032009

Differences between revisions 1 and 2
Revision 1 as of 2009-03-11 04:19:16
Size: 425
Editor: host-69-144-245-173
Comment:
Revision 2 as of 2009-03-27 20:34:43
Size: 27535
Editor: 78
Comment:

=== logs ===

{{{#!irc
[00:00] <bodhi_zazen> Probably one at a time for guests
[00:00] <Rocket2DMn> ack im fighting with someone
[00:00] <Nano_ext3> we are all fighting lolz
[00:00] <Nano_ext3> can I type something everyone?
[00:00] <Nano_ext3> :)
[00:01] <bodhi_zazen> I can see everyone has hit the wall :)
[00:01] <Rocket2DMn> i should customize my terminal like bodhi_zazen has
[00:01] <Rocket2DMn> is that a bash thing?
[00:01] <jimi_hendrix> bodhi_zazen, what programs are those
[00:01] <bodhi_zazen> OK, lets get this show on the wall
[00:01] <bodhi_zazen> :)
[00:01] <Nano_ext3> haha
[00:01] <WastePotato> \o/
[00:01] <bodhi_zazen> First , thank you everyone for coming to this session
[00:01] <rraj_be> bodhi_zazen: sorry for interrupting, when I tried it, it's giving me "Enter passphrase for key '/home/raj/.ssh/ufbt-guest':"
[00:02] <Snova> rraj_be: "padawan"
[00:02] <jimi_hendrix> bodhi_zazen, what's the shell
[00:02] <bodhi_zazen> Let me assure you , the beginners team put me up to this
[00:02] <rraj_be> k Snova
[00:02] <jimi_hendrix> ive heard zsh but not jailzsh
[00:02] <Snova> jimi_hendrix: A jailed Zsh. :)
[00:02] <jimi_hendrix> which is?
[00:02] <bodhi_zazen> it is a shell I make for apparmor jimi_hendrix
[00:02] <bodhi_zazen> it is zsh
[00:02] <Snova> Zsh, in a restricted environment.
[00:02] <jimi_hendrix> ahh
[00:02] <jimi_hendrix> did you edit it or something
[00:02] <jimi_hendrix> edit the source*
[00:02] <WastePotato> :(
[00:03] <Snova> No, that's what AppArmor is for.
[00:03] <bodhi_zazen> The intention is to raise awareness of security and so here we are :)
[00:03] <jimi_hendrix> ok
[00:03] * jimi_hendrix raises hand
[00:03] <bodhi_zazen> What do people want me to cover, what questions do you have ?
[00:03] * jimi_hendrix raises hand
[00:03] <rraj_be> Snova: Enter passphrase for key '/home/raj/.ssh/ufbt-guest':
[00:03] <bodhi_zazen> go jimi_hendrix :)
[00:03] <rraj_be> Permission denied (publickey).
[00:03] <Nano_ext3> show how to implement profiles
[00:03] <bodhi_zazen> rraj_be: padawan
[00:03] <Nano_ext3> http://paste.ubuntu.com/133993/
[00:03] <jimi_hendrix> bodhi_zazen, i dual boot windows and ubuntu
[00:03] <jimi_hendrix> do i need an antivirus on ubuntu
[00:03] <rraj_be> ok bodhi_zazen
[00:04] <Nano_ext3> jimi_hendrix: hahah no
[00:04] <Nano_ext3> this is for user control
[00:04] <Nano_ext3> security on a server if you may
[00:04] <bodhi_zazen> someone help rraj_be in a private window or on ##beginners-help
[00:04] <bodhi_zazen> OK, antivirus first then :)
[00:04] <bodhi_zazen> you will get varied opinions
[00:04] * jimi_hendrix uses AVG on windows
[00:05] <bodhi_zazen> IMO antivirus is best used on your windows boxes
[00:05] <Nano_ext3> Agreed
[00:05] <bodhi_zazen> IMO Linux antivirus is best on file or mail servers
[00:05] <Nano_ext3> things that need the security
[00:05] <bodhi_zazen> IMO scanning your Linux desktop with antivirus will yield lots of false positives
[00:05] <jimi_hendrix> what about a webserver
[00:05] <Nano_ext3> for desktop , not an issue really
[00:05] * jimi_hendrix is thinking of setting up a webserver
[00:05] <Nano_ext3> yes on a webserver I would say
[00:05] <Rocket2DMn> bodhi_zazen, if you need a place to start the discussion, why dont you briefly explain some of the tools you use to enhance security in linux (apparmor, iptables, ossec, snort, etc). e.g. in one sentence each, what do they do?
[00:06] <Nano_ext3> anything that deals with heavy user traffic
[00:06] <bodhi_zazen> good idea Rocket2DMn :)
[00:06] <Nano_ext3> yea
[00:06] <bodhi_zazen> The linux tools are a bit different
[00:06] <bodhi_zazen> and linux is modular ...
[00:06] <bodhi_zazen> The first line of defense is, of course, permissions
[00:06] <bodhi_zazen> sudo vs su ?
[00:06] <Nano_ext3> yea
[00:07] <jimi_hendrix> sudo runs one command su changes your user
[00:07] <bodhi_zazen> su gives all or none root access
[00:07] <Rocket2DMn> (or other user access)
[00:07] <bodhi_zazen> sudo allows finer control
[00:07] <bodhi_zazen> sudo -i for a root shell
[00:07] <bodhi_zazen> Next a firewall
[00:07] <bodhi_zazen> firewalls are also full of opinions
[00:08] <bodhi_zazen> In general, you should use a router as a router has a firewall built in
[00:08] <Nano_ext3> thats how I do it
[00:08] <bodhi_zazen> a default install of ubuntu has no servers listening, so the default settings behind a router are just fine
[00:08] <Nano_ext3> Not versed in linux firewalls yet
[00:09] <bodhi_zazen> If you wish to use a firewall, to set up your own router (NAT) or limit connections, the firewall is iptables
[00:09] <jimi_hendrix> what about firestarter?
[00:09] <bodhi_zazen> iptables can be configured with commands, a script, ufw, or a gui tool such as GUFW, Guarddog, firestarter, shorewall, etc
[00:10] <bodhi_zazen> Guarddog has very nice built in help
[00:10] <bodhi_zazen> the gui tools are not the firewall, only config tools
[00:10] <bodhi_zazen> Open them, config iptables, close them
[00:10] <Nano_ext3> think router access list , but on the OS itself via iptables
[00:10] <bodhi_zazen> I advise you NOT use Firestarter to monitor your network traffic
[00:11] <bodhi_zazen> Next , everyone know the terms HIDS / NIDS ?
[00:11] <Nano_ext3> no
[00:11] <bodhi_zazen> http://en.wikipedia.org/wiki/Intrusion-detection_system
[00:11] <bodhi_zazen> http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
[00:12] <bodhi_zazen> http://en.wikipedia.org/wiki/Network_intrusion_detection_system
[00:12] <bodhi_zazen> OK, HIDS, most new users are familiar with say Windows antivirus scanners
[00:12] <bodhi_zazen> This is a HIDS
[00:12] <Nano_ext3> k
[00:12] <bodhi_zazen> so is rkhunter and chkrootkit
[00:12] <bodhi_zazen> as is OSSEC, tripwire, etc
[00:13] <bodhi_zazen> use these tools to monitor your system for unauthorized changes
[00:13] <bodhi_zazen> rkhunter and chkrootkit have a bunch of false positives, learn what they are
[00:13] <duanedesign> do you recommend running chkrootkit from a usb device
[00:13] <bodhi_zazen> and what a "normal" system is
[00:14] <bodhi_zazen> duanedesign: I do not think it matters really
[00:14] <bodhi_zazen> The point is, you can not monitor your system for changes if you do not know what normal is
[00:14] <bodhi_zazen> You will get alerts when you say install new software as well, or change a config file
[00:15] <bodhi_zazen> Next NIDS
[00:15] <bodhi_zazen> NIDS is sophisticated and even the geekiest will find this hard
[00:16] <bodhi_zazen> You need to understand basic networking protocols, tcp, udp, ping, etc
[00:16] <bodhi_zazen> Tools include snort and wireshark
[00:16] * jimi_hendrix tried wireshark one to sniff some packets i was sending
[00:16] <Nano_ext3> I've taken Cisco CCNA, and I'd still have enormous trouble with that
[00:16] <Nano_ext3> wireshark I have used
[00:16] * jimi_hendrix 's head blew up
[00:16] <bodhi_zazen> these tools are "packet sniffers" and will monitor your network traffic
[00:17] <Nano_ext3> I recommend wireshark
[00:17] <bodhi_zazen> snort will use a set of rules to identify potentially problematic activity, although lots of false positives
[00:17] <bodhi_zazen> wireshark will monitor the raw packets
[00:17] <bodhi_zazen> in a nut shell
[00:18] <bodhi_zazen> Next line of defense - SELinux / Apparmor
[00:18] <Nano_ext3> :)
[00:18] <jimi_hendrix> SELinux != distro right
[00:18] <Snova> No, it's a security framework built into the kernel.
[00:18] <Nano_ext3> no
[00:18] <Nano_ext3> to jimi
[00:18] <Nano_ext3> security monitor
[00:18] <bodhi_zazen> These are very powerful tools and these are the first tools that can protect you against unknown exploits and Zero day exploits
[00:18] <bodhi_zazen> These tools can limit even root
[00:18] <Nano_ext3> zero day?
[00:19] <Snova> Security exploits, on the day they are found, before they are patched.
[00:19] <bodhi_zazen> http://en.wikipedia.org/wiki/Zero-Day_Attack
[00:19] <bodhi_zazen> Ubuntu uses Apparmor, but it needs to be configured
[00:19] <bodhi_zazen> Most people find apparmor easy to understand
[00:20] <bodhi_zazen> The point, IMO, of apparmor is to "confine" any network applications
[00:20] <bodhi_zazen> such as firefox, thunderbird, etc
[00:20] <bodhi_zazen> you limit what they can do on your os
[00:20] <bodhi_zazen> you can also limit a users shell, as I will show you on the shared ssh session
[00:20] <Nano_ext3> cool
[00:20] <lovinglinux> can be used with torrent applications?
[00:21] <Snova> Anything.
[00:21] <bodhi_zazen> IMO SELinux and Apparmor are mischaracterized as "overkill"
[00:21] <bodhi_zazen> lovinglinux: yes
[00:21] <bodhi_zazen> I am collecting apparmor profiles here : http://bodhizazen.net/aa-profiles/
[00:21] <lovinglinux> So if someone exploits a vulnerability in my torrent client, then Apparmor can prevent it from achieving success?
[00:21] <bodhi_zazen> I have a profile for rtorrent
[00:22] <Snova> lovinglinux: AppArmor can prevent it from accomplishing anything by restricting access to the filesystem, which is mostly the same thing.
[00:22] <bodhi_zazen> If anyone is willing to contribute, send me your profiles ( bodhi.zazen @ ubuntu.com)
[00:22] <bodhi_zazen> and I will post them as well
[00:22] <Nano_ext3> i will have time this weeked to learn it bodhi
[00:22] <lovinglinux> do you know a good tutorial for apparmor?
[00:22] <Nano_ext3> bodhi link him your thread
[00:22] <Nano_ext3> :)
[00:22] <bodhi_zazen> /end long winded security drive by
[00:23] * jimi_hendrix puts away machine gun
[00:23] <bodhi_zazen> Links are here : http://paste.ubuntu.com/133993/
[00:23] <lovinglinux> thanks
[00:23] <Snova> AppArmor introduction: http://ubuntuforums.org/showthread.php?t=1008906
[00:23] <bodhi_zazen> OK , with that background, questions please ?
[00:23] <Snova> Oh, didn't notice the links at the bottom of that..
[00:23] <bodhi_zazen> Or do you want to see what the shared session can do ?
[00:23] <bodhi_zazen> ie live demo ?
[00:24] * jimi_hendrix raises hand
[00:24] <bodhi_zazen> go jimi_hendrix :)
[00:24] <jimi_hendrix> if i am running a webserver (linux of course...well maybe a *BSD)...and its just pages with html, what am i at risk for
[00:25] <bodhi_zazen> apache attacks, php attacks, and DOS are the major ones
[00:25] <bodhi_zazen> The damage depends on the attack
[00:26] <bodhi_zazen> I have seen php code that takes your cookies for example (think passwords for web sites)
[00:26] <bodhi_zazen> If a crack allows "arbitrary code" think an intruder then has root access
[00:26] <lovinglinux> Do I need to create apparmor profiles for all applications that connect to network or just for those that listen to ports?
[00:26] <bodhi_zazen> many attacks then use your box to attack others, send spam, spoof ip, what have you
[00:27] <bodhi_zazen> IMO lovinglinux all apps that access the internet
[00:27] <jimi_hendrix> bodhi_zazen, i said just html, no php
[00:27] <bodhi_zazen> although as you can see I do not yet have profiles for all apps
[00:28] <bodhi_zazen> jimi_hendrix: LAMP == Linux apache Mysql and PHP so I included it in the broader discussion
[00:28] <jimi_hendrix> ok
[00:28] <bodhi_zazen> Want to see a demo ?
[00:28] <jimi_hendrix> yes
[00:28] <bodhi_zazen> On the ssh session ?
[00:28] <Nano_ext3> yeps
[00:28] <bodhi_zazen> OK
[00:29] <bodhi_zazen> anyone need assistance connecting via ssh ?
[00:29] <bodhi_zazen> ok, the guru account has root access
[00:29] <bodhi_zazen> as you can see
[00:30] <bodhi_zazen> the guru account can install applications
[00:30] <Traveler15164> yeah, i keep getting the Permission denied (publickey) error
[00:30] <bodhi_zazen> :)
[00:30] <bodhi_zazen> someone help Traveler15164 please :)
[00:30] <lovinglinux> sorry, I know how to use ssh, but don't know which server I'm supposed to connect to
[00:30] <bodhi_zazen> I will wait and answer questions
[00:31] <bodhi_zazen> you need the key
[00:31] <bodhi_zazen> then ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
[00:31] <bodhi_zazen> pw = padawan
[00:31] <Nano_ext3> http://paste.ubuntu.com/133993/
[00:31] <Nano_ext3> follow exactly
[00:31] <Nano_ext3> verbatim
[00:31] <bodhi_zazen> http://paste.ubuntu.com/133993/
[00:31] <Nano_ext3> via terminal
[00:31] <bodhi_zazen> for keys
[00:31] <Nano_ext3> beat you to it :)
[00:31] <bodhi_zazen> any other questions while we are waiting
[00:31] <bodhi_zazen> ?
[00:32] <bodhi_zazen> chickens, all questions are welcome :)
[00:33] <bodhi_zazen> you in Traveler15164 ?
[00:33] <bodhi_zazen> lovinglinux: ?
[00:33] <Traveler15164> nope
[00:33] <bodhi_zazen> Traveler15164: what do you need help with ?
[00:33] <bodhi_zazen> do you have the key ?
[00:33] <lovinglinux> just a second
[00:33] <Traveler15164> yes
[00:33] <bodhi_zazen> do you know how to use it ?
[00:34] <Traveler15164> i got it and placed it in a new empty file?
[00:34] <Traveler15164> named ufbt-guest and chmod 400 on that
[00:34] <Snova> Stick it in ~/.ssh
[00:34] <Traveler15164> it is
[00:34] <bodhi_zazen> ok
[00:34] <Snova> ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
[00:34] <Nano_ext3> you have to place that text in ~/.ssh/ufbt-guest
[00:34] <Nano_ext3> and then chmod 400 on that file
[00:35] <Nano_ext3> its all in the paste link
[00:35] <Nano_ext3> http://paste.ubuntu.com/133993/
[00:35] <lovinglinux> The authenticity of host xxxxxxxxxxx can't be established.
[00:35] <Traveler15164> i'll redo it all to make sure
[00:35] <bodhi_zazen> lol lovinglinux
[00:35] <Snova> lovinglinux: That's normal, just confirm it.
[00:35] <bodhi_zazen> say yes :)
[00:36] <bodhi_zazen> Traveler15164: cd .ssh
[00:36] <lovinglinux> lol, stupid me
[00:36] <bodhi_zazen> rm ufbt-guest
[00:36] <bodhi_zazen> wget http://bodhizazen.net/beginners/ufbt-guest
[00:36] <bodhi_zazen> chmod 400 ufbt-guest
[00:36] <Rocket2DMn> you may have to "ssh bodhizazen.net" first and accept the fingerprint
[00:36] <bodhi_zazen> ssh guest@bodhizazen.net -i ./ufbt-guest
[00:36] <Rocket2DMn> then just ctrl-c without doing any authentication
[00:37] <Rocket2DMn> then do the ssh command above to use the key
[00:37] <lovinglinux> Connection closed by xxxxxxxxx
[00:37] <Rocket2DMn> i found if you use the key without having the fingerprint cached, it doesn't give you the option to store it and it aborts
[00:38] <bodhi_zazen> thanks Rocket2DMn
[00:38] <bodhi_zazen> Traveler15164: you in ?
[00:38] <Traveler15164> redoing it worked
[00:38] <bodhi_zazen> lovinglinux: ?
[00:38] <Traveler15164> strange
[00:38] <bodhi_zazen> OK, so ...
[00:38] <bodhi_zazen> as you can see we are root :)
[00:38] <lovinglinux> OK, I am in
[00:38] <Nano_ext3> yay!
[00:38] <bodhi_zazen> as you can see, we started a new shell
[00:39] * Nano_ext3 runs around in circles with streamers
[00:39] <bodhi_zazen> guru was jailzsh
[00:39] <bodhi_zazen> root is bash
[00:39] <bodhi_zazen> but the apparmor confinement follows us
[00:39] <bodhi_zazen> so ...
[00:39] <bodhi_zazen> First I am limiting root with iptables ...
[00:40] <bodhi_zazen> sorry for the typo :(
[00:40] <bodhi_zazen> as you can see, root can ping google , but not my lan
[00:40] <jimi_hendrix> back
[00:40] <bodhi_zazen> so lets stop iptables :)
[00:41] <bodhi_zazen> OH NO
[00:41] <bodhi_zazen> Permission denied
[00:41] <jimi_hendrix> sudo it!
[00:41] <Halow> He's root....
[00:41] <jimi_hendrix> (i know)
[00:41] <Rocket2DMn> tab complete fail
[00:41] <bodhi_zazen> ok ..
[00:42] <bodhi_zazen> lets mess with the settings a little
[00:42] <bodhi_zazen> foiled again :)
[00:42] <bodhi_zazen> Lets try this ::)
[00:43] <bodhi_zazen> :)
[00:44] <Halow> :O
[00:44] <Snova> Ok, so the AppArmor restrictions followed you from jailzsh to root's Bash?
[00:44] <bodhi_zazen> so you can see, although root can install apps, access to critical system files is restricted
[00:44] <jimi_hendrix> r00t has uber fail?
[00:44] <bodhi_zazen> yes Snova
[00:44] <bodhi_zazen> We can start a new shell if we wish
[00:45] <Rocket2DMn> My head just exploded.
[00:45] <Nano_ext3> ugh gotta run, sorry guys
[00:45] <bodhi_zazen> so ..
[00:45] <Nano_ext3> have to head home for work tommorow :(
[00:45] <Rocket2DMn> now bodhi_zazen , do these restrictions apply only when using sudo to access root? What if you had a true root login, like "su -" ?
[00:45] <Snova> Bye Nano_ext3.
[00:45] <Nano_ext3> laters :(
[00:45] <bodhi_zazen> any process you start is confined by apparmor
[00:45] <bodhi_zazen> the restrictions follow you
[00:45] <Nano_ext3> ill read more on aa this weekend
[00:46] <Nano_ext3> def
[00:46] <Nano_ext3> laters
[00:46] <bodhi_zazen> no Rocket, watch
[00:46] <bodhi_zazen> see, we are now guru again ?
[00:46] <bodhi_zazen> guru is given jailzsh as a default shell
[00:47] <bodhi_zazen> jailzsh in an apparmor profile and I think I can show it to you
[00:47] <bodhi_zazen> There it is ...
[00:47] <lovinglinux> That's it? Looks simple.
[00:47] <bodhi_zazen> that was jail bash
[00:48] <bodhi_zazen> jailbash is from jdong
[00:48] <bodhi_zazen> posted here :
[00:48] <bodhi_zazen> http://bodhizazen.net/aa-profiles/jdong/ubuntu-8.04/usr.local.bin.jailbash
[00:48] <bodhi_zazen> and yes, it is simple
[00:49] <lovinglinux> I'm gonna try this
[00:49] <bodhi_zazen> I am restricting access to jailzsh as it is a fair amount more permissive than jailbash
[00:49] <bodhi_zazen> anything else you want to see in the shared session ?
[00:50] <bodhi_zazen> please, other security questions ?
[00:50] <jimi_hendrix> bodhi_zazen, is it possible to secure a windows server?
[00:50] <bodhi_zazen> yes, of course
[00:51] <Rocket2DMn> ahh hardened windows servers :)
[00:51] <lovinglinux> I have one stupid question at http://ubuntuforums.org/showthread.php?t=1100778
[00:51] <bodhi_zazen> Again, I am collecting aa profiles here : http://bodhizazen.net/aa-profiles/
[00:51] <bodhi_zazen> download them, try them out, and if you wish send me your modifications and I will post them for others
[00:52] <bodhi_zazen> lovinglinux: in a nut shell, no your router is not ipv6
[00:52] <bodhi_zazen> most people disable ipv6
[00:53] <jimi_hendrix> Rocket2DMn, is it possible then?
[00:53] <bodhi_zazen> ip providers hate ipv6 because ipv6 makes them obsolete as an ip provider
[00:53] <bodhi_zazen> they would need to provide the physical layer however
[00:53] <Rocket2DMn> yes jimi_hendrix you can lock down windows servers
[00:53] <lovinglinux> bodhi_zazen: so just leave ipv6 alone right? No need for iptables rules?
[00:53] <bodhi_zazen> yes, or you can disable it if you wish
[00:53] <lovinglinux> bodhi_zazen: thanks
[00:54] <bodhi_zazen> some people think their box runs faster if they disable it
[00:54] <bodhi_zazen> np
[00:54] <bodhi_zazen> please, I have been ranting, questions, questions :)
[00:54] <jimi_hendrix> what is the average airspeed of a swallow
[00:54] <lovinglinux> is there an alternative for intrusion detection without using MySQL?
[00:55] <bodhi_zazen> yes lovinglinux
[00:55] <bodhi_zazen> you can use snort + barnyard
[00:56] <lovinglinux> I will look into that. Thanks
[00:56] <bodhi_zazen> lovinglinux: http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1255683_tax307468,00.html
[00:57] <bodhi_zazen> although that may use mysql, and if so, my mistake
[00:57] <ds305> quit Thanks bodhi
[00:57] <jgoguen> lol :)
[00:58] <lovinglinux> I have another question. Please wait because I have an inflamed finger, so I need time to type.
[00:58] <bodhi_zazen> go lovinglinux
[00:58] <bodhi_zazen> Well, we are close to the hour
[00:59] <bodhi_zazen> Watch, if I close the screen session you all are disconnected :)
[00:59] <bodhi_zazen> >:)
[00:59] <Snova> Oh, like that? ;)
[00:59] <bodhi_zazen> Just like that
[00:59] <lovinglinux> I have an iptables rule to accept established connection. If I have a client listening to a port, but no other ports opened, is it possible for someone already connected to my client to establish connections on other ports?
[00:59] <bodhi_zazen> The guest account can not connect without a session running
[00:59] <bodhi_zazen> if you try you will be blacklisted after a few attempts
[01:00] <bodhi_zazen> hard to follow lovinglinux
[01:00] <lovinglinux> bodhi_zazen: maybe is just my paranoia
[01:01] <bodhi_zazen> If your client is cracked and you are dropping new connections I do not think normally the client could establish a new connection on a new port
[01:01] <bodhi_zazen> I guess they could use the established connection and leverage additional exploits
[01:02] <lovinglinux> bodhi_zazen: through the same port?
[01:02] <bodhi_zazen> Well, thank you everyone, it is 7 so we are "officially" over, although I will be available for say 10-15 minutes
[01:02] <bodhi_zazen> then I have to go to my family
[01:02] <duanedesign> aawesome!!! thank you
[01:02] <bodhi_zazen> in theory lovinglinux
[01:02] <Halow> Yes, thank you!
[01:03] <bodhi_zazen> since the connection is established ...
[01:03] <lovinglinux> Thank you very much. Really nice experience, specially the shared ssh session.
[01:03] <bodhi_zazen> you are most welcome everyone
[01:03] <duanedesign> applause
[01:03] <bodhi_zazen> the beginners team is going to run additional sessions
[01:03] <bodhi_zazen> and the shared ssh session is available to anyone willing to teach
[01:04] <bodhi_zazen> I have found the shared ssh session is a very effective demo for apparmor and iptables , lol
[01:05] <bodhi_zazen> wb k0001 :)
[01:05] <lovinglinux> bodhi_zazen: what do you think about UPnP?
[01:05] <bodhi_zazen> Not a lot
[01:05] <bodhi_zazen> Again, we all like convenience
[01:05] <k0001> bodhi_zazen: hello
[01:05] <bodhi_zazen> but we all hate it when we are cracked, lol
[01:05] <lovinglinux> lol
[01:06] <bodhi_zazen> so it is nice (off UPnP) for our flash drives to auto mount
[01:06] <bodhi_zazen> but not so nice when malignant code uses this to automatically start its evil work ;)
[01:07] <bodhi_zazen> security and convenience == yin and yang and we must bring balance to the force
[01:08] <bodhi_zazen> it is just that the balance point is dependent on sphincter tone, :p
[01:08] <lovinglinux> lol
[01:08] <bodhi_zazen> If anyone is interested in topics or teaching sessions, please let me know
[01:08] <lovinglinux> do I need to keep your key for further sessions?
[01:09] <bodhi_zazen> I shall try to run a session every other week at this time with varied topics
[01:09] <bodhi_zazen> I am sorry to have such limited times, I wish I could vary it more, but I have a family so this works best
[01:09] <duanedesign> that is much appreciated
[01:09] <bodhi_zazen> yes lovinglinux
[01:10] <duanedesign> :)
[01:10] <lovinglinux> what time is there right now and what time it starts?
[01:10] <bodhi_zazen> I hope that the sessions are logged and posted in classroom
[01:10] <bodhi_zazen> It is just past 7 PM local time for me
[01:10] <bodhi_zazen> Sessions will start at 6 pm local time
[01:11] <lovinglinux> Ok, great
[01:11] <bodhi_zazen> and if anyone has a topic, add it to the list
[01:11] <bodhi_zazen> I think we do another security session in 2 weeks
=== k00011 is now known as k0001
[01:11] <bodhi_zazen> and after that I have been asked to cover permissions
[01:11] <lovinglinux> permissions will be nice
[01:12] <linuxwarrior> will the session on the 26th be the same as this one ?
[01:12] <bodhi_zazen> Add your topic here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:12] <bodhi_zazen> put my name in as the instructor
[01:13] <bodhi_zazen> and I will add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
[01:13] <bodhi_zazen> linuxwarrior: same topic
[01:13] <bodhi_zazen> Hopefully different questions :)
[01:13] <bodhi_zazen> I hope people will try iptables, apparmor, etc and bring questions
[01:13] <Snova> Hmm... I could probably help with a few of those.
[01:14] <linuxwarrior> ok ;)
[01:14] <bodhi_zazen> http://bodhizazen.net/Tutorials/iptables/
[01:14] <bodhi_zazen> I posted a number of links here : http://paste.ubuntu.com/133993/
[01:14] <Traveler15164> what i don't get is i can genprof firefox and play around with it, then do the scan and it doesn't really add that much to the profile
[01:14] <bodhi_zazen> no Traveler15164
[01:15] <bodhi_zazen> That is the problem with apparmor, you will need to emulate a profile or make your own
[01:15] <bodhi_zazen> firefox is not the best to start because it is large
[01:15] <bodhi_zazen> Start with say xchat
[01:15] <bodhi_zazen> or your irc client
[01:15] <bodhi_zazen> and then go to firefox
[01:15] <bodhi_zazen> sudo aa-enforce xchat
[01:15] <bodhi_zazen> then
[01:15] <lovinglinux> Is there a requirement for classes to be related with system configuration or can they be about how to use a specific kind of program, like multimedia for example?
[01:16] <bodhi_zazen> tail -F /var/log/messages
[01:16] <bodhi_zazen> open xchat and watch and resolve errors
[01:16] <bodhi_zazen> lovinglinux: topics are open
[01:17] <bodhi_zazen> we (the beginners team) are here to educate and we really want to grow this service and cover topics of interest to the community
[01:17] <bodhi_zazen> We hope to add things like Moodle
[01:17] <bodhi_zazen> http://fmc.isgreat.org/Ubuntu_Classroom/index.html
[01:17] <bodhi_zazen> so we can develop more formal content
[01:17] <bodhi_zazen> but ...
[01:17] <Traveler15164> if you put just enough in the firefox profile to allow firefox to start up, then it lets you view or change anything in that session but the settings or cache isn't saved, correct?
[01:17] <bodhi_zazen> we are in the beginning phases
[01:17] <Traveler15164> sorta like a sandboxing app
[01:18] <bodhi_zazen> yes, I think Traveler15164
[01:18] <lovinglinux> So maybe I could help with some stuff, like how to organize image collections using IPTC, EXIF and so on. I will think about it.
[01:18] <bodhi_zazen> If you change (edit) the profile, you need to restart both apparmor and firefox for the effects to take place
[01:18] <Traveler15164> ok
[01:18] <bodhi_zazen> not always firefox, but it does not hurt
[01:19] <bodhi_zazen> Sometimes you also need to clear your cache on firefox as well
[01:19] <bodhi_zazen> lovinglinux: any help you can offer would be awesome
[01:19] <bodhi_zazen> some team members help with content
[01:19] <bodhi_zazen> others teach
[01:19] <bodhi_zazen> some do nothing
[01:19] <bodhi_zazen> :)
[01:19] <lovinglinux> lol
[01:19] <bodhi_zazen> it is a team effort and we are all volunteers
[01:20] <bodhi_zazen> the main limiting factor , of course, is my time
[01:20] <bodhi_zazen> I rely on the focus groups to help
[01:20] <bodhi_zazen> OK, I gotta go
[01:20] <bodhi_zazen> really, thank you all for coming
[01:20] <bodhi_zazen> and lets see if we can continue and extend these sessions
[01:21] <Halow> Thanks again. :)
}}}

Thank you for your interest in Securing Ubuntu!

BodhiZazen will be running two Q&A sessions on IRC to discuss security and security issues.

Please review these threads and bring your questions:

  1. Ubuntu Security

  2. Intrusion Detection

  3. Apparmor

 106 [00:15] <bodhi_zazen> Next NIDS
 107 [00:15] <bodhi_zazen> NIDS is sophisticated and even the geekiest will find this hard
 108 [00:16] <bodhi_zazen> You need to understand basic networking protocols, tcp, udp, ping, etc
 109 [00:16] <bodhi_zazen> Tools include snort and wireshark
 110 [00:16]  * jimi_hendrix tried wireshark one to sniff some packets i was sending
 111 [00:16] <Nano_ext3> ive take Cisco CCNA, and Id still have enormous trouble with that
 112 [00:16] <Nano_ext3> wireshark I have used
 113 [00:16]  * jimi_hendrix 's head blew up
 114 [00:16] <bodhi_zazen> these tools are "packte sniffers" and will montior your network traffic
 115 [00:17] <Nano_ext3> I reccomend wireshark
 116 [00:17] <bodhi_zazen> snort will user a set of rules to identify potentially problematic activity, although lots of false positives
 117 [00:17] <bodhi_zazen> wireshark will monitor the raw packets
 118 [00:17] <bodhi_zazen> in a nut shell
 119 [00:18] <bodhi_zazen> Next line of defense - SELinux / Apparmor
 120 [00:18] <Nano_ext3> :)
 121 [00:18] <jimi_hendrix> SELinux != distro right
 122 [00:18] <Snova> No, it's a security framework built into the kernel.
 123 [00:18] <Nano_ext3> no
 124 [00:18] <Nano_ext3> to jimi
 125 [00:18] <Nano_ext3> security monitor
 126 [00:18] <bodhi_zazen> These are very powerful tools and these are the first tools that can protect you against unknown exploits and Zero day exploits
 127 [00:18] <bodhi_zazen> These tools can limit even root
 128 [00:18] <Nano_ext3> zero day?
 129 [00:19] <Snova> Security exploits, on the day they are found, before they are patched.
 130 [00:19] <bodhi_zazen> http://en.wikipedia.org/wiki/Zero-Day_Attack
 131 [00:19] <bodhi_zazen> Ubuntu uses Apparmor, but it needs to be configured
 132 [00:19] <bodhi_zazen> Most people find apparmor easy to understand
 133 [00:20] <bodhi_zazen> The point, IMO, of apparmor is to "confine" any network applications
 134 [00:20] <bodhi_zazen> such as firefox, thunderbird, etc
 135 [00:20] <bodhi_zazen> you limit what they can do on your os
 136 [00:20] <bodhi_zazen> you can also limit a users shell, as I will show you on the shared ssh session
 137 [00:20] <Nano_ext3> cool
 138 [00:20] <lovinglinux> can be used with torrent applications?
 139 [00:21] <Snova> Anything.
 140 [00:21] <bodhi_zazen> IMO SELINUX and Apparmor are mis characterized as "overkill"
 141 [00:21] <bodhi_zazen> lovinglinux: yes
 142 [00:21] <bodhi_zazen> I am collecting apparmor profiles here : http://bodhizazen.net/aa-profiles/
 143 [00:21] <lovinglinux> So if someone exploit a vunerability on my torrent client, then Apparmor can prevent it from achieving success?
 144 [00:21] <bodhi_zazen> I have a profile for rtorrent
 145 [00:22] <Snova> lovinglinux: AppArmor can prevent it from accomplishing anything by restricting access to the filesystem, which is mostly the same thing.
 146 [00:22] <bodhi_zazen> If anyone is willing to contribute, send me your profiles ( bodhi.zazen @ ubuntu.com)
 147 [00:22] <bodhi_zazen> and I will post them as well
 148 [00:22] <Nano_ext3> i will have time this weeked to learn it bodhi
 149 [00:22] <lovinglinux> do you know a good tutorial for apparmor?
 150 [00:22] <Nano_ext3> bodhi link him your thread
[00:22] <Nano_ext3> :)
[00:22] <bodhi_zazen>  /end long winded security drive by
[00:23] * jimi_hendrix puts away machine gun
[00:23] <bodhi_zazen> Links are here : http://paste.ubuntu.com/133993/
[00:23] <lovinglinux> thanks
[00:23] <Snova> AppArmor introduction: http://ubuntuforums.org/showthread.php?t=1008906
[00:23] <bodhi_zazen> OK , with that background, questions please ?
[00:23] <Snova> Oh, didn't notice the links at the bottom of that..
[00:23] <bodhi_zazen> Or do you want to see what the shared session can do ?
[00:23] <bodhi_zazen> ie live demo ?
[00:24] * jimi_hendrix raises hand
[00:24] <bodhi_zazen> go jimi_hendrix :)
[00:24] <jimi_hendrix> if i am running a webserver (linux of course...well maybe a *BSD)...and its just pages with html, what am i at risk for
[00:25] <bodhi_zazen> apache attacks, php attacks, and DOS are the major ones
[00:25] <bodhi_zazen> The damage depends on the attack
[00:26] <bodhi_zazen> I have seen php code that takes your cookies for example (think passwords for web sites)
[00:26] <bodhi_zazen> If a crack allows "arbitrary code" think an intruder then has root access
[00:26] <lovinglinux> Do I need to create apparmor profiles for all applications that connect to network or just for those that listen to ports?
[00:26] <bodhi_zazen> many attacks then use your box to attack others, send spam, spoof ip, what have you
[00:27] <bodhi_zazen> IMO lovinglinux all apps that access the internet
[00:27] <jimi_hendrix> bodhi_zazen, i said just html, no php
[00:27] <bodhi_zazen> although as you can see I do not yet have profiles for all apps yet
[00:28] <bodhi_zazen> jimi_hendrix: LAMP == Linux apache Mysql and PHP so I included it in the broader discussion
[00:28] <jimi_hendrix> ok
[00:28] <bodhi_zazen> Want to see a demo ?
[00:28] <jimi_hendrix> yes
[00:28] <bodhi_zazen> On the ssh session ?
[00:28] <Nano_ext3> yeps
[00:28] <bodhi_zazen> OK
[00:29] <bodhi_zazen> anyone need assistance connecting via ssh ?
[00:29] <bodhi_zazen> ok, the guru account has root access
[00:29] <bodhi_zazen> as you can see
[00:30] <bodhi_zazen> the guru account can install applications
[00:30] <Traveler15164> yeah, i keep getting the Permission denied (publickey) error
[00:30] <bodhi_zazen> :)
[00:30] <bodhi_zazen> someone help Traveler15164 please :)
[00:30] <lovinglinux> sorry, I know how to use ssh, but don't know which server I'm supposed to connect to
[00:30] <bodhi_zazen> I will wait and answer questions
[00:31] <bodhi_zazen> you need the key
[00:31] <bodhi_zazen> then ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
[00:31] <bodhi_zazen> pw = padawan
[00:31] <Nano_ext3> http://paste.ubuntu.com/133993/
[00:31] <Nano_ext3> follow exactly
[00:31] <Nano_ext3> verbatim
[00:31] <bodhi_zazen> http://paste.ubuntu.com/133993/
[00:31] <Nano_ext3> via terminal
[00:31] <bodhi_zazen> for keys
[00:31] <Nano_ext3> beat you to it :)
[00:31] <bodhi_zazen> any other questions while we are waiting
[00:31] <bodhi_zazen> ?
[00:32] <bodhi_zazen> chickens, all questions are welcome :)
[00:33] <bodhi_zazen> you in Traveler15164 ?
[00:33] <bodhi_zazen> lovinglinux: ?
[00:33] <Traveler15164> nope
[00:33] <bodhi_zazen> Traveler15164: what do you need help with ?
[00:33] <bodhi_zazen> do you have the key ?
[00:33] <lovinglinux> just a second
[00:33] <Traveler15164> yes
[00:33] <bodhi_zazen> do you know how to use it ?
[00:34] <Traveler15164> i got it and placed it in a new empty file?
[00:34] <Traveler15164> named ufbt-guest and chmod 400 on that
[00:34] <Snova> Stick it in ~/.ssh
[00:34] <Traveler15164> it is
[00:34] <bodhi_zazen> ok
[00:34] <Snova> ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
[00:34] <Nano_ext3> you have to place that text in ~/.ssh/ufbt-guest
[00:34] <Nano_ext3> and then chmod 400 on that file
[00:35] <Nano_ext3> its all in the paste link
[00:35] <Nano_ext3> http://paste.ubuntu.com/133993/
[00:35] <lovinglinux> The authenticity of host xxxxxxxxxxx can't be established.
[00:35] <Traveler15164> i'll redo it all to make sure
[00:35] <bodhi_zazen> lol lovinglinux
[00:35] <Snova> lovinglinux: That's normal, just confirm it.
[00:35] <bodhi_zazen> say yes :)
[00:36] <bodhi_zazen> Traveler15164: cd .ssh
[00:36] <lovinglinux> lol, stupid me
[00:36] <bodhi_zazen> rm ufbt-guest
[00:36] <bodhi_zazen> wget http://bodhizazen.net/beginners/ufbt-guest
[00:36] <bodhi_zazen> chmod 400 ufbt
[00:36] <Rocket2DMn> you may have to "ssh bodhizazen.net" first and accept the fingerprint
[00:36] <bodhi_zazen> ssh guest@bodhizazen.net -i ./ufbt-guest
[00:36] <Rocket2DMn> then just ctrl-c without doing any authentication
[00:37] <Rocket2DMn> then do the ssh command above to use the key
[00:37] <lovinglinux> Connection closed by xxxxxxxxx
[00:37] <Rocket2DMn> i found if you use the key without having the fingerprint cached, it doesnt give you the option to store it and it aborts
[00:38] <bodhi_zazen> thanks Rocket2DMn
[00:38] <bodhi_zazen> Traveler15164: you in ?
[00:38] <Traveler15164> redoing it worked
[00:38] <bodhi_zazen> lovinglinux: ?
[00:38] <Traveler15164> strange
[00:38] <bodhi_zazen> OK, so ...
[00:38] <bodhi_zazen> as you can see we are root :)
[00:38] <lovinglinux> OK, I am in
[00:38] <Nano_ext3> yay!
[00:38] <bodhi_zazen> as you can see, we started a new shell
[00:39] * Nano_ext3 runs around in circles with streamers
[00:39] <bodhi_zazen> guru was jailzsh
[00:39] <bodhi_zazen> root is bash
[00:39] <bodhi_zazen> but the apparmor confinement follows us
[00:39] <bodhi_zazen> so ...
[00:39] <bodhi_zazen> First I am limiting root with iptables ...
[00:40] <bodhi_zazen> sorry for the typo :(
[00:40] <bodhi_zazen> as you can see, root can ping google , but not my lan
[00:40] <jimi_hendrix> back
[00:40] <bodhi_zazen> so lets stop iptables :)
[00:41] <bodhi_zazen> OH NO
[00:41] <bodhi_zazen> Permission denied
[00:41] <jimi_hendrix> sudo it!
[00:41] <Halow> He's root....
[00:41] <jimi_hendrix> (i know)
[00:41] <Rocket2DMn> tab complete fail
[00:41] <bodhi_zazen> ok ..
[00:42] <bodhi_zazen> lets mess with the settings a little
[00:42] <bodhi_zazen> foiled again :)
[00:42] <bodhi_zazen> Lets try this ::)
[00:43] <bodhi_zazen> :)
[00:44] <Halow> :O
[00:44] <Snova> Ok, so the AppArmor restrictions followed you from jailzsh to root's Bash?
[00:44] <bodhi_zazen> so you can see, although root can install apps, access to critical system files is restricted
[00:44] <jimi_hendrix> r00t has uber fail?
[00:44] <bodhi_zazen> yes Snova
[00:44] <bodhi_zazen> We can start a new shell if we wish
[00:45] <Rocket2DMn> My head just exploded.
[00:45] <Nano_ext3> ugh gotta run, sorry guys
[00:45] <bodhi_zazen> so ..
[00:45] <Nano_ext3> have to head home for work tomorrow :(
[00:45] <Rocket2DMn> now bodhi_zazen , do these restrictions apply only when using sudo to access root?  What if you had a true root login, like "su -" ?
[00:45] <Snova> Bye Nano_ext3.
[00:45] <Nano_ext3> laters :(
[00:45] <bodhi_zazen> any process you start is confined by apparmor
[00:45] <bodhi_zazen> the restrictions follow you
[00:45] <Nano_ext3> ill read more on aa this weekend
[00:46] <Nano_ext3> def
[00:46] <Nano_ext3> laters
[00:46] <bodhi_zazen> no Rocket, watch
[00:46] <bodhi_zazen> see, we are now guru again ?
[00:46] <bodhi_zazen> guru is given jailzsh as a default shell
[00:47] <bodhi_zazen> jailzsh is an apparmor profile and I think I can show it to you
[00:47] <bodhi_zazen> There it is ...
[00:47] <lovinglinux> That's it? Looks simple.
[00:47] <bodhi_zazen> that was jail bash
[00:48] <bodhi_zazen> jailbash is from jdong
[00:48] <bodhi_zazen> posted here :
[00:48] <bodhi_zazen> http://bodhizazen.net/aa-profiles/jdong/ubuntu-8.04/usr.local.bin.jailbash
[00:48] <bodhi_zazen> and yes, it is simple
[00:49] <lovinglinux> I'm gonna try this
[00:49] <bodhi_zazen> I am restricting access to jailzsh as it is a fair amount more permissive than jailbash
[00:49] <bodhi_zazen> anything else you want to see in the shared session ?
[00:50] <bodhi_zazen> please, other security questions ?
[00:50] <jimi_hendrix> bodhi_zazen, is it possible to secure a windows server?
[00:50] <bodhi_zazen> yes, of course
[00:51] <Rocket2DMn> ahh hardened windows servers :)
[00:51] <lovinglinux> I have one stupid question at http://ubuntuforums.org/showthread.php?t=1100778
[00:51] <bodhi_zazen> Again, I am collecting aa profiles here : http://bodhizazen.net/aa-profiles/
[00:51] <bodhi_zazen> download them, try them out, and if you wish send me your modifications and I will post them for others
[00:52] <bodhi_zazen> lovinglinux: in a nut shell, no your router is not ipv6
[00:52] <bodhi_zazen> most people disable ipv6
[00:53] <jimi_hendrix> Rocket2DMn, is it possible then?
[00:53] <bodhi_zazen> ip providers hate ipv6 because ipv6 makes them obsolete as an ip provider
[00:53] <bodhi_zazen> they would need to provide the physical layer however
[00:53] <Rocket2DMn> yes jimi_hendrix you can lock down windows servers
[00:53] <lovinglinux> bodhi_zazen:  so just leave ipv6 alone right? No need for iptables rules?
[00:53] <bodhi_zazen> yes, or you can disable it if you wish
[00:53] <lovinglinux> bodhi_zazen:  thanks
[00:54] <bodhi_zazen> some people think their box runs faster if they disable it
[00:54] <bodhi_zazen> np
[00:54] <bodhi_zazen> please, I have been ranting, questions, questions :)
[00:54] <jimi_hendrix> what is the average airspeed of a swallow
[00:54] <lovinglinux> is there an alternative for intrusion detection without using MySQL?
[00:55] <bodhi_zazen> yes lovinglinux
[00:55] <bodhi_zazen> you can use snort + barnyard
[00:56] <lovinglinux> I will look into that. Thanks
[00:56] <bodhi_zazen> lovinglinux: http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1255683_tax307468,00.html
[00:57] <bodhi_zazen> although that may use mysql, and if so, my mistake
[00:57] <ds305> quit Thanks bodhi
[00:57] <jgoguen> lol :)
[00:58] <lovinglinux> I have another question. Please wait because I have an inflamed finger, so I need time to type.
[00:58] <bodhi_zazen> go lovinglinux
[00:58] <bodhi_zazen> Well, we are close to the hour
[00:59] <bodhi_zazen> Watch, if I close the screen session you all are disconnected :)
[00:59] <bodhi_zazen> >:)
[00:59] <Snova> Oh, like that? ;)
[00:59] <bodhi_zazen> Just like that
[00:59] <lovinglinux> I have an iptables rule to accept established connections. If I have a client listening on a port, but no other ports opened, is it possible for someone already connected to my client to establish connections on other ports?
[00:59] <bodhi_zazen> The guest account can not connect without a session running
[00:59] <bodhi_zazen> if you try you will be blacklisted after a few attempts
[01:00] <bodhi_zazen> hard to follow lovinglinux
[01:00] <lovinglinux> bodhi_zazen: maybe it's just my paranoia
[01:01] <bodhi_zazen> If your client is cracked and you are dropping new connections I do not think normally the client could establish a new connection on a new port
[01:01] <bodhi_zazen> I guess they could use the established connection and leverage additional exploits
[01:02] <lovinglinux> bodhi_zazen: through the same port?
[01:02] <bodhi_zazen> Well, thank you everyone, it is 7 so we are "officially" over, although I will be available for say 10-15 minutes
[01:02] <bodhi_zazen> then I have to go to my family
[01:02] <duanedesign> awesome!!! thank you
[01:02] <bodhi_zazen> in theory lovinglinux
[01:02] <Halow> Yes, thank you!
[01:03] <bodhi_zazen> since the connection is established ...
[01:03] <lovinglinux> Thank you very much. Really nice experience, especially the shared ssh session.
[01:03] <bodhi_zazen> you are most welcome everyone
[01:03] <duanedesign> applause
[01:03] <bodhi_zazen> the beginners team is going to run additional sessions
[01:03] <bodhi_zazen> and the shared ssh session is available to anyone willing to teach
[01:04] <bodhi_zazen> I have found the shared ssh session is a very effective demo for apparmor and iptables , lol
[01:05] <bodhi_zazen> wb k0001 :)
[01:05] <lovinglinux> bodhi_zazen:  what do you think about UPnP?
[01:05] <bodhi_zazen> Not a lot
[01:05] <bodhi_zazen> Again, we all like convenience
[01:05] <k0001> bodhi_zazen: hello
[01:05] <bodhi_zazen> but we all hate it when we are cracked, lol
[01:05] <lovinglinux> lol
[01:06] <bodhi_zazen> so it is nice (off UPnP) for our flash drives to auto mount
[01:06] <bodhi_zazen> but not so nice when malignant code uses this to automatically start its evil work ;)
[01:07] <bodhi_zazen> security and convenience == yin and yang and we must bring balance to the force
[01:08] <bodhi_zazen> it is just that the balance point is dependent on sphincter tone, :p
[01:08] <lovinglinux> lol
[01:08] <bodhi_zazen> If anyone is interested in topics or teaching sessions, please let me know
[01:08] <lovinglinux> do I need to keep your key for further sessions?
[01:09] <bodhi_zazen> I shall try to run a session every other week at this time with varied topics
[01:09] <bodhi_zazen> I am sorry to have such limited times, I wish I could vary it more, but I have a family so this works best
[01:09] <duanedesign> that is much appreciated
[01:09] <bodhi_zazen> yes lovinglinux
[01:10] <duanedesign> :)
[01:10] <lovinglinux> what time is it there right now and what time does it start?
[01:10] <bodhi_zazen> I hope that the sessions are logged and posted in classroom
[01:10] <bodhi_zazen> It is just past 7 PM local time for me
[01:10] <bodhi_zazen> Sessions will start at 6 pm local time
[01:11] <lovinglinux> Ok, great
[01:11] <bodhi_zazen> and if anyone has a topic, add it to the list
[01:11] <bodhi_zazen> I think we do another security session in 2 weeks
=== k00011 is now known as k0001
[01:11] <bodhi_zazen> and after that I have been asked to cover permissions
[01:11] <lovinglinux> permissions will be nice
[01:12] <linuxwarrior> will the session on the 26th be the same as this one ?
[01:12] <bodhi_zazen> Add your topic here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
[01:12] <bodhi_zazen> put my name in as the instructor
[01:13] <bodhi_zazen> and I will add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
[01:13] <bodhi_zazen> linuxwarrior: same topic
[01:13] <bodhi_zazen> Hopefully different questions :)
[01:13] <bodhi_zazen> I hope people will try iptables, apparmor, etc and bring questions
[01:13] <Snova> Hmm... I could probably help with a few of those.
[01:14] <linuxwarrior> ok ;)
[01:14] <bodhi_zazen> http://bodhizazen.net/Tutorials/iptables/
[01:14] <bodhi_zazen> I posted a number of links here : http://paste.ubuntu.com/133993/
[01:14] <Traveler15164> what i don't get is i can genprof firefox and play around with it, then do the scan and it doesn't really add that much to the profile
[01:14] <bodhi_zazen> no Traveler15164
[01:15] <bodhi_zazen> That is the problem with apparmor, you will need to emulate a profile or make your own
[01:15] <bodhi_zazen> firefox is not the best to start because it is large
[01:15] <bodhi_zazen> Start with say xchat
[01:15] <bodhi_zazen> or your irc client
[01:15] <bodhi_zazen> and then go to firefox
[01:15] <bodhi_zazen> sudo aa-enforce xchat
[01:15] <bodhi_zazen> then
[01:15] <lovinglinux> Is there a requirement for classes to be related to system configuration or can they be about how to use a specific kind of program, like multimedia for example?
[01:16] <bodhi_zazen> tail -F /var/log/messages
[01:16] <bodhi_zazen> open xchat and watch and resolve errors
[01:16] <bodhi_zazen> lovinglinux: topics are open
[01:17] <bodhi_zazen> we (the beginners team) are here to educate and we really want to grow this service and cover topics of interest to the community
[01:17] <bodhi_zazen> We hope to add things like Moodle
[01:17] <bodhi_zazen> http://fmc.isgreat.org/Ubuntu_Classroom/index.html
[01:17] <bodhi_zazen> so we can develop more formal content
[01:17] <bodhi_zazen> but ...
[01:17] <Traveler15164> if you put just enough in the firefox profile to allow firefox to start up, then it lets you view or change anything in that session but the settings or cache isn't saved, correct?
[01:17] <bodhi_zazen> we are in the beginning phases
[01:17] <Traveler15164> sorta like a sandboxing app
[01:18] <bodhi_zazen> yes, I think Traveler15164
[01:18] <lovinglinux> So maybe I could help with some stuff, like how to organize image collections using IPTC, EXIF and so on. I will think about it.
[01:18] <bodhi_zazen> If you change (edit) the profile, you need to restart both apparmor and firefox for the effects to take place
[01:18] <Traveler15164> ok
[01:18] <bodhi_zazen> not always firefox, but it does not hurt
[01:19] <bodhi_zazen> Sometimes you also need to clear your cache on firefox as well
[01:19] <bodhi_zazen> lovinglinux: any help you can offer would be awesome
[01:19] <bodhi_zazen> some team members help with content
[01:19] <bodhi_zazen> others teach
[01:19] <bodhi_zazen> some do nothing
[01:19] <bodhi_zazen> :)
[01:19] <lovinglinux> lol
[01:19] <bodhi_zazen> it is a team effort and we are all volunteers
[01:20] <bodhi_zazen> the main limiting factor , of course, is my time
[01:20] <bodhi_zazen> I rely on the focus groups to help
[01:20] <bodhi_zazen> OK, I gotta go
[01:20] <bodhi_zazen> really, thank you all for coming
[01:20] <bodhi_zazen> and lets see if we can continue and extend these sessions
[01:21] <Halow> Thanks again. :)

BeginnersTeam/FocusGroups/EducationOLD/Events/032009 (last edited 2009-10-15 20:32:55 by host-84-13-223-244)