Your Linux system is inherently less vulnerable to attack than Microsoft Windows for a number of reasons.
- You’re less of a target for virus attacks by being in the minority (only 2.18% of people run Linux as their desktop operating system, with most of those running a Debian derivative, the most popular being Linux Mint).
- You execute user processes as a non-privileged user (remote code executing in your browser is not running in the context of a local Administrator account, so it has far fewer privileges to do potentially damaging things to your computer and data).
- Your Linux system is built entirely from packages obtained and installed from known, trusted repositories (No dodgy software downloaded from goodness-knows-where that may or may not be what you think it is. The code of any given package undergoes constant scrutiny and improvements by the open source community.)
- There’s no marketing, advertising, ransomware or hidden agendas lurking in the operating system or the applications that are ultimately built by the people, for the people, and distributed to the people for free (feel the love).
Despite all these advantages, we live in the (dis)information age, and that means that the way to reach your users is through their web browsers. So this next part should interest you.
How do I protect my web browser? (Firefox is the default web browser on Linux Mint, my OS and browser of choice.)
- Enable the firewall (above)
- Once a new installation of Linux Mint is complete, I reboot, log on, and install all pending updates by typing sudo apt-get update && sudo apt-get dist-upgrade in a terminal window.
- Connect to my WiFi network, open Firefox and install the AdBlock Plus and uBlock Origin plugins.
And that’s it. Or at least it has been until now, and in fairness it’s kept me safe since 2005. I’ve never installed anti-virus software and never had a problem in over a decade. AV products on Linux such as clam are usually for the benefit of Windows users on the same network or mail attachment scanning on Linux mail servers, neither of which is applicable in my home network environment.
Today though, I learned about something else: the existence of firejail, a program that “jails” certain other programs, and I really like what I see.
Like most Linux programs, it’s super quick to install with a quick sudo apt-get install firejail command in a terminal window and as easy to “use”. In firejail’s case, you just edit the shortcuts of your existing launchers and prepend the command firejail.
e.g. firefox %u becomes firejail firefox %u
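The launcher edit described above can also be scripted. The following is an added example, not part of the original post: it writes a copy of a .desktop launcher into the per-user applications directory with firejail prepended to every Exec= line. The function names, the script name in the usage comment and the sample launcher are constructed for illustration.

```shell
#!/bin/sh
# Added example: wrap launcher commands in firejail (names here are illustrative).

# Filter a .desktop file from stdin to stdout, prefixing each Exec= command
# with "firejail ". Already-jailed lines are skipped, so re-running is safe.
# TryExec= lines do not match ^Exec= and are left untouched.
jail_exec_lines() {
    sed -e '/^Exec=firejail[[:space:]]/!s/^Exec=/Exec=firejail /'
}

# Write a jailed copy of launcher $1 into directory $2 and print its path.
# Default target is the per-user applications directory, whose entries take
# precedence over same-named files in /usr/share/applications, so the system
# file stays as packaged and an update does not undo the change.
jail_launcher() {
    src=$1
    dest_dir=${2:-${XDG_DATA_HOME:-$HOME/.local/share}/applications}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    dest=$dest_dir/$(basename "$src")
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    # Build the new file beside the target, then rename it into place.
    if jail_exec_lines < "$src" > "$tmp" && mv "$tmp" "$dest"; then
        printf '%s\n' "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample launcher based on the post's "firefox %u" example.
sample_launcher() {
    cat <<'EOF'
[Desktop Entry]
Name=Firefox
TryExec=firefox
Exec=firefox %u
Type=Application

[Desktop Action new-private-window]
Name=New Private Window
Exec=firefox --private-window %u
EOF
}

# Usage: sh jail-launchers.sh /usr/share/applications/firefox.desktop ...
for launcher in "$@"; do
    jail_launcher "$launcher"
done
```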
By jailing the firefox process, it prevents the web browser from being able to access your system, quite literally. Kind of like a firewall for processes rather than TCP/UDP ports, that only allows certain interactions with the rest of the operating system through.
For example, look what happens when trying to upload a picture I’ve saved to my Desktop to this very blog post…
The Desktop looks empty. Nothing. Blank. No files or subfolders. Yet my Desktop folder contains loads of images and other files and subfolders, as does my Pictures folder – same again, blank. This is because firefox is jailed. It can’t get out and into your filesystem. Brilliant – and only a little inconvenient as it can still access my Downloads folder. So if I want to upload a file, I just have to make a copy into my Downloads folder first using my file manager caja (which isn’t jailed). Uploading to my Dropbox account using the web based interface would be a bit of a pain, but the Dropbox daemon running on my computer does all my file syncing anyway, so it doesn’t present a problem. I don’t actually need to use Dropbox’s web interface.
This all works in accordance with the application profile in /etc/firejail/firefox.profile. There are loads of them, not just for firefox but for other internet/vulnerable programs like filezilla, transmission etc. too.
Filezilla’s firejail profile on the other hand seems to be a lot more lenient and allows access to your home directory where you might wish to upload an entire folder structure to your web server. You could always edit the filezilla.profile to harden it yourself I guess.
Whilst I found firejail in my repositories, I didn’t find the accompanying firetools package – a simple launcher that sits on your desktop. It’s not really needed if you’ve already edited the launchers for your favourite apps; it just allows you to add some additional programs to it and shows any running jailed processes, if you’re interested in seeing that. It places a convenient icon in your systray area too, for easy recall.