<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<title>Best of Ubuntu Forums Community Tutorials</title>
<firstname>duanedesign</firstname>
<pubdate>041009</pubdate>
<chapter id="security-chapter">
<title>Ubuntu Security</title>
<title>Uncomplicated Firewall</title>
<para>I looked for a current how-to for UFW and when I did not see one I wanted to add one.</para>
<para>(important note: UFW is not the firewall. UFW just configures your
<para>In most cases I recommend doing the following immediately:</para>
<para><code>sudo ufw default deny</code></para>
<para><code>sudo ufw enable</code></para>
<para>If you administer the machine over SSH, add an allow rule for port 22 (see below) before you enable the firewall with a deny default, or you will lock yourself out.</para>
<para>Then fine tuning can start. Some basic commands are:</para>
<para>Turn on the firewall: <code>sudo ufw enable</code></para>
<para>Turn off the firewall: <code>sudo ufw disable</code></para>
<para>To add deny rules: blocking a port</para>
<para><code>sudo ufw deny &lt;port number&gt;</code></para>
<para>blocking an ip address</para>
<para><code>sudo ufw deny from &lt;ip address&gt;</code></para>
<para>blocking a specific ip address and port</para>
<para><code>sudo ufw deny from &lt;ip address&gt; to any port &lt;port number&gt;</code></para>
<para>advanced deny example for denying access from the ip address range 10.120.0.1 - 10.120.0.255 to SSH port 22 (the /24 prefix covers 10.120.0.0 - 10.120.0.255)</para>
<para><code>sudo ufw deny from 10.120.0.0/24 to any port 22</code></para>
<para>To add allow rules: to allow an ip address</para>
<para><code>sudo ufw allow from &lt;ip address&gt;</code></para>
<para>to allow a port</para>
<para><code>sudo ufw allow &lt;port number&gt;</code></para>
<para>A port rule without a protocol applies to both tcp and udp; append the protocol, e.g. <code>sudo ufw allow 22/tcp</code>, to limit the rule to one of them.</para>
<para>allow a specific ip address and port</para>
<para><code>sudo ufw allow from &lt;ip address&gt; to any port &lt;port number&gt;</code></para>
<para>advanced allow example for allowing access from the ip address range 10.120.0.1 - 10.120.0.255 to port 22</para>
<para><code>sudo ufw allow from 10.120.0.0/24 to any port 22</code></para>
<para>To get the current status of your UFW rules</para>
<para><code>sudo ufw status</code></para>
<para>To remove a deny or allow rule</para>
<para><code>sudo ufw delete &lt;rule type&gt; from &lt;ip address&gt; to any port &lt;port number&gt;</code></para>
<para>(note: you basically repeat the syntax used to create the rule and prefix it with 'delete'.) You need to be careful when setting up allow and deny rules that 'intersect', because the first rule matched is applied and the remaining rules are ignored. Rules are appended in the order you add them. SCENARIO: you want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22.</para>
<para><code>sudo ufw deny from 192.168.0.1 to any port 22</code></para>
<para><code>sudo ufw deny from 192.168.0.7 to any port 22</code></para>
<para><code>sudo ufw allow from 192.168.0.0/24 to any port 22</code></para>
<para>If you add the allow statement before either of the deny statements it will be matched first and the deny rules will never be evaluated. You can check this with ufw status:</para>
<screen>sudo ufw status
To                         Action  From
--                         ------  ----
22:tcp                     DENY    192.168.0.1
22:udp                     DENY    192.168.0.1
22:tcp                     DENY    192.168.0.7
22:udp                     DENY    192.168.0.7
22:tcp                     ALLOW   192.168.0.0/24
22:udp                     ALLOW   192.168.0.0/24</screen>
<para>The allow is at the bottom and will be the last rule evaluated; if it appeared above the deny rules, the deny rules would not be evaluated. Newer ufw releases show the position of each rule with <code>sudo ufw status numbered</code> and let you place a rule at a given position with <code>sudo ufw insert 1 deny from 192.168.0.1 to any port 22</code>. I hope this helps you use ufw to secure your computer.</para>
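<para>The ordering pitfall in the scenario above, as an added example that is not part of the original tutorial or of ufw itself: a small simulator that parses the rule forms used in this section (<code>sudo ufw allow|deny [from &lt;src&gt;] [to any] [port &lt;n&gt;]</code>) and evaluates a packet against the list the way the firewall does, first match wins. The rule lists and the sample source addresses are constructed for the example; <code>parse_rule</code>, <code>evaluate</code> and <code>decide</code> are names chosen here, not ufw functions.</para>

```python
"""Simulate ufw's first-match rule evaluation (added example, not ufw code)."""
import ipaddress
import re

# Accepts the command forms used in the tutorial, e.g.
#   sudo ufw deny from 192.168.0.1 to any port 22
#   sudo ufw allow 80
RULE_RE = re.compile(
    r"^(?:sudo\s+)?ufw\s+(allow|deny)\s+"   # action
    r"(?:from\s+(\S+))?\s*"                 # optional source address or CIDR
    r"(?:to\s+any)?\s*"                     # optional destination (any)
    r"(?:port\s+)?(\d+)?\s*$"               # optional destination port
)


def parse_rule(cmd):
    """Turn one ufw command line into (ACTION, source network, port-or-None)."""
    m = RULE_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {cmd!r}")
    action, src, port = m.groups()
    # A bare address such as 192.168.0.1 is its /32 network; no source means anywhere.
    network = ipaddress.ip_network(src or "0.0.0.0/0", strict=False)
    return action.upper(), network, (int(port) if port else None)


def evaluate(rules, src_ip, dst_port, default="DENY"):
    """Return (action, index) of the first rule matching the packet, or
    (default, None) when nothing matches (the tutorial set `default deny`)."""
    addr = ipaddress.ip_address(src_ip)
    for index, (action, network, port) in enumerate(rules):
        if addr in network and (port is None or port == dst_port):
            return action, index        # first match wins; later rules are never consulted
    return default, None


def decide(commands, src_ip, dst_port=22):
    """Parse a list of ufw commands and decide one packet (action only)."""
    return evaluate([parse_rule(c) for c in commands], src_ip, dst_port)[0]


# The scenario from the text: block two hosts on port 22, allow the rest of the /24.
# These rule lists are constructed for the example.
CORRECT_ORDER = [
    "sudo ufw deny from 192.168.0.1 to any port 22",
    "sudo ufw deny from 192.168.0.7 to any port 22",
    "sudo ufw allow from 192.168.0.0/24 to any port 22",
]
# The same rules with the allow added first: the /24 allow shadows both denies.
ALLOW_FIRST = [CORRECT_ORDER[2], CORRECT_ORDER[0], CORRECT_ORDER[1]]

if __name__ == "__main__":
    for label, cmds in (("correct order", CORRECT_ORDER), ("allow first", ALLOW_FIRST)):
        for ip in ("192.168.0.1", "192.168.0.7", "192.168.0.42", "10.0.0.5"):
            print(f"{label:14} {ip:14} -> port 22 {decide(cmds, ip)}")
```

<para>With the rules in the tutorial's order, 192.168.0.1 and 192.168.0.7 are denied and 192.168.0.42 is allowed; with the allow first, all three are allowed and the two deny rules are dead. Run the same check against the real box with <code>sudo ufw status numbered</code> after adding rules.</para>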
<title>apparmor</title>
<para>AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.</para>
<para>First, by default AppArmor does very little (and thus with this post I am hoping to change that ...). With a default installation AppArmor protects only CUPS. You can install additional AppArmor profiles, which will get you started with a few additional applications, but we must also write and customize our own
<para>To install some additional profiles:</para>
<screen>sudo apt-get install apparmor-profiles</screen>
<para>Although this installs some additional profiles, they are permissive in that they default to complain mode (you will need to switch them to enforce mode manually).</para>
<para>Profiles are stored in <emphasis>/etc/apparmor.d</emphasis></para>
<para>On Ubuntu, AppArmor logs profile violations to <emphasis>/var/log/messages</emphasis> (the same kernel messages also appear in <emphasis>/var/log/kern.log</emphasis>, and in <emphasis>/var/log/audit/audit.log</emphasis> if auditd is installed).</para>
<para>AppArmor uses the kernel's standard securityfs mechanism to load and monitor profiles.</para>
<para>securityfs is mounted on <emphasis>/sys/kernel/security</emphasis></para>
<para><emphasis>/sys/kernel/security/apparmor/profiles</emphasis> is a virtualized file representing the currently loaded set of
<para>On Ubuntu there are no gui tools to manage or write profiles, so we are talking good old command line tools and editing configuration files. The configuration files are text files and, with a little reading, are fairly easy to understand.</para>
<para><emphasis role="bold">Profiles</emphasis></para>
<para>Profiles are stored in <emphasis>/etc/apparmor.d</emphasis></para>
<para>Profiles are named after the application they confine, using the full path, dropping the first / and converting the others to a . (dot). Firefox is a bit confusing because /usr/bin/firefox is a link to /usr/bin/firefox-3.0, which in turn is a link to /usr/lib/firefox-3.0.4/firefox.sh (on Ubuntu 9.04 Alpha).</para>
<para>Thus <emphasis>/usr/lib/firefox-3.0.4/firefox.sh</emphasis> becomes <emphasis>usr.lib.firefox-3.0.4.firefox.sh</emphasis></para>
<para>and is stored in <emphasis>/etc/apparmor.d/usr.lib.firefox-3.0.4.firefox.sh</emphasis></para>
<para>More on profiles later.</para>
<para><emphasis role="bold">Enforcement</emphasis></para>
<para>Once a profile is defined and loaded into the kernel it is automatically activated when the application is started. Confinement is attached at exec time, so a newly loaded profile does not apply to instances of the program that were already running; restart them. There are 2 modes of operation, complain and enforce.</para>
<para><emphasis role="bold">complain</emphasis></para>
<para>In complain mode AA monitors applications and logs violations of your profile without restricting or confining the application. I think of this as "Testing" mode.</para>
<para><emphasis role="bold">enforce</emphasis></para>
<para>In enforce mode AA monitors applications and logs violations of your profile. In the event of a violation, access to the resource is denied and the application is confined.</para>
<para><emphasis role="bold">Start / Stop AppArmor</emphasis></para>
<para>Usage: /etc/init.d/apparmor {start|stop|restart|try-restart|reload|force-reload|status|kill}</para>
<para>Start: <code>sudo /etc/init.d/apparmor start</code></para>
<para>Stop: <code>sudo /etc/init.d/apparmor stop</code></para>
<para>Reload: <code>sudo /etc/init.d/apparmor reload</code></para>
<para>Show status: <code>sudo /etc/init.d/apparmor status</code></para>
<para>and so on ...</para>
<para><emphasis role="bold">Additional useful AppArmor commands</emphasis></para>
<para>Note: In these examples, | = or. So you may use genprof or aa-genprof (and so on).</para>
<para><ulink url="http://www.novell.com/documentation/apparmor/index.html#21">Source: Novell AppArmor Guide</ulink></para>
<para><emphasis role="bold">genprof | aa-genprof</emphasis></para>
<para><quote>Generate or update a profile. When running, you must specify a program to profile. If the specified program is not an absolute path, genprof searches the $PATH variable. If a profile does not exist, genprof creates one using autodep.</quote></para>
<para>Syntax: <code>sudo genprof &lt;application&gt;</code></para>
<para>Example: <code>sudo genprof firefox</code></para>
<para>This generates a profile for firefox at /etc/apparmor.d/usr.lib.firefox-3.0.4.firefox.sh</para>
<para><emphasis role="bold">autodep | aa-autodep</emphasis></para>
<para><quote>Guess basic AppArmor profile requirements. autodep creates a stub profile for the program or application examined. The resulting profile is called approximate because it does not necessarily contain all of the profile entries that the program needs to be confined properly.</quote></para>
<para><emphasis role="bold">complain | aa-complain</emphasis></para>
<para><quote>Set an AppArmor profile to complain mode from enforce mode.</quote></para>
<para>Syntax: <code>sudo complain &lt;profile&gt;</code></para>
<para>Example: <code>sudo complain firefox</code></para>
<para><emphasis role="bold">enforce | aa-enforce</emphasis></para>
<para><quote>Set an AppArmor profile to enforce mode from complain mode.</quote></para>
<para>Syntax: <code>sudo enforce &lt;profile&gt;</code></para>
<para>Example: <code>sudo enforce firefox</code></para>
<para><emphasis role="bold">unconfined | aa-unconfined</emphasis></para>
<para><quote>Output a list of processes with open tcp or udp ports that do not have AppArmor profiles loaded.</quote></para>
<para>Note that it only reports processes that are listening on the network; an unconfined program with no open ports will not appear in its output.</para>
<para><emphasis role="bold">logprof | aa-logprof</emphasis></para>
<para><quote>Manage AppArmor profiles. logprof is an interactive tool used to review the learning or complain mode output found in the AppArmor syslog entries and to generate new entries in AppArmor profiles.</quote></para>
<para>Translation: search your logs for problems and use this information to modify the firefox profile.</para>
<para><emphasis role="bold">apparmor_parser</emphasis></para>
<para>This is used to load, or more commonly reload, a profile into the kernel. After modifying (editing) a profile use:</para>
<screen>sudo apparmor_parser -r /etc/apparmor.d/&lt;profile&gt;</screen>
<para>Where "&lt;profile&gt;" is the profile to re-load.</para>
<para>If you prefer you can restart AppArmor (same as reload)</para>
<screen>sudo /etc/init.d/apparmor restart</screen>
<para><emphasis role="bold">Anatomy of a Profile</emphasis></para>
<para>Each application you wish to confine under AppArmor is given a profile. Profiles are nothing more than text files and are generated by you, the user, sometimes with the assistance of the AppArmor tools from the command line, or managed with any editor (gedit, nano, vim, etc). I will walk you through generating a profile for firefox in the next
<para>Each profile is named after the application to which it applies, changing the / in the path to a . (the first / is simply dropped). So, /usr/lib/firefox-3.0.4/firefox.sh becomes usr.lib.firefox-3.0.4.firefox.sh.</para>
<para>Profiles are stored in the /etc/apparmor.d directory.</para>
<para>Profiles are comprised of 4 sections: #include, capability entries, rules, and hats.</para>
<para><emphasis role="bold">#include</emphasis></para>
<para>#include is akin to sourcing or libraries and allows you to generate a list of common restrictions. Rather than writing this list over and over in profiles, you can keep it in a common location and incorporate it into a profile with an #include. When you update the common list, all your profiles are updated. The stock lists shipped with AppArmor live in /etc/apparmor.d/abstractions and are pulled in with lines such as <code>#include &lt;abstractions/base&gt;</code>.</para>
<para><emphasis role="bold">Capability entries</emphasis></para>
<para>In English, this is permission checking.</para>
<para>In Geek speak:</para>
<para>Capability statements are simply the word capability followed by the name of the POSIX.1e capability as defined in the capabilities(7) man page, for example <code>capability net_bind_service,</code> to let the program bind to ports below 1024. Grant only the capabilities the program actually needs; each one is a piece of root privilege.</para>
<para><emphasis role="bold">Rules</emphasis></para>
<para>These are basically a set of permissions applied to files or directories. The syntax is a path followed by a set of permissions: [path] [rules]. You may use globbing or special characters in the path:</para>
<screen>*        Substitutes for any number of characters, except /.
**       Substitutes for any number of characters, including /.
?        Substitutes for any single character, except /.
[abc]    Substitutes for the single character a, b, or c.
[a-c]    Substitutes for the single character a, b, or c.
{ab,cd}  Expands to one rule to match ab and another to match cd.
[^a]     Substitutes for any single character except a.</screen>
<para>Rules for files include</para>
<screen>r = read
a = append</screen>
<para>Rules for executables (applications) include</para>
<screen>ix = inherit: the child runs under the current (parent's) profile.
px = requires that a separate profile exists for the application,
     without environment scrubbing.
Px = requires that a separate profile exists for the application,
     with environment scrubbing.
ux and Ux = allow execution of an application unconfined,
     without (ux) and with (Ux) environment scrubbing (use with caution if at all).
m = allow executable mapping (mmap with PROT_EXEC).</screen>
<para>Note that a ux/Ux child has no confinement at all, so anything it can reach is reachable to an attacker who controls the confined parent; prefer px/Px with a profile for the child. Environment scrubbing (the capital forms) strips variables such as LD_PRELOAD that would let the parent influence the child.</para>
<para>Example</para>
<screen># a variable definition
@{HOME} = /home/*/ /root/
# a comment about foo.
/etc/ld.so.cache r,
/etc/foo.conf r,
/tmp/foo.* lrw,
/@{HOME}/.foo_file rw,
# a comment about foo's subprofile, bar.</screen>
<para>Comments:</para>
<para>1. Note the use of a variable. This is only necessary if you mount your /home partition in a non-standard location.</para>
<screen>/@{HOME}/.foo_file</screen>
<para>2. Comments start with an octothorpe (#).</para>
<para>3. /etc/foo/* r,</para>
<para>Allows read access to the files directly in /etc/foo (a single * does not cross a /). /etc/** r, would allow read access to everything below /etc, including all sub-directories.</para>
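<para>The globbing table above, as an added example that is not part of the original tutorial or of the AppArmor project: a small matcher that turns AppArmor path globs (<code>*</code>, <code>**</code>, <code>?</code>, <code>[abc]</code>, <code>[a-c]</code>, <code>[^a]</code>, <code>{ab,cd}</code>, plus <code>@{VAR}</code> variables) into anchored regular expressions and reports which rules of a profile would match a requested file access. The profile rules, the variable values and the paths are constructed for the example; the model simply unions the permission letters of every matching rule and does not model deny rules or the execute modes. <code>glob_to_regex</code>, <code>rule_matches</code> and <code>permitted</code> are names chosen here, not AppArmor APIs.</para>

```python
"""AppArmor-style path globbing (added example, not AppArmor project code)."""
import re


def glob_to_regex(pattern, variables=None):
    """Translate one AppArmor path glob into an anchored regex string.

    variables maps a name to a list of values, e.g. {"HOME": ["/home/*", "/root"]};
    a variable with several values is expanded to a {a,b} alternation first.
    (Values containing ',' or '}' are not supported by this simple expander.)
    """
    variables = variables or {}

    def expand(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable @{{{name}}}")
        return "{" + ",".join(variables[name]) + "}"

    pattern = re.sub(r"@\{([A-Za-z0-9_]+)\}", expand, pattern)

    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):      # any characters, including /
            out.append(".*")
            i += 2
            continue
        if c == "*":                         # any characters except /
            out.append("[^/]*")
        elif c == "?":                       # one character except /
            out.append("[^/]")
        elif c == "[":                       # [abc], [a-c], [^a]: same syntax as a regex class
            j = pattern.index("]", i + 1)
            out.append("[" + pattern[i + 1:j].replace("\\", "\\\\") + "]")
            i = j
        elif c == "{":                       # {ab,cd} -> (?:ab|cd), nesting allowed
            depth += 1
            out.append("(?:")
        elif c == "}":
            if depth == 0:
                raise ValueError("unbalanced } in glob")
            depth -= 1
            out.append(")")
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))         # literal character (escapes '.', etc.)
        i += 1
    if depth:
        raise ValueError("unbalanced { in glob")
    return "^" + "".join(out) + "$"


def rule_matches(pattern, path, variables=None):
    """True if the AppArmor glob `pattern` matches the whole `path`."""
    return re.match(glob_to_regex(pattern, variables), path) is not None


def permitted(rules, path, perm, variables=None):
    """Union the permission letters of every rule whose glob matches `path`
    and report whether the requested permission (e.g. 'r' or 'w') is among them."""
    granted = set()
    for pattern, perms in rules:
        if rule_matches(pattern, path, variables):
            granted.update(perms)
    return perm in granted


# Constructed profile fragment mirroring the forms in the text (not a real profile).
VARIABLES = {"HOME": ["/home/*", "/root"]}
PROFILE_RULES = [
    ("/etc/ld.so.cache", "r"),
    ("/etc/foo.conf", "r"),
    ("/etc/foo/*", "r"),                     # files directly in /etc/foo only
    ("/tmp/foo.*", "lrw"),
    ("@{HOME}/.foo_file", "rw"),
    ("/usr/share/foo/**", "r"),              # whole tree below /usr/share/foo
    ("/var/log/foo/[0-9]?.log", "a"),
    ("/usr/lib/foo/{bin,sbin}/*", "m"),
]

if __name__ == "__main__":
    for path, perm in [("/etc/foo/a.conf", "r"), ("/etc/foo/sub/a.conf", "r"),
                       ("/home/alice/.foo_file", "w"), ("/tmp/foo.1", "a"),
                       ("/usr/share/foo/icons/x.png", "r")]:
        ok = permitted(PROFILE_RULES, path, perm, VARIABLES)
        print(f"{perm} {path:30} -> {'allowed' if ok else 'denied'}")
```

<para>The run shows the point made in comment 3: <code>/etc/foo/*</code> matches <code>/etc/foo/a.conf</code> but not <code>/etc/foo/sub/a.conf</code>, while <code>/usr/share/foo/**</code> reaches any depth. It also shows why the permission letters matter: <code>/tmp/foo.*</code> grants lrw, so an append (<code>a</code>) to <code>/tmp/foo.1</code> is refused even though the path matches.</para>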
<para><emphasis role="bold">Hats</emphasis></para>
<para>While an AppArmor profile is applied to an application, there are times when a sub-process of the program may need access differing from the main program. In this event, the sub-process may "change hats" or use an alternate sub-profile. The application itself has to ask for the change (through the change_hat call), so hats only work with programs written to use them.</para>
<para>A profile may have more than 1 sub-profile, however the sub-profiles may not have sub-sub-profiles (if that makes sense).</para>
<para>Right now very few applications use hats, and one example is
<para>For a more detailed explanation see man AppArmor man
<title>Securing Firefox</title>
<para>We have two options here, Firefox extensions OR hosts file.</para>
<para>1. Firefox extension: Adblock Plus</para>
<para>2. Hosts file. I prefer a hosts file as it protects more than just Firefox. Here is how I do it: http://ubuntuforums.org/showthread.php?t=241460#2</para>
<para>Go to your Firefox menu -> Preferences -> Privacy Tab. UNSELECT "Accept cookies from sites". All cookies are now blocked.</para>
<para>Javascript/Flash</para>
<para>JavaScript and Flash are cross-platform programming languages commonly used on the web. They add functionality, but also allow browser hijacks. Install NoScript. To configure, right click on the NoScript icon (lower right) and select Options.</para>
<para>Customize Google</para>
<para>That's right, Google is feeding you ads. Install the Customize Google extension. Then: Tools -> Customize Google Options. Go through each category on the left and tick "Remove Ads" (and anything else you might like).</para>
<para>Secure Private Data</para>
<para>1. Go to your Firefox menu -> Preferences -> Security Tab. Set a "Master Password". This will protect others from displaying your passwords. If you have a sensitive password like to the Ubuntu Forums or your Bank, BEST NOT TO STORE IT AT ALL. Hey, while you are there, check out the password strength meter.</para>
<para>2. Install SafeHistory. SafeHistory will clear your private information when you close Firefox.</para>
<para>3. Install SafeCache to be safer against CSRF attacks.</para>
<para>How to Whitelist</para>
<para>OK, now you will likely find Firefox somewhat restrictive. The goal here is to allow "normal" functioning. In order to log into forums or your banking sites we need to allow cookies and JavaScript. We will do this ONLY for specific sites we trust, via white lists.</para>
<para>1. Cookies - Firefox options -> Privacy tab. Copy the Ubuntu url from your browser: http://ubuntuforums.org/ Go to "Cookies" -> click the "Exceptions" button -> paste the ubuntu url -> click "Allow for
<para>For secure sites like Banking you will need to allow multiple urls (https), usually one from the home page, then one from the log in page, and sometimes from the next page as well. So if you are having problems, keep adding urls to the white list.</para>
<para>2. JavaScript - Right click on the NoScript icon -> Allow
<para>How to Surf Anonymously ~ Privoxy/TOR</para>
<para>Ubuntu wiki TOR http://wiki.noreply.org/noreply/TheO...er/TorOnDebian If you use TOR and have the capacity, consider contributing a TOR server (a few more servers would speed things up for everyone). http://en.linuxreviews.org/HOWTO_setup_a_Tor-server Keep in mind that TOR hides your address from the sites you visit, but the exit node can read any traffic that is not itself encrypted (https), so do not log in over plain http through it.</para>