Showing headlines posted by netblue30


Simple Application Sandboxing Using AppArmor and Firejail

Applications are increasingly privileged and we find ourselves running programs that could represent a security vulnerability to our systems and, more importantly, to our information. In this post, we will use a very simple sandboxing method using Firejail and AppArmor on Linux.

Firejail BitTorrent Sandboxing Guide

When it comes to your security and privacy, it is always better to build your own. Like a chef cooking a meal. Good or bad, at least you know what you put in. Here’s our bittorrent recipe, deep-fried edition.

Firejail DNS over HTTPS Proxy Server

fdns is a DNS-over-HTTPS proxy server targeted at small networks and Linux desktops. To speed up name resolution, fdns caches the responses and uses a configurable adblocker and privacy filter to cut down unnecessary traffic. The software is written in C and is released as part of the Firejail project under the GPLv3 license.

Sandbox your applications with Firejail

  • OWN YOUR BITS; By nachoparker (Posted by netblue30 on Nov 7, 2017 9:18 AM EDT)
  • Groups: Linux
Even the best-written software can contain vulnerabilities that can be exploited. With the advent of container technologies such as docker, flatpak or LXC, many have suggested using them to isolate software from the rest of the system and, in doing so, mitigate the harm of possible breaches.

How To Set Up Firejail On Linux

  • AddictiveTips; By Derrik Diener (Posted by netblue30 on Aug 29, 2017 6:28 PM EDT)
  • Groups: Linux
Out of the big three operating systems, Linux runs into far fewer issues when it comes to privacy. Still, as secure as Linux can be, there’s always room for improvement. Introducing Firejail, the most popular sandboxing tool on Linux.

Linux Mint Sandboxing Guide

  • Firejail Security Sandbox; By netblue30 (Posted by netblue30 on May 29, 2017 1:47 PM EDT)
  • Groups: Linux, Mint
Firejail is an easy to use sandbox that reduces the risk of security breaches by restricting the running environment of untrusted applications using seccomp-bpf and Linux namespaces. From the beginning the team realized the contradiction between security and comfort, and made ease of use one of the main project goals.

Firejail – A Security Sandbox for Mozilla Firefox, Part 3

  • Layer 3 Networking Blog (Posted by netblue30 on Oct 11, 2015 10:27 PM EDT)
  • Groups: Linux
The main focus of Firejail project is GUI application sandboxing, with web browsers being one of the main targets. I will describe some of the new features available in Firejail, and how to use them to sandbox a web browser such as Mozilla Firefox.

Firejail Seccomp Guide

This article describes how to build a whitelist seccomp-bpf filter and how to attach the filter to a user program and all its descendants using Firejail sandbox.

Firejail Linux Capabilities Guide

In this article I describe the Linux capabilities feature of Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, thus restricting what processes can do, and somehow reducing the attack surface of the kernel.

Firejail – A Security Sandbox for Mozilla Firefox, Part 2

  • Layer 3 Networking Blog (Posted by netblue30 on Feb 23, 2015 7:09 AM EDT)
  • Groups: Linux
In part 2 of this series, we look at some new browser sandboxing developments in Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target.

Linux Software Releases, January 2015

In our connected world, the traditional UNIX privilege separation is not enough anymore. Security models are changing in order to provide the higher level of protection expected by users. We start with seccomp-bpf, a software technique introduced in 2010 that seems to gain more and more popularity as networked applications grow and expand.

Lightweight Ubuntu: LXDE Desktop from Scratch

  • Layer 3 Networking Blog (Posted by netblue30 on Jan 12, 2015 5:32 PM EDT)
  • Groups: Ubuntu
This article describes how to build an Ubuntu-based LXDE system piece by piece, on top of a regular Ubuntu 14.10 server. It is a longer process, but the resulting system is as small and light as it possibly gets.

Linux Software Releases, November 2014

Welcome to our November edition of Linux Software Releases. This month we examine a project which takes software freedom very seriously and attempts to make using and sharing free software as easy as possible. The project is Warzone 2100, an open source real-time strategy game, originally developed by Pumpkin Studios and published by Eidos Interactive. We begin with a short introduction of this software and continue with the list of the projects released during November 2014.

Linux Software Releases, October 2014

Welcome to the October edition of Linux Software Releases. In this installment we start with a networking application, qtmib MIB browser. Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment (e.g. routers), computer equipment and even devices like UPSs. I begin with a short introduction of this project and continue with the list of the projects released during October 2014.

Debian/Ubuntu Cross-distro Gaming with Firejail

  • Layer 3 Networking Blog (Posted by netblue30 on Oct 26, 2014 5:09 PM EDT)
  • Story Type: Tutorial; Groups: Games
I have a dual-boot setup. On one partition I have Debian 7. I spend most of my time here, this is my main Linux desktop. On a different partition I have Ubuntu 14.04. I used to boot into Ubuntu occasionally for playing games or for testing my software on a newer compiler tool chain. Not anymore! My new setup allows me to run programs on Ubuntu partition directly from Debian, without the need to boot back and forth between the two distros.

Linux Software Releases, September 2014

There are many different open-source software projects with a variety of goals. Some projects focus on speed and security, while others focus on stability and portability. This month I aim to celebrate the diversity of the open-source ecosystem by looking at Clang Static Analyzer, a little-known project in the software development category. I begin with a short introduction of this project and continue with the list of the projects released during the month of September 2014.

Firejail – A Security Sandbox for Mozilla Firefox

  • Layer 3 Networking Blog (Posted by netblue30 on Sep 25, 2014 5:00 PM EDT)
  • Groups: Mozilla
We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system. Firejail is a sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications.

Linux Software Release, August 2014

Open-source software comes in a wide variety of flavors. From conservative to bleeding-edge, from experimental to stable, the software changes all the time, trying to meet the needs of the users. With that in mind, I start this month's post with an introduction to cppcheck, one of the few source code analysis tools available on the Linux platform. I continue as usual with the list of the latest software releases as picked up from developers’ FTP servers.

How To Use Firejail to Set Up a WordPress Installation in a Jailed Environment

When running a web server that is available to the public, striking a balance between making your content accessible and establishing a secure configuration can become difficult. There are many different areas that should be subject to careful scrutiny. One of these is process isolation and visibility. A project called firejail seeks to assist in this area by providing a lightweight security containerization mechanism that utilizes kernel namespacing to enforce separation policies. This makes the chroot environments extremely lightweight.

Securing a Web Server Using a Linux Namespaces Sandbox

The goal of this article is to isolate a small public web server on a simulated demilitarized zone (DMZ) network, and to restrict the local network access in case the server is breached. It is an extra security layer added to an existing home server setup.
