This document is aimed at teams of systems administrators who use Linux workstations to access and manage your project’s IT infrastructure.
If your systems administrators are remote workers, you may use this set of guidelines to help ensure that their workstations pass core security requirements in order to reduce the risk that they become attack vectors against the rest of your IT infrastructure.
Even if your systems administrators are not remote workers, chances are that they perform a lot of their work either from a portable laptop in a work environment, or set up their home systems to access the work infrastructure for after-hours/emergency support. In either case, you can adapt this set of recommendations to suit your environment.
Once you’ve installed Ubuntu with security in mind and reduced the possibility of network attacks on your system, you can start thinking about security on an application level. In the event that a malicious file is opened on your system, will an attacker be able to access every file on the computer? The chances are much slimmer if you put the proper defenses in place.
In this third part to our mini-series on strengthening your primary Ubuntu installation, you’ll learn how Ubuntu package repositories work, which repos you should avoid, and how to update. Also, you’ll see how to import additional AppArmor profiles to limit resources that apps can use, as well as create sandboxes to completely isolate unsafe applications from the operating system.
I am very fond of combining both VPN and Firejail on my travel laptop (where I cannot use QubesOS), but I have recently discovered that I was leaving myself exposed to online tracking via so-called “WebRTC leaks.” My VPN provider offers a convenient testing page to see how well protected my connection is, and they very helpfully alerted me to this problem:
This guide shall let the reader be informed about the usage of firejail. Additionally, the reader shall be informed about how to use firejail profiles efficiently. Video and audio support are present and are excellent. At the end of the guide, the reader shall have the ability to run X11 applications in an arbitrary home folder using a custom configuration I made.
Linux has a reputation of being fairly secure, and out of the big three operating systems it runs into far less issues when it comes to privacy. Still, as secure as Linux can be, there’s always room for improvement. The app is the most popular program sandboxing tool on Linux. It is because of this, many Linux distributions have decided to ship this software.
Nowadays security threats are everywhere in the web, new security holes are discovered everyday, but sadly there are no instant patches available. If you are a firefox user, this problem is worse, as it lacks the sandbox feature like chromium or Google chrome browser.
Here’s how to protect yourself from such threats by running firefox in sandbox environment with firejail.
Firejail is an extremely lightweight Linux namespace based sandbox application, could be used with both GUI and CLI applications with minimal effort. Firejail could do even more, like traffic shaping, application spacific DNS server and default gateway etc. etc.
It could effectively run most apps with limited permission and system resource to minimize security risk. There’s also a GUI app firetools , to launch and monitor apps with firejail.
Network bandwidth shaping or traffic shaping is extensively used for efficient use of available network bandwidth and fairer bandwidth sharing.
Most common use of bandwidth shaping in Linux desktop is fair bandwidth sharing among different application, assume your torrent client is eating all download speed while browsing something important. For servers, it’s a lot more complex and important subject.
Surely firejail is not the best tool for this purpose, there are other utilities like iptables and tc token bucket filter. But why not use the handy firejail tool ?
For new comers, firejail is an extremely lightweight tool for isolating one/many application from the rest of the system, more straightly a sandbox application, read more about sandboxing apps with firejail here. So using fireail for traffic shaping adds an extra layer of security. Lets start !