Linux Internet Security

With all the attacks on Windows based machines, Linux users all to often assume that their machines are not vulnerable to malware. Since Android is another distribution of Linux, the honeymoon from malware is coming to an end. For mobile devices, the dangers of Man in The Middle (MiTM) attacks is always present. What can Linux users do to increase the security of their systems?

Firewall

Every distributions comes with the ability to create a firewall. The question rises as to how many of you have configured the firewall? How many of you that have not configured a firewall connect to the Internet directly through a broadband modem, DSL, cable, or public Wi-Fi connection? Configuring a firewall for desktops is not difficult. The few minutes invested may protect your computer from unwanted intrusion. You don’t need to be an iptables expert to use a GUI. You only need to get down-and-dirty with iptables, when you are configuring a more complex firewall.

Malware Protection

While it may be difficult for an anti-virus to effect Linux, the files from Windows machines may contain viruses. At a minimum, these files should be scanned before copying them to  your Linux filesystem. Sharing those files with others just propagates the malware to other machines.

ClamAv is the open source standard for Linux malware protection. ClamAV is available from every distro’s repository, but the package contains command-line only utilities. In addition to the man pages, documentation for ClamAV exists in /usr/share/doc/packages/clamav. You can find additional documentation at the ClamAV Web site.

One you install ClamAV, you need to configure two daemons: /etc/clamd.conf and /etc/freshclam.conf. The comments in the configuration file are fairly explicit. You can obtain additional information from the man pages for each conf file.

The command-line options for clamscan, or clamdscan, take awhile to master. There are two GUI front-ends to ClamAV that make life a lot easier: ClamTK and Klamav. I use ClamTK, as Klamav is only available for KDE 3, and was last maintained in 2009. The ClamTK site gives instructions for downloading ClamTK. For openSUSE, you can find ClamTK on the openSUSE Build Service.

There is one free alternative to ClamAV for the home user, and that is avast! Home Edition. avast! does require an unlock key that you get from their Web site. The key needs to be renewed every year.

Proxy Services

In some ways a proxy server acts like a router, as it is a gateway between two networks. In terms of IP addresses, the destination server (such as a Web site) only knows about the IP address of the proxy server. However, some application protocols (such as HTTP) also contain information that identifies the source of the traffic. Security is always a major consideration when going through a proxy server. There are three categories of proxy servers:

Web Proxy

The easiest proxy service is the Web proxy. With a Web proxy, you simply enter the URL of the Web proxy service, and then, on their site, enter the URL of the site to which you want to connect. Web proxies come in four flavors: transparent, anonymous, distorting, and high anonymity (hianon for short). The transparent, anonymous, and distorting proxies announce that they are a proxy server. While high anonymity proxies hide that they are actually acting as a proxy. Transparent proxies really do nothing to hide your IP address. Distorting proxies provide a fake address in the request headers, while anonymous and high anonymity proxies truly hide your IP address, with the address of the proxy server. The problem with a Web proxy a is that they do not handle all media types (such as Adobe Flash). In addition, some sites, such as YouTube, complain that there are two many connections from the same IP address.

There is a security risk to using anonymous proxy servers in that any personal information, such as passwords, pass through the server as unencrypted. Unless you use a Web proxy from a reliable provider (for example, Hide My Ass), there is a chance that the proxy server is acting as the MiTM to collect private information. The other danger is that the connection between your machine and the Web proxy is not a secure connection.

HTTP Proxy

The HTTP proxy, sometimes referred to as IP:Port proxy, goes one step further in that it handles all media types, and provide a higher level of security between you and the proxy server. Like Web proxy servers, they come in several flavors: Transparent, Anonymous, and Highly Anonymous (also called Elite). The meanings are the same, and for higher security Elite is preferred. They do provide access to more sites, and exist in different countries. However, they do require additional configuration. You can a list of free proxy servers from Hide My Ass,  Proxyhttp.net, or Proxy List.

Web browsers for laptops and desktops generally provide for configuration of HTTP proxies in their preferences or settings menu. For Firefox you click Edit -> Preferences -> Advanced -> Network -> Connection Settings. For Google Chrome, you need to click on the wrench icon -> Preferences -> Under the Hood -> Change Proxy Settings.

You need to enter the IP address and port number in the HTTP field. If the proxy server support HTTPS, you enter the same values in that field. You can also enter the same value in the FTP field. You should always add “localhost, 127.0.0.1” to the no proxy field, as there is no point in routing traffic for your local machine to the proxy server.

After saving the results, you are ready for a test. Try connecting to What is My IP Address. If it fails to connect, check your values. If the values are correct, then try a different proxy server. If it works, you will see the new IP address, and its location. Don’t bother with the speed test, as it doesn’t use the HTTP protocol for the actual tests.

The problem with free services is that there reliability and speed constantly changes. Finding a free proxy service that can actually stream movies takes a lot time. Some free HTTP proxies also have download limits. Paid HTTP proxy service such as FoxyProxy are faster and more reliable. FoxyProxy charges $8 US a month with discounts for three months, six months, or a year in advance. Once you subscribe to a service, you will receive an email that gives you the proxy IP address, port number, your user name and password. FoxyProxy has a browser extension for Firefox, and Google Chrome. As of this writing, the extension for Google Chrome does not work for their paid service.

The main disadvantage of the HTTP proxy is the limitation to just the HTTP protocol. In addition, there is no easy way to turn the proxy configuration on or off (with exception of the FireProxy extension). With an HTTP proxy, you may want to configure one browser just for connecting to sites that require the HTTP proxy.

VPN Proxy

VPN (Virtual Private Network) proxy services are a totally different ballgame. VPN operates at layer 2 of the TCP/IP protocol stack. With a VPN proxy you are sending all Internet traffic through a single encrypted tunnel to the VPN server. Corporations often use VPN to connect remote devices to the corporate network. You can use the same technology to connect to a VPN proxy server that then routes your traffic to the Internet.

Web proxies and HTTP proxies are great for the Web browser, but all other traffic is routed through the Internet.  With a VPN proxy all your apps applications appear as if they came from the VPN proxy IP address. It is the best solution for secure connections from a public Wi-Fi hotspot, and for travelers who need extra security.

VPN proxy services are not free. Hide My Ass (HMA) charges $11.52 US a month, with discounts for paying six months or a year in advance. VPN Service Providers provides an extensive list of VPN services, along with there costs. HMA is the largest and cheapest VPN proxy service. HMA does not have a traffic limit, and allows multiple devices to connect to a single account.

HMA provides a simple script for Linux that initiates an openVPN connection. Their instructions call for installing the files into an hma directory under Desktop directory. However, I created an hma directory in my home directory, and installed them there, as openSUSE uses the Desktop directory for its plasma desktops. For the server information required by the script, you need to login to your VPN Control Panel at HMA, and select the PPTP servers tab. When you run the script, you will be prompted for your account name and password. For an openVPN connection, you use your VPN account password, and not the PPTP password. It worked. I had a VPN connection from Costa Rica to the USA.

I wasn’t satisfied. I wanted an easier way to make the connection. Since openSUSE is my default desktop, I started my journey to find an easier connection through its Network Manager. It took awhile, but I got it to work. The process is actually very simple, and I documented the KDE steps on the HMA forum. I now have a simple means to start and stop the VPN connection, without using the script.

After spending a lot of time looking for an openVPM plugin that would work with Fedora, Linux Mint, Ubuntu, Lubuntu, and Xubuntu, I surrendered and tried to create a PPTP connection. I managed to get a stable PPTP connection on these distros, and I documented the steps on the HMA forum. I was not able to establish a stable PPTP connection on openSUSE. It appears that there are missing links in /etc/sysconfig/network/scripts. I haven’t had time to resolve this issue. Besides, I prefer the security of openVPN over that of PPTP.

When you use a VPN connection, you need to use a firewall. VPN creates a tunnel through the your router. It is the same as connecting directly to the Internet via a modem (Cable, DSL, or Broadband). When I first started using a VPN, I forgot to change my firewall from internal zone to external zone. It did not take long before I discovered unauthorized ssh connection attempts. I immediately changed the firewall to external zone, and then changed the iptables to provide for local network connects only, which excluded the Wi-Fi router.

While there are routers that support VPN, this approach did not meet my needs for a mobile environment. I now have my netbook, Android tablet, and Android phone configured to use HMA VPN. This is where a VPN service that allows multiple connections comes a necessity.