Bleachbit on Linux

Swap File Instead Of A Swap Partition On Linux

This article explains how to transition from having a swap partition to a swap file. If you don’t need to disable any existing swap partition and all you need is to create a swap file and activate it, simply skip steps 1 and 2.
On my Ubuntu 18.04 desktop I had a fairly large swap partition which I wanted to use for other purposes, and move the swap to a file. Ubuntu 18.04 already uses a swap file by default instead of a swap partition, however, I upgraded to the latest Ubuntu version instead of making a clean install, so my system continued to use a swap partition. Therefore I had to move the swap to a file myself.
As a result, the instructions below were tested on my Ubuntu 18.04 desktop. They should work on any Linux distribution though.
Note that hibernating (to disk) will no longer work out of the box when using a swap file. This can be done but I can’t test it because resuming from hibernation didn’t work on my system before switching to a swap file, so I just gave up on using hibernation. What’s more, most Linux distributions use suspend (to RAM) instead of hibernate (to disk) by default anyway. If you need to enable hibernation with a swap file, there’s some info here. Suspend (to RAM) is not affected by this.

How to Move Swap To A File On Your Linux Filesystem

1. Turn off your current swap partition.
To see the active swap partition, run:
swapon -s
The command output looks like this in my case:
Filename    Type        Size       Used   Priority
/dev/sda5   partition   15624188   0      -2
Now you can turn off the current swap device using this command:
sudo swapoff /dev/sdXX
Where /dev/sdXX is the device listed by the swapon -s command (under the Filename section – /dev/sda5 in my case from the example above), so make sure to replace it with your swap partition.
2. Remove your old swap entry from the /etc/fstab file.
To remove the old swap entry, open the /etc/fstab file as root with a text editor, and remove the swap line. Do not modify anything else in the /etc/fstab file! Changing anything else in this file may prevent your system from booting!
You can open the file with Nano editor from the command line, like this:
sudo nano /etc/fstab
And remove the entry containing your swap partition information (you can also just comment out the line by adding a # in front of it). As an example, in my case the swap entry looks like this:
UUID=d1b17f9c-9c5e-4471-854a-3ccaf358c30b none swap sw 0 0
As you can see, the swap entry should contain swap and sw – that’s how you know which line to remove (or comment out).
Then press Ctrl + O, then Enter to save the file. To exit Nano editor after you’ve saved the file press Ctrl + X.
3. Create a swap file.
To create a swap file of 1GB use this command:
sudo dd if=/dev/zero of=/swapfile bs=1024 count=1048576
Where:
/swapfile is the path and name of the swap file. You can change this to something else.
the number after count (1048576) equals 1GB. Increase it if you want to use a larger swap file. For example, multiply this number by 5 if you want to use a 5GB swap file (so use 5242880 as the count= value for a 5GB swap file).
If you use a different swap file name and path, make sure to use that instead of /swapfile in all the instructions that follow below.
4. Set the swap file permission to 600.
Use this so other users won’t be able to read your swap file, which may contain sensitive information.
To set the swap file permission to 600, use this command:
sudo chmod 600 /swapfile
5. Format the newly created file as swap:
sudo mkswap /swapfile
6. Enable the newly created swap file:
sudo swapon /swapfile
To verify if the new swap file is in use, run:
swapon -s
It should output something like this:
Filename    Type   Size      Used   Priority
/swapfile   file   5242876   0      -2
7. Add the newly created swap file to /etc/fstab.
To use the new swap file each time you boot, you’ll need to add it to the /etc/fstab file. Open /etc/fstab with a text editor (as root) like Nano:
sudo nano /etc/fstab
And in this file add the following line:
/swapfile none swap sw 0 0
To save the file (if you’ve used Nano command line editor) press Ctrl + O, then Enter. To exit Nano editor after you’ve saved the file press Ctrl + X. Again, remember to not modify anything else in the /etc/fstab file! Changing anything else in this file may prevent your system from booting!
8. This step is required for Ubuntu and Debian-based Linux distributions (I’m not sure if others need this too).
You need to edit the /etc/initramfs-tools/conf.d/resume file and comment out (add a # at the beginning of the line) the RESUME=UUID=… line. In my case, not doing this resulted in about 15-20 seconds of extra boot time. The systemd-analyze blame command didn’t give any info as to why that’s happening so I had to dig quite a bit to find out this is what’s causing the boot delay.
This file is used to specify the swap partition UUID (which no longer exists since we now use a swap file), and is used when resuming from hibernation. 
To comment out this line in /etc/initramfs-tools/conf.d/resume, all you have to do is run the command below:
sudo sed -i 's/^RESUME=UUID/#RESUME=UUID/g' /etc/initramfs-tools/conf.d/resume
You’ll also need to update initramfs and after that you’re done:
sudo update-initramfs -u
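
Step 4 matters because swap can hold memory pages from any process. The following check is an added example, not part of the original article: it reads a table in the format printed by swapon -s and flags every file-backed entry whose mode is not 600. The function name audit_swap_perms and the temporary demo files are constructed for illustration.

```shell
# Added example: flag swap files whose permission bits are not 600.
# Input is a table in `swapon -s` format (/proc/swaps uses the same layout).
audit_swap_perms() {
    table=${1:-/proc/swaps}
    status=0
    # Columns: Filename Type Size Used Priority. The header line is skipped.
    while read -r name type _rest; do
        [ "$type" = "file" ] || continue   # partitions have no file mode to audit
        if [ ! -e "$name" ]; then
            echo "MISSING $name"
            status=1
            continue
        fi
        mode=$(stat -c '%a' "$name")       # GNU stat: octal permission bits
        if [ "$mode" = "600" ]; then
            echo "OK $name $mode"
        else
            echo "INSECURE $name $mode"
            status=1
        fi
    done <<EOF
$(tail -n +2 "$table")
EOF
    return $status
}

# Constructed demo: two temporary files stand in for swap files.
demo_dir=$(mktemp -d)
: > "$demo_dir/good.swap"; chmod 600 "$demo_dir/good.swap"
: > "$demo_dir/bad.swap";  chmod 644 "$demo_dir/bad.swap"
{
    echo "Filename Type Size Used Priority"
    echo "$demo_dir/good.swap file 1048572 0 -2"
    echo "$demo_dir/bad.swap file 1048572 0 -3"
    echo "/dev/sda5 partition 15624188 0 -1"
} > "$demo_dir/swaps"
audit_swap_perms "$demo_dir/swaps" || echo "fix with: sudo chmod 600 <file>"
```

Run with no argument, the function audits the swap files currently active on the system.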


Linux File System Explained

The Linux File System – Explained


The Linux file system structure can be a bit confusing, simply because I didn’t know anything other than the Windows file system for my entire life. But after persisting through the learning curve, the mystery was unraveled and I can now comfortably switch between Linux and Windows whenever needed, and I actually feel like I understand the Windows file system better now after learning the Linux file system.
For me, the biggest difference between the two file systems is to understand where the root of the file system begins. In Windows, the root begins at the drive letter, usually C:\, which basically means it begins at the hard drive. In Linux however, the root of the file system doesn’t correspond with a physical device or location, it’s a logical location of simply “/”. See the graphics below for a visual representation.

 

How this helps.


Run Your Browser In Firejail

Objective

Install Firejail and use it to sandbox applications, like web browsers, that interact with the open Internet.

Distributions

This will work with any current Linux distribution.

Requirements

A working Linux install with root privileges.

Difficulty

Easy

Conventions

  • # – requires given command to be executed with root privileges either directly as a root user or by use of sudo command
  • $ – given command to be executed as a regular non-privileged user

Introduction

The single biggest threat to your Linux system is your web browser. When you think about it, it makes perfect sense. A browser is a large and complex piece of software with the ability to execute code, and it accesses the open Internet and executes just about everything that it comes into contact with.

The best way to handle this problem is by compartmentalizing your browser, or any other Internet-facing application, away from the rest of your system. This way, it can’t do nearly as much damage if it is compromised. That’s what Firejail is for. Firejail is a sandboxing program that allows programs to run in individual sandboxes with their own set of parameters, limiting their contact with the rest of your system. Firejail is easy to use, and it’s available in the repositories of nearly every major distribution, except for Fedora and CentOS.

Install Firejail

Debian/Ubuntu

$ sudo apt install firejail

Fedora/CentOS

Download the Firejail .rpm from their Sourceforge page https://sourceforge.net/projects/firejail/files/firejail/, and install it manually.

# rpm -i firejail_X.Y-Z.x86_64.rpm

OpenSUSE

# zypper install firejail

Arch Linux

# pacman -S firejail

Gentoo

# emerge --ask firejail

Basic Usage

To run an application through Firejail, you only need to prefix the command with firejail.

$ firejail firefox

Firefox will start up like it usually would, but contained in its own sandbox. This will work with virtually any application that you can think of, including command line ones.

$ firejail tar xpf somefile.tar.gz

Firejail will stay running as long as the application does. Even if you’re using something that’ll be open for a while, you don’t have to worry about Firejail stopping and your application being insecure. Actually, if something like that does happen, the application will stop too. You can also use Firejail along with graphically intensive programs. It won’t slow them down much, if at all.

$ firejail wine64 "$HOME/.wine/drive_c/Program Files (x86)/World of Warcraft/Wow-64.exe"

Passing Arguments

There are tons of features available through flags in Firejail. You probably won’t ever use most of them, but you can certainly check them out in Firejail’s man page. The couple detailed here are the most common.

--seccomp

The --seccomp flag tells Firejail to filter out and block a number of system calls. It has its own default list of system calls that it blocks, but you can also specify them with --seccomp=syscall,syscall. Just add --seccomp to your regular Firejail command to use it.

$ firejail --seccomp firefox

--private

The --private flag acts sort of like a private window in a web browser does. It creates a separate sandbox in temporary storage and deletes itself after you close the application.

$ firejail --private firefox

Of course, you can string them together.

$ firejail --seccomp --private firefox

Firejail Profiles

Firejail has independent configurations for most of the programs that you’d commonly run it with. It refers to them as “profiles.” These profiles pass specific flags and bits of configuration to Firejail by default whenever the corresponding program is run. You don’t need to do anything for Firejail to use its default profiles. If you want to modify the profiles or create your own, you can copy them into your local directory at ~/.config/firejail/.

Firejail By Default

There are a few ways to get Firejail to run by default with a program. The easiest is probably to modify the launchers of the programs that you plan to use Firejail with. That can be tedious, though, and you don’t necessarily need to do it. If you want Firejail to run with every program that it has a default profile for, you can run a simple command as root, and Firejail will set itself up.

# firecfg

If you don’t want that wide range of programs using Firejail by default, you can manually set the ones that you want.

# ln -s /usr/bin/firejail /usr/local/bin/firefox

This creates a symbolic link between firejail and the program being run. Substitute the actual path for your system and program.
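
The symlink only takes effect if its directory comes before the real binary's directory in PATH. The check below is an added example, not part of the original article: it walks a PATH list and reports whether a command name resolves to firejail first. The function name firejail_status and the temporary directory layout are constructed for illustration.

```shell
# Added example: does a command name reach Firejail before the real binary?
# Prints "sandboxed", "shadowed" (a firejail symlink exists, but an earlier
# PATH entry wins), or "unsandboxed".
firejail_status() {
    cmd=$1
    path_list=${2:-$PATH}
    first_seen=""
    result="unsandboxed"
    old_ifs=$IFS
    IFS=:
    for dir in $path_list; do
        candidate="$dir/$cmd"
        [ -x "$candidate" ] || continue
        target=$(readlink -f "$candidate")      # follow the symlink chain
        if [ "$(basename "$target")" = "firejail" ]; then
            if [ -z "$first_seen" ]; then
                result="sandboxed"
            else
                result="shadowed"
            fi
            break
        fi
        [ -n "$first_seen" ] || first_seen=$candidate
    done
    IFS=$old_ifs
    echo "$result"
}

# Constructed demo: a fake firejail, a fake firefox, and a symlink like the
# one created by the ln -s command above.
fj_demo=$(mktemp -d)
mkdir -p "$fj_demo/local" "$fj_demo/bin"
printf '#!/bin/sh\n' > "$fj_demo/bin/firejail"
cp "$fj_demo/bin/firejail" "$fj_demo/bin/firefox"
chmod +x "$fj_demo/bin/firejail" "$fj_demo/bin/firefox"
ln -s "$fj_demo/bin/firejail" "$fj_demo/local/firefox"
firejail_status firefox "$fj_demo/local:$fj_demo/bin"   # symlink directory first
firejail_status firefox "$fj_demo/bin:$fj_demo/local"   # real binary first
```

With a single argument the function checks your real PATH. A launcher that calls the binary by absolute path never consults PATH and bypasses the symlink.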

Closing Thoughts

Firejail is an excellent way to compartmentalize applications on Linux and keep a potential breach quarantined before it even happens. It also has potential for stopping bugs from bringing down more than just the program that they affect. With how easy it is to use, there’s no reason not to run Firejail on your system.


Linux iptables

Secure Your Linux Desktop with Iptables

Linux may have a reputation for security, but it isn’t perfect. Many distributions also don’t have the best security defaults, so it’s best to implement some best practices for security. One such example is using a firewall.

There are a few options for firewalls in Linux, but most are actually just wrappers around iptables. For this guide we will show you how to work with iptables directly.

Iptables is the Linux kernel firewall. It comes with every Linux distribution, and it’s the most direct way to control traffic coming into and out of your computer.

Iptables has a reputation for being complex, and it can be. You don’t need to know everything about iptables to use it effectively on your desktop, though. You just need some basic knowledge of how it works and how its rules are structured.

All iptables rules follow the same basic structure. Each rule is a single-line command to iptables that tells it how to handle traffic on a specific port. Take a look at the example below:

-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT

That might look like a lot, but it’s really simple when you break it down. First, this rule begins with -A because it will append onto your iptables rules.

Next, the -i flag specifies the interface that the rule is for. In this case, it’s eth0. When you write your own rules, make sure that you know which interface you’re connected to your network through.

The following flag, -p, names the protocol. This rule is for tcp, the protocol that carries Web traffic.

The -m flag is a little different. It is used to assert that there is a condition that must be met in order for traffic not to be rejected. The condition in this rule is the state.

State is actually the next flag. You need to give --state a list of acceptable states written in all caps and separated with commas. This rule accepts ESTABLISHED and RELATED connections.

The second to last flag here is --sport. It stands for “source port,” and it tells iptables which port the traffic is coming from. There is also a --dport flag that stands for “destination port.” It’s used in OUTPUT rules to specify which port the traffic is going to.

Finally, there’s the -j flag. It tells iptables which action to “jump” to. In this case it should ACCEPT the traffic that meets the previous conditions.
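
The breakdown above can be done mechanically. The parser below is an added example, not part of the original article: it splits a rule into the fields just discussed and tests whether a given connection state is in the rule's --state list. The function names explain_rule and rule_matches_state are constructed for illustration, and only the flags covered in this guide are recognized.

```shell
# Added example: split an iptables rule into the fields described above.
explain_rule() {
    # Intentional word splitting: a rule is a flat list of flags and values.
    set -- $1
    state_loaded=no
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-i|-o|-p|-m|--state|--sport|--dport|-j)
                [ $# -ge 2 ] || { echo "error=missing value for $1"; return 1; }
                flag=$1; value=$2; shift 2 ;;
            *)  echo "unparsed=$1"; shift; continue ;;
        esac
        case $flag in
            -A)      echo "chain=$value" ;;
            -i)      echo "in_interface=$value" ;;
            -o)      echo "out_interface=$value" ;;
            -p)      echo "protocol=$value" ;;
            -m)      echo "match=$value"
                     if [ "$value" = state ]; then state_loaded=yes; fi ;;
            --state) [ "$state_loaded" = yes ] || echo "warning=--state used without -m state"
                     echo "states=$value" ;;
            --sport) echo "source_port=$value" ;;
            --dport) echo "dest_port=$value" ;;
            -j)      echo "target=$value" ;;
        esac
    done
}

# Succeeds only if the named state appears in the rule's --state list.
rule_matches_state() {
    states=$(explain_rule "$1" | sed -n 's/^states=//p')
    case ",$states," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# The rule from this guide.
RULE='-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT'
explain_rule "$RULE"
rule_matches_state "$RULE" NEW || echo "NEW connections are not matched by this rule"
```

The last line shows that this INPUT rule only admits traffic tied to connections that already exist, so unsolicited inbound connections do not match it.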
