[00:00] Probably one at a time for guests
[00:00] ack I'm fighting with someone
[00:00] we are all fighting lolz
[00:00] can I type something everyone?
[00:00] :)
[00:01] I can see everyone has hit the wall :)
[00:01] i should customize my terminal like bodhi_zazen has
[00:01] is that a bash thing?
[00:01] bodhi_zazen, what programs are those
[00:01] OK, let's get this show on the wall
[00:01] :)
[00:01] haha
[00:01] \o/
[00:01] First, thank you everyone for coming to this session
[00:01] bodhi_zazen: sorry for interrupting, when I tried it, it's giving like "Enter passphrase for key '/home/raj/.ssh/ufbt-guest':"
[00:02] rraj_be: "padawan"
[00:02] bodhi_zazen, what's that shell
[00:02] Let me assure you, the beginners team put me up to this
[00:02] k Snova
[00:02] I've heard of zsh but not jailzsh
[00:02] jimi_hendrix: A jailed Zsh. :)
[00:02] which is?
[00:02] it is a shell I make for apparmor jimi_hendrix
[00:02] it is zsh
[00:02] Zsh, in a restricted environment.
[00:02] ahh
[00:02] did you edit it or something
[00:02] edit the source*
[00:02] :(
[00:03] No, that's what AppArmor is for.
[00:03] The intention is to raise awareness of security and so here we are :)
[00:03] ok
[00:03] * jimi_hendrix raises hand
[00:03] What do people want me to cover, what questions do you have?
[00:03] * jimi_hendrix raises hand
[00:03] Snova: Enter passphrase for key '/home/raj/.ssh/ufbt-guest':
[00:03] go jimi_hendrix :)
[00:03] Permission denied (publickey).
[00:03] show how to implement profiles
[00:03] rraj_be: padawan
[00:03] http://paste.ubuntu.com/133993/
[00:03] bodhi_zazen, i dual boot windows and ubuntu
[00:03] do i need an antivirus on ubuntu
[00:03] ok bodhi_zazen
[00:04] jimi_hendrix: hahah no
[00:04] this is for user control
[00:04] security on a server if you may
[00:04] someone help rraj_be in a private window or on ##beginners-help
[00:04] OK, antivirus first then :)
[00:04] you will get varied opinions
[00:04] * jimi_hendrix uses AVG on windows
[00:05] IMO antivirus is best used on your windows boxes
[00:05] Agreed
[00:05] IMO Linux antivirus is best on file or mail servers
[00:05] things that need the security
[00:05] IMO scanning your Linux desktop with antivirus will yield lots of false positives
[00:05] what about a webserver
[00:05] for desktop, not an issue really
[00:05] * jimi_hendrix is thinking of setting up a webserver
[00:05] yes on a webserver I would say
[00:05] bodhi_zazen, if you need a place to start the discussion, why don't you briefly explain some of the tools you use to enhance security in linux (apparmor, iptables, ossec, snort, etc). e.g. in one sentence each, what do they do?
[00:06] anything that deals with heavy user traffic
[00:06] good idea Rocket2DMn :)
[00:06] yea
[00:06] The linux tools are a bit different
[00:06] and linux is modular ...
[00:06] The first line of defense is, of course, permissions
[00:06] sudo vs su?
[00:06] yea
[00:07] sudo runs one command, su changes your user
[00:07] su gives all-or-none root access
[00:07] (or other user access)
[00:07] sudo allows finer control
[00:07] sudo -i for a root shell
[00:07] Next, a firewall
[00:07] firewalls are also full of opinions
[00:08] In general, you should use a router as a router has a firewall built in
[00:08] that's how I do it
[00:08] a default install of ubuntu has no servers listening, so the default settings behind a router are just fine
[00:08] Not versed in linux firewalls yet
[00:09] If you wish to use a firewall, to set up your own router (NAT) or limit connections, the firewall is iptables
[00:09] what about firestarter?
[00:09] iptables can be configured with commands, a script, ufw, or a gui tool such as GUFW, Guarddog, firestarter, shorewall, etc
[00:10] guarddog has very nice built-in help
[00:10] the gui tools are not the firewall, only config tools
[00:10] Open them, config iptables, close them
[00:10] think router access list, but on the OS itself via iptables
[00:10] I advise you NOT to use Firestarter to monitor your network traffic
[00:11] Next, everyone know the terms HIDS / NIDS?
[00:11] no
[00:11] http://en.wikipedia.org/wiki/Intrusion-detection_system
[00:11] http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
[00:12] http://en.wikipedia.org/wiki/Network_intrusion_detection_system
[00:12] OK, HIDS, most new users are familiar with say Windows antivirus scanners
[00:12] This is a HIDS
[00:12] k
[00:12] so are rkhunter and chkrootkit
[00:12] as are OSSEC, tripwire, etc
[00:13] use these tools to monitor your system for unauthorized changes
[00:13] rkhunter and chkrootkit have a bunch of false positives, learn what they are
[00:13] do you recommend running chkrootkit from a usb device
[00:13] and what a "normal" system is
[00:14] duanedesign: I do not think it matters really
[00:14] The point is, you can not monitor your system for changes if you do not know what normal is
[00:14] You will get alerts when you say install new software as well, or change a config file
[00:15] Next, NIDS
[00:15] NIDS is sophisticated and even the geekiest will find this hard
[00:16] You need to understand basic networking protocols, tcp, udp, ping, etc
[00:16] Tools include snort and wireshark
[00:16] * jimi_hendrix tried wireshark once to sniff some packets i was sending
[00:16] I've taken Cisco CCNA, and I'd still have enormous trouble with that
[00:16] wireshark I have used
[00:16] * jimi_hendrix's head blew up
[00:16] these tools are "packet sniffers" and will monitor your network traffic
[00:17] I recommend wireshark
[00:17] snort will use a set of rules to identify potentially problematic activity, although lots of false positives
[00:17] wireshark will monitor the raw packets
[00:17] in a nutshell
[00:18] Next line of defense - SELinux / Apparmor
[00:18] :)
[00:18] SELinux != distro right
[00:18] No, it's a security framework built into the kernel.
[00:18] no
[00:18] to jimi
[00:18] security monitor
[00:18] These are very powerful tools and these are the first tools that can protect you against unknown exploits and zero-day exploits
[00:18] These tools can limit even root
[00:18] zero day?
[00:19] Security exploits, on the day they are found, before they are patched.
[00:19] http://en.wikipedia.org/wiki/Zero-Day_Attack
[00:19] Ubuntu uses Apparmor, but it needs to be configured
[00:19] Most people find apparmor easy to understand
[00:20] The point, IMO, of apparmor is to "confine" any network applications
[00:20] such as firefox, thunderbird, etc
[00:20] you limit what they can do on your os
[00:20] you can also limit a user's shell, as I will show you on the shared ssh session
[00:20] cool
[00:20] can be used with torrent applications?
[00:21] Anything.
[00:21] IMO SELINUX and Apparmor are mischaracterized as "overkill"
[00:21] lovinglinux: yes
[00:21] I am collecting apparmor profiles here: http://bodhizazen.net/aa-profiles/
[00:21] So if someone exploits a vulnerability on my torrent client, then Apparmor can prevent it from achieving success?
[00:21] I have a profile for rtorrent
[00:22] lovinglinux: AppArmor can prevent it from accomplishing anything by restricting access to the filesystem, which is mostly the same thing.
[00:22] If anyone is willing to contribute, send me your profiles (bodhi.zazen @ ubuntu.com)
[00:22] and I will post them as well
[00:22] i will have time this weekend to learn it bodhi
[00:22] do you know a good tutorial for apparmor?
[00:22] bodhi link him your thread
[00:22] :)
[00:22] /end long-winded security drive-by
[00:23] * jimi_hendrix puts away machine gun
[00:23] Links are here: http://paste.ubuntu.com/133993/
[00:23] thanks
[00:23] AppArmor introduction: http://ubuntuforums.org/showthread.php?t=1008906
[00:23] OK, with that background, questions please?
[00:23] Oh, didn't notice the links at the bottom of that..
[00:23] Or do you want to see what the shared session can do?
[00:23] i.e. live demo?
[00:24] * jimi_hendrix raises hand
[00:24] go jimi_hendrix :)
[00:24] if i am running a webserver (linux of course...well maybe a *BSD)...and it's just pages with html, what am i at risk for
[00:25] apache attacks, php attacks, and DOS are the major ones
[00:25] The damage depends on the attack
[00:26] I have seen php code that takes your cookies for example (think passwords for web sites)
[00:26] If a crack allows "arbitrary code", think an intruder then has root access
[00:26] Do I need to create apparmor profiles for all applications that connect to the network or just for those that listen on ports?
[00:26] many attacks then use your box to attack others, send spam, spoof ip, what have you
[00:27] IMO lovinglinux all apps that access the internet
[00:27] bodhi_zazen, i said just html, no php
[00:27] although as you can see I do not yet have profiles for all apps
[00:28] jimi_hendrix: LAMP == Linux Apache MySQL and PHP so I included it in the broader discussion
[00:28] ok
[00:28] Want to see a demo?
[00:28] yes
[00:28] On the ssh session?
[00:28] yeps
[00:28] OK
[00:29] anyone need assistance connecting via ssh?
[00:29] ok, the guru account has root access
[00:29] as you can see
[00:30] the guru account can install applications
[00:30] yeah, i keep getting the Permission denied (publickey) error
[00:30] :)
[00:30] someone help Traveler15164 please :)
[00:30] sorry, I know how to use ssh, but don't know which server I'm supposed to connect to
[00:30] I will wait and answer questions
[00:31] you need the key
[00:31] then ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
[00:31] pw = padawan
[00:31] http://paste.ubuntu.com/133993/
[00:31] follow exactly
[00:31] verbatim
[00:31] http://paste.ubuntu.com/133993/
[00:31] via terminal
[00:31] for keys
[00:31] beat you to it :)
[00:31] any other questions while we are waiting
[00:31] ?
[00:32] chickens, all questions are welcome :)
[00:33] you in Traveler15164?
[00:33] lovinglinux: ?
[00:33] nope
[00:33] Traveler15164: what do you need help with?
[00:33] do you have the key?
[00:33] just a second
[00:33] yes
[00:33] do you know how to use it?
[00:34] i got it and placed it in a new empty file?
[00:34] named ufbt-guest and chmod 400 on that
[00:34] Stick it in ~/.ssh
[00:34] it is
[00:34] ok
[00:34] ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
[00:34] you have to place that text in ~/.ssh/ufbt-guest
[00:34] and then chmod 400 on that file
[00:35] it's all in the paste link
[00:35] http://paste.ubuntu.com/133993/
[00:35] The authenticity of host xxxxxxxxxxx can't be established.
[00:35] i'll redo it all to make sure
[00:35] lol lovinglinux
[00:35] lovinglinux: That's normal, just confirm it.
[00:35] say yes :)
[00:36] Traveler15164: cd .ssh
[00:36] lol, stupid me
[00:36] rm ufbt-guest
[00:36] wget http://bodhizazen.net/beginners/ufbt-guest
[00:36] chmod 400 ufbt-guest
[00:36] you may have to "ssh bodhizazen.net" first and accept the fingerprint
[00:36] ssh guest@bodhizazen.net -i ./ufbt-guest
[00:36] then just ctrl-c without doing any authentication
[00:37] then do the ssh command above to use the key
[00:37] Connection closed by xxxxxxxxx
[00:37] i found if you use the key without having the fingerprint cached, it doesn't give you the option to store it and it aborts
[00:38] thanks Rocket2DMn
[00:38] Traveler15164: you in?
[00:38] redoing it worked
[00:38] lovinglinux: ?
[00:38] strange
[00:38] OK, so ...
[00:38] as you can see we are root :)
[00:38] OK, I am in
[00:38] yay!
[00:38] as you can see, we started a new shell
[00:39] * Nano_ext3 runs around in circles with streamers
[00:39] guru was jailzsh
[00:39] root is bash
[00:39] but the apparmor confinement follows us
[00:39] so ...
[00:39] First I am limiting root with iptables ...
[00:40] sorry for the typo :(
[00:40] as you can see, root can ping google, but not my lan
[00:40] back
[00:40] so let's stop iptables :)
[00:41] OH NO
[00:41] Permission denied
[00:41] sudo it!
[00:41] He's root....
[00:41] (i know)
[00:41] tab complete fail
[00:41] ok ..
[00:42] let's mess with the settings a little
[00:42] foiled again :)
[00:42] Let's try this :)
[00:43] :)
[00:44] :O
[00:44] Ok, so the AppArmor restrictions followed you from jailzsh to root's Bash?
[00:44] so you can see, although root can install apps, access to critical system files is restricted
[00:44] r00t has uber fail?
[00:44] yes Snova
[00:44] We can start a new shell if we wish
[00:45] My head just exploded.
[00:45] ugh gotta run, sorry guys
[00:45] so ..
[00:45] have to head home for work tomorrow :(
[00:45] now bodhi_zazen, do these restrictions apply only when using sudo to access root? What if you had a true root login, like "su -"?
[00:45] Bye Nano_ext3.
[00:45] laters :(
[00:45] any process you start is confined by apparmor
[00:45] the restrictions follow you
[00:45] I'll read more on aa this weekend
[00:46] def
[00:46] laters
[00:46] no Rocket, watch
[00:46] see, we are now guru again?
[00:46] guru is given jailzsh as a default shell
[00:47] jailzsh is in an apparmor profile and I think I can show it to you
[00:47] There it is ...
[00:47] That's it? Looks simple.
[00:47] that was jailbash
[00:48] jailbash is from jdong
[00:48] posted here:
[00:48] http://bodhizazen.net/aa-profiles/jdong/ubuntu-8.04/usr.local.bin.jailbash
[00:48] and yes, it is simple
[00:49] I'm gonna try this
[00:49] I am restricting access to jailzsh as it is a fair amount more permissive than jailbash
[00:49] anything else you want to see in the shared session?
[00:50] please, other security questions?
[00:50] bodhi_zazen, is it possible to secure a windows server?
[00:50] yes, of course
[00:51] ahh hardened windows servers :)
[00:51] I have one stupid question at http://ubuntuforums.org/showthread.php?t=1100778
[00:51] Again, I am collecting aa profiles here: http://bodhizazen.net/aa-profiles/
[00:51] download them, try them out, and if you wish send me your modifications and I will post them for others
[00:52] lovinglinux: in a nutshell, no, your router is not ipv6
[00:52] most people disable ipv6
[00:53] Rocket2DMn, is it possible then?
[00:53] ip providers hate ipv6 because ipv6 makes them obsolete as an ip provider
[00:53] they would need to provide the physical layer however
[00:53] yes jimi_hendrix you can lock down windows servers
[00:53] bodhi_zazen: so just leave ipv6 alone right? No need for iptables rules?
[00:53] yes, or you can disable it if you wish
[00:53] bodhi_zazen: thanks
[00:54] some people think their box runs faster if they disable it
[00:54] np
[00:54] please, I have been ranting, questions, questions :)
[00:54] what is the average airspeed of a swallow
[00:54] is there an alternative for intrusion detection without using MySQL?
[00:55] yes lovinglinux
[00:55] you can use snort + barnyard
[00:56] I will look into that. Thanks
[00:56] lovinglinux: http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1255683_tax307468,00.html
[00:57] although that may use mysql, and if so, my mistake
[00:57] quit Thanks bodhi
[00:57] lol :)
[00:58] I have another question. Please wait because I have an inflamed finger, so I need time to type.
[00:58] go lovinglinux
[00:58] Well, we are close to the hour
[00:59] Watch, if I close the screen session you all are disconnected :)
[00:59] >:)
[00:59] Oh, like that? ;)
[00:59] Just like that
[00:59] I have an iptables rule to accept established connections. If I have a client listening on a port, but no other ports opened, is it possible for someone already connected to my client to establish connections on other ports?
[00:59] The guest account can not connect without a session running
[00:59] if you try you will be blacklisted after a few attempts
[01:00] hard to follow lovinglinux
[01:00] bodhi_zazen: maybe it's just my paranoia
[01:01] If your client is cracked and you are dropping new connections I do not think normally the client could establish a new connection on a new port
[01:01] I guess they could use the established connection and leverage additional exploits
[01:02] bodhi_zazen: through the same port?
[01:02] Well, thank you everyone, it is 7 so we are "officially" over, although I will be available for say 10-15 minutes
[01:02] then I have to go to my family
[01:02] awesome!!! thank you
[01:02] in theory lovinglinux
[01:02] Yes, thank you!
[01:03] since the connection is established ...
[01:03] Thank you very much. Really nice experience, especially the shared ssh session.
[01:03] you are most welcome everyone
[01:03] applause
[01:03] the beginners team is going to run additional sessions
[01:03] and the shared ssh session is available to anyone willing to teach
[01:04] I have found the shared ssh session is a very effective demo for apparmor and iptables, lol
[01:05] wb k0001 :)
[01:05] bodhi_zazen: what do you think about UPnP?
[01:05] Not a lot
[01:05] Again, we all like convenience
[01:05] bodhi_zazen: hello
[01:05] but we all hate it when we are cracked, lol
[01:05] lol
[01:06] so it is nice (of UPnP) for our flash drives to auto mount
[01:06] but not so nice when malignant code then uses this to automatically start its evil work ;)
[01:07] security and convenience == yin and yang and we must bring balance to the force
[01:08] it is just that the balance point is dependent on sphincter tone, :p
[01:08] lol
[01:08] If anyone is interested in topics or teaching sessions, please let me know
[01:08] do I need to keep your key for further sessions?
[01:09] I shall try to run a session every other week at this time with varied topics
[01:09] I am sorry to have such limited times, I wish I could vary it more, but I have a family so this works best
[01:09] that is much appreciated
[01:09] yes lovinglinux
[01:10] :)
[01:10] what time is it there right now and what time does it start?
[01:10] I hope that the sessions are logged and posted in classroom
[01:10] It is just past 7 PM local time for me
[01:10] Sessions will start at 6 pm local time
[01:11] Ok, great
[01:11] and if anyone has a topic, add it to the list
[01:11] I think we do another security session in 2 weeks
=== k00011 is now known as k0001
[01:11] and after that I have been asked to cover permissions
[01:11] permissions will be nice
[01:12] will the session on the 26th be the same as this one?
[01:12] Add your topic here: https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:12] put my name in as the instructor
[01:13] and I will add them here: https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
[01:13] linuxwarrior: same topic
[01:13] Hopefully different questions :)
[01:13] I hope people will try iptables, apparmor, etc and bring questions
[01:13] Hmm... I could probably help with a few of those.
[01:14] ok ;)
[01:14] http://bodhizazen.net/Tutorials/iptables/
[01:14] I posted a number of links here: http://paste.ubuntu.com/133993/
[01:14] what i don't get is i can genprof firefox and play around with it, then do the scan and it doesn't really add that much to the profile
[01:14] no Traveler15164
[01:15] That is the problem with apparmor, you will need to emulate a profile or make your own
[01:15] firefox is not the best to start with because it is large
[01:15] Start with say xchat
[01:15] or your irc client
[01:15] and then go to firefox
[01:15] sudo aa-enforce xchat
[01:15] then
[01:15] Is there a requirement for classes to be related to system configuration or can they be about how to use a specific kind of program, like multimedia for example?
[01:16] tail -F /var/log/messages
[01:16] open xchat and watch and resolve errors
[01:16] lovinglinux: topics are open
[01:17] we (the beginners team) are here to educate and we really want to grow this service and cover topics of interest to the community
[01:17] We hope to add things like Moodle
[01:17] http://fmc.isgreat.org/Ubuntu_Classroom/index.html
[01:17] so we can develop more formal content
[01:17] but ...
[01:17] if you put just enough in the firefox profile to allow firefox to start up, then it lets you view or change anything in that session but the settings or cache aren't saved, correct?
[01:17] we are in the beginning phases
[01:17] sorta like a sandboxing app
[01:18] yes, I think Traveler15164
[01:18] So maybe I could help with some stuff, like how to organize image collections using IPTC, EXIF and so on. I will think about it.
[01:18] If you change (edit) the profile, you need to restart both apparmor and firefox for the effects to take place
[01:18] ok
[01:18] not always firefox, but it does not hurt
[01:19] Sometimes you also need to clear your cache on firefox as well
[01:19] lovinglinux: any help you can offer would be awesome
[01:19] some team members help with content
[01:19] others teach
[01:19] some do nothing
[01:19] :)
[01:19] lol
[01:19] it is a team effort and we are all volunteers
[01:20] the main limiting factor, of course, is my time
[01:20] I rely on the focus groups to help
[01:20] OK, I gotta go
[01:20] really, thank you all for coming
[01:20] and let's see if we can continue and extend these sessions
[01:21] Thanks again. :)
[01:21] we need both helpers and an audience :)
[01:21] bodhi_zazen: thanks again
[01:21] PM me on the forums or come on by #ubuntuforums-beginners :)
[01:21] cya
[01:21] you are all most welcome Halow lovinglinux and everyone really
[01:22] it was fun, I hope I did not rant on too long
[01:22] c ya
[01:24] thank you, bye
[01:24] thx bye