Securing your web browsing in Linux

Many years ago, when I installed Red Hat 7 as my primary Internet-connected workstation, it was like surfing the web in 1995.  Before Firefox, we had Mozilla 1.0 and it was a pleasure to use.  It was the first browser with a pop-up blocker and I could count on Linux’s Unix-based security model to keep a website from pwning my whole machine.  Life was good back then.  Now with Linux used in smartphones and more popular on the desktop, the crappiness of the Internet has come here.

If you go to those black hat conferences, you will find that nobody tries to pwn a Linux machine the way they do a Windows one.  Instead, the trick is to pwn userland.  It is almost as good as the whole machine.  An attacker can obtain sensitive documents, KeePassX databases, tax returns, photos, pretty much everything you have with just access to your $HOME directory.

So how do you prevent it?  With Linux and most other Unix-based desktops it is possible to run the browser as a different user in the desktop.  All you have to do is:

  1. Create a low-privileged user such as “nobody” or “interwebs”.  Add your main user to its private group.
  2. Install sshd if it is not already installed.
  3. Set up passwordless user/host equivalence between your main account and the low-privileged one.
  4. Set up a command to execute the browser over SSH the same way you might use xming on Windows to run the OUI, and put a shortcut on your desktop with a different icon.
  5. Use the “trusted” browser to access your bank, email, PayPal and such.  Use your new “untrusted internet” browser to surf the rest of the interwebs.

For example:

Creating the low-privileged account:

[Screenshot: User Manager]

Set up passwordless ssh user/host equivalence:

[oracle@oracle-linux ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
73:06:f4:aa:fd:b2:e0:fa:86:69:08:09:ae:75:ac:0c oracle@oracle-linux.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|        .        |
|       . .       |
|        . .      |
|.        o       |
|o. .    S o      |
|E.. o  o +       |
|.= + oo .        |
|. + +.....       |
|   ..+o .o.      |
+-----------------+

[oracle@oracle-linux ~]$ ssh-copy-id interwebs@127.0.0.1
interwebs@127.0.0.1's password: 
Now try logging into the machine, with "ssh 'interwebs@127.0.0.1'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[oracle@oracle-linux ~]$ ssh interwebs@127.0.0.1 date
Fri May 29 21:24:41 EDT 2015
[oracle@oracle-linux ~]$ 

So try running the browser through SSH and X Windows:

[oracle@oracle-linux ~]$ ssh -Y interwebs@127.0.0.1 firefox &
[1] 2304
[oracle@oracle-linux ~]$ /usr/bin/xauth:  creating new authority file /home/interwebs/.Xauthority

Now that the browser has started, you will notice it doesn’t have any of your bookmarks, browser customizations, extensions, or anything else associated with your main account. You can further verify it is using the low-privileged account by accessing the File menu and seeing what home directory you are in:

[Screenshot]

There you are!  Create a shortcut on the desktop, preferably with a spammy-looking icon so you don’t accidentally use it to log in to your bank.
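The setup only helps if the low-privileged account really cannot read your $HOME. The script below is an added example, not part of the original post: it lists what an account outside your group could still open under a home directory. The function names and the script name are made up for illustration, and it assumes the untrusted account is not a member of your main user's group.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.
# Assumption: the untrusted account (e.g. "interwebs") is NOT in your main
# user's group, so only the "other" permission bits apply to it.

# True when accounts outside the owner and group can enter directory $1,
# i.e. the o+x (search) bit is set on it.
other_can_enter() {
    [ -n "$(find "$1" -prune -type d -perm -001 -print 2>/dev/null)" ]
}

# Print every entry under home directory $1 that such an account could open:
# entries with the o+r bit, reached only through directories that have o+x.
# Prints nothing when the home directory itself is closed (e.g. mode 0700).
exposed_entries() {
    home=$1
    other_can_enter "$home" || return 0
    # Directories without o+x are pruned: nothing below them can be opened.
    # Symlinks are skipped because their own mode bits are meaningless.
    find "$home" -mindepth 1 \
        \( -type d ! -perm -001 -prune \) -o \
        \( ! -type l -perm -004 -print \) | sort
}

# Run as your main user:  sh audit-home.sh "$HOME"
# Empty output: nothing in that tree is readable to the browser account
# through the permission bits (ACLs are not checked).
if [ "$#" -gt 0 ]; then
    exposed_entries "$1"
fi
```

File permissions are only one layer here: ssh -Y requests trusted X11 forwarding, so the forwarded browser is not subject to the X11 SECURITY extension controls (see ssh(1)).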

 
