LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-22-2015, 08:40 AM   #1
oceanus2
LQ Newbie
 
Registered: Feb 2015
Posts: 5

Rep: Reputation: Disabled
Firefox Security Best Practices


What are the recommended best security practices for using Firefox on a new Linux system (Centos 7 in my case)? I only access the web using Firefox using my regular, non-root, account. Other than that, what Firefox and/or system settings should I enable/disable in order to safeguard my system from malware scripts, viruses, etc? Also, are there similar Thunderbird settings that should be enabled/disabled?

Thanks in advance from a new Linux user
 
Old 02-22-2015, 08:55 AM   #2
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Arch & Debian
Posts: 1,183

Rep: Reputation: 283Reputation: 283Reputation: 283
Use the "noscript" add-on.
 
Old 02-22-2015, 08:58 AM   #3
gor0
Member
 
Registered: Jun 2014
Distribution: quad BOOT!
Posts: 549

Rep: Reputation: 64
NO spyware,virus,blablabla...

U r in Penguin my friend, do not worry bout that:

http://www.whylinuxisbetter.net/item...ndex.php?lang=




Quote:
Why Linux is Better


Forget about viruses.


If your computer shuts itself down without asking you, if strange windows with text you don't understand and all kinds of advertisements appear when you don't ask for them, if emails get sent to all your contacts without your knowing it, then your computer probably has a virus. The main reason for this is because it runs win$UCK$.

Linux hardly has any viruses. And that's not like "Oh well, not very often, you know". That's like "If you've ever heard of a real Linux virus, please tell me". Of course, a Linux virus is not impossible to get. However, Linux makes it very hard for this to happen, for several reasons:

Most people use Microsoft Windows, and pirates want to do as much damage (or control) as possible: therefore, they target Windows. But that's not the only reason; the Apache web server (a web server is a program located on a remote computer that sends web pages to your browser when you ask for them), which is open source software, has the biggest market share (against Microsoft's IIS server), but it still suffers from much fewer attacks/flaws than the Microsoft one.
Linux uses smart authorization management. In Windows you (and any program you install) usually have the right to do pretty much anything to the system. If you feel like punishing your PC because it just let your precious work disappear, you can go inside the system folder and delete whatever you want: Windows won't complain. Of course, the next time you reboot, trouble begins. But imagine that if you can delete this system stuff, other programs can, too, or just mess it up. Linux doesn't allow that. Every time you request to do something that has to do with the system, an administrator password is required (and if you're not an administrator on this system, you simply can't do it). Viruses can't just go around and delete or modify what they want in the system; they don't have the authorization for that.
More eyes make fewer security flaws. Linux is Open source software, which means that any programmer in the world can have a look at the code (the "recipe" of any program), and help out, or just tell other developers "Hey, what if blah blah, isn't this a security flaw?".

Last edited by gor0; 02-22-2015 at 11:09 AM.
 
Old 02-22-2015, 10:20 AM   #4
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Arch & Debian
Posts: 1,183

Rep: Reputation: 283Reputation: 283Reputation: 283
It's not quite as simple as that.
https://en.wikipedia.org/wiki/Linux_malware

Personally I always boot up a live distribution to do my internet banking, just in caseŠ...
 
Old 02-22-2015, 10:46 AM   #5
jross
Member
 
Registered: Apr 2014
Distribution: Xubuntu 14.04
Posts: 164

Rep: Reputation: Disabled
Quote:
Originally Posted by Head_on_a_Stick View Post
It's not quite as simple as that.
I agree with that! Never a good idea to think you are immune. Here's a video of malware gotten through firefox and adobe flash in linux: https://www.youtube.com/watch?v=94QsgdXnsmU

A good idea is to always make the browser ask you to enable flash, so you only use it when necessary (and you don't need it for youtube anymore).

Last edited by jross; 02-22-2015 at 12:01 PM.
 
Old 02-22-2015, 11:14 AM   #6
ozar
Member
 
Registered: May 2004
Location: USA
Distribution: Arch Linux
Posts: 415

Rep: Reputation: 82
Quote:
Originally Posted by oceanus2 View Post
What are the recommended best security practices for using Firefox on a new Linux system (Centos 7 in my case)? I only access the web using Firefox using my regular, non-root, account. Other than that, what Firefox and/or system settings should I enable/disable in order to safeguard my system from malware scripts, viruses, etc?
Hello

I'd recommend using one or more of the following add-ons:

NoScript
Policeman
uBlock

...and you might also consider setting some or all of the following in Firefox/about:config to help with security:

beacon.enable = false
breakpad.reportURL = blank
browser.cache.disk.enable = false
browser.cache.disk.capacity = 0
browser.cache.offline.enable = false
browser.cache.offline.capacity = 0
browser.safebrowsing.appRepURL = blank
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.enabled = false
browser.safebrowsing.gethashURL = blank
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.malware.reportURL = blank
browser.safebrowsing.reportErrorURL = blank
browser.safebrowsing.reportGenericURL = blank
browser.safebrowsing.reportMalwareErrorURL = blank
browser.safebrowsing.reportMalwareURL = blank
browser.safebrowsing.reportPhishURL = blank
browser.safebrowsing.reportURL = blank
browser.safebrowsing.updateURL = blank
services.sync.prefs.sync.browser.safebrowsing.enabled = false
services.sync.prefs.sync.browser.safebrowsing.malware.enabled = false
browser.send_pings.require_same_host = true
browser.sessionhistory.max_total_viewers = 0
browser.sessionstore.privacy_level = 2
devtools.cache.disabled = true
dom.event.clipboardevents.enabled = false
dom.storage.enabled = false
geo.enabled = false
geo.wifi.uri = blank (or http://127.0.0.1)
keyword.enabled = false
media.peerconnection.enabled = false
network.dns.disablePrefetch = true
network.http.pipelining = true
network.http.pipelining.ssl = true
network.http.pipelining.maxrequests = 10
network.http.proxy.pipelining = true
network.http.referer.XOriginPolicy = 1
network.http.referer.spoofSource = true
network.http.referer.trimmingPolicy = 2
network.http.sendRefererHeader = 0
network.http.use-cache = false
network.prefetch-next = false
newtabpage.enabled = false
privacy.trackingprotection.enabled = true (may break some sites)
security.ssl3.ecdhe_ecdsa_rc4_128_sha = false
security.ssl3.ecdhe_rsa_rc4_128_sha = false
security.ssl3.rsa_rc4_128_md5 = false
security.ssl3.rsa_rc4_128_sha = false
social.remote-install.enabled = false
webgl.disabled = true
 
2 members found this post helpful.
Old 02-22-2015, 11:17 AM   #7
gor0
Member
 
Registered: Jun 2014
Distribution: quad BOOT!
Posts: 549

Rep: Reputation: 64
Quote:
Originally Posted by Head_on_a_Stick View Post
Personally I always boot up a live distribution to do my internet bankin
just use TAILS... !!!

and

can U expand?
 
Old 02-22-2015, 11:19 AM   #8
gor0
Member
 
Registered: Jun 2014
Distribution: quad BOOT!
Posts: 549

Rep: Reputation: 64
Quote:
Originally Posted by ozar View Post

...and you might also consider setting some or all of the following in Firefox/about:config to help with security:

beacon.enable = false
breakpad.reportURL = blank
browser.cache.disk.enable = false
browser.cache.disk.capacity = 0
browser.cache.offline.enable = false
browser.cache.offline.capacity = 0
browser.safebrowsing.appRepURL = blank
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.enabled = false
browser.safebrowsing.gethashURL = blank
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.malware.reportURL = blank
browser.safebrowsing.reportErrorURL = blank
browser.safebrowsing.reportGenericURL = blank
browser.safebrowsing.reportMalwareErrorURL = blank
browser.safebrowsing.reportMalwareURL = blank
browser.safebrowsing.reportPhishURL = blank
browser.safebrowsing.reportURL = blank
browser.safebrowsing.updateURL = blank
services.sync.prefs.sync.browser.safebrowsing.enabled = false
services.sync.prefs.sync.browser.safebrowsing.malware.enabled = false
browser.send_pings.require_same_host = true
browser.sessionhistory.max_total_viewers = 0
browser.sessionstore.privacy_level = 2
devtools.cache.disabled = true
dom.event.clipboardevents.enabled = false
dom.storage.enabled = false
geo.enabled = false
geo.wifi.uri = blank (or http://127.0.0.1)
keyword.enabled = false
media.peerconnection.enabled = false
network.dns.disablePrefetch = true
network.http.pipelining = true
network.http.pipelining.ssl = true
network.http.pipelining.maxrequests = 10
network.http.proxy.pipelining = true
network.http.referer.XOriginPolicy = 1
network.http.referer.spoofSource = true
network.http.referer.trimmingPolicy = 2
network.http.sendRefererHeader = 0
network.http.use-cache = false
network.prefetch-next = false
newtabpage.enabled = false
privacy.trackingprotection.enabled = true (may break some sites)
security.ssl3.ecdhe_ecdsa_rc4_128_sha = false
security.ssl3.ecdhe_rsa_rc4_128_sha = false
security.ssl3.rsa_rc4_128_md5 = false
security.ssl3.rsa_rc4_128_sha = false
social.remote-install.enabled = false
webgl.disabled = true
That's pretty Paranoid !
 
Old 02-22-2015, 11:22 AM   #9
gor0
Member
 
Registered: Jun 2014
Distribution: quad BOOT!
Posts: 549

Rep: Reputation: 64
Quote:
Originally Posted by Head_on_a_Stick View Post
Linux_malware
R U spreadin FUD ???

 
Old 02-22-2015, 11:22 AM   #10
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Arch & Debian
Posts: 1,183

Rep: Reputation: 283Reputation: 283Reputation: 283
Quote:
Originally Posted by gor0 View Post
just use TAILS... !!!

and

can U expand?
I have heard of ISPs throttling connections used with TAILS.

With a live distribution, everything is "fresh" when you boot it up -- there is zero chance of keyloggers or trojans being on the system (check the md5sums when you download the ISO though) and nothing is saved when you shut down the system.
 
1 members found this post helpful.
Old 02-22-2015, 11:23 AM   #11
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Arch & Debian
Posts: 1,183

Rep: Reputation: 283Reputation: 283Reputation: 283
Quote:
Originally Posted by gor0 View Post
R U spreadin FUD ???

Not at all -- maybe @Unspawn or one of the other security experts will chime in and back me up here.
 
Old 02-22-2015, 11:48 AM   #12
oceanus2
LQ Newbie
 
Registered: Feb 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
I have used live images before and they worked nicely except that they are slow to boot from a CD/DVD. It sounds like I should reconfigure my system with my base/primary Linux image and a second Linux live image so I can boot quickly from my SSD with the live image when necessary to process financial transactions. Can a live image be configured to coexist on a SSD with another image but can't access the other image's file system?
 
Old 02-22-2015, 12:17 PM   #13
XenaneX
Member
 
Registered: Jan 2009
Location: SE USA
Distribution: Mageia 4 formerly PCLOS
Posts: 144
Blog Entries: 5

Rep: Reputation: 19
Use a good hosts file.

http://www.pclinuxos.com/forum/index...tml#msg1103856

http://www.pclinuxos.com/forum/index...tml#msg1103856
 
Old 02-22-2015, 01:13 PM   #14
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
Adblock and Noscript are the main addons you need. I also run only in private browsing mode.

Some about:config values:

These stop javascript from messing with the window, there are more than one
user_pref("dom.disable_window*", true);

This limits the number of popups
user_pref("dom.popup_maximum", 2);

Some recent concerns:
http://threatpost.com/webrtc-found-l...dresses/110803
https://www.techdirt.com/articles/20...-attacks.shtml
 
1 members found this post helpful.
Old 02-22-2015, 01:57 PM   #15
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Rep: Reputation: Disabled
1.) I would consider adding "AdBlock Plus" which is a free add-on and lets you block out spammy ads and unwanted videos which eat up your bandwidth.

2.) Set your Privacy settings so you block all 3rd party cookies

3.) Set your Privacy settings so you have to Accept/Decline all 1st-party cookies

4.) Erase everything (e.g. Cache, Passwords, etc) when you close FireFox

5.) Don't store browsing or search history


There is quite a bit more that you can do, but those are some basics.


Rob
 
  


Reply

Tags
firefox, thunderbird


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Stability vs security: best practices? DJRcomputing Debian 13 06-05-2011 12:10 PM
Bad Security Practices from Professor CincinnatiKid General 5 08-12-2010 04:28 PM
Best practices for Network and Security roldancer Linux - Security 3 02-07-2010 08:58 AM
Security Practices shaolin77 Linux - Security 3 08-19-2009 11:39 AM


All times are GMT -5. The time now is 10:08 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration