
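#!/bin/bash
# Permanently enable facial recognition (Howdy) as a sudo authentication
# method instead of typing the sudo password.
# Based on the following guide: https://itsfoss.com/face-unlock-ubuntu/
#
# SECURITY CAVEATS (read before enabling):
#  * Howdy matches your face against frames from an ordinary webcam. It is a
#    convenience feature, not a strong authenticator; treat it as weaker than
#    the password it replaces. With the usual PAM setup a failed or aborted
#    face match falls back to the password prompt -- confirm this in
#    /etc/pam.d/common-auth after installing.
#  * The packages come from a third-party PPA. Adding a PPA trusts its
#    maintainer's signing key for root-level code on this machine; verify the
#    PPA owner before the add-apt-repository line.
set -u

sudo add-apt-repository ppa:boltgolt/howdy
sudo apt update
sudo apt install howdy v4l-utils

#######################################################################
# Find the camera device path; it belongs in the `device_path` key of the
# [video] section of /lib/security/howdy/config.ini.
# v4l2-ctl lists each camera followed by its /dev/video* nodes (indented);
# take the first node and strip the leading whitespace.
devicename=$(v4l2-ctl --list-devices | grep -m 1 -- '/dev/video' | tr -d '[:blank:]')
printf 'Camera device: %s\n' "$devicename"
# Some kernels expose two nodes per camera (capture + metadata). If Howdy
# cannot capture frames with this node, try the next /dev/video* entry from
# `v4l2-ctl --list-devices`.

# `howdy config` opens config.ini in an editor. In the [video] section set
#   device_path = <value printed above>      (for example /dev/video0)
sudo howdy config

#######################################################################
# Enrol a face model for the currently logged-in user:
sudo howdy add
# List all known face models for that user:
sudo howdy list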
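# Enable the ufw firewall on Ubuntu 18.04 or newer and restrict outbound
# Internet access to a short list of ports. This machine exposes no
# services, so no inbound allow rules are needed.
#
# NOTE: `ufw reset` restores ufw's defaults, which are "deny incoming" and
# ALLOW OUTGOING. Adding `allow out` rules on top of that default (as the
# first version of this script did) changes nothing -- every outbound port
# is already allowed. To actually restrict egress, the outgoing default
# policy must be set to deny before the allow rules (done below).
sudo apt install ufw gufw

# Keep a copy of the old rule set for comparison. Use a private,
# timestamped file in $HOME rather than a predictable name in the
# world-writable /tmp.
logtime=$(date '+%Y-%m-%d_%Hh%Mm%Ss')
sudo ufw status verbose | tee "$HOME/ufw-status-old_$logtime"

# Start from a clean slate. `ufw reset` asks for confirmation and leaves
# the firewall disabled until `ufw enable` below.
sudo ufw disable
sudo ufw reset

# Default policies: drop everything in both directions, then allow only the
# outbound ports listed below.
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Inbound rules are deliberately absent. Examples of what they would look
# like, should a service ever be exposed:
#sudo ufw allow in to any port 53
#sudo ufw allow in to any port 80
#sudo ufw allow in to any port 443
#sudo ufw allow in to any port 853
#sudo ufw allow in to any port 5938

# Outbound allow rules. `allow out to any port N` covers both tcp and udp.
# Plain DNS (udp/tcp 53). If all resolution goes through DNS-over-TLS on
# 853, this rule can be dropped so nothing leaks in the clear:
sudo ufw allow out to any port 53
# http needed in order to get and update packages via apt:
sudo ufw allow out to any port 80
# NTP (udp 123) needed to sync time:
sudo ufw allow out to any port 123
# https:
sudo ufw allow out to any port 443
# DNS-over-TLS (stubby / systemd-resolved):
sudo ufw allow out to any port 853
# TeamViewer:
sudo ufw allow out to any port 5938
# gpg keyserver access over HKP. Port 11371 is plaintext; prefer an hkps://
# keyserver (port 443, already allowed above) and drop this rule if you can:
sudo ufw allow out to any port 11371

# Loopback traffic is accepted by ufw's built-in before.rules, so a local
# DNS stub on 127.0.0.1:53 keeps working under "deny outgoing". Anything
# else the host needs (ssh, mail, ICMP, ...) must get its own allow-out
# rule; /var/log/ufw.log shows what is being dropped once logging is on.
sudo ufw logging on
sudo ufw enable
sudo ufw status verbose | tee "$HOME/ufw-status-new_$logtime"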

Imagine you have an AppVM called appvm1 which is based on a TemplateVM called templatevm1 in Qubes OS 4.0

Imagine you get the error “Firewall has been modified manually – please use qvm-firewall for any further configuration.” when trying to use the Firewall rule editor GUI via Qube Manager for the AppVM called appvm1.

Solution procedure so that you can use the firewall rule GUI again for that AppVM:

Inspect the existing list of active firewall rules for your TemplateVM using the following command (replacing templatevm1 with the actual name of your TemplateVM):

sudo qvm-firewall templatevm1 list

Run the following command in Dom0 repeatedly until `list` shows no rules left for the TemplateVM (replacing templatevm1 with the actual name of your TemplateVM). Each invocation deletes the rule at index 0, so the remaining rules shift down and the same command removes the next one:

sudo qvm-firewall templatevm1 del --rule-no 0

Then run the following command to set a single default rule for that virtual machine (replacing templatevm1 with the actual name of your TemplateVM). Note that `action=accept` with no further qualifiers allows all outbound traffic, which matches the rule set of a freshly created qube; if the qube previously had restrictive rules, re-create them in the GUI afterwards:

sudo qvm-firewall templatevm1 add action=accept

Then run this exact same qvm-firewall procedure (list, delete until empty, add a single accept rule) for the problematic AppVM, replacing templatevm1 with appvm1.

Then reboot your PC (restarting Qube Manager and the affected qubes may already be enough, but a reboot is the safe choice) and the firewall GUI should work again.

 

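#######################################################################################################################
# Enable DNS over TLS on Ubuntu 18.04 64-bit: stubby is the local DNS-over-TLS
# stub resolver on 127.0.0.1:53, systemd-resolved forwards to it and validates DNSSEC.
# Source: https://www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls
#
# Notes:
#  * Config edits are staged in a private mktemp directory, not under predictable
#    names in /tmp. The staged files are later copied into /etc with sudo, so a
#    pre-created or symlinked /tmp file could otherwise have injected a nameserver
#    or nsswitch entry into the system configuration.
#  * On 18.04 /etc/resolv.conf is normally a symlink into /run/systemd/resolve/
#    managed by systemd-resolved. `cp` writes through the symlink and the content
#    may be regenerated; check `ls -l /etc/resolv.conf` afterwards.
#  * Do NOT set `domain`/`search` (or `dns-search`) to a domain you do not control:
#    every unqualified name (e.g. `printer`, `intranet`) is then looked up under that
#    domain and answered by whoever owns it. The first version of this script used
#    dnsknowledge.com here; that line is intentionally omitted.
set -u

sudo apt purge unbound avahi-daemon
logtime=$(date '+%Y-%m-%d_%Hh%Mm%Ss')

# Backups of every file touched below.
cp /etc/resolv.conf "$HOME/resolv.conf_$logtime"
cp /etc/nsswitch.conf "$HOME/nsswitch.conf_$logtime"
cp /etc/systemd/resolved.conf "$HOME/resolved.conf_$logtime"
cp /etc/network/interfaces "$HOME/interfaces_$logtime"

# Private scratch directory for the edited copies, removed on exit.
work=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work"' EXIT

sudo service resolvconf stop
sudo update-rc.d resolvconf remove

sudo apt install stubby
systemctl status stubby
# stubby should be listening on 127.0.0.1:53 (and ::1:53), systemd-resolved on 127.0.0.53:53.
sudo netstat -lnptu | grep stubby
sudo netstat -lnptu | grep systemd-resolve

# /etc/resolv.conf: point at the local stubby listener.
grep -v nameserver /etc/resolv.conf > "$work/resolv.conf"
echo 'nameserver 127.0.0.1' >> "$work/resolv.conf"
# echo 'nameserver ::1' >> "$work/resolv.conf"
# `options rotate` only matters with more than one nameserver; kept for parity with the guide.
echo 'options rotate' >> "$work/resolv.conf"
sudo cp "$work/resolv.conf" /etc/resolv.conf
sudo service resolvconf start

# /etc/network/interfaces (ifupdown): same nameserver, no foreign search domain.
grep -v -e nameservers -e search -e options /etc/network/interfaces > "$work/interfaces"
#echo 'dns-nameservers 9.9.9.9 2620:fe::fe' >> "$work/interfaces"
echo 'dns-nameservers 127.0.0.1' >> "$work/interfaces"
echo 'dns-options rotate' >> "$work/interfaces"
sudo cp "$work/interfaces" /etc/network/interfaces

# /etc/nsswitch.conf: keep the systemd caching resolver (resolve) in the hosts line.
grep -v hosts /etc/nsswitch.conf > "$work/nsswitch.conf"
# "dns" must stay in this list, or tools like wget cannot resolve names.
echo 'hosts: files mdns4_minimal [NOTFOUND=return] resolv dns myhostname mymachines' >> "$work/nsswitch.conf"
sudo cp "$work/nsswitch.conf" /etc/nsswitch.conf

# /etc/systemd/resolved.conf: forward to stubby and validate DNSSEC locally.
# (`grep -v DNS` also drops the commented-out DNSSEC=/FallbackDNS= template lines.)
grep -v DNS /etc/systemd/resolved.conf > "$work/resolved.conf"
#echo 'DNS=9.9.9.9' >> "$work/resolved.conf"
echo 'DNS=127.0.0.1' >> "$work/resolved.conf"
echo 'DNSSEC=yes' >> "$work/resolved.conf"
sudo cp "$work/resolved.conf" /etc/systemd/resolved.conf
sudo systemd-resolve --flush-caches
sudo systemctl restart systemd-resolved
sudo systemd-resolve --flush-caches
sudo systemd-resolve --status

# It is probably also necessary to manually set the DNS server to 127.0.0.1 in the
# router's configuration and in the NetworkManager GUI, otherwise DHCP-supplied
# resolvers may be re-added and bypass stubby.

# Then reboot your PC to activate DNS over TLS.
# Verify with wireshark: capture on ports 53 and 853. There should be no more plaintext
# DNS on port 53 leaving the machine and only TLS handshakes/records on port 853.

# Test DNSSEC validation using the dig command-line tool; a validating resolver sets the
# "ad" (authenticated data) flag in the answer.
# See: https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
dig pir.org +dnssec +multi
host dnsknowledge.com

# To get similar functionality on iOS: install the "DNSCloak" application
# To get similar functionality on Android: install the "Intra" application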

Please first visit this bug report that I filed:

https://bugs.chromium.org/p/chromium/issues/detail?id=889072#c2

As that report illustrates, disabling the TLS versions and cipher suites below in Mozilla Firefox will make certain (mostly old or misconfigured) websites inaccessible, but removes weak protocol versions and non-forward-secret cipher suites from what your browser offers to servers.

It is up to you to decide if you want extra security or not.

If you wish to proceed, visit following website to test the weaknesses in your Mozilla Firefox browser:

https://www.ssllabs.com/ssltest/viewMyClient.html

Then upgrade Mozilla Firefox to the latest version.

In Mozilla Firefox, navigate to   “about:config”

Set security.tls.version.max to 4 (TLS 1.3)

Set security.tls.version.min to 3 (TLS 1.2; the values mean 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3)

The next three preferences disable the static-RSA key exchange suites (TLS_RSA_*), which provide no forward secrecy: a server key compromised later decrypts previously recorded sessions.

Set security.ssl3.rsa_aes_128_sha to false

Set security.ssl3.rsa_aes_256_sha to false

Set security.ssl3.rsa_des_ede3_sha to false

Go back to this website to retest weaknesses:

https://www.ssllabs.com/ssltest/viewMyClient.html

After the changes above, only following Protocols and Cipher Suites should be supported by Mozilla Firefox.

TLS 1.1 and older (SSL 3.0, TLS 1.0, TLS 1.1) are known to be weak; setting the minimum version to 3 as described above disables all of them.

TLS_RSA_*_CBC_SHA cipher suites should not be used anymore: RSA key exchange has no forward secrecy and CBC with HMAC-SHA1 is the weakest construction still in the list. Disabling them will make certain websites inaccessible. Note that two ECDHE CBC-SHA suites (0xc013, 0xc014) remain in the list below, because the preferences above only remove the RSA-key-exchange suites; they do provide forward secrecy but still use CBC/SHA-1, and are only reached when a server offers no AEAD suite.

Protocols
TLS 1.3 Yes
TLS 1.2 Yes

 

Cipher Suites (in order of preference)
TLS_AES_128_GCM_SHA256 (0x1301)   Forward Secrecy 128
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   Forward Secrecy 256
TLS_AES_256_GCM_SHA384 (0x1302)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256

Further instructions (more extensive) can be found here:

https://vikingvpn.com/cybersecurity-wiki/browser-security/guide-hardening-mozilla-firefox-for-privacy-and-security

Whonix 13 is approaching end-of-life:

https://www.qubes-os.org/news/2018/08/24/whonix-13-approaching-eol/

So I decided to install Whonix 14 from scratch in Qubes OS 4.0.

I personally had more success installing the new Whonix 14 templates using following procedure (instead of attempting to upgrade from Whonix 13 to Whonix 14) : 

https://www.whonix.org/wiki/Qubes/Install

After installing the new whonix-gw-14 and whonix-ws-14 TemplateVMs, I had to create a new qube called sys-whonix-14 based on the whonix-gw-14 TemplateVM. When creating sys-whonix-14, make sure it is configured to provide networking (the “provides network” option in the create dialog), since the workstation qubes and the update proxy will use it as their NetVM.

In sys-whonix-14, run
sudo anon-connection-wizard
to set up Tor networking.

Run following commands in Dom0:

qubes-prefs default_dispvm whonix-ws-14-dvm

qubes-prefs updatevm sys-whonix-14

Last step is to point the update proxy at sys-whonix-14 in the policy file /etc/qubes-rpc/policy/qubes.UpdatesProxy in Dom0: change the `target=` of the lines for the Whonix templates (and of any other template you want updated over Tor) from the old sys-whonix to sys-whonix-14.

Check the new settings in Dom0 by running the command   qubes-prefs (not qvm-prefs)

That should do it.

Hope this helps someone out there 🙂

 

 

 

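# Check whether this kernel/CPU combination is mitigated against Spectre/Meltdown.
sudo apt update
sudo apt install git
cd "$HOME" || exit 1
rm -rf -- spectre-meltdown-checker
git clone https://github.com/speed47/spectre-meltdown-checker.git
cd spectre-meltdown-checker || exit 1
# The checker needs root to read MSRs and /dev/cpu. It is fetched from the network and
# run as root with no verification here: read it, or at least pin a release tag
# (`git tag` then `git checkout <tag>`), before the next two lines.
chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh

# Authoritative per-vulnerability status from the kernel itself, available on 4.15+
# kernels (Ubuntu 18.04 and newer):
grep -H . /sys/devices/system/cpu/vulnerabilities/* 2>/dev/null

# Older heuristics, kept for pre-4.15 kernels. Their limits:
#  * CONFIG_PAGE_TABLE_ISOLATION=y only proves the kernel was BUILT with KPTI; it can
#    still be switched off at boot (nopti / pti=off).
#  * The cpuinfo "bugs" entry was called cpu_insecure only briefly; 4.15+ reports
#    cpu_meltdown instead, and either name means the CPU is AFFECTED, not patched.
#    KPTI actually being active shows up as "pti" in the "flags" field.
#  * The dmesg line is the most direct check but needs the boot messages to still be
#    in the kernel ring buffer.
grep CONFIG_PAGE_TABLE_ISOLATION=y "/boot/config-$(uname -r)" && echo "KPTI compiled in :)" || echo "KPTI not compiled in :("
grep -qw pti /proc/cpuinfo && echo "KPTI active (pti flag) :)" || echo "no pti flag in /proc/cpuinfo :("
dmesg | grep "Kernel/User page tables isolation: enabled" && echo "KPTI enabled per dmesg :)" || echo "no KPTI message in dmesg :("
uname -a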
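#############################################################################################################################
# Procedure for installing ReactOS in a stand-alone HVM in Qubes OS 3.2
#############################################################################################################################
# Prerequisites: Qubes OS 3.2, PC with at least 4 GB of RAM
#############################################################################################################################
# In dom0, first create a stand-alone HVM called "reactos" with 1024 MB of RAM.
# The name is case-sensitive and is reused by the qvm-start line below.
qvm-create -H -m 1024 --label=blue reactos
#############################################################################################################################
# Inside an AppVM <name_of_AppVM> (not dom0, which has no network access), download the compressed ReactOS
# installation iso file to the /tmp directory:
cd /tmp && wget https://iso.reactos.org/bootcd/reactos-bootcd-0.4.8-dev-99-g23bc0b5-x86-gcc-lin-dbg.7z
# NOTE: this is a development build and nothing in this procedure verifies a checksum or signature of the
# download; treat the resulting HVM as untrusted and keep it firewalled (see below).
# Decompress the .7z file using unp or another tool that can extract 7zip archives:
unp /tmp/reactos-bootcd-0.4.8-dev-99-g23bc0b5-x86-gcc-lin-dbg.7z
mv /tmp/reactos-bootcd-0.4.8-dev-99-g23bc0b5-x86-gcc-lin-dbg.iso /tmp/reactos.iso
#############################################################################################################################
# In dom0, boot the HVM from that iso, replacing <name_of_AppVM> with the actual name of the AppVM where the
# iso was downloaded. The first version of this line used "reactOS", which does not match the qube created
# above -- qube names are case-sensitive, so qvm-start would not find it:
qvm-start reactos --cdrom <name_of_AppVM>:/tmp/reactos.iso
# Keep the VESA display resolution at 800x600x32 during install to avoid boot issues later on
# Make sure to select the correct keyboard layout for your country and keyboard
#############################################################################################################################
# To limit what a compromised ReactOS HVM can reach, apply the following firewall settings to the reactos HVM
# (firewall rule editor in Qube Manager):
# Deny all network access, except for DNS queries, https via tcp and http via tcp
#############################################################################################################################
# !!! Do NOT manually install any Windows PV drivers from xenproject.org, as it will cause boot errors in the ReactOS HVM !!!
#############################################################################################################################
# Issues:
#############################################################################################################################
# Sound output not working
# Mouse tracking issue where the mouse pointer position is not synchronized with the Dom0 mouse pointer
# Excessive CPU usage when using the newest Opera web browser, but Youtube works using Opera and 4 virtual CPU cores
# Mozilla Firefox crashes when trying to access the Youtube website (severe bug)
# Installing the Windows PV drivers from xenproject.org inside the reactos HVM causes boot errors -> so don't do it
# Choosing a lower RAM setting than 1024 MB for the ReactOS HVM or choosing a screen resolution higher than 800x600x32
# during install may cause ReactOS to fail to boot or to show any icons on the desktop
# Only attempt to increase the screen resolution via the ReactOS control panel (not any other way) after the install is finished
# Etc...
#############################################################################################################################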
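# Enable the Quad9 (9.9.9.9) DNS and DNSSEC service
# on Ubuntu 17.10 64-bit using a bash shell script
#
# Notes:
#  * This sends DNS queries to 9.9.9.9 in the clear (plain UDP/TCP port 53). It gives
#    you a validating resolver that blocks known-malicious domains, not transport
#    privacy; for encrypted transport use DNS-over-TLS (stubby, port 853) instead.
#  * Config edits are staged in a private mktemp directory, not under predictable
#    names in /tmp. The staged files are later copied into /etc with sudo, so a
#    pre-created or symlinked /tmp file could otherwise have injected a nameserver
#    or nsswitch entry into the system configuration.
#  * /etc/resolv.conf is normally a symlink managed by systemd-resolved; `cp` writes
#    through it and the content may be regenerated. Check `ls -l /etc/resolv.conf`.
set -u

sudo apt purge unbound
logtime=$(date '+%Y-%m-%d_%Hh%Mm%Ss')
# Backups of every file touched below.
cp /etc/resolv.conf "$HOME/resolv.conf_$logtime"
cp /etc/nsswitch.conf "$HOME/nsswitch.conf_$logtime"
cp /etc/systemd/resolved.conf "$HOME/resolved.conf_$logtime"

# Private scratch directory for the edited copies, removed on exit.
work=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work"' EXIT

sudo service resolvconf stop
sudo update-rc.d resolvconf remove
# /etc/resolv.conf: replace every nameserver with 9.9.9.9.
grep -v nameserver /etc/resolv.conf > "$work/resolv.conf"
echo 'nameserver 9.9.9.9' >> "$work/resolv.conf"
sudo cp "$work/resolv.conf" /etc/resolv.conf
sudo service resolvconf start

# /etc/nsswitch.conf: keep the systemd caching resolver (resolve) in the hosts line.
grep -v hosts /etc/nsswitch.conf > "$work/nsswitch.conf"
# "dns" must stay in this list, or tools like wget cannot resolve names.
echo 'hosts: files mdns4_minimal [NOTFOUND=return] resolv dns myhostname mymachines' >> "$work/nsswitch.conf"
sudo cp "$work/nsswitch.conf" /etc/nsswitch.conf

# /etc/systemd/resolved.conf: upstream 9.9.9.9, local DNSSEC validation on.
# (`grep -v DNS` also drops the commented-out DNSSEC=/FallbackDNS= template lines.)
grep -v DNS /etc/systemd/resolved.conf > "$work/resolved.conf"
# Quad9 background:
# https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/
echo 'DNS=9.9.9.9' >> "$work/resolved.conf"
echo 'DNSSEC=yes' >> "$work/resolved.conf"
sudo cp "$work/resolved.conf" /etc/systemd/resolved.conf
sudo systemd-resolve --flush-caches
sudo systemctl restart systemd-resolved
sudo systemd-resolve --flush-caches
sudo systemd-resolve --status

# It is probably also necessary to manually set the DNS server to 9.9.9.9 in the
# router's configuration and in the NetworkManager GUI, otherwise DHCP-supplied
# resolvers may be re-added.

# Test DNSSEC validation using the dig command-line tool against 9.9.9.9; a validating
# resolver sets the "ad" (authenticated data) flag in the answer.
# See: https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
dig pir.org +dnssec +multi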
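# Build and install hashcat from source on Ubuntu.
cd "$HOME" || exit 1
sudo apt update
sudo apt install cmake build-essential checkinstall git
sudo apt remove hashcat
# build-dep needs the deb-src lines in /etc/apt/sources.list to be enabled.
sudo apt build-dep hashcat
# Remove any previous checkout. If an earlier build was done with `sudo make`, the
# tree may contain root-owned files; remove it once with `sudo rm -rf -- "$HOME/hashcat"`.
rm -rf -- "$HOME/hashcat"
git clone https://github.com/hashcat/hashcat.git
cd hashcat || exit 1
# Prefer building a tagged release instead of whatever master points at right now:
#   git checkout "$(git describe --tags --abbrev=0)"
git submodule update --init
# Build as the unprivileged user. Compiling freshly cloned code needs no root, and
# `sudo make` would run the project's build scripts with full privileges.
make
# Only packaging/installing needs root. checkinstall produces a .deb that dpkg
# tracks, so the build can be removed cleanly later with apt/dpkg.
sudo checkinstall
hashcat --version
# hashcat version should be v3.5.0 or newer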