#] #] ********************* #] "$d_SysMaint"'security/0_security notes.txt' www.BillHowell.ca 10Apr2009 initial To view this file - use a text editor (not word processor) constant width font (eg courrier 10), tab - 3 spaces to setup keys, see : "$d_bin""encrypt - gpg create [public-private, symmetric] keys, [en,de]-crypt dataFile.sh" #24************************24 # Table of Contents, generate with : # $ grep "^#]" "$d_SysMaint"'security/0_security notes.txt' | sed "s/^#\]/ /" # ********************* "$d_SysMaint"'security/0_security notes.txt' ENCRYPTION INSTRUCTIONS Howell's security [instructions, public keys] : Encryption/decryption/keyserver https://sks-keyservers.net/ NOT in this file! see : Can't connect to internet? : 22Jan2017 great : https://sites.google.com/site/easylinuxtipsproject/security Uncomplicated Firewall (ufw) default settings: fine for the vast majority of home users +-----+ Setup, ToDos, +-----+ 04Jan2022 search "Linux Mint - how to bypass keyring" 04Dec2019 wireless - can't access 29Nov2019 gpg2 keys 14Oct2019 gpg key for wireless 09May2019 openssl symmetric key encryption 31Dec2018 Symantic advice : 31Dec2018 Digitally sign emails : need PKCS12 file? 06Dec2018 matlab install - problem with javascript security? 19Sep2018 Samsung wifi - can't connect? 16Jul2018 Update Manager warning while doing updates following monthly backups 22Jan2017 Great security overview 22Jan2018 use terminal ftp to transfer WCCI2018 photos 02Mar2017 SECURITY PROBLEM - I am treated as root for Software Manager etc!! 05Mar2017 better yet - how do I force the use of a password!! 14Jul2016 The 4 Best Free Linux Anti-Virus Programs 14Jul2016 03Jun2016 MALWARE!!! see /home/bill/Qnial/MY_NDFS/Toshiba_clamscan_log.txt 04Jun2016 Linux Firewalls 10Aug09 Security ***************** #] ENCRYPTION INSTRUCTIONS #] Howell's security [instructions, public keys] : I have two public keys listed below (no time to do a new one) - just pick one. Primitive instructions are in the 1st bash file. Simply put: 1. generate a symmetric key and use it to encypt the file 2. use my public key to encrypt the symmetric key 3. send BOTH the encrypted [file, symmetric key] to me in an email. http://www.BillHowell.ca/bash%20scripts/encrypt%20-%20openssl%20create%20[public-private,%20symmetric]%20keys,%20[en,de]-crypt%20dataFile.sh http://www.BillHowell.ca/bash%20scripts/encrypt%20-%20openssl%20header.sh http://www.BillHowell.ca/bash%20scripts/encrypt%20-%20Howells%20public%20key,%20RSA%202048%20ID%20DA74BE1C%20181209.pem http://www.BillHowell.ca/bash%20scripts/encrypt%20-%20Howells%20public%20key,%20openssl%202048%20190509.pem For my public keys (new keys should be generated for each email), the browser may not allow downloading them with the direct URL link. Instead, just download (right clik on link) from a directory : - http://www.BillHowell.ca/bash%20scripts/ ****************** #] Encryption/decryption/keyserver https://sks-keyservers.net/ NOT in this file! see : "/media/bill/PROJECTS/System_maintenance/" [sftp notes.txt, security/encryption notes.txt] ***************** #] Can't connect to internet? : 1. Rogers 50$ over : give permission to charge more (billing doesn't show this!!) 2. Fallback : Samsung USB tether (not Mobile hotspot!), pwd should be OK 3. ZTE pwd : haven't needed 4. Rogers pwd : haven't needed ***************** #] 22Jan2017 great : https://sites.google.com/site/easylinuxtipsproject/security Security in Ubuntu, Linux Mint and Debian: an explanation and some tips Great security overview ****************** #] Uncomplicated Firewall (ufw) default settings: fine for the vast majority of home users https://sites.google.com/site/easylinuxtipsproject/security Uncomplicated Firewall (ufw) has a sensible set of default settings (profile), which are fine for the vast majority of home users. So unless you have special wishes: you're done! $ sudo ufw enable Check the status of the firewall: $ sudo ufw status verbose $ sudo ufw disable #24************************24 #] +-----+ #] Setup, ToDos, #] +-----+ #24************************24 #08********08 #] ??Mar2024 #08********08 #] ??Mar2024 #08********08 #] ??Mar2024 #08********08 #] ??Mar2024 #08********08 #] 27Mar2024 search "Linux gpg and how do I include the password?" +-----+ https://unix.stackexchange.com/questions/60213/gpg-asks-for-password-even-with-passphrase gpg asks for password even with --passphrase Asked 11 years, 2 months ago Modified 2 months ago Viewed 331k times +--+ I am in your exact same boat (it worked on Fedora but not Ubuntu). Here is an apparent work around I discovered: echo your_password | gpg --batch --yes --passphrase-fd 0 your_file.gpg Explanation: Passing 0 causes --passphrase-fd to read from STDIN rather than from a file. So, piping the passphrase will get --passphrase-fd to accept your specified password string. edited Oct 8, 2018 at 10:14 JigglyNaga answered Mar 21, 2013 at 19:19 jonS90 >> Howell: I did the same to close all files #08********08 #] 12Oct2023 gpg --multifile option to process multiple files --passphrase "" +-----+ In case you one day need the lines to script a solution #!/usr/bin/env bash _dir="/some/directory" _paraphrase=( "$@" ) Decrypt(){ _pass=( "$@" ) for _file in $(ls "${_dir}"); do case "${_file}" in *.gpg) echo "${_pass[*]}" | gpg --always-trust --passphrase-fd 0 --decrypt ${_file} --output ${_file%.gpg*} ;; esac done unset _pass } Decrypt "${_paraphrase[*]}" unset _paraphrase Some similar code works great in my personal GnuPG scripts that have to decrypt without human interaction. However the accepted answer of gpg --decrypt-files *.gpg is far more secure because GnuPG is the only application handling your password. edited Aug 23, 2021 at 16:09 Whois_me answered Oct 31, 2016 at 20:52 S0AndS0 +-----+ https://www.linuxquestions.org/questions/linux-security-4/how-to-use-gpg-to-encrypt-multiple-files-4175607106/ +--+ 06-01-2017, 11:11 AM #3 justmy2cents Member Thanks I came up with this and it works, but the output is "file.txt.pgp" do you know how I can get rid of the .txt part? Code: #1/bin/bash for f in `ls -1 *.txt`; do password=$(pwgen -sy -1 100) echo "$password:$f" | gpg --no-use-agent -c --passphrase "$password" > $f.pgp Last edited by justmy2cents; 06-01-2017 at 11:17 AM. +-----+ https://unix.stackexchange.com/questions/43846/encrypt-multiple-files-at-once Encrypt multiple files at once Asked 11 years, 2 months ago Modified 2 years, 5 months ago Viewed 31k times +--+ Current gpg has an option for this: gpg --encrypt-files --recipient me@example.com *.txt produces a .txt.asc file for each .txt file. References: man gpg options --verify-files, --encrypt-files, --decrypt-files and --multifile https://linoxide.com/gpg-command-encrypt-decrypt-file/ answered May 2, 2021 at 12:03 Joachim Wagner +--+ The following command works for me as long as I do not have any filenames with spaces in them. for file in $(ls | grep -v ".gpg"); do gpg -c --cipher-algo AES256 --compress-algo 1 --batch --passphrase "" $file && rm -f $file; done You could also use the find command as well. for file in $(find /home -type f | grep -v ".gpg"); do gpg -c --cipher-algo AES256 --compress-algo 1 --batch --passphrase "" $file && rm -f $file; done Lastly if you want to use a file for the password, use: --passphrase-file answered Aug 16, 2017 at 15:27 Brian Mc 08********08 #] 04Jan2022 search "Linux Mint - how to bypass keyring" What I did was to delete the LMDE "Login keyrings" - this may cause boot problems? Then I created a "Default keyring" from a popup window seems to work now... for Evolution? +-----+ https://forums.linuxmint.com/viewtopic.php?t=357579 [SOLVED} linux mint 20.2 keyring - shut it off FFS Post by spamator12 » Tue Sep 21, 2021 2:50 am How to disable this keyring notifications in 20.2 ? EDIT: the only available solution is to delete keyrings: rm -v ~/.local/share/keyrings/*.keyring and when the keyrings prompt start show up - put the NO password (empty). I did this TWICE (delete keyrings twice), to get it working. Last edited by spamator12 on Tue Sep 21, 2021 2:42 pm, edited 1 time in total. >> *********** #] 04Dec2019 wireless - can't access +-----+ Suse firewall - Menu -> Favourites -> Help -> search firewalld FIREWALLD Section: firewalld (1) NAME firewalld - Dynamic Firewall Manager SYNOPSIS firewalld [OPTIONS...] DESCRIPTION firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly. OPTIONS These are the command line options of firewalld: -h, --help Prints a short help text and exists. --debug[=level] Set the debug level for firewalld to level. The range of the debug level is 1 (lowest level) to 10 (highest level). The debug output will be written to the firewalld log file /var/log/firewalld. --debug-gc Print garbage collector leak information. The collector runs every 10 seconds and if there are leaks, it prints information about the leaks. --nofork Turn off daemon forking. Force firewalld to run as a foreground process instead of as a daemon in the background. --nopid Disable writing pid file. By default the program will write a pid file. If the program is invoked with this option it will not check for an existing server process. see comments *********** #] 29Nov2019 gpg2 keys $ gpg2 --full-generate-key gpg (GnuPG) 2.2.5; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 2048 Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: gpg2_Howell_simple Email address: Bill@BillHowell.ca Comment: 29Nov2019 test You selected this USER-ID: "gpg2_Howell_simple (29Nov2019 test) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 988C2B17D8C3B34F marked as ultimately trusted gpg: directory '/home/bill/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/bill/.gnupg/openpgp-revocs.d/F6D426B96C09C4EF05697C33988C2B17D8C3B34F.rev' public and secret key created and signed. pub rsa2048 2019-11-29 [SC] F6D426B96C09C4EF05697C33988C2B17D8C3B34F uid gpg2_Howell_simple (29Nov2019 test) sub rsa2048 2019-11-29 [E] >> OK, seems to work KDE Wallet -> picks out keys automatically gpg2_Howell_simple (20\9Nov2019 test) Bill@BillHowell.ca Key-ID : D8C3B34F **************** #] 14Oct2019 gpg key for wireless Install gnupg - already installed +-----+ https://www.gnupg.org/documentation/manpage.html This is a very old version of the gpg man page. Please see the latest release or software package for your operating system to find an up to date version ("man gpg2"). This man page does only list the commands and options available. For a more verbose documentation get the GNU Privacy Handbook (GPH), which is available at https://www.gnupg.org/gph/ . You will find a list of HOWTO documents at https://www.gnupg.org/docs.html . --encrypt -e Encrypt data to one or more public keys. This command may be combined with --sign (to sign and encrypt a message), --symmetric (to encrypt a message that can decrypted using a secret key or a passphrase), or --sign and --symmetric together (for a signed message that can be decrypted using a secret key or a passphrase). --recipient and related options specify which public keys to use for encryption. --symmetric -c Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is AES-128, but may be chosen with the --cipher-algo option. This command may be combined with --sign (for a signed and symmetrically encrypted message), --encrypt (for a message that may be decrypted via a secret key or a passphrase), or --sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase). --decrypt -d Decrypt the file given on the command line (or STDIN if no file is specified) and write it to STDOUT (or the file specified with --output). If the decrypted file is signed, the signature is also verified. This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files that don't begin with an encrypted message. How to manage your keys --list-keys -k --list-public-keys List the specified keys. If no keys are specified, then all keys from the configured public keyrings are listed. Never use the output of this command in scripts or other programs. The output is intended only for humans and its format is likely to change. The --with-colons option emits the output in a stable, machine-parseable format, which is intended for use by scripts and other programs. --list-secret-keys -K List the specified secret keys. If no keys are specified, then all known secret keys are listed. A # after the initial tags sec or ssb means that the secret key or subkey is currently not usable. We also say that this key has been taken offline (for example, a primary key can be taken offline by exported the key using the command --export- secret-subkeys). A > after these tags indicate that the key is stored on a smartcard. See also --list-keys. --generate-key --gen-key Generate a new key pair using the current default parameters. This is the standard command to create a new key. In addition to the key a revocation certificate is created and stored in the ‘openpgp-revocs.d’ directory below the GnuPG home directory. --full-generate-key --full-gen-key Generate a new key pair with dialogs for all options. This is an extended version of --generate-key. There is also a feature which allows you to create keys in batch mode. See the manual section ``Unattended key gen- eration'' on how to use this. +-----+ https://www.thesecuritybuddy.com/pgp-and-gpg/how-to-generate-gpg-key/ $ sudo gpg --gen-key RSA keys DSA keys size 4096 duration 0 (infinite) user-ID "www.BillHowell.ca Passphrase : login QKC2.[4B7!X entropy - keep busy on computer during key generation +-----+ https://www.maketecheasier.com/generate-gpg-keys-linux/ same command with instructions Exporting Your Public Key to a File To share your files or messages with others, you’ll need to share your public key, which means exporting it from your machine. To export your public key to a file, open a terminal and type: gpg --armor --export your@emailaccount.com > key.asc If you want the key in a readable format (for example, as ASCII in a text file), run the following: gpg --armor --output key.txt --export your@emailaccount.com You can then open this file using any standard text editor. Exporting Your Public Key to a Keyserver You can make your public key easy to share and find by registering it to a keyserver, a public repository of keys. You could use the MIT repository, for instance, which will synchronize your key with other repositories. First, find your key id by opening a terminal and typing: gpg --fingerprint Locate your key and take note of the final eight digits of your key user ID (your user ID fingerprint). For example, B852 085C. ... shows key information ... Gpg Linux Key Fingerprint List Using your eight-digit user ID and type the following, replacing B852 085C with your own: gpg --keyserver gpg.mit.edu --send-key B852085C Your public key will then be registered with the keyserver, where others can then find and import it. Remember, your public key is safe to share. It cannot be used to decrypt files or messages but can be used to encrypt them to send to you, where only you can decrypt them. Encrypting and Decrypting Files To encrypt a file, open a terminal and run the following: gpg --encrypt --recipient 'your@emailaccount.com' --output encryptedfile.txt.enc originalfile.txt You could replace the recipient email with your key fingerprint if you’d prefer. Replace the output and input file names with the files you’re encrypting, as well as your output file. ... shows key output in binary ... To decrypt the file, run the following command: gpg --decrypt --output decrypted.txt encryptedfile.txt.enc You’ll be asked to provide your passphrase to allow access to your private key to be able to decrypt the file. It’ll then output the decrypted contents as the file listed under the --output flag. +----+ My result 2048 bit, not 4096 : gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 0E97CE11403227DB marked as ultimately trusted gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/8D4BF2700B8D5B425CDE06F60E97CE11403227DB.rev' public and secret key created and signed. pub rsa2048 2019-10-14 [SC] [expires: 2021-10-13] 8D4BF2700B8D5B425CDE06F60E97CE11403227DB uid www.BillHowell.ca sub rsa2048 2019-10-14 [E] [expires: 2021-10-13] Notes : This was instant - no entropy? I should use "gpg2 --full-generate-key" !! *********************** #] 09May2019 openssl symmetric key encryption After upgrading to LMDE3, this doesn't work any more : openssl rand 32 -out "$key_symmetric" +-----+ https://security.stackexchange.com/questions/162867/whats-better-when-rsa-encrypting-an-aes-passphrase-more-data-or-better-padding Any more than 32 bytes of random key is a total and complete waste of effort. However, rand can produce all 256 8-bit values but trying to pass those through a shell to a process like openssl enc usually loses at least some of them, which changes the derived key and your decryption doesn't work. You should either generate a password of characters (not bytes) with 256 bits entropy and allow openssl enc to use its (poor) PBKDF, or generate a key and IV (max 48 bytes), convert to hex and use -K (uppercase) and -iv. Or if your keys are single use you can use fixed IV like zero. dave_thompson_085 Jun 28 '17 at 2:54 A password is characters that at least notionally a human can type, and in this situation a shell can pass to openssl, and that are derived to produce the key, which is different from the password; this is always less dense and often significantly less so than the all-bits case, but how much depends on details of your systems and some choices you make. One fairly easy choice nowadays is a 64-character set so that 43 independent uniform characters is enough (slightly over 256 bits of entropy); there are lots of other choices. dave_thompson_085 Jun 29 '17 at 4:47 >> try: openssl rand -out '$key_symmetric' -base64 32 # 1. create a symmetric key : 256 #beval "openssl rand 256 -out '$key_symmetric'" beval "openssl rand -out '$key_symmetric' -base64 32 " # generates symmetric key successfully, doesn't work in step 2 #beval "openssl rand -out '$key_symmetric' 256 " see "/media/bill/SWAPPER/bin/encrypt - openssl create [public-private, symmetric] keys, [en,de]-crypt dataFile.sh" $ bash "/media/bill/SWAPPER/bin/encrypt - openssl create [public-private, symmetric] keys, [en,de]-crypt dataFile.sh" openssl rand -out '/media/bill/Midas/keys/190509 openssl symmetric Howell rand 256.pem' -base64 32 openssl rsautl -encrypt -inkey '/media/bill/Midas/keys/190509 openssl public Howell 2048.pem' -pubin -in '/media/bill/Midas/keys/190509 openssl symmetric Howell rand 256.pem' -out '/media/bill/Midas/keys/190509 openssl symmetric Howell rand 256.pem encrypted' openssl rsautl -decrypt -inkey '/media/bill/Midas/keys/190509 openssl private Howell 2048.pem' -in '/media/bill/Midas/keys/190509 openssl symmetric Howell rand 256.pem encrypted' -out '/media/bill/Midas/keys/190509 openssl symmetric Howell rand 256.pem decrypted' diff '/media/bill/Midas/keys/190509 openssl symmetric Howell rand 256.pem' '/media/bill/Midas/keys/190509 openssl symmetric Howell rand 256.pem decrypted' +-----+ https://www.mkssoftware.com/docs/man1/openssl_rand.1.asp SYNOPSIS openssl rand [-out file] [-rand file(s)] [-base64] num DESCRIPTION The rand command outputs num pseudo-random bytes after seeding the random number generater once. As in other openssl command line tools, PRNG seeding uses the file $HOME/.rnd or .rnd in addition to the files given in the -rand option. A new $HOME/.rnd or .rnd file will be written back if enough seeding was obtained from these sources. OPTIONS: -out file Writes to file instead of standard output. -rand file(s) Uses specified file or files or EGD socket for seeding the random number generator. Multiple files can be specified separated by a OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others. -base64 performs base64 encoding on the output. +-----+ https://stackoverflow.com/questions/7143514/how-to-encrypt-a-large-file-in-openssl-using-public-key/7146463 Solution for safe and high secured encode anyone file in OpenSSL and command-line: openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem You should have ready some X.509 certificate for encrypt files in PEM format. Encrypt file: What is what: -smime - ssl command for S/MIME utility (smime(1)) -encrypt - chosen method for file process -binary - use safe file process. Normally the input message is converted to "canonical" format as required by the S/MIME specification, this switch disable it. It is necessary for all binary files (like a images, sounds, ZIP archives). -aes-256-cbc - chosen cipher AES in 256 bit for encryption (strong). If not specified 40 bit RC2 is used (very weak). (Supported ciphers) -in plainfile.zip - input file name -out encrypted.zip.enc - output file name -outform DER - encode output file as binary. If is not specified, file is encoded by base64 and file size will be increased by 30%. -yourSslCertificate.pem - file name of your certificate's. That should be in PEM format. That command can very effectively a strongly encrypt big files regardless of its format. Known issue: Something wrong happens when you try encrypt huge file (>600MB). No error thrown, but encrypted file will be corrupted. Always verify each file! (or use PGP - that has bigger support for files encryption with public key) Decrypt file: openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password What is what: -inform DER - same as -outform above -inkey private.key - file name of your private key. That should be in PEM format and can be encrypted by password. -passin pass:your_password - your password for private key encrypt. (passphrase arguments) edited Oct 10 '14 at 8:58 answered Sep 2 '12 at 5:38 JakubBoucek +-----+ https://security.stackexchange.com/questions/126988/ways-to-generate-symmetric-and-asymmetric-keys >> great discussion/advice openssl rand -rand /dev/urandom 128 > sym_keyfile.key https://security.stackexchange.com/questions/59190/why-do-you-need-a-4096-bit-dsa-key-when-aes-is-only-256-bits/80785#80785 Symmetric algorithms are designed to be as simple and quick as possible (for cryptography anyway), and retain a high level of security. A symmetric AES key with 256-bits yields 256 bits of work. Which is currently enough bits of security. Asymmetric cryptography require that the key sizes be larger to provide equivalent levels of security (in bits). Table : NIST recommended key sizes symmetric RSA&Diffie-Hellman RSA 256 15360 521 ************************ #] 31Dec2018 Symantic advice : https://www.symantec.com/security-center/writeup/2018-123117-2322-99 Recommendations Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices": 1. Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world. 2. Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised. 3. Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application. 4. Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available. 5. Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared. 6. Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack. 7. If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied. 8. Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services. 9. Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files. 10. Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media. 11. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched. 12. If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources. 13. For further information on the terms used in this document, please refer to the Security Response glossary. ****************** #] 31Dec2018 Digitally sign emails : need PKCS12 file? https://luxsci.com/blog/do-i-need-to-buy-an-ssl-certificate-to-use-secure-email.html You do not need to buy your own SSL certificate to use secure email. That is a little technical and terse; for a much more verbose and down to earth overview of how this works, see: How does Secure Socket Layer (SSL or TLS) Work? However, the main point is that the only certificate involved is the one that resides on the server owned by the service provider and which is sent to the user when s/he connects. Since the user never needs to send his/her own certificate, there is no need to own it. >> I'll assume this?!? +-----+ Don't bother for now : https://knowledge.digicert.com/solution/SO25984.html To create a PKCS12 file using OpenSSL follow the steps listed below: Copy the private key and SSL certificate to a plain text file. The private key should go on top with the SSL certificate below. In the example, we use "filename.txt" as the name of the file containing the private key and SSL certificate. Run the following openssl command: openssl pkcs12 -export -in filename.txt -out filename.p12 $ openssl pkcs12 -export -in "/media/bill/Midas/keys/181231 Howell private & SSL keys.txt" -out "/media/bill/Midas/keys/181231 Howell PKCS12 file.p12" You should be prompted in this order: Loading 'screen' into random state - done Enter pass phrase for filename.txt: (Enter the private key password) Enter Export Password: (This will be the password for the new PKCS12 file) Verifying - Enter Export Password: (Confirm the password) unable to write 'random state' (If this this error appears, please ignore) If a location is not specified, the new PKCS12 file will be located within the directory from where the OpenSSL command was executed. ****************** #] 06Dec2018 matlab install - problem with javascript security? Activation halted by : There was an unexpected exception: The BROWSE action is not supported on the current platform! See the log file (/tmp/aws_root.log) for more details. >> might be my firewall? -check javascript rights FireFox : can't find javascript security settings Linux : https://stackoverflow.com/questions/21279085/application-blocked-by-security-settings-prevent-applets-running-using-oracle#21514227 ~$ java -version java version "1.7.0_181" OpenJDK Runtime Environment (IcedTea 2.6.14) (7u181-2.6.14-1~deb8u1) OpenJDK 64-Bit Server VM (build 24.181-b01, mixed mode) Verified Java plugin https://www.java.com/en/download/installed.jsp : +-----+ Verify Java Version Starting with Firefox Version 52 (released in March 2017), Firefox has limited support for plug-ins, and therefore will not run Java. Use the Java Control Panel to find the installed Java version. How to find the installed Java version » Firefox and plug-ins FAQ Firefox 52 ESR users: If you'd like to run the verify app as a plugin, please click here. +-----+ https://www.java.com/en/download/faq/firefox_java.xml Java and Firefox Browser This article applies to: Browser(s) Firefox Firefox no longer provides NPAPI support (technology required for Java applets) As of September, 2018, Firefox no longer offers a version which supports NPAPI, the technology required to run Java applets. The Java Plugin for web browsers relies on the cross-platform plugin architecture NPAPI, which had been supported by all major web browsers for over a decade. The 64 bit version of Firefox has never supported NPAPI, and Firefox version 52ESR is the last release to support the technology. It is below the security baseline, and no longer supported. Java applications are offered through web browsers as either a Java Webstart application (which do not interact with the browser once they are launched) or as a Java Applet (which might interact with the browser). This change does not affect Web Start applications, it only impacts Java Applets. Developers and System administrators looking for alternative ways to support Firefox users should see this blog regarding Launching Web Start applications. RELATED INFORMATION » NPAPI Plugins in Firefox (mozilla.org) » Firefox plugin support (Java Product Management blog) +-----+ https://java.com/en/download/help/enable_console_linux.xml How do I enable and view the Java Console for Linux and Solaris? This article applies to: Platform(s): Oracle Enterprise Linux, Oracle Linux, Red Hat Linux, SUSE Linux, Solaris SPARC, Solaris x86, Ubuntu Linux Java version(s): 8.0 The Java Console provides information about the Java version, user home directory, and any error message that occurs while running an applet or application. You can enable the Java Console for the Linux and Solaris platforms through the Java Control Panel Enabling the Java Console for Linux or Solaris Open a Terminal window. Go to the Java installation directory. In this example Java is installed in the /usr/java/ directory. cd /usr/java/jre1.8.0_73/bin (Change the path to where you have installed Java) Open the Java Control Panel. Enter: ./ControlPanel In the Java Control Panel, click the Advanced tab. Select Show console under the Java Console section. Click the Apply button. +-----+ https://stackoverflow.com/questions/21279085/application-blocked-by-security-settings-prevent-applets-running-using-oracle#21514227 >> this seems to be specific to Oracle's proprietary java +-----+ $ java --help >> too [basic, complex]? Forget it _ I requested the verification code by email. ************************** #] 19Sep2018 Samsung wifi - can't connect? My Rogers ethernet won't connect, so I need wifi... SUMMARY - I can't use Samsung wireless tether - Why? Connections icon upper left panel -> Network Connections -> SGH-1337M Tab : General - All users Wifi - SSID SGH-1337M, Mode Infrastructure, BSSID empty, Devic MAC E8:4E:06:2B:BA:EB, Cloned MAC empty, MTU auto Wifi security - Security WPA & WPA2 Personal, Password ******* IPV4 settings - Method auto (DHCP), ghosted, Require IPv4 not shecked, nothing in Routes window IPv6 settings - Method auto, ghosted, Require IPv6 not checked, nothing in Routes window Oops - I hadn't put in the USB wifi !! Oops - tethering had shut off $ hwinfo --short D-Link 802.11n WLAN Adapter >> so wifi USB recognized $ lsusb Bus 002 Device 007: ID 2001:3314 D-Link Corp. Bus 002 Device 003: ID 0781:5581 SanDisk Corp. Bus 002 Device 002: ID 0480:d011 Toshiba America Info. Systems, Inc. Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 001 Device 004: ID 058f:6387 Alcor Micro Corp. Flash Drive Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 004 Device 003: ID 413c:3016 Dell Computer Corp. Optical 5-Button Wheel Mouse Bus 004 Device 005: ID 046d:c227 Logitech, Inc. G15 Refresh Keyboard Bus 004 Device 004: ID 046d:c226 Logitech, Inc. G15 Refresh Keyboard Bus 004 Device 002: ID 046d:c223 Logitech, Inc. G11/G15 Keyboard / USB Hub Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Samsung -> Settings -> turn on wifi - this is to connect my cell to the internet through a wifi, not to connect computer to cell Did I shut this off for security? /media/bill/PROJECTS/System_maintenance/security/0_security notes.txt ufw (uncomplicated firewall) - check settings >> Can't figure this out what app uses USB wifi? $ sudo ufw app list Available applications: AIM Bonjour CIFS CUPS DNS Deluge IMAP IMAPS IPP KTorrent Kerberos Admin Kerberos Full Kerberos KDC Kerberos Password LDAP LDAPS LPD MSN MSN SSL Mail submission NFS POP3 POP3S PeopleNearby SMTP SSH Socks Telnet Transmission Transparent Proxy VNC WWW WWW Cache WWW Full WWW Secure XMPP Yahoo qBittorent svnserve $ sudo ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing) New profiles: skip >> how about allow incoming on USB wifi D-Link usb? /var/log/ufw.log >> shows a few entries/day Turn off/on ZTE cell-modem >> didn't help www.manage.rogers.com/consent FireFox error msg : "You must log on to this network before you can access the internet." Click : "Open Network Login age" : doesn't work Click "i" icon at left of URL : window-manu with two items : 1. www.manage.rogers.com "Connection is not secure" -> link 2. Permissions "You have not granted this site any special permissions" Click 1. link : Use Samsung USB tethering! After connection : Rogers message to enter phone# to send code! Data usage over by 50$, data was cut, so authorize more ***************** #] 16Jul2018 Update Manager warning while doing updates following monthly backups WARNING : You are about to install software that can't be authenticated! Doing this could allow a malicious individual to damage or take control of your system. Checking LMDE2 "Software Sources" Mirrors that I have selected : Main (betsy) : http://muug.ca/mirror/linuxmint/packages Manitoba Unix Users' Group Base (jessie): ftp://debian.bhs.mirrors.ovh.net/debian OVH.com downloads? locations: Beauharnois, QC; France (3) There is no obvious way to check [reliability,honesty,vulnerability] of these sites? I did the Linux kernel update (need to reboot) ***************** #] 22Jan2017 Great security overview https://sites.google.com/site/easylinuxtipsproject/security Security in Ubuntu, Linux Mint and Debian: an explanation and some tips +-----+ Firewall >> ufw (Uncomplicated FireWall) is already installed on my system. https://sites.google.com/site/easylinuxtipsproject/security Launch a terminal window. $ sudo ufw enable [sudo] password for bill: Firewall is active and enabled on system startup >> That must have been LMDE2 that did it - I don't remmber doing anything Uncomplicated Firewall (ufw) has a sensible set of default settings (profile), which are fine for the vast majority of home users. So unless you have special wishes: you're done! Check the status of the firewall: $ sudo ufw status verbose When enabled, the output should be like this: +--+ pjotr@netbook:~$ sudo ufw status verbose [sudo] password for pjotr: Status: active Logging: on (low) Default: deny (incoming), allow (outgoing) disabled (routed) New profiles: skip pjotr@netbook:~$ +--+ >> My results Status: active Logging: on (low) Default: deny (incoming), allow (outgoing) disabled (routed) is STILL active? ????????????!!!!!!!!********* New profiles: skip >> OK but I've printed the most important message in red: this output basically means that all incoming is denied and all outgoing allowed. There are sensible exceptions in the default settings: for example, with the default profile the use of Samba should be no problem. Also downloading torrents (fetch) should be possible; but seeding torrents (serve), might require a temporal disabling of ufw. It's easy to disable the firewall (should you wish to do so) with this terminal command: sudo ufw disable >> NYET - only if I'm doing special sysadmin work If you're interested in the full set of rules, see the output of: sudo ufw show raw You can also read the rules files in /etc/ufw (the files whose names end with .rules). +-----+ **************** #] 22Jan2018 use terminal ftp to transfer WCCI2018 photos >> YIKES!! ftp only works in active mode - can't do "ls" and "dir" so I would be working blind! ************* #] 02Mar2017 SECURITY PROBLEM - I am treated as root for Software Manager etc!! "... Granted permissions without asking for password The 'mintinstall' program was started with the privileges of the root user without the need to ask for a password, due to your system's authentication mechanism setup. It is possible that you are being allowed to run specific programs as user root without the need for a password, or that the password is cached. This is not a problem report; it's simply a notification to make sure you are aware of this. .." How do I shut this off? ??? !!!! #] 05Mar2017 better yet - how do I force the use of a password!! +-----+ If I accidentally check the box so the warning doesn't appear, see : https://forums.linuxmint.com/viewtopic.php?t=199226 Re: Re-enable "Granted permissions without asking for passwo Quote Postby Vadim@dbFin » Sat Oct 10, 2015 7:18 pm Big thanks to nomad.rc, this helped me too! Just wanted to note, that you, actually, do not need to edit any files manually. Everything in .gconf directory is managed by gconf-editor. So, 1) (if you do not have gconf-editor installed) Install gconf-editor. Code: Select all apt-get install gconf-editor 2) (optional, if you want to get access to gconf-editor via the menu) Add gconf-editor to the Linux Mint menu (in my case for some reason it was not added). Right-click the menu, choose "Configure...", click "Open the menu editor", choose category Administration, and you should see "Configuration Editor" unchecked, so enable it. If you do not see "Configuration Editor", click "New Item", and put "gconf Editor", "gconf-editor" and some description in the fields, optionally, choose an icon, such as /usr/share/icons/hicolor/256x256/apps/gconf-editor.png, and click OK. 3) Run gconf-editor using either Run dialog by typing "gconf-editor", or the Linux Mint Menu. 4) Go to apps > gksu, and check "display-no-pass-info". And it should work. BTW, no logging-out or rebooting is needed (not sure if this is the case with manual editing of the files). Just my two cents in case anyone would need this in the future. +-----+ Cool - check this : http://www.tecmint.com/disable-or-enable-ssh-root-login-and-limit-ssh-access-in-linux/ Disable or Enable SSH Root Login and Limit SSH Access in Linux see /home/bill/System_maintenance/Autotools/0autotools notes.txt **************** #] 14Jul2016 The 4 Best Free Linux Anti-Virus Programs http://www.makeuseof.com/tag/free-linux-antivirus-programs/ Avast http://avast.com/ BitDefender http://www.bitdefender.com/business/antivirus-for-unices.html This is one of my favorites. BitDefender frequently finds, for me, viruses that other scanners miss. Being able to use it from Linux is a big plus. ClamAV (I have been using for a long time...) Completely open source, ClamAV is probably the most famous Linux anti-virus. AVG http://free.avg.com/us-en/download.prd-alf http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software#Compatible_antivirus_programs Antivirus software ***************** #] 14Jul2016 Mozilla CA Certificate Inclusion Policy (Version 2.2) https://wiki.mozilla.org/MozillaRootCertificate SSL/TLS certificates: What you need to know http://www.techrepublic.com/blog/data-center/ssl-tls-certificates-what-you-need-to-know/ starter explanation JUST DELETE most certificates, then allow as I go - but maintain a list of what they are! ******** 11&12Jul2016 search : FireFox virus "email" with comma erroneously in To or from list, an email is sent to "Awards@lexi.ca" https://support.mozilla.org/en-US/questions/942818 hello george this sounds like a problem possibly caused by adware/malware on your pc. please go to firefox > addons > extensions & remove any suspicious entries (toolbars, things that you have not installed intentionally, don't know what purpose they serve, etc). also go to the windows control panel / programs and remove all toolbars or potentially unwanted software from there and do a full scan of your system with the security software that you have in place and/or a different tool like the free version of malwarebytes. Troubleshoot Firefox issues caused by malware Read this answer in context *************** #] 03Jun2016 MALWARE!!! see /home/bill/Qnial/MY_NDFS/Toshiba_clamscan_log.txt clamscan >>/home/bill/Qnial/MY_NDFS/Toshiba_clamscan_log.txt -ri --bell --exclude="/media" /home/bill /home/bill/.tar: Unix.Malware.Agent-1415284 FOUND http://www.zdnet.com/article/shellshock-how-to-protect-your-unix-linux-and-mac-servers/ Shellshock: How to protect your Unix, Linux and Mac servers, 26Sep2014 good article on Linux vulnerabilities So, how do you know if your servers can be attacked? First, you need to check to see if you're running a vulnerable version of Bash. To do that, run the following command from a Bash shell: env x='() { :;}; echo vulnerable' bash -c "echo this is a test" If you get the result: vulnerable this is a test Bad news, your version of Bash can be hacked. If you see: bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test You're good. Well, to be more exact, you're as protected as you can be at the moment. >> I ran the command : got "this is a test" I am VULNERABLE !!!! http://www.infoworld.com/article/3035895/linux/linux-mint-site-hacked-modified-isos-with-backdoor-distributed.html Linux Mint site hacked, modified ISOs with backdoor distributed ...Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO. >> I don't have man.cy I can't view /var/lib/mdm (several directories are locked - probably normal) http://www.linuxtopia.org/LinuxSecurity/LinuxSecurity_Firewall_How.html As we mentioned previously computer systems communicate through ports. A firewall can be used to block any ports that you do not want to be open to your systems inside the firewall. For example FTP operates through port 21. If you do not wish anyone on the outside to have ftp access to your systems you will need to configure your firewall to block port 21. ssh port 22 httpd port 80 ftp port 21 ********************** #] 04Jun2016 Linux Firewalls http://www.techradar.com/us/news/software/applications/7-of-the-best-linux-firewalls-697177 2. ClearOS www.clearos.com/clearfoundation/software/clearos-7-community A well thought-out distribution that's refreshingly easy to use and expands to suit your needs. IPCop www.ipcop.org The interface doesn't look great, but this distro protects your network effectively. 1. Zentyal Server Development Edition www.zentyal.org/server Don't be put off by the seemingly overwhelming interface, because this offers so much more than a firewall. Monowall http://m0n0.ch Great for older boxes and embedded systems, but only has basic features, and is no longer supported. pfSense www.pfsense.org The most complete firewall distribution here, but it doesn't come with any non-firewall extras. Smoothwall Express www.smoothwall.org A great firewall that's easy to use, but it comes up a bit short in terms of more advanced features. Final verdict Just a firewall http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/ Great description of Iptables sudo -i iptables -L lists policies iptables -L -v verbose option lists activity since startup OPNSense Firewall http://www.amazon.com/Linux-Firewalls-Detection-Response-iptables/dp/1593271417?ie=UTF8&*Version*=1&*entries*=0 Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort UFW – Uncomplicated Firewall UFW is the default firewall tool for Ubuntu servers, it is basically designed to lesser the complexity of the iptables firewall and makes it more user friendly. A Graphical user interface of ufw, GUFW is also available for Ubuntu and Debian users. http://www.tecmint.com/open-source-security-firewalls-for-linux-systems/ Vuurmuur is another powerful Linux firewall manager built or manage iptables rules for your server or network. At the same time its very user friendly to administrate, no prior iptables working knowledge required to use Vuurmuur. pfSense is another Open Source and a very reliable firewall for FreeBSD servers. Its based on the concept of Stateful Packet filtering. It offers wide ranges of feature which is normally available on expensive commercial firewalls only. IPFire is another open source Linux based firewalls for Small Office , Home Office (SOHO) environments. Its designed with modularity and highly flexibility. IPfire community also took care of Security and developed it as a Stateful Packet Inspection(SPI) firewall. Endian firewall is another Stateful packet Inspection concept based firewall which can be deployed as routers, proxy and Gateway VPN with OpenVPN. Its originally developed from IPCop firewall which is also a fork of Smoothwall. Last, But not the last Configserver security & firewall. It’s a cross platform and a very versatile Firewall, it’s also based on the concept of Stateful packet inspection (SPI) Firewall. It supports almost all Virtualization environments like Virtuozzo, OpenVZ, VMware, XEN, KVM and Virtualbox. CONCLUSION- for me, just use iptables, that'se all these systems do anyways start iptables on startup disallow incoming pings special ftp port kill on startup, allow when launching ssh disallow incoming unless my request based ************************* 130908 Firefox security Alert: Could not initialize the application's security component. The most likely cause is problems with files in your application's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix the problem. If you continue to use this session, you might see incorrect application behaviour when accessing security features. ******************************************* #] 10Aug09 Security "Ubuntu unleashed" security recommendations: Ethereal - Gnome graphical network scanner gnome-lokkit - Ubuntu's basic graphical firewalling tool for X lokkit - Ubuntu's basic graphical firewalling tool ssh - The OpenSSH remote login client and preferred replacement for telnet Note ftp and ssh (security risks, do not appear to be running according to System Monitor 2.22.3 - 09Aug09 Security - Chapter 28 of Ubuntu unleased reference namp - pings ports and seeks security vulnerabilities /usr/share/nmap /usr/lib/nmap -> executable ?? no /usr/bin/nmap -> executable? from console: nmap - gives listingof options (some required) namp -v -A scanme.nmap.org namp >"/home/bill/system maintenance/nmap test 090809.txt" -v -A scanme.nmap.org Firewall - installed & run, but does this boot automatically? /usr/sbin/lokkit - done 09Aug09 Viruses - most popular free one www.clamav.net/support/faq ClamAV /usr/bin/clamscan - seems to launch scanning # enddoc