Did you look into setting up a jailed environment?
A lot of people will advise you not to run programs such as web browsers and media players as root, reason being that if the program is exploited, the hacker has full access to your system.
However, if you run these programs as a normal user, there's still one very big problem: The program has full access to your home folder.
Now I don't know about anyone else, but the most valuable thing on my machine is my home folder. You could wipe all my applications, all my settings, my entire operating system, and I'll be able to replace it all within a day or two. My home folder however is valuable. I back it up from time to time, but still there's always gonna be stuff that I don't wanna lose.
So with that said, I think something like a web browser should be run as a different user which doesn't have access to your home folder. That way, even if it the program gets exploited, there's not too much it can do.
Has anyone ever played around with this before?
Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
Did you look into setting up a jailed environment?
Tiocfaidh ár lá
Browser Appliance | Virtual Appliance Marketplace
Of course this is really just running a new OS in a VM and browsing in that VM.
Using a jail as KMDave suggested is also good.
In Windows there are various process control tools that can be used to define what particular applications can do (e.g. what registry access can it perform, what files can it write to, etc). Its been a while since I looked at this, but I think the app I was doing this with was WinPooch?
I don't know if there is a Linux equivalent to that, but you may want to investigate Linux Host Based Intrusion Prevention/Detection systems to see if they will fit the bill for controlling what the browser process can access.
For those interested in Windows process control tools I would suggest checking out Sandboxie
"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer."
ANyway, point of that story is, a jail is good, but it shouldnt be your only protection, regular backups trump an army of HIDS, and firewalls everyday (reverse connection of course)
And yes, backups are one of the most important things you can do, but I don't necessarily think they can be described as trumping firewalls and HIDS, their purposes are too different to allow a comparison. You probably didn't mean that backups can be used instead of a firewall or HIDS, but just in case anyone else gets the impression that thats appropriate....
But when I say proper backups, I mean a reverse connecting system, where the backup machine connects to the server, then the logs are cleaned after wards, leaving it almost spotless. I even saw one that was compiled right into the kernel so noone could even see when it was happening. I dont expect most people to do that, but it was awesome nonetheless
An example - all outbound traffic denied by default, you only allow SMTP outgoing from your email server, DNS requests are only allowed outbound from your DNS server and web traffic has to go through a decent web filter that whitelists or inspects inside https and performs content checking on http/ftp traffic, blocking executables, binary content, etc. Using a proper proxy device can severely restrict the ability to tunnel out using the CONNECT method or http encapsulation tunneling (httptunnel).
Yes a network like that would be hard for an idiot to get through, however, I want you to honestly tell me how many networks you have seen with that kind of security.If any idiot (or even many idiots) can get through it, the firewall rules probably need to be specified better. Proper filtering on outgoing connections (restricting allowed outbound traffic to what can be controlled) and proxying allowed outbound ports using a decent content inspecting device at least brings things to the level where it takes more than an idiot to get past it.
gain, how have you seen like that, im not saying that all firewalls can be bypassed. But I sometimes want to hit my head off my wall at the amount that respond to an ICMP Quench or redirect. Or worse, the amount of ways to utterly destroy the bigger routers with certain BGP and RIP transmissions.An example - all outbound traffic denied by default, you only allow SMTP outgoing from your email server, DNS requests are only allowed outbound from your DNS server and web traffic has to go through a decent web filter that whitelists or inspects inside https and performs content checking on http/ftp traffic, blocking executables, binary content, etc. Using a proper proxy device can severely restrict the ability to tunnel out using the CONNECT method or http encapsulation tunneling (httptunnel).
But I think Inter-Router Protocol are a bit over the top for this thread
Oh and to quickly mention somehting I found hillarious, during a recent test (consented of course) I found myself in a really tight chmod jail, I mean it was REALLY TIGHT. After about... oh i dont know... three hours of scouring the commands I had outputed (I always output them to a file so I dont make more logs to clean up) I found that although /etc was a no go, one of its children had better access than it... God knows how it happened, slip of the r key or w/e. But I ended up hitting myself since I had read/write to a very nice file I like to call /etc/inetd.conf. Took all of 15 seconds to gain root once I knew the vuln was there D:
I cant remember exactly, but from what I do, it didnt have a conf file. What it did was listen for a specially forged packet containing everything it needed to know, it was some random reserved Type and Code in an ICMP Datagram. The packet contained (encrypted of course) what it needed to connect to and what they were coming for. From what I remember, it was completely transparent except for when it did its backups, on both machines. And even that would be a **** to break since he used some special checksum/encryption that wasnt standard.Very cool. Perhaps overkill, but I respect that level of healthy paranoia. Would be a pain having to recompile the kernel whenever you needed to change configuration though (unless the config files were in the filesystem, but then theres a way to detect it...)
Yeah, he was paranoid, but I swear, his machine was like albestos is to flame. Un(hack/burn)able except when the world is ending
Outside of that maybe not too many, but its asking for trouble in this day and age if you dont lock down your firewall in this way in my opinion...