

To each their own. I like it because I find it also allows websites to
load a lot quicker. Just like NoScript, the more you use it the better
it gets. And generally it is pretty easy to tell what needs to be
enabled. Plus, with Web of Trust (WOT) you can get somewhat of an idea
of what to avoid enabling.
> For me RequestPolicy was just a huge waste of time; a good cookie and
referer control, HTTPS Everywhere, No NoScript and AdBlockPlus should be
enough.
>>

No arguments from me that those are all good things that everyone should
look into, and are probably enough for most people.

ssdclickofdeath
Desconectado
Joined: 05/18/2013

DuckDuckGo shows the query in the URL by default, even using HTTPS. In the settings you can change it to hide the query. The URL showing the query would look something like this: https://duckduckgo.com/q=baby20%kittens

GNUser
Desconectado
Joined: 07/17/2013

NoScript and Adblock serve different purposes.
Noscript blocks javascript and XSS attacks. Adblock blocks known ads from loading in your browsing. Use both. Also, use Adblock edge, since Adblock Plus has an anti feature (allow some ads by default).
You can complement Adblock with adblock pop-up.

As for encryption, it's really up to you, and what are youd "threat model" and "defensive strategy". You can encrypt only single files if you so wish, or you can try to encrypt an entire partition. Keep in mind that usually the more encryption you add, the less "usable and fast" your system becomes.

One thing I would like to do but don't know how is a script to run rkhunter and chkrootkit, and give me a "warnings only log". It could be a script that searched for warning lines and placed them all inside the same text file. If run everytime on boot, one could be more "on top" of his system's protection.

quiliro@congresolibre.org
Desconectado
Joined: 10/28/2010

El sáb 11 ene 2014 17:22:43 ECT, name at domain escribió:

> One thing I would like to do but don't know how is a script to run
> rkhunter and chkrootkit, and give me a "warnings only log". It could
> be a script that searched for warning lines and placed them all inside
> the same text file. If run everytime on boot, one could be more "on
> top" of his system's protection.

What is the exact expression are you looking for in each result? You
can search for those expressions with grep. It is easy.

--
Saludos libres,
Quiliro Ordóñez
600 8579

GNUser
Desconectado
Joined: 07/17/2013

It could be something like
"search for a line with [Warning] in this file, and if found, copy the entire line for that file". I will take a look at that later. But if you could provide an example I would appreciate :)

quantumgravity
Desconectado
Joined: 04/22/2013

I think this might work:

grep Warning your_input_file >> your_output_file

Grep copies every line which contains "Warning" in "your_output_file".

quiliro@congresolibre.org
Desconectado
Joined: 10/28/2010

El dom 12 ene 2014 08:38:03 ECT, name at domain escribió:
> I think this might work:
>
> grep Warning your_input_file >> your_output_file
>
> Grep copies every line which contains "Warning" in "your_output_file".

Good example. Here are others:
http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/

Remember the license if you make a script. Here is an example:
http://pastebin.com/HsJZZqWM
--
Saludos libres,
Quiliro Ordóñez
600 8579

GNUser
Desconectado
Joined: 07/17/2013

Thank you both! =D I will see about it later. I will let you guys know when I got it done ;)

ssdclickofdeath
Desconectado
Joined: 05/18/2013

How do I make gufw start with the computer?

FreedomOfTheOpenCode
Desconectado
Joined: 12/13/2013

Go to System Settings, then Startup Applications (in the Personal section).