Locking Down a Leaky Browser (read: Google Chrome)

Everyone has their browser of choice. Myself, I prefer Safari as it functions closest to how I expect a Mac application to function. However, I do find myself using Chrome more and more. There are a couple of things that I do prefer Chrome for. In particular, containing the dumpster fire that is Adobe Flash, but also because Chrome has a rich extension ecosystem. Apple should be jealous. Hardly anyone makes extensions/add-ons for Safari.

This post is intended to take Google Chrome’s default options and modify them so that they leak less information to Google. After all, with Google you are the product. There is nothing altruistic about Google. They are an advertising company first and a tech company second; your data is how they make money. That said, Google creates some good technology, and their security team hunts bugs at a voracious pace, which I can totally respect. With that out of the way, let’s lock down Chrome as it comes out of the box.

Upon first launch, Google asks you to log in. HELL NO. This is the #1 step to prevent Google from tracking all that you do in your browser. No thanks is the option to select here.

Next, run on over to DuckDuckGo – the search engine that won’t track you. When you go there with Chrome, it will ask if you’d like to install the DuckDuckGo Chrome extension. Absolutely do this.

DuckDuckGo’s Chrome extension does a few things:

First, it will change your search engine within Chrome from Google to DuckDuckGo.

Second, it will stop sites from running tracking scripts and will actually rate sites on their privacy. For instance, here’s CNN:

DuckDuckGo takes CNN’s D rating to a B by blocking 19 unique trackers. It’s incredible just how pervasive tracking is across the internet.

Lastly, DuckDuckGo’s Chrome extension will force HTTPS connections.

Don’t worry, you can still do Google searches with DuckDuckGo, and you can do it very easily. Have a look at all their bang shortcuts for quickly searching various sites. The ones I use all the time are !w, !a and !yt.

If you do nothing else in this post, you’ve already greatly increased your level of online privacy. Continue on for some additional tightening up of your shit. I realize that we’re now going to get into functions you may find convenient. Some of these you may want to keep enabled, and that’s fine. Privacy and security are always a tradeoff with convenience.

Next, let’s look at Chrome’s default privacy settings. Open up Chrome’s settings. (If you’re using Chrome, that settings link will work. Otherwise, go to the … menu at the top right of the browser window, click it, and then click Settings.)

Scroll to the bottom of the settings window and click Advanced. Next find the section called Privacy and security.

Disable the first three options: “Use a web service to help resolve navigation errors”, “Use a prediction service to help complete searches and URLs typed in the address bar” and “Use a prediction service to load pages more quickly”.

The “service” that they’re referring to is Google. What you type is sent to Google, it’s analyzed, and they return something that may be helpful (depending on each of these options). I don’t like this kind of help. I don’t need this kind of help. Just let me use my web browser.

Like I said, you may like this help, and that’s fine. Just be aware of what Google’s hoovering up by default. Next select Content settings and you’ll see this window:

Open up the Cookies section.

The third option, Block third-party cookies, is the one you want to enable here. So just what is a “third-party cookie?” Let’s say you go to CNN.com. It may set a cookie recording which edition of CNN you prefer, US vs. International for instance. A third-party cookie, by contrast, could be a cookie that CNN’s ad agency places in your browser so that it can track your activity as you travel to different websites. The reason Google doesn’t block these by default is that, as I said previously, Google is an advertising company, and by turning this setting on by default they’d effectively be blocking their own products from functioning. So, “third party” refers to websites or services that you didn’t explicitly navigate to but that may be embedded in the site you did navigate to.

For the record, Apple’s Safari and Mozilla’s Firefox enable this setting right out of the box. Mozilla and Apple’s privacy stories are miles better than Google’s.

Next click See all cookies and site data:

WOAH. Look at what comes right out the box with Chrome. REMOVE ALL. In the words of Strongbad, BA-LETED.

Next, open up the Extensions area from the … menu -> More Tools -> Extensions:

Note all of the Google extensions. If you have no need to use Google Docs, Sheets, Slides, etc, remove them all. (Or at the least disable them.) I don’t know for certain, but I suspect that they will report information back to Google. It’s on my to-do list of things to investigate.

Now, if you’ve gone this far and go no farther, you’re even better off than those quitters up above who stopped after installing the DuckDuckGo extension. I have a question for you, however. Are you ready to go all in on this?

In this case, we’re going to.

Open up this link. (“chrome://flags” if you prefer to type it in on your own.) You’ll get a big, giant long list of options like this:

I’ll be the first to admit that you’re probably not going to know what a lot of these things do. I don’t either. But, have a look through the list and what I’d suggest is that if any leap out at you as, “Hey, I wonder if that needs to send information about me or my computer somewhere…” you may want to throw that setting’s name through your search engine of choice to find out. That search engine is DuckDuckGo, right… RIGHT!?!? (Full disclosure: I am not compensated in any way by DuckDuckGo. I just really like them is all. There are plenty of non-Google search engines.)

Here’s what I’ve modified within chrome://flags:

  • Hyperlink auditing – Disabled
  • Mark non-secure origins as non-secure – Always mark HTTP as actively dangerous. (As an aside, Google will be treating HTTP this way within Chrome by default beginning in July 2018. May as well get a jump on it.)
  • Show in-form warnings for sensitive fields when the top-level page is not HTTPS – Enabled
  • Enable tabs for the Clear Browsing Data dialog – Enabled
  • No-State Prefetch – Disabled
  • Speculative Prefetch – Disabled
  • Enable new preconnect predictor – Disabled
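The same toggles walked through above, pinned as a Chrome managed policy so they cannot quietly drift back after an update. This is an added example, not from the post: the policy keys are Chrome’s documented enterprise policy names, the POLICY_DIR path is the Linux location (assumed here; on macOS the same keys go into a configuration profile for com.google.Chrome), and policy_value is a small helper for checking what was written.

```shell
#!/bin/sh
# Added example (not from the post): write a Chrome managed-policy file that
# enforces the settings the post toggles by hand. POLICY_DIR is the Linux
# policy directory; this is an assumption, macOS uses a configuration profile.
POLICY_DIR="${POLICY_DIR:-/etc/opt/chrome/policies/managed}"

# Mapping to the post's steps:
#   BrowserSignin 0 + SyncDisabled        -> the "No thanks" to signing in
#   AlternateErrorPagesEnabled false      -> "Use a web service to help resolve navigation errors"
#   SearchSuggestEnabled false            -> "Use a prediction service to help complete searches"
#   NetworkPredictionOptions 2 (never)    -> "Use a prediction service to load pages more quickly"
#   BlockThirdPartyCookies true           -> Content settings > Cookies
#   DefaultSearchProvider*                -> DuckDuckGo as the default engine
# write_chrome_policy FILE: writes the policy JSON to FILE.
write_chrome_policy() {
    cat > "$1" <<'EOF'
{
  "BrowserSignin": 0,
  "SyncDisabled": true,
  "AlternateErrorPagesEnabled": false,
  "SearchSuggestEnabled": false,
  "NetworkPredictionOptions": 2,
  "BlockThirdPartyCookies": true,
  "DefaultSearchProviderEnabled": true,
  "DefaultSearchProviderName": "DuckDuckGo",
  "DefaultSearchProviderKeyword": "ddg",
  "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}"
}
EOF
}

# policy_value FILE KEY: prints the value written for KEY (empty if absent),
# so a deployment script can confirm the file says what it should.
policy_value() {
    sed -n "s/^ *\"$2\": *\([^,]*\),\{0,1\} *$/\1/p" "$1"
}

# Install when run as: sh chrome-policy.sh --install (needs root for POLICY_DIR).
if [ "${1:-}" = "--install" ]; then
    mkdir -p "$POLICY_DIR"
    write_chrome_policy "$POLICY_DIR/privacy.json"
    chmod 0644 "$POLICY_DIR/privacy.json"
fi
```

After restarting Chrome, chrome://policy lists each key and whether it was applied; managed settings show as locked in the Settings UI.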

So, there you have it. If you’ve got other tips for locking up the information sieve that is Google Chrome, let me know via Twitter.

Upgrading fail2ban to a Permanent Banhammer

I don’t keep many logs on this site – on purpose – but I do keep logs on who’s trying to break into my SSH service. I use a popular tool called fail2ban that monitors service logs (sshd’s, but also many others) and, based on thresholds that you set, bans the offending IP from reaching the service for a certain period of time by inserting a rule into iptables. By default that ban lasts an hour, which is usually enough to dissuade your typical script kiddies.

What I’ve noticed, however, is the same bunch of IP addresses trying again and again. They’d get banned and then, within minutes of the hour-long ban expiring, be back for five more tries before being banned again. I presume these are machines that have been compromised, and malware is simply rolling through IP addresses with SSH open, trying various combinations of usernames and passwords to find an opening.

Time to upgrade my banhammer to permanent. Here’s how to do it – it’s really easy.

First, edit your jail file. Best practice is to use a .local file rather than editing the .conf. Settings in the .local override the corresponding settings in the .conf, so if you only have a couple of settings to tweak, a .local is the way to go. .local files also survive fail2ban updates.

jail.local

bantime = -1

By changing your bantime parameter to -1, the ban becomes permanent. That’s the easy part. What we need to do now is make sure these permanent bans survive fail2ban service restarts (for instance, if you run updates and then reboot your box).

By default, fail2ban’s action is iptables-multiport. There’s an associated configuration file for that in

/action.d/iptables-multiport.conf

Find the block that begins with:

actionstart = <iptables> -N f2b-<name>

There should be three lines there. Add this to the bottom of the block (note the chain fail2ban creates is named f2b-<name>, as the first line of the block shows, so that is the chain the restore loop must insert into):

cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
| while read IP; do iptables -I f2b-<name> 1 -s $IP -j <blocktype>; done

When you’re done the entire block should read:

actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
              cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
              | while read IP; do iptables -I f2b-<name> 1 -s $IP -j <blocktype>; done

Now further down find:

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

add an additional line:

echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans

When you’re done the entire block should read:

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans

Now restart fail2ban:

sudo service fail2ban restart

And you should be good to go! Just this morning I’ve brought the banhammer down on IPs from the Russian Federation, The Netherlands, Islamic Republic of Iran, and China.
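A hardened version of the restore loop that the procedure above puts into actionstart. This is an added example, not from the post or from fail2ban itself: it goes a little beyond the one-liner by matching the jail tag exactly (so jail sshd does not pick up entries for a jail named sshd-ddos), collapsing duplicate entries that pile up when the same address is banned more than once, and refusing to hand anything that is not a plain IPv4 address to iptables. The function names, the fake_iptables stand-in and the sample persistent.bans contents are all constructed for this example.

```shell
# Added example (not from the post): hardened restore of persistent bans.
# IPTABLES can be pointed at a stand-in command to exercise the logic off-box.
IPTABLES="${IPTABLES:-iptables}"

# restore_bans FILE JAIL CHAIN BLOCKTYPE
# Re-inserts each address recorded for JAIL in FILE at the top of CHAIN and
# prints how many rules were inserted.
restore_bans() {
    file=$1; jail=$2; chain=$3; blocktype=$4
    [ -r "$file" ] || { echo 0; return 0; }
    # '$1 == tag' is an exact match, unlike the prefix regex /^fail2ban-<name>/,
    # so jail "sshd" ignores lines tagged "fail2ban-sshd-ddos".
    awk -v tag="fail2ban-$jail" '$1 == tag { print $2 }' "$file" | sort -u | {
        n=0
        while read -r ip; do
            # Only dotted-quad IPv4 is accepted; anything else is skipped.
            echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || continue
            "$IPTABLES" -I "$chain" 1 -s "$ip" -j "$blocktype" && n=$((n + 1))
        done
        echo "$n"
    }
}

# Stand-in for iptables: records its arguments in $IPTABLES_LOG instead of
# touching netfilter, so the restore logic can be checked on any machine.
fake_iptables() {
    printf '%s\n' "$*" >> "${IPTABLES_LOG:?}"
}

# Constructed sample of /etc/fail2ban/persistent.bans (RFC 5737 test addresses):
# a duplicate, an entry from another jail, and a malformed line.
write_sample_bans() {
    cat > "$1" <<'EOF'
fail2ban-sshd 203.0.113.10
fail2ban-sshd 203.0.113.10
fail2ban-sshd-ddos 198.51.100.7
fail2ban-sshd not-an-ip
fail2ban-sshd 203.0.113.22
EOF
}

# Dry run against the sample: sh restore-bans.sh --demo (expects 2 rules).
if [ "${1:-}" = "--demo" ]; then
    bans=$(mktemp); IPTABLES_LOG=$(mktemp); IPTABLES=fake_iptables
    write_sample_bans "$bans"
    echo "restored $(restore_bans "$bans" sshd f2b-sshd REJECT) rule(s):"
    cat "$IPTABLES_LOG"; rm -f "$bans" "$IPTABLES_LOG"
fi
```

To use it for real, drop IPTABLES back to the real binary and call restore_bans from actionstart with the same <name> and <blocktype> tags the post uses.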