Ubuntu Security :: Users With Different Firewall - Works Best With Separate Installations?
Mar 5, 2011
Just to confirm - I have come to the conclusion that it is best to have separate Ubuntu installations if users of the same computer have different default firewall blocking needs. Me and my wife have totally different Internet surfing habits. I also tend to block most of the websites that she normally uses, some of which are dialed by default when opening Firefox.
We have used one desktop computer for a while now with two users in one Ubuntu installation. It is becoming too much of a hassle having to change the firewall settings each time it was changed by the other user with a previous log-on. We also have two other computers in the household for the children. I have created a Local Repository, and download updates only on my computer, saving on time and bandwidth (the only replication that takes place is downloading the index files from the update servers for each computer). Having another Ubuntu installation on the same computer will just add to the "auto update" list.
Another advantage is that my "more secure" Ubuntu partition (which may contain sensitive information from time to time) will not be mounted when my wife is on the Internet.
I have 2 Linux installations with the same username in each of them, which are on different disks. I would like to create another partition to use it as home for both distros (the one to be at /home/debian/username and the other at /home/suse/username, e.g.). First, is this possible? If yes, how can I do it, and how much space is enough for the other directories? More details: The first distro is on a 82GB partition, and the second on a 21GB partition on another disk. I'm planning to use all 82GB partition for the shared /home and move both distros to the other disk's partition (in fact the one, the other is already there). So, I'm thinking to resize the 82G partition, to make free space for the /home partition (which filesystem is better to use?). Then to move my user of both distros there in folders /home/debian/username - /home/suse/username. After to resize 21GB partition (how much space is enough for debian?), and on new free space to move the other distro. And finally to resize again the new /home partition to use all 82GB.
And last, this way will be easy if I want to install another distro later, to use the home partition with the same form (/home/other-distro/username)? Can I define this at distro's installation procedure?
sharing a wine installation across the system but I haven't managed to get them to work (you'd think that this is something that would have been implemented properly a LONG time ago. Crossover has a rubbish version of it but I wanted to get it to work in Wine). Here's what I did (it works insofar as office 2003 can be used but the menu entries don't (as of yet) appear in the different users' menus):
Regular install of wine, start wine on my profile and let it build all its stuff. DO NOT INSTALL ANY PROGRAMMES YET (I did the first time and it didn't work afterwards). Create user and group "wine" with disabled password/login and no home dir. Move system.reg and drive_c to /wine and chown wine:wine, chmod 0775 (both recursively, bien sur).
Add all users to the "wine" group. Make symlinks to drive_c and system.reg in my .wine directory. Copy ~/.wine to all the other users' home directories, delete user specific registration files user.reg and userdef.reg. Chown the .wine directory for each user. Install Office 2003 (for me at least) or whatever programmes you want (I've only tried this in Office 2003).
chown wine:wine /wine -R because your installation will have messed things up a bit. Now cd (in Terminal, obviously) to /wine/drive_c/users. If you ls you'll see a folder called Public and a folder with your user name (mine is "gideon"). cp your home directory (recursively again) for each of your other users who you want to be able to use wine. Chown their user folders to user_name:wine (recursively - I'm going to stop writing that, just assume it). su as each user, go into their user directory and you'll see something like this (ls -al):
I've just added my wife as a separate user on my desktop and have a question about shared network folders. So /etc/fstab mounts network folders from a second computer and until today I've mounted them to /home/David/NetworkData
This of course means that when my wife logs in she won't see them since they're not mounted to her home folder. So what folder should I use and what tricks so that we both have it visible and accessible in Places from the top menu?
I have an Ubuntu 10.04 server/router with IPv6 internet connectivity (I have an internet routable /64 subnet). Since I have this abundance of IPv6 addresses I wanted to try and assign v6 addresses to specific users on the local system. I've been looking at ip6tables with packet mangling but I don't seem to be able to find out how to do this or if this is even possible.
Current configuration: eth0: Local network, has the /64 IPv6 public range active and the IPv4 LAN range. tun0: 6in4 tunnel with an ISP assigned public v6 address. eth1: Standard IPv4 internet connection.
All users on my system use the v6 address configured on tun0. I want to force them to use the /64 range which is configured on eth0. If I can force users to use a specific v6 address, I'll configure more than one v6 address on this interface based on the user's userID on the system.
I want to use samba in ubuntu. For samba users I make a user in my linux box like
# useradd smith
# useradd jone
These users can also login into my ubuntu system if they want. For samba I want to know that, is there any way to create separate valid list of samba users so that they may access files from windows xp.
We are trying to set up a classroom training environment where our SIG can hold classes for prospective converts from Microsoft/Mac. The ten machines will have /home/student01..10 and /home/linsig01..10 as users. We want /home/student01 to be able to explore and sudo so they can learn to administer their personal machines at home. We don't want them to be able to modify (sudo) /home/linsig01. I've seen the tutorial on Access Control Lists but I'd like other input so we get it right the first time.
I have squid as a proxy on the Suse box, and with the default firewall I have to enable masquerading to allow clients on the eth3:1-3 to send and receive mail through the Suse box. I found the Suse firewall completely inadequate (all P2P software/connections are allowed once you enable masquerading) and had to install ConfigServer Security & Firewall. In the configuration of csf I could get my way around getting smtp to work for the eth3:1-3 clients, but pop3 connections do not go through the box. I know I need to allow port 110 and 995 to masquerade of NAT (or something) and then the same for port 22
I have a hp 6500 e709a printer. I have configured it for network printing and would like to use the scan facility. I have tried to scan from the printer but it does not find the computer. The hp documents mention advanced firewall information on incoming udp ports and tcp ports etc. I believe it is with my machine as my son has a windows box with the hp software and I have managed to scan from that machine.
Since I installed FC11 I can't get vpnc to work (I always get "no response from target"). Also I can't ping any external IP even with the firewall disabled. What I see strange is that I had the same configuration in FC10 and the router configuration seems okay to me:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 * 255.255.255.255 UH 0 0 0 ppp0
We have reason to ask this of you following some strange firewall behaviour - but don't panic. If you use openSUSE 11.2 and you think your firewall should be running, or you are not sure but think it should be, check and report back here.
To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
I'm working on setting up access for our developer via Telnet, we are on a local network behind a physical firewall. I set up the standard Telnet service for Fedora15 and from localhost I can login via any user and root.... However I cannot login from another terminal on the LAN, even though I can ping and FTP to the fedora15 box. I added the firewall rules for telnet, that did not work, so I disabled the firewall, still cannot get a connection via port 25. I feel either port 25 is closed in another manner or the telnet is restricted to the localhost.
Also I cannot login to root to configure the Firewall Desktop GUI, only standard users, is this an issue? I also cannot login to the console as root even though I use the correct password. I can only su to root and sometimes it is a PITA. There must be some settings to clear these issues up...
install a keylogger on my laptop, which I share with my bf, who I have previously discovered is accessing various "dubious" dating sites, the idiot had even linked his iTouch to his email so I had the passwords and usernames, anyhoo, after a very strong telling off, (on all profiles he had ticked "looking for a discreet relationship!") and being clearly uber busted, he maintained that he would never do it again. I need to check though, am sure you will understand my reasons for doing so. We both share a laptop, but have separate removable drives, I'm running xubuntu on mine and so is he with a FreeBSD as a server.
Does "Portable Ubuntu" run separate from Windows? Point being, would I be vulnerable to Windows based trojans if I ran Firefox from Portable Ubuntu on Windows?
I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight rein on nfs exports. Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
I haven't, intentionally, addressed this issue (not for initial want of trying), but after having given the matter up for some time, today I closed the lid and was expecting it to go to blank screen, but no, it went into suspend (despite not being instructed to do so in power management). Crikey, I thought, here comes a forced shut down and a dicey boot, but lo, she woke. After an initial second of smeared-up graphics and the sound of the hard disk starting to spin twice in a row, she woke.
On closing the lid again it went to blank screen. A fluke, I thought, so I changed the options to suspend when lid closed in power management and tried again, and it worked, again, and again and again. Any other ppc users noticed that suspend now suddenly works?
I have Ubuntu running on an old PE server. It is running Virtualbox with an instance of Ubuntu inside. The instance is there to run my honeypot.
The server box IP is 192.168.1.10. The Virtualbox is bridged with its own IP of 192.168.1.200. The honeypot daemon is listening to 192.168.1.201 with arpd.
I set up the UFW with DENY. And then enabled only the ports leading to the honeypot scripts which are bound to IP .201. I then forwarded the ports necessary to run VNC to .200.
Here is the UFW status:
buntu@ubuntu-desktop:/var/lib$ sudo ufw status
Status: active
To Action From
-- ------ ----
192.168.1.201 21/tcp ALLOW 21/tcp
192.168.1.201 4444/tcp ALLOW 4444/tcp
192.168.1.201 5544/tcp ALLOW 5544/tcp
I want to make a sandbox for my music streaming server (subsonic). I was going to make a directory and chroot to it. I don't really have any room on my HD for new partitions. For the sandbox/chroot jail to be proper does it need to be on a separate filesystem/mount point?
I have an Ubuntu 9.10 server and I need to use an ftp server. I installed vsftp but I can't make it work. What doesn't work is that I can't login to the ftp server with my user(s). I created a user ("AddressBookUser") that should access some files located on "/var/www/fpt/rubriche/". I set this folder as his home. Here is the row for this user in /etc/passwd:
vsftpd.chroot_list exists, but as you see above the chroot_list_file directive is disabled. When I try to connect to the FTP server the connection is established but after I insert "AddressBookUser" as user name and confirm I get a "530 permission denied" message. This occurs both from the network (LAN) computers and locally:
Quote:
webs@webs:/etc$ ftp localhost
Connected to localhost.
220 Welcome to WEBS FTP service!
[code]...
I can't figure out what is the problem but my thought was that it's a problem related to the user configuration rather than vsftp configuration, but it's only my supposition. If I try to login with the "main" user of my Ubuntu server, "webs", I can login correctly.
I am trying to set up an SFTP server. I can log on to it with no problem. But our trading partner for whose benefit we want it cannot. They are unable to make a connection. Here is what happens when they try:
Error: Could not open connection to `ogxxxsft@subdomain.domain.com': Could not connect to `subdomain.domain.com': Unable to connect to server
I have a VPS (Ubuntu 8.04 server edition) and as such am stuck with using a software firewall.
I currently have UFW installed.
I would ideally like to have my firewall be a little rude, or rather just not polite. I know what I am asking will break the RFC, but I consider this ok due to the security benefits.
I would like to have my firewall 1) ignore (e.g. drop without responding) all packets that don't start with a syn flag 2) for all other traffic that is currently blocked, have it dropped (again drop it without responding)
If there are any other rules you can think of I would like to know them. I already have only the services I want open and the rest blocked.
I've been using Windows for quite a few years now. I loved the way how I used to set incoming/outgoing rules for my applications. But I'm having a hard time doing that in Ubuntu. I tried searching for a good GUI for iptables but I need your help selecting the best. I might learn iptables someday but for the time being I will be using a nice GUI. I'm currently using GUFW, I've tried Firestarter. All I need is a firewall that would allow me to configure rules for my applications.