032009
Revision 7 as of 2009-10-15 20:32:55
Thank you for your interest in Securing Ubuntu!
BodhiZazen will be running two Q&A sessions on IRC to discuss security and security issues.
Please review these threads and bring your questions:
Logs for 19/03 and 26/03
19/03/2009
1 [00:00] <bodhi_zazen> Probably one at a time for guests
2 [00:00] <Rocket2DMn> ack im fighting with someone
3 [00:00] <Nano_ext3> we are all fighting lolz
4 [00:00] <Nano_ext3> can I type something everyone?
5 [00:00] <Nano_ext3> :)
6 [00:01] <bodhi_zazen> I can see everyone has hit the wall :)
7 [00:01] <Rocket2DMn> i should customize my terminal like bodhi_zazen has
8 [00:01] <Rocket2DMn> is that a bash thing?
9 [00:01] <jimi_hendrix> bodhi_zazen, what programs are those
10 [00:01] <bodhi_zazen> OK, lets get this show on the wall
11 [00:01] <bodhi_zazen> :)
12 [00:01] <Nano_ext3> haha
13 [00:01] <WastePotato> \o/
14 [00:01] <bodhi_zazen> First , thank you everyone for coming to this session
15 [00:01] <rraj_be> bodhi_zazen: sorry for interrupting, when i tried it, it's giving like "Enter passphrase for key '/home/raj/.ssh/ufbt-guest':"
16 [00:02] <Snova> rraj_be: "padawan"
17 [00:02] <jimi_hendrix> bodhi_zazen, what's that shell
18 [00:02] <bodhi_zazen> Let me assure you , the beginners team put me up to this
19 [00:02] <rraj_be> k Snova
20 [00:02] <jimi_hendrix> ive heard zsh but not jailzsh
21 [00:02] <Snova> jimi_hendrix: A jailed Zsh. :)
22 [00:02] <jimi_hendrix> which is?
23 [00:02] <bodhi_zazen> it is a shell I make for apparmor jimi_hendrix
24 [00:02] <bodhi_zazen> it is zsh
25 [00:02] <Snova> Zsh, in a restricted environment.
26 [00:02] <jimi_hendrix> ahh
27 [00:02] <jimi_hendrix> did you edit it or something
28 [00:02] <jimi_hendrix> edit the source*
29 [00:02] <WastePotato> :(
30 [00:03] <Snova> No, that's what AppArmor is for.
31 [00:03] <bodhi_zazen> The intention is to raise awareness of security and so here we are :)
32 [00:03] <jimi_hendrix> ok
33 [00:03] * jimi_hendrix raises hand
34 [00:03] <bodhi_zazen> What do people want me to cover, what questions do you have ?
35 [00:03] * jimi_hendrix raises hand
36 [00:03] <rraj_be> Snova: Enter passphrase for key '/home/raj/.ssh/ufbt-guest':
37 [00:03] <bodhi_zazen> go jimi_hendrix :)
38 [00:03] <rraj_be> Permission denied (publickey).
39 [00:03] <Nano_ext3> show how to implement profiles
40 [00:03] <bodhi_zazen> rraj_be: padawan
41 [00:03] <Nano_ext3> http://paste.ubuntu.com/133993/
42 [00:03] <jimi_hendrix> bodhi_zazen, i dual boot windows and ubuntu
43 [00:03] <jimi_hendrix> do i need an antivirus on ubuntu
44 [00:03] <rraj_be> ok bodhi_zazen
45 [00:04] <Nano_ext3> jimi_hendrix: hahah no
46 [00:04] <Nano_ext3> this is for user control
47 [00:04] <Nano_ext3> security on a server if you may
48 [00:04] <bodhi_zazen> someone help rraj_be in a private window or on ##beginenrs-help
49 [00:04] <bodhi_zazen> OK, antivirus first then :)
50 [00:04] <bodhi_zazen> you will get varied opinions
51 [00:04] * jimi_hendrix uses AVG on windows
52 [00:05] <bodhi_zazen> IMO antivirus is best used on your windows boxes
53 [00:05] <Nano_ext3> Agreed
54 [00:05] <bodhi_zazen> IMO Linux antivirus is best on file or mail servers
55 [00:05] <Nano_ext3> things that need the security
56 [00:05] <bodhi_zazen> IMO scanning your Linux desktop with antivirus will yield lots of false positives
57 [00:05] <jimi_hendrix> what about a webserver
58 [00:05] <Nano_ext3> for desktop , not an issue really
59 [00:05] * jimi_hendrix is thinking of setting up a webserver
60 [00:05] <Nano_ext3> yes on a webserver I would say
61 [00:05] <Rocket2DMn> bodhi_zazen, if you need a place to start the discussion, why dont you briefly explain some of the tools you use to enhance security in linux (apparmor, iptables, ossec, snort, etc). e.g. in one sentence each, what do they do?
62 [00:06] <Nano_ext3> anything that deals with heavy user traffic
63 [00:06] <bodhi_zazen> good idea Rocket2DMn :)
64 [00:06] <Nano_ext3> yea
65 [00:06] <bodhi_zazen> The linux tools are a bit different
66 [00:06] <bodhi_zazen> and linux is modular ...
67 [00:06] <bodhi_zazen> The first line of defense is, of course, permissions
68 [00:06] <bodhi_zazen> sudo vs su ?
69 [00:06] <Nano_ext3> yea
70 [00:07] <jimi_hendrix> sudo runs one command su changes your user
71 [00:07] <bodhi_zazen> su gives all or none root access
72 [00:07] <Rocket2DMn> (or other user access)
73 [00:07] <bodhi_zazen> sudo allows finer control
74 [00:07] <bodhi_zazen> sudo -i for a root shell
75 [00:07] <bodhi_zazen> Next a firewall
76 [00:07] <bodhi_zazen> firewall are also full of opinions
77 [00:08] <bodhi_zazen> In general, you should use a router as a router has a firewall built in
78 [00:08] <Nano_ext3> thats how I do it
79 [00:08] <bodhi_zazen> a default install of ubuntu has no servers listening, so the default settings behind a router are just fine
80 [00:08] <Nano_ext3> Not versed in linux firewalls yet
81 [00:09] <bodhi_zazen> If you wish to use a firewall, to set up your own router (NAT) or limit connections, the firewall is iptables
82 [00:09] <jimi_hendrix> what about firestarter?
83 [00:09] <bodhi_zazen> iptables can be configured with commands, a script, ufw, or a gui tool such as GUFW, Guarddog, firestarter, shorewall, etc
84 [00:10] <bodhi_zazen> guarddog has very nice built in help
85 [00:10] <bodhi_zazen> the gui tools are not the firewall, only config tools
86 [00:10] <bodhi_zazen> Open them, config iptables, close them
87 [00:10] <Nano_ext3> think router access list , but on the OS itself via iptables
88 [00:10] <bodhi_zazen> I advise you NOT use Firestarter to monitor your network traffic
89 [00:11] <bodhi_zazen> Next , everyone know the terms HIDS / NIDS ?
90 [00:11] <Nano_ext3> no
91 [00:11] <bodhi_zazen> http://en.wikipedia.org/wiki/Intrusion-detection_system
92 [00:11] <bodhi_zazen> http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
93 [00:12] <bodhi_zazen> http://en.wikipedia.org/wiki/Network_intrusion_detection_system
94 [00:12] <bodhi_zazen> OK, HIDS, most new users are familiar with say Windows antivirus scanners
95 [00:12] <bodhi_zazen> This is a HIDS
96 [00:12] <Nano_ext3> k
97 [00:12] <bodhi_zazen> so is rkhunter and chkrootkit
98 [00:12] <bodhi_zazen> as is OSSEC, tripwire, etc
99 [00:13] <bodhi_zazen> use these tools to monitor your system for unauthorized changes
100 [00:13] <bodhi_zazen> rkhunter and chkrootkit have a bunch of false positives, learn what they are
101 [00:13] <duanedesign> do you recommend running chkrootkit from a usb device
102 [00:13] <bodhi_zazen> and what a "normal" system is
103 [00:14] <bodhi_zazen> duanedesign: I do not think it matters really
104 [00:14] <bodhi_zazen> The point is, you can not monitor your system for changes if you do not know what normal is
105 [00:14] <bodhi_zazen> You will get alerts when you say install new software as well, or change a config file
106 [00:15] <bodhi_zazen> Next NIDS
107 [00:15] <bodhi_zazen> NIDS is sophisticated and even the geekiest will find this hard
108 [00:16] <bodhi_zazen> You need to understand basic networking protocols, tcp, udp, ping, etc
109 [00:16] <bodhi_zazen> Tools include snort and wireshark
110 [00:16] * jimi_hendrix tried wireshark once to sniff some packets i was sending
111 [00:16] <Nano_ext3> ive take Cisco CCNA, and Id still have enormous trouble with that
112 [00:16] <Nano_ext3> wireshark I have used
113 [00:16] * jimi_hendrix 's head blew up
114 [00:16] <bodhi_zazen> these tools are "packet sniffers" and will monitor your network traffic
115 [00:17] <Nano_ext3> I recommend wireshark
116 [00:17] <bodhi_zazen> snort will use a set of rules to identify potentially problematic activity, although lots of false positives
117 [00:17] <bodhi_zazen> wireshark will monitor the raw packets
118 [00:17] <bodhi_zazen> in a nut shell
119 [00:18] <bodhi_zazen> Next line of defense - SELinux / Apparmor
120 [00:18] <Nano_ext3> :)
121 [00:18] <jimi_hendrix> SELinux != distro right
122 [00:18] <Snova> No, it's a security framework built into the kernel.
123 [00:18] <Nano_ext3> no
124 [00:18] <Nano_ext3> to jimi
125 [00:18] <Nano_ext3> security monitor
126 [00:18] <bodhi_zazen> These are very powerful tools and these are the first tools that can protect you against unknown exploits and Zero day exploits
127 [00:18] <bodhi_zazen> These tools can limit even root
128 [00:18] <Nano_ext3> zero day?
129 [00:19] <Snova> Security exploits, on the day they are found, before they are patched.
130 [00:19] <bodhi_zazen> http://en.wikipedia.org/wiki/Zero-Day_Attack
131 [00:19] <bodhi_zazen> Ubuntu uses Apparmor, but it needs to be configured
132 [00:19] <bodhi_zazen> Most people find apparmor easy to understand
133 [00:20] <bodhi_zazen> The point, IMO, of apparmor is to "confine" any network applications
134 [00:20] <bodhi_zazen> such as firefox, thunderbird, etc
135 [00:20] <bodhi_zazen> you limit what they can do on your os
136 [00:20] <bodhi_zazen> you can also limit a users shell, as I will show you on the shared ssh session
137 [00:20] <Nano_ext3> cool
138 [00:20] <lovinglinux> can be used with torrent applications?
139 [00:21] <Snova> Anything.
140 [00:21] <bodhi_zazen> IMO SELINUX and Apparmor are mis characterized as "overkill"
141 [00:21] <bodhi_zazen> lovinglinux: yes
142 [00:21] <bodhi_zazen> I am collecting apparmor profiles here : http://bodhizazen.net/aa-profiles/
143 [00:21] <lovinglinux> So if someone exploits a vulnerability on my torrent client, then Apparmor can prevent it from achieving success?
144 [00:21] <bodhi_zazen> I have a profile for rtorrent
145 [00:22] <Snova> lovinglinux: AppArmor can prevent it from accomplishing anything by restricting access to the filesystem, which is mostly the same thing.
146 [00:22] <bodhi_zazen> If anyone is willing to contribute, send me your profiles ( bodhi.zazen @ ubuntu.com)
147 [00:22] <bodhi_zazen> and I will post them as well
148 [00:22] <Nano_ext3> i will have time this weekend to learn it bodhi
149 [00:22] <lovinglinux> do you know a good tutorial for apparmor?
150 [00:22] <Nano_ext3> bodhi link him your thread
151 [00:22] <Nano_ext3> :)
152 [00:22] <bodhi_zazen> /end long winded security drive by
153 [00:23] * jimi_hendrix puts away machine gun
154 [00:23] <bodhi_zazen> Links are here : http://paste.ubuntu.com/133993/
155 [00:23] <lovinglinux> thanks
156 [00:23] <Snova> AppArmor introduction: http://ubuntuforums.org/showthread.php?t=1008906
157 [00:23] <bodhi_zazen> OK , with that background, questions please ?
158 [00:23] <Snova> Oh, didn't notice the links at the bottom of that..
159 [00:23] <bodhi_zazen> Or do you want to see what the shared session can do ?
160 [00:23] <bodhi_zazen> ie live demo ?
161 [00:24] * jimi_hendrix raises hand
162 [00:24] <bodhi_zazen> go jimi_hendrix :)
163 [00:24] <jimi_hendrix> if i am running a webserver (linux of course...well maybe a *BSD)...and its just pages with html, what am i at risk for
164 [00:25] <bodhi_zazen> apache attacks, php attacks, and DOS are the major ones
165 [00:25] <bodhi_zazen> The damage depends on the attack
166 [00:26] <bodhi_zazen> I have seen php code that takes your cookies for example (think passwords for web sites)
167 [00:26] <bodhi_zazen> If a crack allows "arbitrary code" think an intruder then has root access
168 [00:26] <lovinglinux> Do I need to create apparmor profiles for all applications that connect to network or just for those that listen to ports?
169 [00:26] <bodhi_zazen> many attacks then use your box to attack others, send spam, spoof ip, what have you
170 [00:27] <bodhi_zazen> IMO lovinglinux all apps that access the internet
171 [00:27] <jimi_hendrix> bodhi_zazen, i said just html, no php
172 [00:27] <bodhi_zazen> although as you can see I do not yet have profiles for all apps yet
173 [00:28] <bodhi_zazen> jimi_hendrix: LAMP == Linux apache Mysql and PHP so I included it in the broader discussion
174 [00:28] <jimi_hendrix> ok
175 [00:28] <bodhi_zazen> Want to see a demo ?
176 [00:28] <jimi_hendrix> yes
177 [00:28] <bodhi_zazen> On the ssh session ?
178 [00:28] <Nano_ext3> yeps
179 [00:28] <bodhi_zazen> OK
180 [00:29] <bodhi_zazen> anyone need assistance connecting via ssh ?
181 [00:29] <bodhi_zazen> ok, the guru account has root access
182 [00:29] <bodhi_zazen> as you can see
183 [00:30] <bodhi_zazen> the guru account can install applications
184 [00:30] <Traveler15164> yeah, i keep getting the Permission denied (publickey) error
185 [00:30] <bodhi_zazen> :)
186 [00:30] <bodhi_zazen> someone help Traveler15164 please :)
187 [00:30] <lovinglinux> sorry, I know how to use ssh, but don't know which server I'm supposed to connect
188 [00:30] <bodhi_zazen> I will wait and answer questions
189 [00:31] <bodhi_zazen> you need the key
190 [00:31] <bodhi_zazen> then ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
191 [00:31] <bodhi_zazen> pw = padawan
192 [00:31] <Nano_ext3> http://paste.ubuntu.com/133993/
193 [00:31] <Nano_ext3> follow exactly
194 [00:31] <Nano_ext3> verbatim
195 [00:31] <bodhi_zazen> http://paste.ubuntu.com/133993/
196 [00:31] <Nano_ext3> via terminal
197 [00:31] <bodhi_zazen> for keys
198 [00:31] <Nano_ext3> beat you to it :)
199 [00:31] <bodhi_zazen> any other questions while we are waiting
200 [00:31] <bodhi_zazen> ?
201 [00:32] <bodhi_zazen> chickens, all questions are welcome :)
202 [00:33] <bodhi_zazen> you in Traveler15164 ?
203 [00:33] <bodhi_zazen> lovinglinux: ?
204 [00:33] <Traveler15164> nope
205 [00:33] <bodhi_zazen> Traveler15164: what do you need help with ?
206 [00:33] <bodhi_zazen> do you have the key ?
207 [00:33] <lovinglinux> just a second
208 [00:33] <Traveler15164> yes
209 [00:33] <bodhi_zazen> do you know how to use it ?
210 [00:34] <Traveler15164> i got it and placed it in a new empty file?
211 [00:34] <Traveler15164> named ufbt-guest and chmod 400 on that
212 [00:34] <Snova> Stick it in ~/.ssh
213 [00:34] <Traveler15164> it is
214 [00:34] <bodhi_zazen> ok
215 [00:34] <Snova> ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
216 [00:34] <Nano_ext3> you have to place that text in ~/.ssh/ufbt-guest
217 [00:34] <Nano_ext3> and then chmod 400 on that file
218 [00:35] <Nano_ext3> its all in the paste link
219 [00:35] <Nano_ext3> http://paste.ubuntu.com/133993/
220 [00:35] <lovinglinux> The authenticity of host xxxxxxxxxxx can't be established.
221 [00:35] <Traveler15164> i'll redo it all to make sure
222 [00:35] <bodhi_zazen> lol lovinglinux
223 [00:35] <Snova> lovinglinux: That's normal, just confirm it.
224 [00:35] <bodhi_zazen> say yes :)
225 [00:36] <bodhi_zazen> Traveler15164: cd .ssh
226 [00:36] <lovinglinux> lol, stupid me
227 [00:36] <bodhi_zazen> rm ufbt-guest
228 [00:36] <bodhi_zazen> wget http://bodhizazen.net/beginners/ufbt-guest
229 [00:36] <bodhi_zazen> chmod 400 ufbt-guest
230 [00:36] <Rocket2DMn> you may have to "ssh bodhizazen.net" first and accept the fingerprint
231 [00:36] <bodhi_zazen> ssh guest@bodhizazen.net -i ./ufbt-guest
232 [00:36] <Rocket2DMn> then just ctrl-c without doing any authentication
233 [00:37] <Rocket2DMn> then do the ssh command above to use the key
234 [00:37] <lovinglinux> Connection closed by xxxxxxxxx
235 [00:37] <Rocket2DMn> i found if you use the key without having the fingerprint cached, it doesnt give you the option to store it and it aborts
236 [00:38] <bodhi_zazen> thanks Rocket2DMn
237 [00:38] <bodhi_zazen> Traveler15164: you in ?
238 [00:38] <Traveler15164> redoing it worked
239 [00:38] <bodhi_zazen> lovinglinux: ?
240 [00:38] <Traveler15164> strange
241 [00:38] <bodhi_zazen> OK, so ...
242 [00:38] <bodhi_zazen> as you can see we are root :)
243 [00:38] <lovinglinux> OK, I am in
244 [00:38] <Nano_ext3> yay!
245 [00:38] <bodhi_zazen> as you can see, we started a new shell
246 [00:39] * Nano_ext3 runs around in circles with streamers
247 [00:39] <bodhi_zazen> guru was jailzsh
248 [00:39] <bodhi_zazen> root is bash
249 [00:39] <bodhi_zazen> but the apparmor confinement follows us
250 [00:39] <bodhi_zazen> so ...
251 [00:39] <bodhi_zazen> First I am limiting root with iptables ...
252 [00:40] <bodhi_zazen> sorry for the typo :(
253 [00:40] <bodhi_zazen> as you can see, root can ping google , but not my lan
254 [00:40] <jimi_hendrix> back
255 [00:40] <bodhi_zazen> so lets stop iptables :)
256 [00:41] <bodhi_zazen> OH NO
257 [00:41] <bodhi_zazen> Permission denied
258 [00:41] <jimi_hendrix> sudo it!
259 [00:41] <Halow> He's root....
260 [00:41] <jimi_hendrix> (i know)
261 [00:41] <Rocket2DMn> tab complete fail
262 [00:41] <bodhi_zazen> ok ..
263 [00:42] <bodhi_zazen> lets mess with the settings a little
264 [00:42] <bodhi_zazen> foiled again :)
265 [00:42] <bodhi_zazen> Lets try this ::)
266 [00:43] <bodhi_zazen> :)
267 [00:44] <Halow> :O
268 [00:44] <Snova> Ok, so the AppArmor restrictions followed you from jailzsh to root's Bash?
269 [00:44] <bodhi_zazen> so you can see, although root can install apps, access to critical system files is restricted
270 [00:44] <jimi_hendrix> r00t has uber fail?
271 [00:44] <bodhi_zazen> yes Snova
272 [00:44] <bodhi_zazen> We can start a new shell if we wish
273 [00:45] <Rocket2DMn> My head just exploded.
274 [00:45] <Nano_ext3> ugh gotta run, sorry guys
275 [00:45] <bodhi_zazen> so ..
276 [00:45] <Nano_ext3> have to head home for work tomorrow :(
277 [00:45] <Rocket2DMn> now bodhi_zazen , do these restrictions apply only when using sudo to access root? What if you had a true root login, like "su -" ?
278 [00:45] <Snova> Bye Nano_ext3.
279 [00:45] <Nano_ext3> laters :(
280 [00:45] <bodhi_zazen> any process you start is confined by apparmor
281 [00:45] <bodhi_zazen> the restrictions follow you
282 [00:45] <Nano_ext3> ill read more on aa this weekend
283 [00:46] <Nano_ext3> def
284 [00:46] <Nano_ext3> laters
285 [00:46] <bodhi_zazen> no Rocket, watch
286 [00:46] <bodhi_zazen> see, we are now guru again ?
287 [00:46] <bodhi_zazen> guru is given jailzsh as a default shell
288 [00:47] <bodhi_zazen> jailzsh in an apparmor profile and I think I can show it to you
289 [00:47] <bodhi_zazen> There it is ...
290 [00:47] <lovinglinux> That's it? Looks simple.
291 [00:47] <bodhi_zazen> that was jail bash
292 [00:48] <bodhi_zazen> jailbash is from jdong
293 [00:48] <bodhi_zazen> posted here :
294 [00:48] <bodhi_zazen> http://bodhizazen.net/aa-profiles/jdong/ubuntu-8.04/usr.local.bin.jailbash
295 [00:48] <bodhi_zazen> and yes, it is simple
296 [00:49] <lovinglinux> I'm gonna try this
297 [00:49] <bodhi_zazen> I am restricting access to jailzsh as it is a fair amount more permissive than jailbash
298 [00:49] <bodhi_zazen> anything else you want to see in the shared session ?
299 [00:50] <bodhi_zazen> please, other security questions ?
300 [00:50] <jimi_hendrix> bodhi_zazen, is it possible to secure a windows server?
301 [00:50] <bodhi_zazen> yes, of course
302 [00:51] <Rocket2DMn> ahh hardened windows servers :)
303 [00:51] <lovinglinux> I have one stupid question at http://ubuntuforums.org/showthread.php?t=1100778
304 [00:51] <bodhi_zazen> Again, I am collecting aa profiles here : http://bodhizazen.net/aa-profiles/
305 [00:51] <bodhi_zazen> download them, try them out, and if you wish send me your modifications and I will post them for others
306 [00:52] <bodhi_zazen> lovinglinux: in a nut shell, no your router is not ipv6
307 [00:52] <bodhi_zazen> most people disable ipv6
308 [00:53] <jimi_hendrix> Rocket2DMn, is it possible then?
309 [00:53] <bodhi_zazen> ip providers hate ipv6 because ipv6 makes them obsolete as an ip provider
310 [00:53] <bodhi_zazen> they would need to provide the physical layer however
311 [00:53] <Rocket2DMn> yes jimi_hendrix you can lock down windows servers
312 [00:53] <lovinglinux> bodhi_zazen: so just leave ipv6 alone right? No need for iptables rules?
313 [00:53] <bodhi_zazen> yes, or you can disable it if you wish
314 [00:53] <lovinglinux> bodhi_zazen: thanks
315 [00:54] <bodhi_zazen> some people think their box runs faster if they disable it
316 [00:54] <bodhi_zazen> np
317 [00:54] <bodhi_zazen> please, I have been ranting, questions, questions :)
318 [00:54] <jimi_hendrix> what is the average airspeed of a swallow
319 [00:54] <lovinglinux> is there an alternative for intrusion detection without using MySQL?
320 [00:55] <bodhi_zazen> yes lovinglinux
321 [00:55] <bodhi_zazen> you can use snort + barnyard
322 [00:56] <lovinglinux> I will look into that. Thanks
323 [00:56] <bodhi_zazen> lovinglinux: http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1255683_tax307468,00.html
324 [00:57] <bodhi_zazen> although that may use mysql, and if so, my mistake
325 [00:57] <ds305> quit Thanks bodhi
326 [00:57] <jgoguen> lol :)
327 [00:58] <lovinglinux> I have another question. Please wait because I have an inflamed finger, so I need time to type.
328 [00:58] <bodhi_zazen> go lovinglinux
329 [00:58] <bodhi_zazen> Well, we are close to the hour
330 [00:59] <bodhi_zazen> Watch, if I close the screen session you all are disconnected :)
331 [00:59] <bodhi_zazen> >:)
332 [00:59] <Snova> Oh, like that? ;)
333 [00:59] <bodhi_zazen> Just like that
334 [00:59] <lovinglinux> I have an iptables rule to accept established connection. If I have a client listening to a port, but no other ports opened, is it possible for someone already connected to my client to establish connections on other ports?
335 [00:59] <bodhi_zazen> The guest account can not connect without a session running
336 [00:59] <bodhi_zazen> if you try you will be blacklisted after a few attempts
337 [01:00] <bodhi_zazen> hard to follow lovinglinux
338 [01:00] <lovinglinux> bodhi_zazen: maybe is just my paranoia
339 [01:01] <bodhi_zazen> If your client is cracked and you are dropping new connections I do not think normally the client could establish a new connection on a new port
340 [01:01] <bodhi_zazen> I guess they could use the established connection and leverage additional exploits
341 [01:02] <lovinglinux> bodhi_zazen: through the same port?
342 [01:02] <bodhi_zazen> Well, thank you everyone, it is 7 so we are "officially" over, although I will be available for say 10-15 minutes
343 [01:02] <bodhi_zazen> then I have to go to my family
344 [01:02] <duanedesign> aawesome!!! thank you
345 [01:02] <bodhi_zazen> in theory lovinglinux
346 [01:02] <Halow> Yes, thank you!
347 [01:03] <bodhi_zazen> since the connection is established ...
348 [01:03] <lovinglinux> Thank you very much. Really nice experience, specially the shared ssh session.
349 [01:03] <bodhi_zazen> you are most welcome everyone
350 [01:03] <duanedesign> applause
351 [01:03] <bodhi_zazen> the beginners team is going to run additional sessions
352 [01:03] <bodhi_zazen> and the shared ssh session is available to anyone willing to teach
353 [01:04] <bodhi_zazen> I have found the shared ssh session is a very effective demo for apparmor and iptables , lol
354 [01:05] <bodhi_zazen> wb k0001 :)
355 [01:05] <lovinglinux> bodhi_zazen: what do you think about UPnP?
356 [01:05] <bodhi_zazen> Not a lot
357 [01:05] <bodhi_zazen> Again, we all like convenience
358 [01:05] <k0001> bodhi_zazen: hello
359 [01:05] <bodhi_zazen> but we all hate it when we are cracked, lol
360 [01:05] <lovinglinux> lol
361 [01:06] <bodhi_zazen> so it is nice (off UPnP) for our flash drives to auto mount
362 [01:06] <bodhi_zazen> but not so nice when malignant code then uses this to automatically start its evil work ;)
363 [01:07] <bodhi_zazen> security and convenience == yin and yang and we must bring balance to the force
364 [01:08] <bodhi_zazen> it is just that the balance point is dependent on sphincter tone, :p
365 [01:08] <lovinglinux> lol
366 [01:08] <bodhi_zazen> If anyone is interested in topics or teaching sessions, please let me know
367 [01:08] <lovinglinux> do I need to keep your key for further sessions?
368 [01:09] <bodhi_zazen> I shall try to run a session every other week at this time with varied topics
369 [01:09] <bodhi_zazen> I am sorry to have such limited times, I wish I could vary it more, but I have a family so this works best
370 [01:09] <duanedesign> that is much appreciated
371 [01:09] <bodhi_zazen> yes lovinglinux
372 [01:10] <duanedesign> :)
373 [01:10] <lovinglinux> what time is there right now and what time it starts?
374 [01:10] <bodhi_zazen> I hope that the sessions are logged and posted in classroom
375 [01:10] <bodhi_zazen> It is just past 7 PM local time for me
376 [01:10] <bodhi_zazen> Sessions will start at 6 pm local time
377 [01:11] <lovinglinux> Ok, great
378 [01:11] <bodhi_zazen> and if anyone has a topic, add it to the list
379 [01:11] <bodhi_zazen> I think we do another security session in 2 weeks
380 === k00011 is now known as k0001
381 [01:11] <bodhi_zazen> and after that I have been asked to cover permissions
382 [01:11] <lovinglinux> permissions will be nice
383 [01:12] <linuxwarrior> is the session on 26th will be the same as this one ?
384 [01:12] <bodhi_zazen> Add your topic here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
385 [01:12] <bodhi_zazen> put my name in as the instructor
386 [01:13] <bodhi_zazen> and I will add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
387 [01:13] <bodhi_zazen> linuxwarrior: same topic
388 [01:13] <bodhi_zazen> Hopefully different questions :)
389 [01:13] <bodhi_zazen> I hope people will try iptables, apparmor, etc and bring questions
390 [01:13] <Snova> Hmm... I could probably help with a few of those.
391 [01:14] <linuxwarrior> ok ;)
392 [01:14] <bodhi_zazen> http://bodhizazen.net/Tutorials/iptables/
393 [01:14] <bodhi_zazen> I posted a number of links here : http://paste.ubuntu.com/133993/
394 [01:14] <Traveler15164> what i don't get is i can genprof firefox and play around with it, then do the scan and it doesn't really add that much to the profile
395 [01:14] <bodhi_zazen> no Traveler15164
396 [01:15] <bodhi_zazen> That is the problem with apparmor, you will need to emulate a profile or make your own
397 [01:15] <bodhi_zazen> firefox is not the best to start because it is large
398 [01:15] <bodhi_zazen> Start with say xchat
399 [01:15] <bodhi_zazen> or your irc client
400 [01:15] <bodhi_zazen> and then go to firefox
401 [01:15] <bodhi_zazen> sudo aa-enforce xchat
402 [01:15] <bodhi_zazen> then
403 [01:15] <lovinglinux> Is there a requirement for classes to be related with system configuration or can they be about how to use a specific kind of program, like multimedia for example?
404 [01:16] <bodhi_zazen> tail -F /var/log/messages
405 [01:16] <bodhi_zazen> open xchat and watch and resolve errors
406 [01:16] <bodhi_zazen> lovinglinux: topics are open
407 [01:17] <bodhi_zazen> we (the beginners team) are here to educate and we really want to grow this service and cover topics of interest to the community
408 [01:17] <bodhi_zazen> We hope to add things like Moodle
409 [01:17] <bodhi_zazen> http://fmc.isgreat.org/Ubuntu_Classroom/index.html
410 [01:17] <bodhi_zazen> so we can develop more formal content
411 [01:17] <bodhi_zazen> but ...
412 [01:17] <Traveler15164> if you put just enough in the firefox profile to allow firefox to start up, then it lets you view or change anything in that session but the settings or cache isn't saved, correct?
413 [01:17] <bodhi_zazen> we are in the beginning phases
414 [01:17] <Traveler15164> sorta like a sandboxing app
415 [01:18] <bodhi_zazen> yes, I think Traveler15164
416 [01:18] <lovinglinux> So maybe I could help with some stuff, like how to organize image collections using IPTC, EXIF and so on. I will think about it.
417 [01:18] <bodhi_zazen> If you change (edit) the profile, you need to restart both apparmor and firefox for the effects to take place
418 [01:18] <Traveler15164> ok
419 [01:18] <bodhi_zazen> not always firefox, but it does not hurt
420 [01:19] <bodhi_zazen> Sometimes you also need to clear your cache on firefox as well
421 [01:19] <bodhi_zazen> lovinglinux: any help you can offer would be awesome
422 [01:19] <bodhi_zazen> some team members help with content
423 [01:19] <bodhi_zazen> others teach
424 [01:19] <bodhi_zazen> some do nothing
425 [01:19] <bodhi_zazen> :)
426 [01:19] <lovinglinux> lol
427 [01:19] <bodhi_zazen> it is a team effort and we are all volunteers
428 [01:20] <bodhi_zazen> the main limiting factor , of course, is my time
429 [01:20] <bodhi_zazen> I rely on the focus groups to help
430 [01:20] <bodhi_zazen> OK, I gotta go
431 [01:20] <bodhi_zazen> really, thank you all for coming
432 [01:20] <bodhi_zazen> and lets see if we can continue and extend these sessions
433 [01:21] <Halow> Thanks again. :)
434 [01:21] <bodhi_zazen> we need both helpers and an audience :)
435 [01:21] <lovinglinux> bodhi_zazen: thanks again
436 [01:21] <bodhi_zazen> PM me on the forums or come on by #ubuntuforums-beginners :)