Some people are, rather falsely, under the impression that just because they use Linux they don’t need to worry about security. Sure, Linux doesn’t suffer from the same types of security issues and prevalent malware that Windows does, but that doesn’t mean that Linux users can neglect their systems and expect to be secure.
These five tools are absolutely essential for Linux desktop users. If you’re running a server, there are more. This guide doesn’t present them in any particular order because they all serve different and arguably equally important functions. Plus, they are all free and open-source software. So if you aren’t using any of these on your Linux desktop, start now.
In the wake of this spring’s Senate ruling nixing FCC privacy regulations imposed on ISPs, you may be (even more) worried about how your data is used, misused, and abused. There have been a lot of opinions on this topic since, ranging from “the sky is falling” to “move along, citizen, nothing to see here.” The fact is, ISPs tend to be pretty unscrupulous, sometimes even ruthless, about how they gather and use their customers’ data. You may not be sure how it’s a problem if your ISP gives advertisers more info to serve ads you’d like to see—but what about when your ISP literally edits your HTTP traffic, inserting more ads and possibly breaking webpages?
With a Congress that has demonstrated its lack of interest in protecting you from your ISP, and ISPs that have repeatedly demonstrated a “whatever-we-can-get-away-with” attitude toward customers’ data privacy and integrity, it may be time to look into how to get your data out from under your ISP’s prying eyes and grubby fingers intact. To do that, you’ll need a VPN. more
The Linux operating system is known for security. From the bottom up, Linux was designed to be a platform to be trusted. There is, however, one weak link in the chain. This weakness didn’t just appear, nor is it considered a security bug on any given radar. What I’m talking about is the antiquated X11 Window server still found in use on most Linux distributions.
For those that don’t know, X was originally designed and released in 1985 and X11 in 1987. X.org replaced X11 and was originally released April 6, 2004. When X was originally conceived, the computing world was in a completely different state. Both X and X.org lack a few very important security features that are critical for modern era usage and hardware:
- All X applications have access to everything on your screen
- All X applications can register to receive every keystroke, regardless of which window said keystrokes are typed within
- Applications such as browsers can be remotely controlled such that keystrokes can be forged as if the user were typing them
- The xhost + option can completely disable any security on the display
Firejail is an easy to use sandbox that reduces the risk of security breaches by restricting the running environment of untrusted applications using seccomp-bpf and Linux namespaces.
The first seccomp/namespaces sandbox was built by Google for Chromium browser. It was released in 2012, replacing their existing SELinux sandbox. Shiny new technology, the sandbox flew under the radar gaining market share. By 2014 when Firejail project was started, Chromium browser was already running on 50% of Linux desktops. Today there are a small number of projects sandboxing browsers and other desktop applications using seccomp/namespaces technology. We are proud to be one of them.
From the beginning we realized the contradiction between security and comfort, and we made ease of use one of our main goals. We managed to achieve this goal without sacrificing the security functionality. We provide:
- a simple method to start the sandbox from command line – prefix your application name with “firejail”, eg “firejail firefox”
- full desktop integration – applications are sandboxed automatically when started by clicking on icons in file manager or desktop manager menus
- an intuitive syntax for building advanced security profiles
Our focus is GUI application sandboxing, with web browsers being the main target. The sandbox denies access to private files in user’s home directory. Inside the sandbox, Downloads directory and the browser configuration files are real, everything else is stored in a temporary filesystem and later discarded:
Only Downloads directory is visible inside a sandboxed Firefox browser.
This guide describes the steps necessary to install and configure Firejail sandbox on Linux Mint. Both Cinnamon and MATE desktop environments are supported. We provide similar support for all desktop managers.
There is no question that the web browser will be the piece of software with the largest and the most exposed attack surface on your Linux workstation. It is a tool written specifically to download and execute untrusted, frequently hostile code.
It attempts to shield you from this danger by employing multiple mechanisms such as sandboxes and code sanitization, but they have all been previously defeated on multiple occasions. System administrators should learn to approach browsing websites as the most insecure activity you’ll engage in on any given day.
There are several ways you can reduce the impact of a compromised browser, but the truly effective ways will require significant changes in the way you operate your workstation. more
[…] To me, the most prominent information to draw from this little experiment is that similar iptables and nftables setups are comparable in performance. Yes, nftables is usually a bit behind, but given that development focus at this point is still on functionality rather than performance, I’m sure this is subject to change in the near future.
Regarding scalability, ipset is a blessing to any iptables set up. Nftables follow the path with their native implementation of sets and take the concept to a higher level by extending the list of supported data types and allowing it to be used in further applications using (verdict) maps. more
Running Steam in Firejail
I figured out how to install Steam on Debian 8 (jessie). Not a big deal; lot’s of people have figured it out. In fact steam is available as a non-free Debian package.
However, I prefer to install Steam manually and run it inside Firejail. This article is a reminder to myself, in case I forget how I did it.
Hopefully this information will also be useful to someone else. But I guarantee nothing. This procedure works for me, on my computer, with the few games that I tested. It may or may not work for you. more