ENFORCE Google to DuckDuckGo SEARCH

If you want to enforce the use of duckduckgo.com instead of google.com, do the following:

Edit the "hosts" file on the PC:

Linux /etc/hosts
Windows C:\Windows\System32\drivers\etc

Append at the end:

54.229.105.92  google.com  #ip of duckduckgo or 176.34.131.233
54.229.105.203 google.com #ip of duckduckgo
176.34.131.233 bing.com #ip of duckduckgo or 176.34.131.233
176.34.131.233 yahoo.com #ip of duckduckgo or 176.34.131.233

Reboot, then test in a browser session: after entering google.com you should see duckduckgo.com.

Remark:

  • Most DSL routers offer editing of the hosts file too; do the same there and ALL devices are redirected!
  • Don't forget to reboot!
  • This solution works only on IPv4 networks; to enforce it on the local net, disable IPv6 forwarding on your ISP router!
  • Test the address bar search; there the redirect does not work, because of compiled-in IPs or IPv6 broadcast. In that case remove unneeded search engines in the browser settings!
  • Use the free fork of Firefox named IceCat
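
An added check, not part of the original post, for reviewing a hosts file before relying on it. It lists every address given for a name and flags names that appear with more than one address; names are matched exactly, so the google.com lines above do not cover www.google.com. The function names and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.

# hosts_addresses FILE NAME: every address the file lists for NAME, in file order.
# Names are matched exactly; a hosts file has no wildcards or subdomain matching.
hosts_addresses() {
    awk -v name="$2" '
        BEGIN { name = tolower(name) }
        { sub(/#.*/, "") }                    # drop comments
        NF < 2 { next }                       # blank or incomplete line
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == name) { print $1; break } }
    ' "$1"
}

# hosts_conflicts FILE: names that appear with more than one distinct address.
hosts_conflicts() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) {
              n = tolower($i)
              if (!(n in first)) first[n] = $1
              else if (first[n] != $1 && !(n in dup)) { dup[n] = 1; print n }
          } }
    ' "$1"
}

# Constructed sample: the entries from this post plus a localhost line.
sample_hosts() {
    cat <<'EOF'
127.0.0.1      localhost
54.229.105.92  google.com  #ip of duckduckgo or 176.34.131.233
54.229.105.203 google.com #ip of duckduckgo
176.34.131.233 bing.com #ip of duckduckgo or 176.34.131.233
176.34.131.233 yahoo.com #ip of duckduckgo or 176.34.131.233
EOF
}

f=$(mktemp) && sample_hosts > "$f"
for h in google.com www.google.com bing.com; do
    echo "$h: $(hosts_addresses "$f" "$h" | tr '\n' ' ')"
done
echo "conflicting names: $(hosts_conflicts "$f")"
rm -f "$f"
```
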

Nextcloud Owncloud Opensource Risks

If you are currently using Nextcloud / Owncloud or other PHP kits for file handling, you should know these remarks:

Based on this Article

You must know:

  • Security details of the PHP version you currently use (7.X)
  • Details of the database version you use (MySQL..)
  • Details of the hardened OS and web server version (Apache, firewall, fail2ban, file policies, SELinux, AppArmor filter)
  • ALWAYS treat open source PHP kits with the trust you give NON-HARDENED SOFTWARE (prefer NON-PUBLIC ACCESS)
  • You can ACCESS this software through SSH TUNNELS with a locally running non-caching PROXY (privoxy)
  • Use the SSH tunnels on unknown ports and log in via key files which must be unlocked by LONG PASSWORDS
  • Public ACCESS is ALWAYS a RISK if YOU don't have KNOWLEDGE of the SOURCE CODE!

Howto read here

Ubuntu 16.04 Compiz Hang Kernel

After Ubuntu published the latest kernel patches for Meltdown and Spectre, kernel 4.4.0-104/109-generic makes Intel graphics freeze or hang on Compiz with Unity.

Howto fix:

Install the latest Kernel 4.4.0-112-generic

do:
sudo apt-get install linux-image-4.4.0-112-generic
sudo apt-get install linux-image-extra-4.4.0-112-generic

reboot

then:

sudo apt-get autoremove --purge -y

This removes older kernels and saves space! Test the PC for hanging again!!!

Meltdown Spectre VM Hosting

Through current IT news you may have heard about the major security problem of x86 technology.

If your websites are currently hosted on VMs at VM providers, contact them to get current news about how they handle the bug on their VM host servers. If you get no details, then shut down your sites temporarily, or look for another solution which isn't running on x86 technology.

Otherwise you can try to switch from PHP kits to static HTML websites. On the net there are very helpful tools to do this easily. For WordPress a WP-to-HTML plugin is available. It dumps your blog to a static HTML package, which you can serve from a Raspberry Pi with lighttpd as a little web server instance until the x86 manufacturers fix the nasty problems. Remark: Debian runs on other CPUs like Sparc64 and MIPS too.

Debian: without systemd

If you run Debian servers, you have read in the last weeks about security problems of the systemd service manager.

In several tests I have seen many systems having problems with service starts on boot, like on Debian, Raspbian ..

This is a result of service scripts not cleanly redesigned by the maintainers, like the proxy server "privoxy" package…

For tests I decided to try the new Debian fork replacement DEVUAN for desktop and a standard Debian server setup without systemd!

How to purge systemd on a Debian system: read this external wiki:

http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installation

or try Devuan for Server and Desktop:

https://devuan.org/

Remark: Devuan is tested for desktop usage because of customized scripts and packages like polkit for EASY setup!

Security: Disable USB Drive mount for Users

If you share your systems and you want to disable USB drive connects, there is a small solution. By default the gvfs service handles all automounts and drive scans. On old Linux systems you could purge the complete gvfsd "backend", but Ubuntu-Desktop forces some packages into the default desktop package! If you purge it, the working desktop can be destroyed!

It's easier to prevent the "USB drivers", called modules, from loading at start! Because rules are "software" and can FAIL without notice!!

How? Edit /etc/modprobe.d/blacklist.conf and add:

blacklist usb_storage
blacklist uas

Update initramfs (Kernel Image)

update-initramfs -u -k all
reboot

Now try to plug in USB sticks; they should now be ignored!

To enable USB drives temporarily do:

$ sudo modprobe uas
$ nautilus

Now the USB stick should be mountable for root!

Advantage? No gvfs, org.freedesktop rules or package deps are touched!

Remark: On laptops DISABLE all USB devices for security reasons! No "fake keyboard" or "fake mouse" should be able to enter the system!!! (USB Kill Sticks)
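
An added example (not from the original post) that reports how the modprobe.d rules treat a module. A blacklist line only stops automatic loading, which is why "modprobe uas" above still works; an "install <module> /bin/false" rule blocks explicit loads as well. The function names, the sample directory and the harden.conf file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample directory are constructed.

# module_policy DIR MODULE: how the modprobe.d files in DIR treat MODULE.
#   loadable    - no rule found
#   blacklisted - not auto-loaded for a device, but "modprobe MODULE" still works
#   disabled    - "install MODULE /bin/false" (or /bin/true): explicit loads are blocked too
module_policy() {
    cat "$1"/*.conf 2>/dev/null | awk -v mod="$2" '
        BEGIN { gsub(/-/, "_", mod); state = "loadable" }
        { sub(/#.*/, "") }
        NF < 2 { next }
        { m = $2; gsub(/-/, "_", m) }          # modprobe treats - and _ alike
        m != mod { next }
        $1 == "blacklist" && state == "loadable" { state = "blacklisted" }
        $1 == "install" && ($3 == "/bin/false" || $3 == "/bin/true") { state = "disabled" }
        END { print state }
    '
}

# module_loaded MODULE [FILE]: exit 0 if MODULE is in the loaded-module list
# (FILE defaults to /proc/modules, which spells names with underscores).
module_loaded() {
    awk -v mod="$1" '
        BEGIN { gsub(/-/, "_", mod) }
        $1 == mod { found = 1 }
        END { exit !found }
    ' "${2:-/proc/modules}"
}

# Constructed demo: the two lines from this post, then a stricter rule added.
d=$(mktemp -d)
printf 'blacklist usb_storage\nblacklist uas\n' > "$d/blacklist.conf"
echo "usb_storage: $(module_policy "$d" usb_storage)"
echo "uas:         $(module_policy "$d" uas)"
echo 'install usb-storage /bin/false' > "$d/harden.conf"
echo "usb_storage after install rule: $(module_policy "$d" usb_storage)"
rm -rf "$d"
```
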

Security: Isolated Browser eMail Programs

If you want to be more secure, on Linux you can isolate the programs you use under different users! All you need is installed by default!

isolated firefox thunderbird

Howto:

  • Add a new user for email and one for the browser to the system with:

$ sudo adduser mailuser
$ sudo adduser webuser

  • now install the "gksu" user switch, if it is not installed by default

$ sudo apt-get install gksu

  • now copy the default app links to webuser's home Desktop; for mailuser enter mailuser's name

$ cp /usr/share/applications/firefox-esr.desktop /home/webuser/Desktop/firefox-esr.desktop

  • edit firefox-esr.desktop by right click in nautilus or with an editor and change the command line:
  • old:

/usr/lib/firefox-esr/firefox-esr %u

  • to:

gksu -u webuser -w "/usr/lib/firefox-esr/firefox-esr %u"

  • save and exit
  • Now to test, click on the Firefox app link and a password is asked! Enter the webuser password and you use Firefox on an isolated account!
  • Do the same for the Thunderbird email client, so that no bad code can access your emails!
  • Set the home folder rights for webuser and mailuser to 700 with:

$ sudo chmod 700 /home/webuser
$ sudo chmod 700 /home/mailuser

  • Remark: The same techniques are available on Windows or other Unix systems; alternatively use VNCSERVER, an app to run desktops inside desktops!
  • Advantage: Programs run on isolated RAM Space!

Security: Protection Against Cryptware Wannacry

You have perhaps heard in the last days about the major problems with attacks on systems by the "WannaCry" crypto ware.

How to protect yourself?

  • Enable the firewall on Windows systems!! Always!
  • Update the virus scanners and Windows patches daily!
  • Disable and CLOSE ports you never need! The SMB protocol is an open, unencrypted transfer protocol!
  • Use a second router with firewall behind your ISP router or modem! (openwrt, pfsense)
  • Check the applied rules with the nmap port scanner tool and check that they work!
  • For network access ALWAYS use SFTP with authentication via key logins (two factor: key and password to unlock the key file id_rsa)
  • For freshly installed systems do a full backup of the disk.
  • To save your work files use USB drives or USB sticks which can be unplugged if you don't need them.
  • Back up the Windows disk weekly to an external 1TB USB disk, sold for less than 50$
  • ..last but not least use a Linux live CD like Ubuntu to access the Internet..

Update:

  • The Linux Windows share service called Samba is also under attack: CVE-2017-7494
  • to fix, enter in smb.conf with an editor:

nt pipe support = no

  • restart the Service with:

$ service samba stop && service samba start

  • Don't use reload, to be sure that the config is really reloaded!! A "systemd" problem!
  • Check the Samba share for write and read access!
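
A check for the smb.conf workaround above, as an added example that is not from the original post. It assumes the setting belongs in the [global] section and does not follow include directives; "testparm -s" shows the configuration Samba actually parses. The function names and the sample configs are constructed.

```shell
#!/bin/sh
# Added example; function names and the sample configs are constructed.

# smb_global_param FILE PARAM: value of PARAM in [global] (last occurrence),
# empty when unset. Samba ignores case and whitespace in parameter names.
smb_global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                          # comment lines
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
                      sec = norm(sec); next }
        sec == "global" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (norm(k) == want) val = v
        }
        END { print val }
    ' "$1"
}

# nt_pipe_mitigated FILE: exit 0 only if "nt pipe support" is explicitly off
# (boolean forms from smb.conf(5)). The Samba default is yes, so an unset or
# commented-out line counts as not mitigated.
nt_pipe_mitigated() {
    case "$(smb_global_param "$1" "nt pipe support" | tr 'A-Z' 'a-z')" in
        no|false|0) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed samples: one with the workaround, one with it only commented out.
d=$(mktemp -d)
printf '[global]\n   workgroup = WORKGROUP\n   NT Pipe Support = No\n[data]\n   path = /srv/data\n' > "$d/fixed.conf"
printf '[global]\n   workgroup = WORKGROUP\n;  nt pipe support = no\n' > "$d/open.conf"
for f in fixed open; do
    if nt_pipe_mitigated "$d/$f.conf"; then echo "$f.conf: mitigated"; else echo "$f.conf: NOT mitigated"; fi
done
rm -rf "$d"
```
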