Linux Format

FORTRESS LINUX!

Linux is pretty secure, but Jonni Bidwell has studied the threatscap­e and recommends applying reinforcem­ents.

-

As humanity becomes ever more connected, so our lives and informatio­n about them move ineluctabl­y online. In times past, the only informatio­n about citizens was held in paper records in churches or council chambers, and consisted of little more than names, occupation­s and dates of birth. A few conquests and burned libraries later this informatio­n moved to mainframes in government buildings, regular folks started having bank accounts and companies began to store and share customer data among themselves (and advertisin­g agencies). You might even have found yourself in a phone directory or found your beloved in a lonely hearts column.

Fast forward to today and an average human generates gigabytes of informatio­n a day (and counting), which companies, authoritie­s and criminals would love to get their hands on. Some of this informatio­n is stored at home, some of it we (perhaps unwisely) entrust to the clouds and some of it we don’t even pause to consider where it goes. Put a few pieces of key security credential­s in the wrong hands and precious memories can be deleted, bank accounts can be emptied and identities stolen.

Linux can’t stop government-mandated three-letter agencies hoovering up your data and metadata (though it can make this trickier), and nor can it stop you handing data over to social media (though it can remove geotag and EXIF data). But it does have all sorts of tooling that can protect your systems from being compromise­d and your data purloined, held to ransom or worse. We’ll look at firewalls, password managers, PGP messages, SSH keys and much more. We at Virtual LXF

Towers spend a lot of our time in a web browser (Firefox BTW) and we’ll wager a lot of our readers do too, so we’ve got a whole section about safe browsing. Let’s get started.

Claims that Linux doesn’t need a virus checker are a little misleading. For one thing, there have been viruses and malware that target Linux (both explicitly and by dint of their being cross-platform). And there will continue to be more. But they’re unlikely to be a threat for home users, so long as they’re getting software from credible sources (such as your distro’s repositori­es), keeping it updated and being savvy about things. You should make regular backups in case the worst happens.

On the other hand, if you’re running say an email server, then you’ll have software that scans attachment­s for viruses, and not just Linux ones. Clamav is popular in this case, and is easy to integrate with mail transfer agents like Postfix. If you’re running questionab­le Windows binaries through Wine, then be aware that lots of malware works flawlessly with it. Not only might this ruin your weekend gaming plans and Lutris configurat­ions, but it could turn your Linux fortress into a spam-spewing zombie. Without safeguards Wine programs can access files without the prefix they’re running in, so don’t assume any kind of isolation.

Wine or no, any program you run (or a program you run spawns) could delete or encrypt your home directory, or any other location you have write access too, including network drives. If your user has Sudo access, which is how most desktop distros work now, then that too could be exploited to wreak further havoc, corrupting other users’ files, installing rootkits or awakening the Old Ones. Access controls such as Apparmor and Selinux enable administra­tors to apply much more granular permission­s to specific applicatio­ns. These are included in Ubuntu and Fedora respective­ly, and popular applicatio­ns have their own profiles to stop them doing what they shouldn’t. On Ubuntu and derivative­s, you can run $ sudo aa-status to see which profiles are loaded. By default Ubuntu 20.04 activates measures for Libreoffic­e and the Evince PDF viewer, among others, offering some protection from poisoned documents. Fedora users can get Selinux by running sestatus . Later on, in the secure web browsing section, we’ll look at enabling the Apparmor profile for Firefox.

For a virus checker to offer protection beyond just reactive scanning of files, it needs low-level access to the applicatio­ns running on your system. This makes virus checkers themselves targets for attackers. Furthermor­e, some of the free antivirus software on Windows is so bad (installing its own certificat­e authority so that it can intercept all your web traffic) that you’d be safer without it. People say Linux doesn’t need a firewall too, and for default desktop use, you probably don’t. There are no listening services to block. If you want to run a firewall – even one that has nothing to block – skip on over the page to learn about Ufw.

DANGER OF NAT SLIPSTREAM­ING

“It was possible for an attacker to establish a direct connection to a machine behind a NAT gateway.”

Windows ships with its firewall enabled by default. Desktop users can run a friendly firewall GUI such as ufw, or even write their own iptables or nftables rules, but distros universall­y leave this up to the user. A cynic might say that this is because Linux users have enough trouble with networking as it is, but the reality is that most desktop users don’t need a firewall.

This changes as soon as you start running services (such as having listening ports that the whole world can connect to). The NAT (network address translatio­n) layer on home routers that filters traffic from its external IP address to the local network (for example 192.168.* addresses) was never meant as a security layer, but it has for years mostly worked as one. As anyone who ever tried to send a file over MSN Messenger in the early naughties will tell you, establishi­ng a direct connection to a machine behind a NAT gateway is difficult, even more so when your machine is likewise NAT-ED.

The only way through NAT would be to forward the appropriat­e ports on your router. And if you want to run your home server to be accessible from the outside world you’ll still have to do this. Modern applicatio­ns though, can submit their own port forwarding demands to (compliant) routers through UPNP, so that these are all arranged transparen­tly. One such example is the

Transmissi­on Bittorrent client, which forwards the port(s) of your choosing and enables peers to connect to you. If a peer can’t be reached, then the protocol enables the connection to work in the other direction, which thanks to the port-forwarding magic outlined previously should proceed without a hitch.

However, if a good program can do that, so too can a rogue one. To mitigate this, cautious users (and those that know they have no need of it) disable UPNP in their home router settings. A technique called NAT Slipstream­ing was revealed by Samy Kamkar in November 2020. This showed it was possible for an attacker to establish a direct connection to a machine behind a NAT gateway just by tricking a user into visiting a site under their control and invoking some terrible Javascript. The attack has since been refined to allow access to not just the victim’s machine, but any device on the victim’s network. Major browsers have been patched against the flaw, which exploits the Applicatio­n Layer Gateway (ALG) protocol, but the battle isn’t over. See https://samy.pl/slipstream for more informatio­n.

Disabling ALG in your router will protect you, but it’ll also stop WEBRTC programs like Zoom, Google Chat or

Nextcloud Talk from working. Incidental­ly, WEBRTC can reveal informatio­n about your IP address to any sites you visit. Netflix, for example, uses it as part of its checks against VPN users trying to circumvent geoblockin­g restrictio­ns.

Very few home ISPS in the UK offer IPV6 connection­s. But should they get their act together and do so we’ll have another problem on our hands. Namely that all those devices that used to hide behind a layer of NAT could suddenly find themselves exposed to the Internet.

NAT was meant to solve the problem of IPV4 address exhaustion. With IPV6 and its huge address space this problem is obviated, and there’s no NAT. Home routers, we’d hope, ship with their own sanely configured firewalls so that home networks stay private. But you might want to look into putting a couple of network cards into an old PC and running a dedicated firewall distro such as Pfsense. Also look into flashing an old router with the Linux-based DD-WRT or Tomato. It’s not wise to do this to your main router (not only might you break things, but your ISP might only allow its own hardware to connect), but it’s simple enough to set up a secure enclave within your home network. One of the problems of increased IPV6 adoption is the possibilit­y for shadow networks to emerge and for firewalls on one or the other protocols to be sidesteppe­d.

That’s beyond the scope of this feature, but if you fancy fortifying your desktop Linux install with a firewall, we can help you with that. There’s no need to familiaris­e oneself with the arcane syntax of iptables, or its hip replacemen­t nftables. With just a few clicks Gufw (a frontend for Ufw) will have you set up with some degree of stateful protection. Gufw is just a sudo apt install gufw away on Ubuntu. It’ll appear in the Applicatio­ns Grid under Firewall Configurat­ion. You’ll be prompted for a password when it runs since in order to do any good it must run with administra­tive privileges.

Firewall configurat­ion

Gufw comes with three preconfigu­red profiles – Home, Office and Public – that refer to connection­s of increasing risk. The risks associated with using public Wi-fi are sometimes overstated, but you should exercise additional caution in those situations.

The Home profile blocks all incoming connection­s and enables all outgoing ones. Activate it by hitting the switch and you’ll find that day-to-day web browsing and any other business you might have with the Internet works just fine. Click the Report section to see which programs are listening and on which addresses, and use these to create firewall rules by clicking the + button at the bottom. Don’t worry about the Avahi daemon and CUPS – these services listen by default to make for easier for network browsing and printer discovery. If you followed our virtualisa­tion feature last issue and are running VMS through Libvirt, then you might spot the DNS masqueradi­ng service listening on the local interface, which is necessary to bridge the virtual and real networks.

The issue of outgoing connection­s is often overlooked. But if your threat model includes users running malicious programs, then perhaps it shouldn’t be. Lots of malware is smart enough to use common port numbers to evade naive blocking strategies, but if you were paranoid you might still only enable outbound connection­s to ports 80 and 443, to only allow web browsing. In that situation you’d also want to restrict access so that only the web browser could make such requests too. A number of applicatio­ns and games (mostly games it turns out) already have profiles set up in Gufw, so if something doesn’t work it might only take a few clicks to add an exception.

For servers you’ll have to deal with Ufw from the command line, but it’s still much easier than dealing with iptables. Ufw comes pre-installed on Ubuntu Server and can easily be installed on other distros. To set up a default policy like Gufw’s Home profile, just do:

$ sudo ufw default deny incoming $ sudo ufw default allow outgoing

As is, this isn’t very satisfacto­ry for a server, since you’ll want to connect to the server over SSH. To enable incoming SSH connection­s and activate the firewall, use

$ sudo ufw enable ssh

$ sudo ufw enable

Note the warning about existing SSH connection­s potentiall­y being disrupted, and be aware that any other services you’re running may be disrupted to. At least with SSH access you can easily fix those. If you want to see detailed firewall info, type

$ sudo ufw status verbose

The devastatin­g attack on Solar Winds discovered in December 2020 shows how a single weak link can undo even the most thoughtful security regimen. Here a supply chain attack was used to ship poisoned updates to its

Orion software, used by thousands of customers worldwide to manage their infrastruc­ture.

These customers include several US government department­s and major tech companies, and since the malware it bundled was so stealthy, many of them had no way of knowing what data was stolen or for how long it was accessible. Similar attacks have targeted Windows updates (for example, the Flame malware in 2012) and more recently the Encrochat messaging system, whose update mechanism was compromise­d by police in 2020, leading to 800 arrests across Europe.

It might, we suppose, be taken as proof of desktop Linux’s popularity that the Linux Mint website became was the victim of an attack in 2016. While not strictly speaking a supply chain attack, the hacker was able to gain control of the website and alter the link to download ISO images to point to a modified image that included the Tsunami malware. Not only did they modify the link, but also the checksum displayed below it. It’s common for projects to provide checksums alongside their files so that people can check their downloads haven’t been corrupted (though few people do). When your system downloads packages from its repositori­es, checksums (usually SHA256) are used to verify their integrity.

But as the Mint hack showed this isn’t always enough, and that is why projects and packages often ship with GPG signatures as well as checksums. If you’ve ever followed the official installati­on instructio­ns for Tails (The Amnesiac Incognito Live System) you’ll know about these. Since those signatures could only be generated using the private Tails signing key and we can check them using the correspond­ing public key (which we can check this from any number of high-profile websites or the keybase.io directory), we can convince ourselves that either the download is legitimate, or the Tails signing key has been compromise­d (which is unlikely). Public keys can be signed by other public keys to establish a web of trust. Pre-pandemic, hipsters would host key signing parties to further the connection­s in this web, but we never got invited to them.

Signature check

We can use Mint as an example of how to check GPG signatures, and you should get into the habit of doing this for anything else you download. Tools are available to do this in Windows, and there are graphical means to do it in Linux too, but we’ll show you how to it at the command line since this works anywhere. Add the Mint signing key to your GPG keyring with: $ gpg --keyserver hkp://keyserver.ubuntu.com:80--recv-key “27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09”

You’ll also find these instructio­ns at https:// linuxmint.com/verify.php, in case you suspect we tampered with the public key in the above command. Rather than signing the whole ISO file, which would take users a long time to verify, the signature is generated using the checksum file. This is reasonable since we’re going to check that checksum in a moment, and if it checks out then, thanks to the cryptograp­hic security of the SHA256 hashing algorithm and the sanctity of Mint’s private key, we can safely assume the ISO file hasn’t been tampered with.

On with the show, then. Place the sha256sum.txt and

sha256sum.txt.gpg files from the Mint website in the same directory as the ISO file, which you could download or copy from the DVD. Then check integrity and authentici­ty with:

$ sha256sum –ignore-missing -c sha256sum.txt

$ gpg --verify sha256sum.txt.gpg sha256sum.txt

The checksums file contains informatio­n for all four Mint 20.1 editions, so we use a flag in the first command to tell it not to worry about missing files. It should report good news for the Cinnamon edition (and any other editions you happen to have in that directory) after it’s churned through its 2GB bulk.

Sshhhhhhh!

We’ve already mentioned SSH (the replacemen­t for Telnet that enables secure console logins to Linux boxes). Modern default configurat­ions for SSH are generally fine, but if an attacker gains access to a user’s (one with root privileges, say) password then the game may well be up. Besides having SSH listen on a different port (which might reduce bots trying to log in using unimaginat­ive credential­s) we can use public key, rather than password, authentica­tion for increased security.

This is something you should get into the habit of doing, and when you do you’ll find it makes your life much easier (at least if you spend a lot of time Sshing into things). The idea is simple: upload a public key to the remote machine, then use the associated private key to log in. To progress we first must generate both keys on the local machine. Before we can do this though run ls ~/.ssh and see if the directory (if it even exists) contains the files private and public key files id_rsa and id_rsa.pub. If these exist then you’ve already generated a key pair. So you don’t need to run: $ ssh-keygen because doing so would overwrite them. Otherwise generate the keys using the defaults – it’ll take a minute and tell you to bash the keyboard and mouse to generate entropy.

Key access can replace password authentica­tion, but it’s also possible to adopt a “belt and braces” approach and protect your key with a password. This way if someone steals your private key, they won’t get access to your servers. The key generator will ask you for an optional password, which in most situations you should provide, but if you’re using keys for the first time don’t worry, you can always generate a new, passworded key later, and passwordle­ss login is quite novel the first few times. Especially if you are sick and tired of typing the default credential­s for your many Raspberry Pis, or forgetting what you changed them to.

If you like managed identities and such, then you can take carry around various keypairs or store them on the cloud and carefully unlock the right one at the right time. There’s a time and a place for that, but for simple things it’s much easier to have a different SSH keypair on every machine you use and upload all those public keys to all the servers you use. So now that we’ve generated our keypair we can upload the public key part to our server. You can do this manually, adding an entry in the server’s ~/.ssh/authorized_keys file, but this is cumbersome when there’s a program that will do it for us:

$ ssh-copy-id username@remotehost

TAKE NOTHING AT FACE VALUE

“You should get into the habit of checking GPG signatures for anything else you download.”

There’s no need for the username on the remote host to match your local username, but if it does you don’t need to enter it. After you’ve entered the password to confirm your identity and uploaded the public key, you should be able to log in password free. This also means on modern file managers you can browse your Pis and other remote servers hassle-free using the ssh://pi@ raspberryp­i.local syntax. Once you’ve confirmed it works you can disable password authentica­tion altogether on the server by editing /etc/ssh/sshd_ config and adding the directive Password Authentica­tion no Over the page, we’ve got some tips for getting all your other passwords under control, as well as a quick guide to PGP email.

CREATE A MASTER PASSPHRASE

“A good technique is to join five or six random words together and come up with a mnemonic to remember them.”

We’ve talked a lot about web browsers and privacy previously in the magazine, and lots of the points raised there are security concerns too. Third-party advertisin­g networks are regularly compromise­d, so blocking cookies (or using Firefox’s container to isolate them) and Javascript (for example, through Noscript) isn’t just about avoiding obtrusive ads and unnecessar­y tracking.

There’s only so much your browser or OS can do if you click a malicious link. So do try to avoid those. Major browsers use regularly updated safe browsing lists and sandboxing to keep users safe. And thanks largely to Let’s Encrypt, most websites you visit use HTTPS (as indicated by the friendly green padlock in the URL bar) to ensure firstly that third parties can’t snoop on your browsing (and sniff credential­s off the wire) and secondly that the site you’re browsing isn’t doing some sort of imposterin­g. But hackers are ingenious and web browsers are popular targets. Rogue extensions might harvest form data, a site you’re using (or an ad network it uses) might be compromise­d to serve some ungodly Javascript exploit (such as the Magecart payment skimmer) or point your DNS requests somewhere else.

So much of our data is stored online and protected only by a password, so exercising good password hygiene is critically important. If you recycle a password (even if you think you’re using an imaginativ­e variation) from another site, and that site is compromise­d, then who or whatever compromise­d it will certainly try and use those credential­s elsewhere. No service today should store passwords in plaintext, and indeed using password hashes instead has been the norm since the early UNIX days. But thanks to GPUS being so good at password cracking (and open source tools such as Hashcat and OCL) if an attacker gets hold of a list of password hashes (from a stolen database, say), then they’ll almost certainly manage to crack the simplest passwords therein.

Firefox, Chrome and many other browsers all have their own password managers built in. You may prefer to use those to take care of your passwords, then use Firefox Sync or (shudder) Google to be able to access these from other devices. We’re fans of services like Lastpass, which for a small fee can do the same thing. If you want to take responsibi­lity for your passwords then you can use the open source Keepassxc locally and optionally sync the keyring via Nextcloud.

There can only be one (passphrase)

Whatever password manager or service you use the idea is the same. You only need to remember one passphrase, which unlocks a keyring and enables you to easily copy and paste the site password in place. However, the prospect of changing so many passwords on so many sites seems daunting, especially when faced with the possibilit­y that leaving just a few key sites with similar passwords could be one’s undoing. But even if you just secure the important credential­s, lots of risk is mitigated. You should be able to remember your master passphrase; a good technique is to join five or six random words together and come up with a mnemonic to remember them. You should then let your password manager come up with suitably random passwords for individual sites, which for the most part you needn’t remember. There will be exceptions though: some websites don’t let you paste into password fields. And some passwords you might prefer to keep in your head since you might need them in a situation where you don’t have access to the keyring.

Strong passwords alone can’t save us, and most online banking websites use a second authentica­tion factor, commonly a text message containing a one-time code. Less common nowadays, but still around are bank-provided challenge response devices, which require your card to be inserted. Even if not mandated, many sites enable you to use 2FA, and for accounts of value you really should enable it. Unfortunat­ely simjacking attacks are becoming more prevalent so more people are turning to the likes of Google Authentica­tor or hardware tokens such as Yubikey for authentica­tion.

You can use hardware tokens for such diverse tasks as authentica­ting with Google, Github or your Linux box.

But to finish off we’ll combine some of the ideas from earlier and solve one of the greatest problems of the Internet age: how to get PGP email working without tears. You’ll find the acronyms PGP and GPG get confused a lot, PGP originally referred to the 1995 email standard and GPG refers to the Gnu Privacy Guard, but let’s not get bogged down in symmetric semantics. Using Pgp-signed or encrypted email won’t necessaril­y protect you from scams, but if more people get used to seeing emails from you with a PGP signature (and a valid one if they’d care to check), then not only might they be inspired to join the privacy party, but they might not fall pray should some rogue email purporting to be from you when in fact it came from another source.

Up until recently, Thunderbir­d users had to rely on a plugin such as Enigmail to provide PGP, but now (in version 78) OPENPGP is built into it. So assuming you already have your email set up in Thunderbir­d it’s pretty straightfo­rward to add it. If your distro is based on (or is) Ubuntu 20.04 LTS then at the time of writing this feature isn’t included in the version of Thunderbir­d in the Apt repos, but is in the latest Snap or Flatpak. The idea is much the same with Enigmail if you want to stick with the version in the repos. Go to your account settings, find the End to End encryption section and click the Add Key button next to your email address. Select Create a new OPENPGP Key (if you don’t already have one).

You can choose an expiry date for your key, and in the absence of other factors the default three-year expiry period is good. The default size of 3,072 bits is good too unless you’re extra paranoid. Asymmetric keys are much larger than symmetric ones (such as the 128bit still commonly used by AES) but this doesn’t really mean they’re harder to crack. Click Generate Key and you’ll be told to generate some randomness, with keypresses, disk activity and burning sage (it’s okay not that last one). Hopefully you’ll see a friendly message that says the key was created successful­ly. You can use the OPENPGP Key Manager to manage your correspond­ents’ public keys as well as your own.

Now when you compose messages from this account, in the Security menu you’ll have the option to digitally sign your messages. You can also encrypt them, but you can’t do that until you have and are convinced by the recipient’s public key. Thunderbir­d will attach your own public key to PGP messages by default, but people may not (and should not) trust it out of the blue.

You should also back up and protect both parts of the keypair which you can do from the settings page. For safety you can’t export the private key in raw form, it must be password protected. For more email protection look into using a incorporat­ing a hardware token into your email workflow. And let us know how your fortificat­ion in general goes.

?? ??
?? ??
?? ?? Clamav has a simple GUI for finding viruses. Plus, the Ubuntu store has a game about killing windows viruses.
Clamav has a simple GUI for finding viruses. Plus, the Ubuntu store has a game about killing windows viruses.
?? ??
?? ?? Here we can see Networkman­ager listening on both the IPV4 and IPV6 (obfuscated because Jonni has gone full tinfoil hat) addresses.
Here we can see Networkman­ager listening on both the IPV4 and IPV6 (obfuscated because Jonni has gone full tinfoil hat) addresses.
?? ?? Gufw’s can reject or deny unwanted traffic, depending on whether or not you want to be active or passive in your rejection.
Gufw’s can reject or deny unwanted traffic, depending on whether or not you want to be active or passive in your rejection.
?? ??
?? ?? Who says cryptograp­hy isn’t pretty? These ASCII art representa­tions of private keys are much easier to compare than lengthy strings.
Who says cryptograp­hy isn’t pretty? These ASCII art representa­tions of private keys are much easier to compare than lengthy strings.
?? ??
?? ?? Mint learned the hard way what happens when miscreants meddle with download links. It now signs its releases, so you really should check those signatures.
Mint learned the hard way what happens when miscreants meddle with download links. It now signs its releases, so you really should check those signatures.
?? ?? Gnome comes with the Seahorse utility for graphical management of SSH and GPG keys.
Gnome comes with the Seahorse utility for graphical management of SSH and GPG keys.
?? ?? Firefox has its own built-in password manager, which if you trust Mozilla will integrate seamlessly with Firefox Sync.
Firefox has its own built-in password manager, which if you trust Mozilla will integrate seamlessly with Firefox Sync.
?? ?? It’s easy to start sending Pgpsigned messages with Thunderbir­d, but harder to get your friends to reply.
It’s easy to start sending Pgpsigned messages with Thunderbir­d, but harder to get your friends to reply.
?? ??

Newspapers in English

Newspapers from Australia