Linux: systemd ignores console-setup settings

If you work on older laptops and use a console-only system setup, as on Debian, there has been a bug between systemd and the console-setup package for years. After a reboot all font settings seem to be gone. The settings are not really gone, though: systemd simply does not apply them on boot!

How to fix?

  • edit the crontab of root with:

sudo su -
crontab -e

  • insert the /bin/setupcon command with “@reboot”, which means it runs on every boot!

@reboot     /bin/setupcon > /dev/null 2>&1

  • save and exit, then reboot
  • now the PC should show big fonts for old eyes: “Terminus 20×12 Framebuffer mode”

 

Security: Disable USB Drive mount for Users

If you share your systems and want to prevent USB drives from being connected, there is a small solution. By default the gvfs service handles all automounts and drive scans. On old Linux systems you could purge the complete gvfsd “backend”, but Ubuntu-Desktop pulls some of its packages in through the default desktop package! If you purge it, the working desktop can be destroyed!

It’s easier to prevent the “USB drivers”, called modules, from loading at start! Rules are “software” and can fail unnoticed!!

How to? Edit /etc/modprobe.d/blacklist.conf and add:

blacklist usb_storage
blacklist uas

Update the initramfs (kernel image):

update-initramfs -u -k all
reboot

Now try to plug in USB sticks; they should be ignored!

To enable USB drives temporarily, do:

$ sudo modprobe uas
$ nautilus

Now the USB stick should be mountable for root!

Advantage? No gvfs, org.freedesktop rules or package dependencies are touched!

Remark: On laptops, DISABLE all USB devices for security reasons! No “fake keyboard” or “fake mouse” should be able to enter the system!!! (USB kill sticks)
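
The blacklist lines above can be checked mechanically. The following shell functions are an added example, not part of the original post: they report whether a module is only blacklisted (autoloading is stopped, but an explicit modprobe still works, which is what the temporary enable step relies on) or blocked with an install rule, and whether it is currently loaded. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# module_policy MODULE [CONF_DIR] prints how modprobe.d restricts MODULE:
#   none             no restriction found
#   blacklist        only alias-based autoloading is stopped; "modprobe MODULE" still works
#   install-blocked  "install MODULE /bin/false" (or /bin/true) also refuses explicit loads
# Assumption: only CONF_DIR/*.conf is read (default /etc/modprobe.d).
module_policy() {
    # modprobe treats "-" and "_" in module names as the same character
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null | tr '-' '_' |
    awk -v m="$(printf '%s' "$1" | tr '-' '_')" '
        /^[ \t]*#/ { next }                                    # skip comment lines
        $1 == "blacklist" && $2 == m { bl = 1 }
        $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { inst = 1 }
        END { print (inst ? "install-blocked" : (bl ? "blacklist" : "none")) }'
}

# module_loaded MODULE [MODULES_FILE] succeeds if MODULE is listed as loaded.
module_loaded() {
    awk -v m="$(printf '%s' "$1" | tr '-' '_')" \
        '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}" 2>/dev/null
}

# Constructed sample: the two blacklist lines from the post, and a /proc/modules
# excerpt in which uas was loaded by hand (which pulls in usb_storage as well).
demo=$(mktemp -d)
printf 'blacklist usb_storage\nblacklist uas\n' > "$demo/blacklist.conf"
printf 'uas 32768 0 - Live 0x0\nusb_storage 81920 1 uas, Live 0x0\n' > "$demo/modules"
for mod in usb_storage uas; do
    if module_loaded "$mod" "$demo/modules"; then state="loaded"; else state="not loaded"; fi
    echo "$mod: policy=$(module_policy "$mod" "$demo"), $state"
done
rm -rf "$demo"
```

On a real system, call the functions without the optional arguments to read /etc/modprobe.d and /proc/modules.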

Security: Isolated Browser eMail Programs

If you want to be more secure on Linux, you can isolate the programs you use under different users! All you need is installed by default!

How to:

  • Add new users for email and browser to the system with:

$ sudo adduser mailuser
$ sudo adduser webuser

  • now install the “gksu” user switcher, if it is not installed by default

$ sudo apt-get install gksu

  • now copy the default app link to webuser’s home Desktop; for mailuser, use mailuser’s name instead

$ cp /usr/share/applications/firefox-esr.desktop /home/webuser/Desktop/firefox-esr.desktop

  • edit firefox-esr.desktop by right-clicking it in nautilus or with an editor, and change the command line:
  • old:

/usr/lib/firefox-esr/firefox-esr %u

  • to:

gksu -u webuser -w "/usr/lib/firefox-esr/firefox-esr %u"

  • save and exit
  • Now, to test, click on the Firefox app link and you are asked for a password! Enter the webuser password and you are using Firefox on an isolated account!
  • Do the same for the Thunderbird email client, so that no bad code can access your emails!
  • Set the home folder rights for webuser and mailuser to 700 with:

$ sudo chmod 700 /home/webuser
$ sudo chmod 700 /home/mailuser

  • Remark: The same techniques are available on Windows or other Unix systems; alternatively use VNCSERVER, an app to run desktops inside desktops!
  • Advantage: Programs run in isolated RAM space!
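
A quick audit of the setup above, as an added example that is not part of the original post: launcher_user reports which account a .desktop launcher switches to, and open_homes lists home directories that still grant group or other access, which matters for your own home as much as for webuser and mailuser. The function names and the sample user "alice" are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: audit the isolated-account setup.

# launcher_user DESKTOP_FILE prints the account named after "gksu -u" in the
# first Exec= line, or "(invoking user)" if the launcher does not switch users.
launcher_user() {
    awk '/^Exec=/ {
        sub(/^Exec=/, ""); u = ""
        if ($1 == "gksu")
            for (i = 2; i < NF; i++) if ($i == "-u") { u = $(i + 1); break }
        print (u == "" ? "(invoking user)" : u); exit
    }' "$1"
}

# open_homes HOME_ROOT prints every directory under HOME_ROOT whose mode grants
# any permission to group or others (i.e. the mode is not 700 or stricter).
open_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        # characters 5-10 of the ls mode string are the group and other bits
        [ "$(ls -ld "$d" | cut -c5-10)" = "------" ] || echo "$d"
    done
}

# Constructed sample: a home left at mode 755 next to the two 700 homes.
demo=$(mktemp -d)
mkdir "$demo/alice" "$demo/webuser" "$demo/mailuser"
chmod 755 "$demo/alice"; chmod 700 "$demo/webuser" "$demo/mailuser"
printf '[Desktop Entry]\nExec=gksu -u webuser -w "/usr/lib/firefox-esr/firefox-esr %%u"\n' \
    > "$demo/firefox-esr.desktop"
echo "launcher runs as: $(launcher_user "$demo/firefox-esr.desktop")"
echo "homes accessible to other accounts:"; open_homes "$demo"
rm -rf "$demo"
```

On a real system, run open_homes /home and point launcher_user at the edited launcher on the Desktop.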

Security: Protection against the WannaCry crypto-ware

You have perhaps heard in the last days about the major problems caused by attacks on systems with the “WannaCry” crypto-ware.

How to protect yourself?

  • Enable the firewall on Windows systems!! Always!
  • Update the virus scanners and Windows patches daily!
  • Disable and CLOSE ports you never need! The SMB protocol is an open, unencrypted transfer protocol!
  • Use a second router with a firewall behind your ISP router or modem! (openwrt, pfsense)
  • Check the applied rules with the nmap port scanner tool and check that they work!
  • For network access ALWAYS use SFTP with authentication over key logins (two factor: key and password to unlock the key files id_rsa)
  • For freshly installed systems, do a full backup of the disk.
  • To save your work files, use USB drives or USB sticks, which can be unplugged if you don’t need them.
  • Back up the Windows disk weekly to an external USB disk; 1TB is sold for less than $50
  • ..last but not least, use a Linux live CD like ubuntu to access the Internet..

Update:

  • The Linux Windows share service called Samba is also under attack: CVE-2017-7494
  • to fix it, open smb.conf with an editor and add:

nt pipe support = no

  • restart the service with:

$ service samba stop && service samba start

  • Don’t use reload, to be sure that the config is really reloaded!! A “systemd” problem!
  • Check the Samba share for write and read access!
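
One way to confirm that the setting actually landed in the [global] section of smb.conf, where this global parameter belongs, as an added example that is not part of the original post. The function name and the sample configuration are constructed; the parser assumes a single file without include directives.

```sh
#!/bin/sh
# Added example, not from the original post: check the CVE-2017-7494 workaround.
# nt_pipe_support_state SMB_CONF prints the [global] setting of "nt pipe support":
#   disabled | enabled | unset   (unset = Samba's default applies, which is enabled)
# Assumptions: the file is read on its own (no "include" handling) and a later
# entry overrides an earlier one.
nt_pipe_support_state() {
    awk '
        /^[ \t]*[#;]/ { next }                        # comment lines
        /^[ \t]*\[/ {                                 # section header, e.g. [global]
            sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next
        }
        sec == "global" && index($0, "=") {
            # parameter names are case-insensitive and whitespace in them is ignored
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            if (name != "ntpipesupport") next
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            state = (val ~ /^(no|false|0)$/) ? "disabled" : "enabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Constructed sample smb.conf with the line from the post, written in mixed case.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   NT Pipe Support = no
[public]
   path = /srv/public
EOF
echo "nt pipe support: $(nt_pipe_support_state "$conf")"
rm -f "$conf"
```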

Debian/Ubuntu laptop mods for SSD/HDD and full encryption with LUKS

Major INFO 06-2015: Do not set tmpfs on ubuntu 15.XX or systems with systemd!!! This blocks the PC from booting!!

If you want to set up an Ubuntu/Debian laptop with a fully encrypted HDD, use an “alternate” CD/DVD.
After setup you have to change a few parameters to extend the lifecycle of the SSD chips:

  • disable swap if you have more than 4GB RAM
  • enable a RAMDISK with tmpfs for logs and browser caches
  • install cpufrequtils for CPU frequency scaling
  • install laptop-mode-tools to set powersave mode for hardware modules
  • install xbacklight to reduce backlight energy

Steps:

  • open a console and change to the root user: enter “$ sudo -s” and the password,
  • now we have to disable swap: edit with “$ nano /etc/rc.local” and insert a “swapoff -a” before “exit”
  • edit with “$ nano /etc/fstab”: set a “#” at the line with the older “/tmp” entry and insert:
    tmpfs  /tmp  tmpfs  nosuid  0  0
    tmpfs /var/run tmpfs nosuid,mode=0755 0 0
    tmpfs /var/lock tmpfs noexec,nosuid,nodev 0 0
    tmpfs /var/log tmpfs noexec,nodev,nosuid 0 0
  • remove /var/tmp and create a symlink with “$ ln -s /tmp /var/tmp”
  • reboot
  • log in as user to configure the Firefox / iceweasel browser to use the RAMDISK as cache, with the “firefox -P” command
  • delete the default profile, create a new one named “ram” and let the profile manager create the new profile in /tmp
  • restart Firefox / iceweasel with the “-P” option; now everything is held inside the RAMDISK!! (after a reboot all of it is history and the cookies are deleted!)
  • if you use other applications with a CACHE, do the same with EVERY application (read the readme.txt of the apps)

Enjoy the new very secure Internet laptop with built-in theft protection and secure private permanent browsing!

Linux Tip: Split the console screen on widescreen laptops / PCs with “screen” and “terminator”

Current laptops / PCs use 16:9 widescreen displays, and if you don’t want to use Xorg (GNOME, Unity, Openbox desktops) you can use the program called “screen” on the Linux console. It offers:

– splitting consoles horizontally and vertically
– disconnecting the screen while the scripts/commands stay active on remote systems
– reconnecting if the remote session was broken because of network problems

On GNOME or Unity you can use “terminator”

see:

– manpage of screen
– http://unix.stackexchange.com/questions/7453/how-to-split-the-terminal-into-more-than-one-view

Chromebook Replacement: Get or build your Firefoxbook with Linux for free

firefoxbook a free chromebook replacement – Screen after boot

A free how-to for getting a free Chromebook replacement, called Firefoxbook

Everybody knows the product called Chromebook, but you don’t have to buy such a laptop with a branded OS! Here is a small how-to for getting a similar laptop with free Firefox.

How does it work? Easy: the laptop boots from a stick or CF card into a RAMDISK, and the Firefox profile and cache are always newly created on the non-permanent RAMDISK. Private mode suppresses cookies and other waste. Only the window settings are stored (fullscreen / F11). After boot the Internet is connected and Firefox is shown on the desktop.

All you need:

  • a laptop, can be an older one, I prefer Thinkpads
  • a wireless/LAN card if not available inside
  • a 4GB USB stick or 4GB CF disk with ATA-CF adaptor
  • time to work
  • Tinycorelinux on CD, source http://distro.ibiblio.org/tinycorelinux/

Let’s do it:

  • download Tinycorelinux and burn it to CD
  • reboot the laptop from the CD into tinycore
  • open a terminal and enter # sudo tc-install
  • follow the instructions
  • reboot the laptop and remove the CD
  • boot the laptop from the USB stick
  • check the network connection
  • if it is not available, plug in a LAN cable and reboot again from the stick
  • or set up WIFI with the WIFI manager
  • check the internet connection again
  • NOW LET’S MAKE IT SAFE!
  • if the laptop is online, install firefox with: # tce-load -wi firefox
  • NOW!! First create a firefox profile on the RAMDISK!!
  • run as the tc user # firefox -P
  • create a new firefox profile named “tmp” and locate it at /tmp
  • now run as user tc # firefox, then close firefox!
  • now edit /opt/.filetool.lst with # sudo vi /opt/.filetool.lst
  • add the line “tmp/localstore.rdf”, save and close
  • edit as user tc # vi /home/tc/.setbackground
  • add the line “sh /tmp/tcloop/firefox/usr/local/firefox-official/firefox --private”
  • save the settings to the USB stick, called mydata.tgz, with # filetool.sh -b
  • run # sudo reboot

Enjoy a Firefoxbook with an always-safe browsing option! On every reboot the old cached data is really lost, because the profile is always placed inside the ramdisk and never on chip!

Always reboot or shut down without backup via the menu, or just push the laptop power button, to auto-delete waste at poweroff. Other browsers can also be used (Opera).