FORTRESS LINUX!
Linux is pretty secure, but Jonni Bidwell has studied the threatscape and recommends applying reinforcements.
As humanity becomes ever more connected, so our lives and information about them move ineluctably online. In times past, the only information about citizens was held in paper records in churches or council chambers, and consisted of little more than names, occupations and dates of birth. A few conquests and burned libraries later this information moved to mainframes in government buildings, regular folks started having bank accounts and companies began to store and share customer data among themselves (and advertising agencies). You might even have found yourself in a phone directory or found your beloved in a lonely hearts column.
Fast forward to today and an average human generates gigabytes of information a day (and counting), which companies, authorities and criminals would love to get their hands on. Some of this information is stored at home, some of it we (perhaps unwisely) entrust to the clouds and some of it we don’t even pause to consider where it goes. Put a few pieces of key security credentials in the wrong hands and precious memories can be deleted, bank accounts can be emptied and identities stolen.
Linux can’t stop government-mandated three-letter agencies hoovering up your data and metadata (though it can make this trickier), and nor can it stop you handing data over to social media (though it can remove geotag and EXIF data). But it does have all sorts of tooling that can protect your systems from being compromised and your data purloined, held to ransom or worse. We’ll look at firewalls, password managers, PGP messages, SSH keys and much more. We at Virtual LXF
Towers spend a lot of our time in a web browser (Firefox BTW) and we’ll wager a lot of our readers do too, so we’ve got a whole section about safe browsing. Let’s get started.
Claims that Linux doesn’t need a virus checker are a little misleading. For one thing, there have been viruses and malware that target Linux (both explicitly and by dint of their being cross-platform). And there will continue to be more. But they’re unlikely to be a threat for home users, so long as they’re getting software from credible sources (such as your distro’s repositories), keeping it updated and being savvy about things. You should make regular backups in case the worst happens.
On the other hand, if you’re running say an email server, then you’ll have software that scans attachments for viruses, and not just Linux ones. Clamav is popular in this case, and is easy to integrate with mail transfer agents like Postfix. If you’re running questionable Windows binaries through Wine, then be aware that lots of malware works flawlessly with it. Not only might this ruin your weekend gaming plans and Lutris configurations, but it could turn your Linux fortress into a spam-spewing zombie. Without safeguards Wine programs can access files without the prefix they’re running in, so don’t assume any kind of isolation.
Wine or no, any program you run (or a program you run spawns) could delete or encrypt your home directory, or any other location you have write access too, including network drives. If your user has Sudo access, which is how most desktop distros work now, then that too could be exploited to wreak further havoc, corrupting other users’ files, installing rootkits or awakening the Old Ones. Access controls such as Apparmor and Selinux enable administrators to apply much more granular permissions to specific applications. These are included in Ubuntu and Fedora respectively, and popular applications have their own profiles to stop them doing what they shouldn’t. On Ubuntu and derivatives, you can run $ sudo aa-status to see which profiles are loaded. By default Ubuntu 20.04 activates measures for Libreoffice and the Evince PDF viewer, among others, offering some protection from poisoned documents. Fedora users can get Selinux by running sestatus . Later on, in the secure web browsing section, we’ll look at enabling the Apparmor profile for Firefox.
For a virus checker to offer protection beyond just reactive scanning of files, it needs low-level access to the applications running on your system. This makes virus checkers themselves targets for attackers. Furthermore, some of the free antivirus software on Windows is so bad (installing its own certificate authority so that it can intercept all your web traffic) that you’d be safer without it. People say Linux doesn’t need a firewall too, and for default desktop use, you probably don’t. There are no listening services to block. If you want to run a firewall – even one that has nothing to block – skip on over the page to learn about Ufw.
DANGER OF NAT SLIPSTREAMING
“It was possible for an attacker to establish a direct connection to a machine behind a NAT gateway.”
Windows ships with its firewall enabled by default. Desktop users can run a friendly firewall GUI such as ufw, or even write their own iptables or nftables rules, but distros universally leave this up to the user. A cynic might say that this is because Linux users have enough trouble with networking as it is, but the reality is that most desktop users don’t need a firewall.
This changes as soon as you start running services (such as having listening ports that the whole world can connect to). The NAT (network address translation) layer on home routers that filters traffic from its external IP address to the local network (for example 192.168.* addresses) was never meant as a security layer, but it has for years mostly worked as one. As anyone who ever tried to send a file over MSN Messenger in the early naughties will tell you, establishing a direct connection to a machine behind a NAT gateway is difficult, even more so when your machine is likewise NAT-ED.
The only way through NAT would be to forward the appropriate ports on your router. And if you want to run your home server to be accessible from the outside world you’ll still have to do this. Modern applications though, can submit their own port forwarding demands to (compliant) routers through UPNP, so that these are all arranged transparently. One such example is the
Transmission Bittorrent client, which forwards the port(s) of your choosing and enables peers to connect to you. If a peer can’t be reached, then the protocol enables the connection to work in the other direction, which thanks to the port-forwarding magic outlined previously should proceed without a hitch.
However, if a good program can do that, so too can a rogue one. To mitigate this, cautious users (and those that know they have no need of it) disable UPNP in their home router settings. A technique called NAT Slipstreaming was revealed by Samy Kamkar in November 2020. This showed it was possible for an attacker to establish a direct connection to a machine behind a NAT gateway just by tricking a user into visiting a site under their control and invoking some terrible Javascript. The attack has since been refined to allow access to not just the victim’s machine, but any device on the victim’s network. Major browsers have been patched against the flaw, which exploits the Application Layer Gateway (ALG) protocol, but the battle isn’t over. See https://samy.pl/slipstream for more information.
Disabling ALG in your router will protect you, but it’ll also stop WEBRTC programs like Zoom, Google Chat or
Nextcloud Talk from working. Incidentally, WEBRTC can reveal information about your IP address to any sites you visit. Netflix, for example, uses it as part of its checks against VPN users trying to circumvent geoblocking restrictions.
Very few home ISPS in the UK offer IPV6 connections. But should they get their act together and do so we’ll have another problem on our hands. Namely that all those devices that used to hide behind a layer of NAT could suddenly find themselves exposed to the Internet.
NAT was meant to solve the problem of IPV4 address exhaustion. With IPV6 and its huge address space this problem is obviated, and there’s no NAT. Home routers, we’d hope, ship with their own sanely configured firewalls so that home networks stay private. But you might want to look into putting a couple of network cards into an old PC and running a dedicated firewall distro such as Pfsense. Also look into flashing an old router with the Linux-based DD-WRT or Tomato. It’s not wise to do this to your main router (not only might you break things, but your ISP might only allow its own hardware to connect), but it’s simple enough to set up a secure enclave within your home network. One of the problems of increased IPV6 adoption is the possibility for shadow networks to emerge and for firewalls on one or the other protocols to be sidestepped.
That’s beyond the scope of this feature, but if you fancy fortifying your desktop Linux install with a firewall, we can help you with that. There’s no need to familiarise oneself with the arcane syntax of iptables, or its hip replacement nftables. With just a few clicks Gufw (a frontend for Ufw) will have you set up with some degree of stateful protection. Gufw is just a sudo apt install gufw away on Ubuntu. It’ll appear in the Applications Grid under Firewall Configuration. You’ll be prompted for a password when it runs since in order to do any good it must run with administrative privileges.
Firewall configuration
Gufw comes with three preconfigured profiles – Home, Office and Public – that refer to connections of increasing risk. The risks associated with using public Wi-fi are sometimes overstated, but you should exercise additional caution in those situations.
The Home profile blocks all incoming connections and enables all outgoing ones. Activate it by hitting the switch and you’ll find that day-to-day web browsing and any other business you might have with the Internet works just fine. Click the Report section to see which programs are listening and on which addresses, and use these to create firewall rules by clicking the + button at the bottom. Don’t worry about the Avahi daemon and CUPS – these services listen by default to make for easier for network browsing and printer discovery. If you followed our virtualisation feature last issue and are running VMS through Libvirt, then you might spot the DNS masquerading service listening on the local interface, which is necessary to bridge the virtual and real networks.
The issue of outgoing connections is often overlooked. But if your threat model includes users running malicious programs, then perhaps it shouldn’t be. Lots of malware is smart enough to use common port numbers to evade naive blocking strategies, but if you were paranoid you might still only enable outbound connections to ports 80 and 443, to only allow web browsing. In that situation you’d also want to restrict access so that only the web browser could make such requests too. A number of applications and games (mostly games it turns out) already have profiles set up in Gufw, so if something doesn’t work it might only take a few clicks to add an exception.
For servers you’ll have to deal with Ufw from the command line, but it’s still much easier than dealing with iptables. Ufw comes pre-installed on Ubuntu Server and can easily be installed on other distros. To set up a default policy like Gufw’s Home profile, just do:
$ sudo ufw default deny incoming $ sudo ufw default allow outgoing
As is, this isn’t very satisfactory for a server, since you’ll want to connect to the server over SSH. To enable incoming SSH connections and activate the firewall, use
$ sudo ufw enable ssh
$ sudo ufw enable
Note the warning about existing SSH connections potentially being disrupted, and be aware that any other services you’re running may be disrupted to. At least with SSH access you can easily fix those. If you want to see detailed firewall info, type
$ sudo ufw status verbose
The devastating attack on Solar Winds discovered in December 2020 shows how a single weak link can undo even the most thoughtful security regimen. Here a supply chain attack was used to ship poisoned updates to its
Orion software, used by thousands of customers worldwide to manage their infrastructure.
These customers include several US government departments and major tech companies, and since the malware it bundled was so stealthy, many of them had no way of knowing what data was stolen or for how long it was accessible. Similar attacks have targeted Windows updates (for example, the Flame malware in 2012) and more recently the Encrochat messaging system, whose update mechanism was compromised by police in 2020, leading to 800 arrests across Europe.
It might, we suppose, be taken as proof of desktop Linux’s popularity that the Linux Mint website became was the victim of an attack in 2016. While not strictly speaking a supply chain attack, the hacker was able to gain control of the website and alter the link to download ISO images to point to a modified image that included the Tsunami malware. Not only did they modify the link, but also the checksum displayed below it. It’s common for projects to provide checksums alongside their files so that people can check their downloads haven’t been corrupted (though few people do). When your system downloads packages from its repositories, checksums (usually SHA256) are used to verify their integrity.
But as the Mint hack showed this isn’t always enough, and that is why projects and packages often ship with GPG signatures as well as checksums. If you’ve ever followed the official installation instructions for Tails (The Amnesiac Incognito Live System) you’ll know about these. Since those signatures could only be generated using the private Tails signing key and we can check them using the corresponding public key (which we can check this from any number of high-profile websites or the keybase.io directory), we can convince ourselves that either the download is legitimate, or the Tails signing key has been compromised (which is unlikely). Public keys can be signed by other public keys to establish a web of trust. Pre-pandemic, hipsters would host key signing parties to further the connections in this web, but we never got invited to them.
Signature check
We can use Mint as an example of how to check GPG signatures, and you should get into the habit of doing this for anything else you download. Tools are available to do this in Windows, and there are graphical means to do it in Linux too, but we’ll show you how to it at the command line since this works anywhere. Add the Mint signing key to your GPG keyring with: $ gpg --keyserver hkp://keyserver.ubuntu.com:80--recv-key “27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09”
You’ll also find these instructions at https:// linuxmint.com/verify.php, in case you suspect we tampered with the public key in the above command. Rather than signing the whole ISO file, which would take users a long time to verify, the signature is generated using the checksum file. This is reasonable since we’re going to check that checksum in a moment, and if it checks out then, thanks to the cryptographic security of the SHA256 hashing algorithm and the sanctity of Mint’s private key, we can safely assume the ISO file hasn’t been tampered with.
On with the show, then. Place the sha256sum.txt and
sha256sum.txt.gpg files from the Mint website in the same directory as the ISO file, which you could download or copy from the DVD. Then check integrity and authenticity with:
$ sha256sum –ignore-missing -c sha256sum.txt
$ gpg --verify sha256sum.txt.gpg sha256sum.txt
The checksums file contains information for all four Mint 20.1 editions, so we use a flag in the first command to tell it not to worry about missing files. It should report good news for the Cinnamon edition (and any other editions you happen to have in that directory) after it’s churned through its 2GB bulk.
Sshhhhhhh!
We’ve already mentioned SSH (the replacement for Telnet that enables secure console logins to Linux boxes). Modern default configurations for SSH are generally fine, but if an attacker gains access to a user’s (one with root privileges, say) password then the game may well be up. Besides having SSH listen on a different port (which might reduce bots trying to log in using unimaginative credentials) we can use public key, rather than password, authentication for increased security.
This is something you should get into the habit of doing, and when you do you’ll find it makes your life much easier (at least if you spend a lot of time Sshing into things). The idea is simple: upload a public key to the remote machine, then use the associated private key to log in. To progress we first must generate both keys on the local machine. Before we can do this though run ls ~/.ssh and see if the directory (if it even exists) contains the files private and public key files id_rsa and id_rsa.pub. If these exist then you’ve already generated a key pair. So you don’t need to run: $ ssh-keygen because doing so would overwrite them. Otherwise generate the keys using the defaults – it’ll take a minute and tell you to bash the keyboard and mouse to generate entropy.
Key access can replace password authentication, but it’s also possible to adopt a “belt and braces” approach and protect your key with a password. This way if someone steals your private key, they won’t get access to your servers. The key generator will ask you for an optional password, which in most situations you should provide, but if you’re using keys for the first time don’t worry, you can always generate a new, passworded key later, and passwordless login is quite novel the first few times. Especially if you are sick and tired of typing the default credentials for your many Raspberry Pis, or forgetting what you changed them to.
If you like managed identities and such, then you can take carry around various keypairs or store them on the cloud and carefully unlock the right one at the right time. There’s a time and a place for that, but for simple things it’s much easier to have a different SSH keypair on every machine you use and upload all those public keys to all the servers you use. So now that we’ve generated our keypair we can upload the public key part to our server. You can do this manually, adding an entry in the server’s ~/.ssh/authorized_keys file, but this is cumbersome when there’s a program that will do it for us:
$ ssh-copy-id username@remotehost
TAKE NOTHING AT FACE VALUE
“You should get into the habit of checking GPG signatures for anything else you download.”
There’s no need for the username on the remote host to match your local username, but if it does you don’t need to enter it. After you’ve entered the password to confirm your identity and uploaded the public key, you should be able to log in password free. This also means on modern file managers you can browse your Pis and other remote servers hassle-free using the ssh://pi@ raspberrypi.local syntax. Once you’ve confirmed it works you can disable password authentication altogether on the server by editing /etc/ssh/sshd_ config and adding the directive Password Authentication no Over the page, we’ve got some tips for getting all your other passwords under control, as well as a quick guide to PGP email.
CREATE A MASTER PASSPHRASE
“A good technique is to join five or six random words together and come up with a mnemonic to remember them.”
We’ve talked a lot about web browsers and privacy previously in the magazine, and lots of the points raised there are security concerns too. Third-party advertising networks are regularly compromised, so blocking cookies (or using Firefox’s container to isolate them) and Javascript (for example, through Noscript) isn’t just about avoiding obtrusive ads and unnecessary tracking.
There’s only so much your browser or OS can do if you click a malicious link. So do try to avoid those. Major browsers use regularly updated safe browsing lists and sandboxing to keep users safe. And thanks largely to Let’s Encrypt, most websites you visit use HTTPS (as indicated by the friendly green padlock in the URL bar) to ensure firstly that third parties can’t snoop on your browsing (and sniff credentials off the wire) and secondly that the site you’re browsing isn’t doing some sort of impostering. But hackers are ingenious and web browsers are popular targets. Rogue extensions might harvest form data, a site you’re using (or an ad network it uses) might be compromised to serve some ungodly Javascript exploit (such as the Magecart payment skimmer) or point your DNS requests somewhere else.
So much of our data is stored online and protected only by a password, so exercising good password hygiene is critically important. If you recycle a password (even if you think you’re using an imaginative variation) from another site, and that site is compromised, then who or whatever compromised it will certainly try and use those credentials elsewhere. No service today should store passwords in plaintext, and indeed using password hashes instead has been the norm since the early UNIX days. But thanks to GPUS being so good at password cracking (and open source tools such as Hashcat and OCL) if an attacker gets hold of a list of password hashes (from a stolen database, say), then they’ll almost certainly manage to crack the simplest passwords therein.
Firefox, Chrome and many other browsers all have their own password managers built in. You may prefer to use those to take care of your passwords, then use Firefox Sync or (shudder) Google to be able to access these from other devices. We’re fans of services like Lastpass, which for a small fee can do the same thing. If you want to take responsibility for your passwords then you can use the open source Keepassxc locally and optionally sync the keyring via Nextcloud.
There can only be one (passphrase)
Whatever password manager or service you use the idea is the same. You only need to remember one passphrase, which unlocks a keyring and enables you to easily copy and paste the site password in place. However, the prospect of changing so many passwords on so many sites seems daunting, especially when faced with the possibility that leaving just a few key sites with similar passwords could be one’s undoing. But even if you just secure the important credentials, lots of risk is mitigated. You should be able to remember your master passphrase; a good technique is to join five or six random words together and come up with a mnemonic to remember them. You should then let your password manager come up with suitably random passwords for individual sites, which for the most part you needn’t remember. There will be exceptions though: some websites don’t let you paste into password fields. And some passwords you might prefer to keep in your head since you might need them in a situation where you don’t have access to the keyring.
Strong passwords alone can’t save us, and most online banking websites use a second authentication factor, commonly a text message containing a one-time code. Less common nowadays, but still around are bank-provided challenge response devices, which require your card to be inserted. Even if not mandated, many sites enable you to use 2FA, and for accounts of value you really should enable it. Unfortunately simjacking attacks are becoming more prevalent so more people are turning to the likes of Google Authenticator or hardware tokens such as Yubikey for authentication.
You can use hardware tokens for such diverse tasks as authenticating with Google, Github or your Linux box.
But to finish off we’ll combine some of the ideas from earlier and solve one of the greatest problems of the Internet age: how to get PGP email working without tears. You’ll find the acronyms PGP and GPG get confused a lot, PGP originally referred to the 1995 email standard and GPG refers to the Gnu Privacy Guard, but let’s not get bogged down in symmetric semantics. Using Pgp-signed or encrypted email won’t necessarily protect you from scams, but if more people get used to seeing emails from you with a PGP signature (and a valid one if they’d care to check), then not only might they be inspired to join the privacy party, but they might not fall pray should some rogue email purporting to be from you when in fact it came from another source.
Up until recently, Thunderbird users had to rely on a plugin such as Enigmail to provide PGP, but now (in version 78) OPENPGP is built into it. So assuming you already have your email set up in Thunderbird it’s pretty straightforward to add it. If your distro is based on (or is) Ubuntu 20.04 LTS then at the time of writing this feature isn’t included in the version of Thunderbird in the Apt repos, but is in the latest Snap or Flatpak. The idea is much the same with Enigmail if you want to stick with the version in the repos. Go to your account settings, find the End to End encryption section and click the Add Key button next to your email address. Select Create a new OPENPGP Key (if you don’t already have one).
You can choose an expiry date for your key, and in the absence of other factors the default three-year expiry period is good. The default size of 3,072 bits is good too unless you’re extra paranoid. Asymmetric keys are much larger than symmetric ones (such as the 128bit still commonly used by AES) but this doesn’t really mean they’re harder to crack. Click Generate Key and you’ll be told to generate some randomness, with keypresses, disk activity and burning sage (it’s okay not that last one). Hopefully you’ll see a friendly message that says the key was created successfully. You can use the OPENPGP Key Manager to manage your correspondents’ public keys as well as your own.
Now when you compose messages from this account, in the Security menu you’ll have the option to digitally sign your messages. You can also encrypt them, but you can’t do that until you have and are convinced by the recipient’s public key. Thunderbird will attach your own public key to PGP messages by default, but people may not (and should not) trust it out of the blue.
You should also back up and protect both parts of the keypair which you can do from the settings page. For safety you can’t export the private key in raw form, it must be password protected. For more email protection look into using a incorporating a hardware token into your email workflow. And let us know how your fortification in general goes.