Category: Security

Link: Raspberry Pi SOCKS 5 Proxy Server (AKA browse the web with an IP from a different country)

This is a small tutorial, which will show you how to set up a local Raspberry to serve as a so-called SOCKS 5 proxy-server for your local network. The Raspberry itself will connect to a remote server, which will then make the requests to other Internet servers with its own IP, thus masquerading the original requestor’s.

All computers on your local network can be configured to connect to the Raspberry, so they all can share the same connection to the remote server.

Full article here:
Raspberry Pi SOCKS 5 Proxy Server (AKA browse the web with an IP from a different country) (pi3g Blog)

Link: Tunnel DNS through ssh -D socks proxy

When using ssh -D to set up a SOCKS proxy, DNS queries and DNS traffic are not sent through the ssh tunnel. However, with Firefox a config change can be made to send DNS traffic through the ssh tunnel. Here’s how it works!

Full article here:
Tunnel DNS through ssh -D socks proxy (scottlinux.com)

Link: How to remove Zeitgeist in Ubuntu and why

Quoting from the article:

On my desktop I use Xubuntu 12.04, and today I noticed that this distribution shipped by default the Zeitgeist daemon, a thing that I’m not using at all, for what I know.

From Wikipedia:

Zeitgeist is a service which logs the user’s activities and events, anywhere from files opened to websites visited and conversations. It makes this information readily available for other applications to use in form of timelines and statistics. It is able to establish relationships between items based on similarity and usage patterns by applying data association algorithms such as “Winepi” and “A Priori”.

Zeitgeist is the main engine and logic behind GNOME Activity Journal which is currently seen to become one of the main means of viewing and managing activities in GNOME version 3.0

Personally I don’t use any tool that uses the Zeitgeist Framework and I’d prefer to open a terminal and use locate or find to search for files than having something that logs all my activity and so slows down my system, so I’ve decided to remove this daemon totally from my system. Please note that if you use Gnome 3 or Unity you could have some side effects, or perhaps the system will just become faster, like the author of the article: Removing Zeitgeist Sped Up Unity.

Just remember that the information collected by Zeitgeist is stored for use in various forms in Unity: showing which were the last applications you used, which applications you use most, which files were used lately, the music you listen to, among many other aspects. If you think you can live without this information, your system will probably gain a good speed-up.

The remainder of the article at Linuxaria provides the actual removal instructions.

Useful SSH How-Tos

These are from an interesting site called Make Tech Easier, listed in order from oldest to newest:

Link: How to protect Apache with Fail2ban

Around 2 years ago I wrote an article about fail2ban.

Fail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (such as, iptables or TCP Wrapper).

Fail2ban’s main function is to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It determines the hosts to be blocked by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) and bans any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.

Today I want to show you some configurations that you can use to improve the security of your Apache.

Read the rest here:
How to protect Apache with Fail2ban (Linuxaria)

Link: 10 Annoying Apps We’re All Stuck Using (and How to Make Them Better)

There are probably at least two or three things on this list that you use almost every day, and some of you may use all of them:

10 Annoying Apps We’re All Stuck Using (and How to Make Them Better) (Lifehacker)

The Linux equivalent of Little Snitch, ZoneAlarm, and similar per-application firewalls?

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.

EDIT: This article is very old and outdated. For more current information, see OpenSnitch: The Little Snitch application like firewall tool for Linux.

If you are a Mac user, you’ve probably heard of Little Snitch. It’s a commercial (as in, not free) program that lets you allow or deny connections to the Internet from individual applications. One reason for using such a program is to detect software that has no reason to connect to the Internet but nevertheless attempts to do so. For example, you download a free screensaver (dumb move to start with) and it sends all the personal information it can find on you to some group of hackers on the other side of the world. A program like Little Snitch would let you know that the screensaver is trying to connect to the Internet, and allow you to deny that connection. In the Windows world, I believe that ZoneAlarm has a similar capability, and it’s also a commercial (as in, not free) program.

Leopard Flower personal firewall for Linux OS screenshot

It appears that there is a similar program for Linux users, and it IS free! It’s called Leopard Flower and it’s described as a “Personal firewall for Linux OS (based on libnetfilter_queue) which allows to allow or deny Internet access on a per-application basis rather than on a port/protocol basis.”

Looking at the screenshot it appears to have very much the same per-application blocking functionality you’d get in one of those other programs.  I have not personally tried it yet, but I wanted to create a post about it so if someday in the future I am trying to remember the name of this program, I’ll know where to find it (yes, this blog does sort of serve as my long-term memory!).  🙂

Since this article was originally published, I have been made aware of another similar application called Douane: Linux personal firewall with per application rule controls – here are a couple of screenshots:

Douane personal firewall for GNU/Linux screenshot
Douane configurator screenshot

The only downside to this one is that as of this writing the only available package is for Arch Linux, but if you want to try to build it for an Ubuntu or Debian system, they provide a page showing the needed dependencies.

There is an older similar program called TuxGuardian but apparently it hasn’t been updated since 2006, so I have no idea if it will even work with current versions of Linux. And as for you Android users, try the NoRoot Firewall app.

Link: FreePBX security advisory – SIP extension types

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
We can set defaults for all these, so why not extension type?

The SysAdminMan blog has posted a new article related to FreePBX security that I strongly urge you to read if you are running FreePBX or any FreePBX-based distribution:

FreePBX security advisory – SIP extension types

The basic issue is that by default, FreePBX sets extensions to type=friend rather than the more secure type=peer. The article says it’s for historical reasons but I suspect there have been other reasons at play here (pure stubbornness, perhaps?). But with the growing body of evidence that type=friend is bad, and because FreePBX now has an Advanced Settings module that allows you to change certain defaults (though not yet this one), I have put in a Feature Request asking that system administrators be allowed to select a default type for extensions. We’ll see if it goes anywhere (and it might help if anyone who supports this idea would add a comment to that ticket), but given that in the past they’ve been reluctant to even entertain the idea of changing the default, I fear that they may once again refuse to even consider it. And for those of us who want to keep our systems as secure as reasonably possible, that would be a real shame.
