
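#!/bin/bash
# Permanently enable face recognition (howdy) as an alternative to typing
# the sudo password when using sudo commands.
# Based on following guide:  https://itsfoss.com/face-unlock-ubuntu/
#
# Steps:
#   1. install howdy from its PPA and v4l-utils (provides v4l2-ctl)
#   2. find the camera device and print it, so it can be entered as
#      device_path in /lib/security/howdy/config.ini via `sudo howdy config`
#   3. enrol a face model for the current user and list the known models
#
# apt and howdy prompt interactively; the script stops at the first failure.
set -euo pipefail

sudo add-apt-repository ppa:boltgolt/howdy
sudo apt update
sudo apt install howdy
sudo apt install v4l-utils

#######################################################################
# Find the video device to put into /lib/security/howdy/config.ini.
# `v4l2-ctl --list-devices` prints a name line followed by indented
# /dev/... entries; the first /dev/video entry is taken (for example
# /dev/video0) and surrounding whitespace is stripped.  `|| true` keeps
# a no-match from aborting before the message below is printed.
devicename=$(v4l2-ctl --list-devices | grep -m1 '/dev/video' | tr -d '[:space:]' || true)
if [[ -z "$devicename" ]]; then
  printf 'No /dev/video device found; is the camera connected?\n' >&2
  exit 1
fi
printf 'Camera device for device_path: %s\n' "$devicename"

# `sudo howdy config` opens /lib/security/howdy/config.ini in an editor.
# In its video section set device_path to the device printed above, e.g.
#   device_path = /dev/video0
# The file typically already contains the commented-out line
#   #device_path = /dev/video0
# under "The path of the device to capture frames from".
sudo howdy config

#######################################################################
# Associate a face with the currently logged-in user ...
sudo howdy add
# ... and list all the known face models for that user.
sudo howdy list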
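# Enable the ufw firewall in Ubuntu 18.04 or newer and restrict Internet
# access to a fixed set of outbound ports.
#
# The rule set before and after the change is saved to /tmp/ufw-status-old
# and /tmp/ufw-status-new so the result can be reviewed or reverted.
# `ufw reset` asks for confirmation before wiping the existing rules; the
# script stops at the first failing command (for example a refused reset).
set -euo pipefail

readonly status_old=/tmp/ufw-status-old
readonly status_new=/tmp/ufw-status-new

sudo apt install ufw gufw
sudo ufw status
sudo ufw status > "$status_old"
sudo ufw disable
sudo ufw reset

# `ufw reset` restores the stock policy "deny incoming, allow outgoing".
# With an allow-outgoing default the per-port "allow out" rules below would
# not restrict anything, so both default policies are set to deny first;
# only the ports listed afterwards are then reachable.
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Inbound rules are not needed (the default policy already denies them);
# kept here only as examples:
#sudo ufw allow in to any port 53
#sudo ufw allow in to any port 80
#sudo ufw allow in to any port 443
#sudo ufw allow in to any port 853
#sudo ufw allow in to any port 5938

# Only outbound rules are required.  Each rule opens the port for both
# TCP and UDP.
# DNS:
sudo ufw allow out to any port 53
# http needed in order to get and update packages via apt command:
sudo ufw allow out to any port 80
# NTP port 123 needed to sync time:
sudo ufw allow out to any port 123
# https:
sudo ufw allow out to any port 443
# following port needed for DNS-over-TLS:
sudo ufw allow out to any port 853
# following port needed so that TeamViewer works:
sudo ufw allow out to any port 5938
# following port needed so that gpg can connect to keyserver (HKP):
sudo ufw allow out to any port 11371

sudo ufw enable
sudo ufw status
sudo ufw status > "$status_new"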
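# Start of bash shell script:
# Build ProcDump for Linux from source and install it as a Debian package.
# ProcDump is a Linux reimagining of the classic ProcDump tool from the
# Sysinternals suite of tools for Windows. ProcDump provides a convenient
# way for Linux developers to create core dumps of their application based
# on performance triggers.
#
# The checkout lives in $HOME/procdump-for-linux.  Compilation runs as the
# normal user; only the packaging/installation step (checkinstall, which
# runs `make install` and registers the .deb with dpkg) needs root.
set -euo pipefail

cd "$HOME"
# A previous run may have left root-owned build output behind, hence sudo.
sudo rm -rf -- procdump-for-linux
sudo apt update
sudo apt install git checkinstall build-essential
# Unpinned clone of the default branch; pin a tag here if a reproducible
# build is required.
git clone https://github.com/microsoft/procdump-for-linux
cd procdump-for-linux
# Root is not required to compile; keep the build unprivileged.
make
# Installs the files and creates a removable package
# (see the checkinstall output below: `dpkg -r procdump` uninstalls it).
sudo checkinstall
# End of shell script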

 

Checkinstall configuration and terminal output should be similar to this:

This package will be built according to these values:

0 – Maintainer: [ <restricted> ]
1 – Summary: [ Package created with checkinstall 1.6.2 ]
2 – Name: [ procdump ]
3 – Version: [ 20181112 ]
4 – Release: [ 1 ]
5 – License: [ GPL ]
6 – Group: [ checkinstall ]
7 – Architecture: [ amd64 ]
8 – Source location: [ procdump-for-linux ]
9 – Alternate source location: [ ]
10 – Requires: [ ]
11 – Provides: [ procdump ]
12 – Conflicts: [ ]
13 – Replaces: [ ]

Enter a number to change any of them or press ENTER to continue:

Installing with make install…

========================= Installation results ===========================
mkdir -p //usr/bin
cp bin/procdump //usr/bin
mkdir -p //usr/share/man/man1
cp procdump.1 //usr/share/man/man1

======================== Installation successful ==========================

Copying documentation directory…
./
./LICENSE
./README.md

Copying files to the temporary directory…OK

Stripping ELF binaries and libraries…OK

Compressing man pages…OK

Building file list…OK

Building Debian package…OK

Installing Debian package…OK

Erasing temporary files…OK

Writing backup package…OK
OK

Deleting temp dir…OK
**********************************************************************

Done. The new package has been installed and saved to

/home/<restricted>/procdump-for-linux/procdump_20181112-1_amd64.deb

You can remove it from your system anytime using:

dpkg -r procdump

**********************************************************************

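#######################################################################
# Enable DNS over TLSv1.2 encrypted communications in Ubuntu 18.04 64-bit
# using a bash shell script: stubby listens on 127.0.0.1 and the local
# resolver configuration is pointed at it.
# Source: https://www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls
#
# Steps:
#   1. back up resolv.conf, nsswitch.conf, resolved.conf and
#      /etc/network/interfaces to $HOME with a timestamp suffix
#   2. stop resolvconf and install stubby
#   3. point resolv.conf, /etc/network/interfaces, nsswitch.conf and
#      systemd-resolved at 127.0.0.1 and enable DNSSEC
#   4. restart systemd-resolved and run a DNSSEC test query
#
# Edited copies are prepared in a private mktemp directory (removed on
# exit) instead of fixed file names in /tmp.
set -euo pipefail

sudo apt purge unbound avahi-daemon

logtime=$(date '+%Y-%m-%d_%Hh%Mm%Ss')
readonly logtime
workdir=$(mktemp -d)
readonly workdir
trap 'rm -rf -- "$workdir"' EXIT

# Back up every file rewritten below.  /etc/network/interfaces is only
# present on ifupdown-based installs, so it is optional.
cp /etc/resolv.conf "$HOME/resolv.conf_$logtime"
cp /etc/nsswitch.conf "$HOME/nsswitch.conf_$logtime"
cp /etc/systemd/resolved.conf "$HOME/resolved.conf_$logtime"
if [[ -f /etc/network/interfaces ]]; then
  cp /etc/network/interfaces "$HOME/interfaces_$logtime"
fi

# resolvconf is not installed on every system; stopping/removing it is
# best-effort.
sudo service resolvconf stop || true
sudo update-rc.d resolvconf remove || true

sudo apt install stubby
# Diagnostics only: show the service state and which processes listen on
# the DNS ports (stubby and systemd-resolved are expected).  `ss` is used
# because netstat (net-tools) is not installed by default.
systemctl status stubby || true
sudo ss -lnptu | grep -E 'stubby|systemd-resolve' || true

# resolv.conf: replace every nameserver line with the local stubby
# listener.  `grep -v` exits 1 when nothing is left, hence `|| true`.
grep -v nameserver /etc/resolv.conf > "$workdir/resolv.conf" || true
{
  printf 'nameserver 127.0.0.1\n'
  # printf 'nameserver 2620:fe::fe\n'   # Quad9 over IPv6, would bypass stubby
  # The domain/search entries below come from the source guide; unqualified
  # host names are completed with this domain, so replace it with your own.
  printf 'domain dnsknowledge.com\n'
  printf 'options rotate\n'
} >> "$workdir/resolv.conf"
sudo cp "$workdir/resolv.conf" /etc/resolv.conf
sudo service resolvconf start || true

# Configure the DNS server for ifupdown on Ubuntu 18.04 LTS: drop the old
# dns-nameservers/dns-search/dns-options lines and add the local resolver.
if [[ -f /etc/network/interfaces ]]; then
  grep -v -e nameservers -e search -e options /etc/network/interfaces \
    > "$workdir/interfaces" || true
  {
    #printf 'dns-nameservers 9.9.9.9 2620:fe::fe\n'
    printf 'dns-nameservers 127.0.0.1\n'
    printf 'dns-search dnsknowledge.com\n'
    printf 'dns-options rotate\n'
  } >> "$workdir/interfaces"
  sudo cp "$workdir/interfaces" /etc/network/interfaces
fi

# Enable the systemd caching DNS resolver: replace only the hosts database
# line of nsswitch.conf.
# dns must be mentioned in the new line, or else wget does not work.
grep -v '^hosts:' /etc/nsswitch.conf > "$workdir/nsswitch.conf" || true
printf 'hosts: files mdns4_minimal [NOTFOUND=return] resolv dns myhostname mymachines\n' \
  >> "$workdir/nsswitch.conf"
sudo cp "$workdir/nsswitch.conf" /etc/nsswitch.conf

# Set the DNS server of systemd-resolved to 127.0.0.1 and require DNSSEC.
# Only the DNS= and DNSSEC= keys (commented or not) are replaced; other
# keys whose name contains "DNS" (FallbackDNS=, DNSStubListener=) are kept.
grep -v -E '^#?(DNS|DNSSEC)=' /etc/systemd/resolved.conf > "$workdir/resolved.conf" || true
{
  #printf 'DNS=9.9.9.9\n'
  printf 'DNS=127.0.0.1\n'
  printf 'DNSSEC=yes\n'
} >> "$workdir/resolved.conf"
sudo cp "$workdir/resolved.conf" /etc/systemd/resolved.conf
sudo systemd-resolve --flush-caches
sudo systemctl restart systemd-resolved
sudo systemd-resolve --flush-caches
sudo systemd-resolve --status

# It is probably also necessary to manually set the DNS server to
# 127.0.0.1 in the router's configuration and in the NetworkManager GUI.
#
# Then reboot your PC to enable the new DNS over TLSv1.2 encrypted
# communications.  Use the wireshark application to capture DNS traffic:
# there should be no more DNS handshakes on port 53 and only encrypted
# DNS handshakes on port 853.

# Test DNSSEC validation using the dig command-line tool (package dnsutils).
# See: https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
dig pir.org +dnssec +multi
host dnsknowledge.com

# To get similar functionality on iOS: install "DNSCloak" application
# To get similar functionality on Android: install "Intra" application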

Please first visit this bug report that I filed:

https://bugs.chromium.org/p/chromium/issues/detail?id=889072#c2

So disabling the cipher suites below in Mozilla Firefox will make certain websites inaccessible, but will make the browsing experience more secure.

It is up to you to decide if you want extra security or not.

If you wish to proceed, visit following website to test the weaknesses in your Mozilla Firefox browser:

https://www.ssllabs.com/ssltest/viewMyClient.html

Then upgrade Mozilla Firefox to the latest version.

In Mozilla Firefox, navigate to “about:config” and change the following preferences:

Set security.tls.version.max to 4

Set security.tls.version.min to 3

Set security.ssl3.rsa_aes_128_sha to false

Set security.ssl3.rsa_aes_256_sha to false

Set security.ssl3.rsa_des_ede3_sha to false

Go back to this website to retest weaknesses:

https://www.ssllabs.com/ssltest/viewMyClient.html

After the changes above, only the following protocols and cipher suites should be reported as supported by Mozilla Firefox.

HTTPS protocols TLS 1.0 and older are known to be weak and should be disabled as described above.

TLS_RSA_*_CBC_SHA Cipher Suites should not be used anymore, as they are considered weak. But disabling them will make certain websites inaccessible.

Protocols
TLS 1.3 Yes
TLS 1.2 Yes

 

Cipher Suites (in order of preference)
TLS_AES_128_GCM_SHA256 (0x1301)   Forward Secrecy 128
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   Forward Secrecy 256
TLS_AES_256_GCM_SHA384 (0x1302)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256

Further instructions (more extensive) can be found here:

https://vikingvpn.com/cybersecurity-wiki/browser-security/guide-hardening-mozilla-firefox-for-privacy-and-security

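#!/bin/bash
# Install the lightweight GTK-based Youtube viewer from source
# (inspired by XenialDog 64-bit LiveUSB distro).
# Prerequisite: Ubuntu 20.04 or Debian 10
# source: https://github.com/trizen/youtube-viewer
# source:  https://mark911.wordpress.com/2018/05/02/how-to-install-gtk-youtube-viewer-from-github-source-into-ubuntu-18-04-lts-using-a-bash-shell-script/
#
# API credentials are required before the program can be used; follow the
# instructions at https://github.com/trizen/youtube-viewer:
#   - at https://console.developers.google.com/apis/dashboard create a new
#     Google API project called gtk2-youtube-viewer
#   - create an API key called gtk2-youtube-viewer, restricted to
#     YouTube Data API v3 only
#   - create an OAuth 2.0 Client ID called gtk2-youtube-viewer, defined for
#     Desktop use
#   - put the API key, the OAuth 2.0 Client ID (the long string of letters
#     and numbers, not the name gtk2-youtube-viewer) and the OAuth 2.0
#     Client secret into ~/.config/youtube-viewer/api.json
# For best playback performance, choose mpv as video player backend for the
# gtk2-youtube-viewer program.
set -euo pipefail

cd "$HOME"

# Import signing keys (presumably for apt repositories already configured
# on this machine; the script itself adds no repositories).  The keyserver
# is contacted over hkps so the transfer is TLS-protected.  apt-key is
# deprecated on newer releases, where keys belong in
# /etc/apt/trusted.gpg.d or a signed-by= source entry.
apt_keys=(
  ED75B5A4483DA07C
  9A2FD067A2E3EF7B
  2EA8F35793D8809A
  9D6D8F6BC857C906
  8B48AD6246925553
  7638D0442B90D010
)
for key in "${apt_keys[@]}"; do
  sudo apt-key adv --keyserver hkps://keyserver.ubuntu.com:443 --recv "$key"
done

sudo apt update
sudo apt install youtube-dl mplayer mpv cpanminus perl git libncurses5-dev \
  libtinfo-dev libreadline-dev pkg-config libgtk2.0-dev libgtk3-perl

sudo rm -rf -- youtube-viewer
git clone https://github.com/trizen/youtube-viewer
cd youtube-viewer

# Perl dependencies.  cpanm reports a non-zero status when any module fails
# to build; that is only a warning here because the final
# `./Build installdeps` below resolves whatever is still missing.
cpanm . || printf 'warning: cpanm . reported failures\n' >&2
cpanm --installdeps . || printf 'warning: cpanm --installdeps reported failures\n' >&2
cpan_modules=(
  CPAN ExtUtils::PkgConfig Module::Build inc::latest PAR::Dist
  Term::ReadLine::Gnu::XS Unicode::GCString LWP::Protocol::https Data::Dump
  JSON Gtk2 Gtk3 File::ShareDir LWP::UserAgent::Cached Term::ReadLine::Gnu
  JSON::XS Unicode::LineBreak
)
# Installed once for the user and once system-wide, as in the original guide.
cpanm --from https://cpan.metacpan.org/ "${cpan_modules[@]}" \
  || printf 'warning: user cpanm install reported failures\n' >&2
sudo cpanm --from https://cpan.metacpan.org/ "${cpan_modules[@]}" \
  || printf 'warning: system cpanm install reported failures\n' >&2

perl Build.PL --gtk2
sudo ./Build installdeps
sudo ./Build install

# Show the project README (API key setup is described there).
more README.md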
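# Build a Hiren's Boot CD "reborn" ISO from the community git repository.
# The image is written to ./myhbcd.iso inside the checkout in $HOME.
# list of tools: https://github.com/HBCD/Hiren-s-Boot-CD-reborn/projects/1
set -euo pipefail

cd "$HOME"
sudo apt update
# genisoimage provides the mkisofs command used below.
sudo apt install git genisoimage
# Clone once; on a re-run the existing checkout is updated instead.
if [[ ! -d Hiren-s-Boot-CD-reborn ]]; then
  git clone --depth=1 --recursive https://github.com/HBCD/Hiren-s-Boot-CD-reborn.git
fi
cd Hiren-s-Boot-CD-reborn
git pull --recurse-submodules
git submodule update --remote --recursive
mkisofs -R -D -J -l -joliet-long -o ./myhbcd.iso \
  -b HBCD/grldr -c HBCD/boot.cat \
  -hide-joliet HBCD/boot.cat -hide HBCD/boot.cat \
  -no-emul-boot -N -boot-info-table -V HirensBootCD -boot-load-size 4 CD
ls -larth -- *.iso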
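# Check the running kernel for Spectre/Meltdown mitigations: first with
# the spectre-meltdown-checker project, then with three quick manual
# checks (kernel config, /proc/cpuinfo, dmesg) that print "patched :)" or
# "unpatched :(".
set -euo pipefail

sudo apt update
sudo apt install git
cd "$HOME"
rm -rf -- spectre-meltdown-checker
git clone https://github.com/speed47/spectre-meltdown-checker.git
cd spectre-meltdown-checker
chmod +x spectre-meltdown-checker.sh
# The checker runs as root straight from a fresh clone of the upstream
# default branch; review the checkout (or pin a release tag) beforehand.
# Its exit status reflects the findings, not a script error, so a
# non-zero result must not abort the manual checks below.
sudo ./spectre-meltdown-checker.sh || true

# Manual check 1: kernel page-table isolation compiled in.
kernel_config="/boot/config-$(uname -r)"
if grep -q 'CONFIG_PAGE_TABLE_ISOLATION=y' "$kernel_config"; then
  echo "patched :)"
else
  echo "unpatched :("
fi

# Manual check 2: the cpu_insecure flag was reported by the first patched
# kernels and later renamed, so a miss here is not conclusive on newer
# kernels.
if grep -q cpu_insecure /proc/cpuinfo; then
  echo "patched :)"
else
  echo "unpatched :("
fi

# Manual check 3: boot message of the mitigation.  dmesg may be restricted
# to root (kernel.dmesg_restrict), hence sudo.
if sudo dmesg | grep -q "Kernel/User page tables isolation: enabled"; then
  echo "patched :)"
else
  echo "unpatched :("
fi

uname -a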
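# Enable the new Quad9 (9.9.9.9) DNS and DNSSEC service in Ubuntu 17.10
# 64-bit using a bash shell script.
# https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/
#
# Steps:
#   1. back up resolv.conf, nsswitch.conf and resolved.conf to $HOME with
#      a timestamp suffix
#   2. stop resolvconf
#   3. point resolv.conf, nsswitch.conf and systemd-resolved at 9.9.9.9
#      and enable DNSSEC validation
#   4. restart systemd-resolved and run a DNSSEC test query
#
# Edited copies are prepared in a private mktemp directory (removed on
# exit) instead of fixed file names in /tmp.
set -euo pipefail

sudo apt purge unbound

logtime=$(date '+%Y-%m-%d_%Hh%Mm%Ss')
readonly logtime
workdir=$(mktemp -d)
readonly workdir
trap 'rm -rf -- "$workdir"' EXIT

cp /etc/resolv.conf "$HOME/resolv.conf_$logtime"
cp /etc/nsswitch.conf "$HOME/nsswitch.conf_$logtime"
cp /etc/systemd/resolved.conf "$HOME/resolved.conf_$logtime"

# resolvconf is not installed on every system; stopping/removing it is
# best-effort.
sudo service resolvconf stop || true
sudo update-rc.d resolvconf remove || true

# resolv.conf: replace every nameserver line with Quad9.  `grep -v` exits 1
# when nothing is left, hence `|| true`.
grep -v nameserver /etc/resolv.conf > "$workdir/resolv.conf" || true
printf 'nameserver 9.9.9.9\n' >> "$workdir/resolv.conf"
sudo cp "$workdir/resolv.conf" /etc/resolv.conf
sudo service resolvconf start || true

# Enable the systemd caching DNS resolver: replace only the hosts database
# line of nsswitch.conf.
# dns must be mentioned in the new line, or else wget does not work.
grep -v '^hosts:' /etc/nsswitch.conf > "$workdir/nsswitch.conf" || true
printf 'hosts: files mdns4_minimal [NOTFOUND=return] resolv dns myhostname mymachines\n' \
  >> "$workdir/nsswitch.conf"
sudo cp "$workdir/nsswitch.conf" /etc/nsswitch.conf

# Set the DNS server of systemd-resolved to 9.9.9.9 and require DNSSEC.
# Only the DNS= and DNSSEC= keys (commented or not) are replaced; other
# keys whose name contains "DNS" (FallbackDNS=, DNSStubListener=) are kept.
grep -v -E '^#?(DNS|DNSSEC)=' /etc/systemd/resolved.conf > "$workdir/resolved.conf" || true
{
  printf 'DNS=9.9.9.9\n'
  printf 'DNSSEC=yes\n'
} >> "$workdir/resolved.conf"
sudo cp "$workdir/resolved.conf" /etc/systemd/resolved.conf
sudo systemd-resolve --flush-caches
sudo systemctl restart systemd-resolved
sudo systemd-resolve --flush-caches
sudo systemd-resolve --status

# It is probably also necessary to manually set the DNS server to
# 9.9.9.9 in the router's configuration and in the NetworkManager GUI.

# Test DNSSEC validation using the dig command-line tool (package dnsutils)
# against DNS server 9.9.9.9:
# see: https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
dig pir.org +dnssec +multi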
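# Download the current Vivaldi amd64 .deb from vivaldi.com and install it.
# The download page and package are fetched into a private mktemp
# directory (removed on exit) rather than /tmp, so no other .deb files
# are touched.  TLS certificate verification is left enabled: the package
# URL is parsed out of the download page, so both transfers are only as
# trustworthy as the TLS connection to vivaldi.com.
set -euo pipefail

workdir=$(mktemp -d)
readonly workdir
trap 'rm -rf -- "$workdir"' EXIT
cd "$workdir"

wget -O download.html https://vivaldi.com/download/
# Extract the first amd64 .deb link from the page (href value is the
# fourth double-quote-separated field of the matching line).
deb_url=$(grep deb download.html | grep amd64 | cut -d'"' -f4 | head -n 1 || true)
if [[ -z "$deb_url" ]]; then
  printf 'No amd64 .deb link found on the Vivaldi download page.\n' >&2
  exit 1
fi
wget -- "$deb_url"
sudo dpkg -i ./vivaldi*.deb
# dpkg -i does not pull in missing dependencies; apt-get -f installs them.
sudo apt-get install -f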