Opensnitch Linux Firewall: Detect + Bloc ...

Opensnitch Linux Firewall: Detect + Block Malware Connections

Jan 19, 2022

(Click the image below to watch on my decentralized Peertube channel - or watch the YT embedded video right here on the page, below the picture.)

Installation instructions and usage options/screenshots found further down this page.

Bild

Watch right here in the article:

https://youtu.be/0xS3up2xM


Thanks to community member G. (full name not printed in case privacy matters) for asking about Firewall related content. Inspired me to make this video and tutorial on Opensnitch: A great place to start on the Firewall subject in general.


opensnitch offers a nice Firewall starting point. By detecting all process/program connection attempts, you get to know your system better. And the "ports" used to connect out. Think of a port as an "opening" where data can traverse via an application.

What you learn from opensnitch may help aid your future firewall rules.


NOTE: I may add more to this later. Check back sometime. Articles are always posted here in full, first. Later on, some of these articles may be mirrored over at my wordpress.


UPDATED:

In the first 24hr, over 10,000 unnecessary connections have been blocked on one machine.

Screenshot: Bild


(Support options/extras at the bottom - Most of all Thanks for sharing this article link/video on Telegram/Social Media. Many videos continue to be suppressed by the algorithms, even after 2 years of working. Please do help me share this content.)


FIREWALL

Firewalls can protect our machines from unsavory application packets (offering (temp or permanent) block options for these connections, by routing, port, user, process, ip address. Dependent on capability.

Under some circumstances, firewalls can go as far as to protect us from malicious malware (communications) found already on our system: by monitoring connections (socket layer here pertaining to network connections), and blocking at layers untouched by the malware.

If malware/adware cannot connect to its destination, it cannot send malicious data out
(as long as it depends on outgoing connections: opensnitch will soon work on incoming connections as well according to dev page).

I recommend Opensnitch to both new and experienced Linux users. It may provide information you may find valuable for other firewall setups later.


TIP: Even more importantly, opensnitch will teach you what your programs are up to, and who they are contacting. More on this in future post!


Opensnitch

Bild

Open source port based on MacOS "Littlesnitch" (Littlesnitch is for MacOS only and runs $45 for license)

If you are a MacOS user, you can download your free trial of Littlesnitch here.

On the other hand, Opensnitch is completely free to download and install on Linux. No strings attached.

One of the great benefits of being a Linux user is the numerous incredibly powerful tools at our disposal.

Benefits Of Linux

In addition, Linux provides the openness required for complete customization. The more you know about the internals of Linux, the more you will be able to customize it to your liking. While it may seem overwhelming at first achieving your dream setup, this process only needs to be done once. From then on, you can (for the most part) maintain with updates.

Under the hood, Opensnitch utilizes the gold standards for Linux firewalling: iptables and (more recently) netfilter (nft).

Outside installation, no commands are needed to use.

Opensnitch detects any outgoing (soon incoming) connections installed processes are trying to make, displaying a popup, asking if you would like to "allow", or "deny" each (see screenshot below).

Bild

We also install the GUI administration interface today. More on this below.

OPENSNITCH?

Monitors outgoing (soon incoming) connections from processes running on your Linux system. This can help detect hidden malware attempts to send data to outside parties. Imagine a keylogger, or remote access tool, sending your most private data.

Certain backdoors may connect out: such as a simple netcat based reverse shell.

See my video "Watch Out For Hidden Code", for an example of netcat in action (and small demo in video to create opensnitch pop up).

IMPORTANT NOTE: The most common form of compromise in the history of computing comes from the very programs a user chooses to run. Whether hidden inside an innocent looking game, or a backdoor hidden inside a forked repository (make sure to download from official repositories, unless you trust the dev). opensnitch will help you detect these programs making their necessary "connect out". Even the programs serving a reverse shell, are likely to make a 'ping' of sorts out, to reveal their victim's IP address.


Downloading Opensnitch

You can find ready to install .deb (Debian/Pop!_OS based) packages here.

For Pop!OS, we will be downloading opensnitch1.4.1-1_amd64.deb. Save this file to your disk.
(shown in the screenshot below):

Bild

First we will need to open a terminal. This may be called Xterm, or "Terminal Emulator".

Installing Opensnitch Command

Sometimes packages carry dependencies (prerequisites for installation). If at first you first don't succeed, read the error message carefully, and then attempt to use the built in Debian/Pop!_OS apt sources to install whatever package name it mentions needing.

Example command To Search For Any Missing Dependencies:
sudo apt install MissingPackageNamehere

In our case, here we are installing a .deb extension package, and so we will enter the directory where we saved the opensnitch file, and issue:

sudo dpkg --install opensnitch1.4.1-1_amd64.deb

(see screenshot below: first we use 'ls' command to ensure the .deb file is in our current directory, and then we issue the dpkg install command to install)

Bild


NEXT: INSTALLING GRAPHICAL OPENSNITCH INTERFACE

Now we want to download the graphical user interface. Opensnitchd (the "daemon" or service in the background) manages things behind the scenes.

However, we want to manage everything in a nice point and click environment.

We can do so by first downloading the GUI (graphical user interface) from the releases page.

Direct link for downloading the opensnitch GUI package is here. Right click and save as (pay attention to where you save it).

Then we use sudo dpkg command once again to install it:

sudo dpkg --install python3-opensnitch-ui_1.4.2-1_all.deb

Uh Oh... dependencies. We can fix this!

If you (like me) along the way there were missing some of the packages the opensnitch depends on, we can fix this:

Bild

If this is not clear enough you can leave a comment below, and maybe your question will help others along the way!

Or read the opensnitch gui release page here.


USING OPENSNITCH FIREWALL

Now that we've installed both the opensnitch package, and the opensnitch_gui, we can open the graphical management interface!

For my own system, it was found on my Applications menu. Depending on your desktop, it may be in a different area.

Opening Opensnitch on my XFCE desktop (XFCE install instructions below screenshot):

Bild

NOTE: I am using XFCE: a very nice lightweight desktop interface. You can install XFCE easily, by issuing one command:

sudo apt update && sudo apt install xfce4

Then, on your normal Pop!_OS login, select XFCE as your interface. It's that easy!


Now we should see Opensnitch icon (top righthand side in my case)

The opensnitch applet/icon is circles in red in the following screenshot, showing the rules. The "rules" are your particular block/allow settings for each individual application/connection/host:

Bild


ALLOW/DENY

Commonly Legitimate Connection Ports:

443 (https)
80 (http)
21 (ftp)
25 (mail)
9050 (Tor)
9051 (Tor)
53 (DNS)

The above ports are more likely than not, normal activity - if you see ports outside the above numbers, you may wish to look into them. You only need to block IP+app+port combination once if you select 'forever'.

TIP: Temporarily allow the port connections above, and add the IP addresses to your list. Then on your own time, search using whois command. If you trust the IP, you can reboot and have the blocked IP's no longer blocked, and start blocking the untrusted hosts. Check your hosts list/rules.


New Rules And Preferences Button (Middle Button)

You can save yourself many pop-ups by creating rules with the "Priority rule" button enabled.

The priority rule button will bypass all other rules set.

Notice how I use a "|" pipe, to separate IP segments, covering multiple subnets. In my case I need to use 192.168.1., and 192.168.42. Your subnets may vary. And if you are unfamiliar with this, it is okay, you can still take full advantage of opensnitch.

Bild

Preferences

The preferences button (in above picture it is on the top lefthand side, "middle" button (circled in red) will open a box (as seen below) to set how opensnitch behaves by default. You can disable the pop-ups (seen further down in next section below) by checking the box in the picture below.

(In this case you would only see alerts on connection attempts)

Bild


Application Pop-up Boxes offer us the option to "Allow" or "Deny". These pop up anytime a process attempts to connect to an unknown combination of process, ip address, and port. See below example:

Tor Browser Example (/usr/bin/tor process):

Bild

We can change rules at a later time:

Bild


Firefox Connection Detected Example (Pop Up: Allow/Deny):

Bild

We can view the "users" processes used to attempt to make connections:

Bild


From here, we can use Opensnitch however we like, customizing access permissions for our programs/processes/hosts. We may even discover something we aren't aware of (happening in the background).

One thing is for sure, you will get to know your applications better.

It may even help you decide on applications to remove.

We can view events and statistics for dropped packets (based on rules we set), at the bottom:

Bild


INVESTIGATING (WHO/WHAT TO BLOCK?)

We can investigate processes by using the man pages (short for manual pages) to read more about them. Even use rdebsums to check their integrity (original or modified file?) if we aren't 100% sure.

More examples found in the video at the top of this page.

Investigating IP addresses can be done with the whois command as shown below:

whois IPaddressGoesHere

Example of whois results shown in screenshot below:

Bild

Thanks for reading and don't forget to Share this link.


Thoughts, comments and any questions welcome below.

😀 Thank you for Sharing this (Telegram/Social media + everywhere).

Don't forget to follow at the links below.

----------------------------------------------------------------------
🧅🔐 ANONYMOUS GITEA (.onion): Books, Code/Scripts, Wiki, more (make a repository)
🧅🔐 PASTEBIN (.onion): options- password protect, zk-256bit, "Burn After Reading" + more
----------------------------------------------------------------------
🤗 SUPPORT OPTIONS (If you like to):
💲CASHAPP
✍🗒🎞 Politictech (BMAC Memberships (monthly supporter option)
🎁 EXTRAS: Unique extra Services (get something back for your support)
💳 Politictech Main Page: (info + current Crypto)
----------------------------------------------------------------------
FOLLOW:
✍🗒MASTODON
🐦 TWITTER
🎞 PEERTUBE
🎞 BITCHUTE
🎞 ODYSEE
---------------------------------------------------------------------
CONTACT
-------------------------------------------------------------------------
THANK YOU for Sharing this, Liking, and Subscribing.
-------------------------------------------------------------------------
If you aren't registered for Odysee I'd love to see you over there.
Use my invite link: https://odysee.com/$invite/@RTP
--------------------------------------------------------------------------

Gefällt dir dieser Beitrag?

Kaufe 🥷 (RTP) Privacy Tech Tips 📡 einen Kaffee

2 Kommentare

Mehr von 🥷 (RTP) Privacy Tech Tips 📡