LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Blogs > arniekat
User Name
Password

Notices



Rate this Entry

Slackware-14.1-Firefox-24.6.0

Posted 06-22-2014 at 07:59 PM by arniekat

This tutorial will go through speeding up and hardening Mozilla Firefox 24.6.0, which is the current version from the patches directory. Since Web Browsers and other Network-Aware Applications communicate with the outside world, it makes sense to spend time locking down/hardening these applications. Some of this information is elsewhere on my blog, but I decided to put it in one place along with updated information. You do not have to do everything in this tutorial. Select what you need/want.

FIREWALL

Hardware - If you do not already have a NAT Router, this is a good start for protecting your network. NAT Routers function as a Hardware Firewall. If you have a WiFi Access Point, that functions as a NAT Router. This advice is basically for people who have a modem for their Internet hooked up to a desktop machine with an Ethernet Cable.

Software - Install an IPTables Software Firewall. You can choose between an IPTables Script (such as Slax-7.0.8 Live Firewall Script that you can copy over to /etc/rc.d/rc.firewall), Uncomplicated Firewall (UFW), FireHol, or Arno-Iptables-Firewall. There is a tutorial on installing each of these.

HOSTS FILE

Note - I skipped over some information since a previous tutorial has more details. The Hosts file contains a list of IP Addresses mapped to Host Names. It is loaded into memory when your start your computer. The file name is /etc/hosts. The interesting thing about the Hosts file is that you can block ads, third-party cookies, third-party hit counters, web bugs and banners by putting the hostname of known offending websites and the IP as 127.0.0.1. This will block the connection to the website from your browser since the Hosts file makes it connect to the loopback network interface. The default /etc/hosts look similar to this:

# cat /etc/hosts

# For loopbacking.
127.0.0.1 localhost
127.0.0.1 darkstar.linux.net darkstar

Go to http://www.mvps.org/winhelp2002/hosts.htm and download the latest hosts.zip file which is dated June 4, 2014.

After unzipping, you will have some files. Look for the text file named HOSTS. Using a text editor, erase the following two lines from this file since your /etc/hosts file already has this information:

127.0.0.1 localhost
::1 localhost #[IPv6]

Now, using your text editor's replace funtion, replace all the 0.0.0.0 dotted quads with 127.0.0.1 and save the file. Append the modified HOSTS file to your /etc/hosts with the following command:

# cat /location/of/modified/HOSTS >> /etc/hosts

Check that all of the following worked:

# cat /etc/hosts

You should have the original contents plus all of the blacklisted websites.

As you are visiting websites, you will see windows within the webpage that have an error message "Unable to connect. Firefox can't establish a connection to the server at <Server_Name>. The hosts file is blocking that content.

FIREFOX SECURITY SETTINGS

These are the settings and addons I use for my Desktop. Adjust as necessary for your use.

Go to Edit--Preferences

Click on the "Privacy" Tab

Tracking
CHECK Tell websites I do not want to be tracked

History
CHECK Firefox will: Never Remember History
Firefox will now restart

History
CLICK ON clear all current history
Time range to clear: Everything
CHECK Browsing and download history
CHECK Form & Search History
CHECK Cookies
CHECK Cache
CHECK Active Logins
CHECK Offline website data
CHECK Site Preferences
CLICK Clear Now

Location Bar
When using the Location Bar, suggest: Nothing

Click the "Security" Tab

Passwords
UNCHECK Remember passwords for sites

Click the "Advanced" Tab

General Tab
Browsing > UNCHECK Check my spelling as I type

Data Choices Tab
Firefox Health Report > UNCHECK Enable Firefox Health Report

Update Tab
CHECK Never check for updates (not recommended: security risk)
NOTE - Since you get your updated packages from Slackware, you don't need to check the Mozilla Website.

Click "Close"

FIREFOX SPEED/SECURITY TWEAKS

Look at this website for more details.

http://www.wikihow.com/Make-Firefox-Load-Pages-Faster

To make some changes that will hopefully speed up Firefox if you have a fast connection:

Type about:config in the URL Bar:

Click "I'll be careful, I promise" at the "This Might Void Your Warranty" Dialog Box. Under the Search, type the following Preference Name and change its value to the following:

Preference Name Value
network.http.pipelining true
network.http.pipelining.maxrequests 8
network.http.proxy.pipelining true
network.http.keep-alive.timeout 600
network.http.max-connections 30
network.http.max-persistent-connections-per-proxy 16
network.http.pipelining.ssl true

There are several addons that are described as making Firefox load pages more quickly, but I have no experience with them.

JAVA

A lot of sites require Java to function properly. I normally install the Java Development Kit, which includes the Java Runtime Environment. The current version of JDK is 7u60 from SlackBuilds. After compiling and installing it, activate the Java Plugin for Firefox by creating a link in the Mozilla Plugins folder. Close Firefox before doing the following.

Slackware 14.1 (32-Bit)
# cd /usr/lib/mozilla/plugins/
# ln -s /usr/lib/java/jre/lib/i386/libnpjp2.so
# ls -al
lrwxrwxrwx 1 root root 41 Jun 2 14:09 libnpjp2.so -> /usr/lib/java/jre/lib/i386/libnpjp2.so

Slackware64 14.1 (64-Bit)
# cd /usr/lib64/mozilla/plugins/
# ln -s /usr/lib64/java/jre/lib/amd64/libnpjp2.so
# ls -al
lrwxrwxrwx 1 root root 41 Jun 2 14:09 libnpjp2.so -> /usr/lib64/java/jre/lib/amd64/libnpjp2.so

Open Firefox 24.6.0ESR and type aboutlugins in the address bar.

Installed Plugins
Java(TM) Plug-in 10.60.2

Now, go to https://www.java.com/en/download/installed.jsp and click "Verify Java version" to test your java. You should see:
Congratulations!
You have the recommended Java installed (Version 7 Update 60).

NO SCRIPT

No Script allows you to disable Adobe Flash and Java Script on a per-website basis, it also has an anti-XSS filter and anti-Clickjacking protection.

Go to Tools--Addons and search for the NoScript Security Suite. Click Install. Click Restart Now.

After restarting Firefox, you can change the Preferences, but I leave the defaults. Next to the URL Bar, you will see an "S". Put your cursor on the "S" and you can change the security setting on a webpage-by-webpage basis, such as your Banking or Stock Broker website, etc. I usually set it as "Allow all this page" for the sites I frequent.

FLASHPLAYER-PLUGIN

Flash is required to view videos on YouTube and some websites use flash. The current version is flashplayer-plugin-11.2.202.378. You can get this from SlackBuilds.org. Compile and install, then visit the Adobe Flash page

https://www.adobe.com/software/flash/about/

to verify that Flash works and so the /home/<user_name>/.macromedia directory is created. This is where the Flash Cookies are stored.

BETTER PRIVACY

Adobe Flash cookies are called Local Shared Objects (LSO) and they are stored on your computer by the Flashplayer Plugin. If you have the Flash Plugin, you will have these so called "Super Cookies". Even if you set Firefox to delete cookies, Flash cookies will not be deleted. That is where Better Privacy comes in. It will delete these "Super Cookies" to keep others from tracking you. Better Privacy will also protect you from "DOM Storage" longterm tracking.

Go to Tools--Addons and search for BetterPrivacy. Click Install. Click Restart Now.

A Better Privacy informational tab will come up so you can be better informed regarding Flash Cookies.

Go to Tools--BetterPrivacy and make the settings as follows:

LSO Manager Tab
Flash-Data Directory: /home/<user_name>/.macromedia

Flash cookies have the extension *.sol You will see a settings.sol cookie and whatever other Flash Cookies are on your machine.

Click on Remove All LSO's

Options & Help Tab
CHECK Delete Flash Cookies on Firefox Exit
UNCHECK Always Ask
CHECK Also delete flashplayer default cookie. It stores flashplayer settings as well as all visited flash sites!
CHECK On cookie deletion, also delete empty cookie folders
CHECK Auto protect LSO Sub-Folders
CHECK Disable Ping Tracking

Click "OK" when you have changed the settings.

GHOSTERY

Ghostery sees web bugs and other detecting tracking technologies and also allows you to see which companies have placed bugs on the webpage you are visiting. With Ghostery, you can learn about the company in question or just block the scripts, images and IFrames for your privacy.

Go to Tools--Addons and search for Ghostery. Click Install. The Ghostery Configuration Walk-Through will appear.

Click Arrow-Right

UNCHECK Enable GhostRank (your choice on this)

Click Arrow-Right

CHECK Enable Alert Bubble (this will show you the websites with bugs on your webpage)

Click Arrow-Right

Trackers Tab
Click "Select All" to block all trackers.

Cookies Tab
Click "Select All" to block all cookies. (This blocks cookies from select third-party providers, not from all websites!)

There is a note in Ghostery that if you combine this setting with a cookie manager such as Beef Taco, Cookie Monster, and Google Opt-Out that you may get unresponsive script errors. If you intend to use a Cookie Manager, I would not select "Block all cookies".

ADBLOCK PLUS

AdBlock Plus blocks annoying adverts and banner ads. It does not block unobtrusive ads by default to help support websites who get money from ads. If you want an adblocker that does not have a sponsored ads whitelist, look at the AdBlock Edge Addon. AdBlock Edge does not have "Acceptable Ads".

Go to Tools--Addons and search for Adblock Plus. Click Install. A new tab will open in Firefox which is the Adblock First Run Settings page. You have several choices that can be activated.

ON Malware Blocking - This setting blocks known malware domains.
ON Remove Social Media Buttons - This setting gets rid of social media buttons, such as the Facebook Like, which appear on web pages and track your behavior.
ON Disable Tracking - This setting allows to browse privately by hiding your tracks from ad companies.

Click the "disable" text in the third introductory sentence under the heading "Annoying ads will now be blocked" to get to the Adblock Plus Filter Preferences.

To block all Ads
UNCHECK Allow some non-intrusive advertising

At the upper right-hand corner of the browser to the right of the URL bar, you will see a red octagon with the letters "ABP". You can left-click to see a menu that allows you to change preferences or see all the blocked items or even to turn off Adblock Plus for this webpage, etc.

COOKIE CONTROLLER

Use Steve Gibson's site to check your browser's cookie storage policy and behavior:

http://www.grc.com/cookies/forensics.htm?fge1u3320smeo

Firefox does not have a way to delete 3rd Party Session and 3rd Party Persistent Cookies which means these could potentially be stored on your computer. When I tested my machine, there were no Privacy concerns with 1st Party Session and Persistent Cookies, however, there was a concern with 3rd Party Session and Persistent Cookies.

Go to Tools--Addons and search for Cookie Controller. Click Install. Go to Tools--Cookie Controller--Cookies and there you can remove all cookies or just individual cookies.

Go to Tools--Cookie Controller--aboutermissions

These are the settings I use as Default permission for all sites. Change and adjust to your needs.

Store Passwords: Block
Share Location: Block
Set Cookies: Block
Open Popup Windows: Block
Maintain Offline Storage: Block
Plugins: Allow
Full Screen: Always Ask

If you go to a website and you want to store 1st Party Session or Persistant Cookies, go to the website in question, then

Go to Tools--Cookie Controller and select one of the following:

Cookies allowed for website
Cookies allowed for website only as a 1st Party
Cookies allowed for this session for website

After configuring Cookie Controller, I tested my machine again, there were no Privacy concerns with 1st Party Session and Persistent Cookies nor with 3rd Party Session and Persistent Cookies.

Ghostery Note - Be sure to disable Cookie Blocking Options in Ghostery since you are using Cookie Controller to manage browser cookies!

Tools--Ghostery--Manage Ghostery options

Blocking Options Section
Click Cookies Tab
Click "Select None"

Click Save

HTTPS EVERYWHERE

This addon is available from the Electronic Fronteir Foundation. What this addon does is use a whitelist of sites that support the SSL-Secured (HTTPS instead of HTTP) version of the webpage you are visiting, if available. This can protect you against eavesdropping.

Go to the website to download the latest plugin:

https://www.eff.org/https-everywhere

Click on "Install In Firefox". You will get a message that Firefox prevented a site (eff.org) from installing an addon. Click "Allow" to continue with the installation. You will now see a dialog box asking you to confirm the installation. Click "Install Now".

An SSL Observatory dialog box will appear. It will ask for permission to send SSL Certificates to the Observatory to check for bogus certifcates. I usually answer "No", but it is your choice.

POLIPO

Polipo is a small and fast caching web proxy (a web cache, an HTTP proxy, a proxy server) designed to be used by one person or a small group of people. Using layman's terms, Polipo keeps webpage information on your hard disk. When you revisit a webpage, polipo only downloads the information that has changed, thus saving bandwidth. Unlike Squid, it is very easy to configure and light on resources so you can use it on a stand-alone machine. If you keep an on-disk cache, polipo will add to the cache without regard to its size. You will have to do some clean-up or run polipo -x to wipe out the cache. See the Polipo Manual. Road Warriors, bandwidth-limited people, and people who pay by the GB for bandwidth might consider using Polipo and Pdnsd since Polipo caches Web Information and Pdnsd caches DNS Information thus saving bandwidth. I disabled the diskCacheRoot since I am using it at home and do not want to deal with the cache file maintenance.

Compile and install polipo-1.0.4.1 from SlackBuilds.org

Edit the configuration file /etc/polipo/config and uncomment the following lines:

# Uncomment this if there's only one user using this instance of Polipo:
cacheIsShared = false

# Uncomment this if you want to disable the on-disk cache:
diskCacheRoot = ""

Add the following line to the Basic Configuration Section

daemonise = true

Save the file and exit.

Add the following command to /etc/rc.d/rc.local so polipo starts on every boot.

polipo

Now, start Firefox and click on Firefox Preferences > Advanced > Network Settings Tab

Connection Settings
CHECK Manual Proxy Configuration
HTTP Proxy: localhost Port: 8123
UNCHECK Use this proxy server for all protocols

Cached Web Content
CHECK Override automatic cache management
Limit cache to 0 MB of space

Note - If you trouble connecting to an FTP Site, go into the Firefox Settings and make sure that "Use this proxy server for all protocols" is UNCHECKED.

See http://rightfootin.blogspot.com/2009...th-polipo.html

Polipo can also block ads, in effect doing the same thing as the Adblock Plus addon for Firefox. If you have Polipo do the adblocking, you don't need the Adblock addon, so remove it. Understand that Adblock gives you more flexibility in making changes. If you want this functionality, you will have to grab an adblock filterset list (easylist.txt) and convert it to a format Polipo understands.

The easylist.txt file can be downloaded from:

http://easylist.adblockplus.org/easylist.txt

Download an adblock2polipo.py python conversion tool - you will need to Google Search since I don't have a direct link or you can get it from rightfootin shown below:

Now, run the python script to convert the easylist.txt and save it as /etc/polipo/forbidden

python adblock2polipo.py easylist.txt > /etc/polipo/forbidden

Now, edit the file /etc/polipo/forbidden and make one formatting change:

# vi /etc/polipo/forbidden

Around line 58, you will see this text

+adverts/

Change it to this

\+adverts/

Save the file and exit.

PDNSD

Pdnsd is a proxy DNS server with permanent caching (the cache contents are written to hard disk on exit) that is designed to cope with unreachable or down DNS servers (e.g., in dial-in networking).

Compile and install Pdnsd-1.2.7 from SlackBuilds.org

Edit the file /etc/rc.d/rc.local and add this section:

if [ -x /etc/rc.d/rc.pdnsd ]; then
/etc/rc.d/rc.pdnsd start
fi

Create the file /etc/rc.d/rc.local_shutdown and make it executable:

# touch /etc/rc.d/rc.local_shutdown
# chmod 0755 /etc/rc.d/rc.local_shutdown
# vi /etc/rc.d/rc.local_shutdown

Add the following:

if [ -x /etc/rc.d/rc.pdnsd ]; then
/etc/rc.d/rc.pdnsd stop
fi

Save the file and exit.

Pdnsd needs to be configured. This setting will use my own ISP's DNS Servers, but you can also use Google DNS Servers 8.8.8.8 and 8.8.4.4 or even OpenDNS's Servers 208.67.220.220 and 208.67.222.222

Make the following changes to /etc/pdnsd.conf. You will need to have your ISP's DNS Server Address. For example, if you use ifconfig and see your IP Address as 192.168.1.86, then you box traffic goes out through address 192.168.1.1, which then goes out to your ISP's DNS Servers. The interface will probably be wlan0 if you are using WiFi.

global {
perm_cache=2048;
paranoid=on

server {
label= "att";
ip = 192.168.1.1; # Put your ISP's DNS-server address(es) here.
# proxy_only=on; # Do not query any name servers beside your ISP's.
# This may be necessary if you are behind some
# kind of firewall and cannot receive replies
# from outside name servers.
timeout=60; # Server timeout; this may be much shorter
# that the global timeout option.
uptest=if; # Test if the network interface is active.
interface=eth0; # The name of the interface to check.
interval=10m; # Check every 10 minutes.
purge_cache=off; # Keep stale cache entries in case the ISP's
caching=on; # DNS servers go offline.

source {
ttl=86400;
owner=localhost;
serve_aliases=on;
file="/etc/hosts";

Save the file and exit.

Edit /etc/dhclient.conf and add this line to the end of the file

prepend domain-name-servers 127.0.0.1;

If you use NetworkManager or Wicd, you will need to set the DNS manually to 127.0.0.1

RESETTING FIREFOX

If for some reason after doing all of this, you decide you liked Firefox the way it was before, you can reset everything to its default state.

Type about:support in the URL Window

Click the "Reset Firefox" button to undo all the changes.
Posted in Uncategorized
Views 675 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 07:56 AM.

Main Menu
Advertisement

Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration