Ok so I want to sandbox firefox and chromium in lubuntu.

1. I am using FIREJAIL now. is this a good program and safe and secure for sandboxing browsers in LUNBUNTU?

2. I see SElinux seems to be good for sandboxing but isn't compatible with mint/LUBUNTU? it also looks complicated.

3. is there a simple GUI interface for SElinux?

5. DOCKER seems neat but is it hard to use??

6. I use OS LINUX LUNBUNTU AND PEPPERMINT for security better than microsoft windows 7,8,10 is there a BEST LINUX OS for security? "NOTE I AM INTERESTED IN HIDING MY REAL IP ADDRESS BUT NOT MY IDENTITY SO TOR ISN't A PRIORITY FOR MY BUT HARDENING MY OS IS!

7. will using a VPN while using FIREJAIL degrade FIREJAILS security?

I haven't used FJ, so can't comment on it.

Drop pep and LUB and look at stuff like hardened gentoo.

In so far as MAC (Mandatory Access Control) goes: On .deb systems I like apparmor. A lot of people knock it and say that it's not as mature or flexible as SEL. And that is true to some extent. But the scripting is about a million times easier to learn, IMHO. And using a VPN will not effect how any MAC works. It's apples and oranges. One helps to locally secure a program the other is a NT protocol.

As far as VPNs go: I'm in the US and I have *major* problems with the crap the NSA is pulling. Some times I like to have a private conversation. To that end I own a virtual VPN server hosted on metal in a country with much stronger privacy laws than the US. I built the instance myself, so I know *exactly* what's in it.

As far as docker goes: I agree it looks neat. But, if you're clinically paranoid like I am then why trust other peoples work? I'd rather just build it from scratch myself and *know* what's in it rather than audit it and worry if I missed anything.

I also like to use compartmentalized computing; which is actually rather easy to achieve with a hardened *nix OS, virtualbox and VT NT. I built my own hardened OS on the hardware and then run 6 different VMs that are hardened to different levels depending on their use. Right now I'm on my web surfer. It's for every day web surfing. My banking machine is locked down so tight that it only works with the ~18 sites that I need to pay bills. And it takes about 30 minutes to prick pinholes in its defences to get it to work with a new web site. It's no good for every day use. But I can track *every* hop my money makes.

Back when I had a Dell account they moved part of their bank processing from the US to Brazil. My banking machine warned me of the route change. I tracked down the published owner of the server and asked him if it was a legit change or if I was being MTMed. He got mad and wanted to know how I found him. And he did not comment on the change. But since he was just mad at me for calling and not concerned about what I was reporting I figured it was legit.

That same machine has also kept me from being ripped off a couple of times.

One example: Our landlord only lets us pay on line. I went to pay the rent one time and the machine warned me that the hosting service had some anomalies and had most likely been compromised in a manner that would allow the interception of my banking info. So I did a quick reporting to both our corporate office and the hosting service. They got it fixed and I was able to pay my rent the next day.

But stuff like that will take you a while to pick up. Gotta walk before you can fly.

PS: IMHO chromium is bad for sec. This is just one reason why. In my mind there are *many* reasons not to use it. Some technical and some political. I.E. the CEO of google thinks that algos should sensor free speech!

That would actually be a reason why Chromium is more secure than Chrome ...
Any application can have security holes, this one was found and closed quickly because it's open source.

thanks for suggestion. do u have a like to direct download the hardened gentoo install dvd, or do u have to install gentoo then install the harden part???

wow you and i think a lot alike when it comes to privacy. you are definitly way ahead of me when it comes to securing my systems and having the ability to build my own from scratch.


one question, what do u think about putting a PFSENSE or ipfire pc hardware firewall in front of my networks router for more protection?

my network is

1. cable modem
2. g wireless class router with dd-wrt installed. "i have read numerous faq's on hardening dd-wrt"
3.
windows 7 pc's
linux pepermint,unbuntu,lubuntu pc's

Sorry it took so long to get back, I had my head under the hood building some new fun toys.

On the gateway: DO IT!!! Also, drop the rented cable modem and go buy one. It won't be 100 percent secure (nothing is) but at least it won't have friggin backdoors inside of backdoors built in to it with crappy published kegen seeds that can be used to unlock the password of the day. (And you'll save money. You can buy one for ~$70 and you're paying about that much a year to rent one.)

Home routers fragging, scraggin suck to the max. They are a complete and total joke. And to some extent that is true for commercial routers as well. And a decent SMB commercial router can easily go 5K (US) plus a monthly subscription fee.

Get IPFire and contribute. Throw them a few bucks when you can or set up a VM or server for beta testing nightly builds, whatever. Or translate a wiki page. Everybody at every skill has something to contribute. (And I'm not associated with them.)

You can set up a P4 w/ 1GB RAM and 3 NCIS for under $100 (cost me 60). This is more than enough to be a gateway for less than 5 users.

Set up 3 dif subnets (blue / green / orange).

Learn how to harden the IPFire install and firewall. Learn how to set up NIDs. Set up the AV proxy.

Move your wifi in to a segregated subnet. Secure it, don't use it. Leave it for friends, significant other, etc to web surf. dd-wrt is good. But depending on a million ifs and thens it is still possible to have holes in some set ups due to flaws inherent to the underlying hardware itself. I've got a dd-wrt / hardened in a segregated sub net for the wife to surf.

Build a LAN. Learn how to set up HIDs.

Put a hardware FW between the gateway and the LAN. With a little elbow grease you can build a some what intelligent / adaptive UTM entirely from FOSS. I built one on a 10 year old netbook. I just had to add a USB NIC. For extra points learn how to port SNORT to IPTables and how to monitor IPT for rule violations and drop / perma-block violators.

Hardened Gentoo tuts (a lot of this will apply in general, I built my own hardened distro):

http://resources.infosecinstitute.co...ned-profile-2/

http://resources.infosecinstitute.co...ax-grsecurity/

http://resources.infosecinstitute.co...ng-checksec-2/

http://resources.infosecinstitute.co...x-rbac-clamav/

And after all of that there is still a ton of work that needs to be done on the systems and then there is all kinds of use case stuff like the right way to use TOR (it involves VPNs, multiple exit nodes, chained random pathway proxies).

But it will be a while before you get to all of that. And you'll never know it all. Just strive to keep learning. Heck, I just found out about like 3 days ago that IPv5 is more than:
1) A mathematical possibility.
2) The failed ST protocol.
3) The groundwork for VOIP

It can actually be used to evade trunk / edge / BGP taps! Time to roll up my sleeves, there's always more to learn.

Oh and doze 7 is a combo big blabber mouth and nosy neighbor, move it off your LAN. I've got a hacked up doze server that I need for some toys. It's hardwired to the dd-wrt in blue w/ a static route so I can admin it from my main LAN terminal.