Category: Security

How To: Make ‘wget’ Ignore Certificate Errors

In today’s article, we’ll learn how to make ‘wget’ ignore certificate errors. It’s an easy thing to do and can be pretty useful if you want to download stuff from a server with a broken or missing security certificate. It’s a simple process, one which even a new Linux user can follow – but it’s not one that comes up all that often and so it’s worth including here.

I’d like to save some time and not duplicate work, so I’d appreciate it greatly if you at least read the intro section from when I wrote how to make ‘curl’ ignore certificate errors.

That’s right, I’ve already written this article – except it was for ‘curl‘ and not for ‘wget’.  Well, this article is pretty much the same thing, except we’re talking about doing it with ‘wget’. So, read the intro to the curl article and you’ll be up to speed with regards to what a certificate is, why they’re important, and why you might want to ignore certificate errors.

That’ll save some time! Those of you who do not read the ‘curl’ article are on your own. Also, many of my readers will already know about security certificates and won’t need a tutorial or refresher course. 

By the way, we use SSL here on Linux Tips. In fact, we use HSTS Preload, which means it’s hard coded in Chromium browsers (or at least Chrome) and the site will simply refuse to load without a proper certificate. So, there’s that… I take security pretty seriously, something important when you’re using WordPress.

Make ‘wget’ Ignore Certificate Errors:

This article requires ‘wget’ which requires an open terminal. If you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open. If ‘wget’ isn’t installed, install it. I am pretty darned confident that it’s in your default repositories.

If you don’t know, ‘wget’ is used to download stuff from servers – while  you’re using your terminal. It’s a basic concept, but the command can be pretty complicated. After all, there are some pretty complicated site structures out there, and of course your downloading needs will vary.

So, with that said, it’s really easy to do this. You’ll just use the “--no-check-certificate” flag, like so:

But wait, there’s more! You can actually make the ‘wget’ command ignore certificate errors all the time. If this is something you find yourself needing to add this to your ‘wget’ commands often, you can make it permanent. To do that, you just need to edit your ~/.wgetrc file (create it, if it doesn’t exist) with the following:

You won’t have to reload anything, that command should take effect the very next time you use the ‘wget’ command and you should now permanently be ignoring security certificate errors. 

Doing this might actually be a horrible idea. After all, you’re ignoring security warnings. That’s a bit like ignoring a ‘Bridge Closed’ sign and hoping for the best as you gun it to the tune of “Highway To The Danger Zone”. Or, it could be just fine ’cause not everything even needs a security certificate! It’s Linux. You get to decide.

Closure:

Whelp… You have a new article. In this one, I give you what could be horrible advice. You might not want to make ‘wget’ ignore certificate errors. I mean, they are security related. On the other hand, it’s likely just fine – assuming you do some basic verification. Ah well… I ain’t scared and it’s not my computer. I’ll happily teach you how to completely break your system. I ain’t scared.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Bonus Article: KGIII Rants A Little About Security

The below ‘article’ is a rant about security – except it was written while really, really intoxicated. It’s not very good. I can’t even clean it up to make it good – but it does have some good bits scattered throughout and I’m just going to publish this as a ‘BONUS ARTICLE‘. 

Note: I may someday break this article down into bits and pieces, which is the only way I can think of to make it worth reading. At this point, I just don’t want the time to be wasted, so it might as well get published.

After trying to edit it, again while inebriated, I am not sure I can turn this into an article… I’m a bit inebriated. It’s perfectly legal here. I think I can… It’ll need to be pretty simple.

Let’s talk some basics about security!

You know what I get a kick out of? I get a kick out of seeing the people who move to Linux for “privacy reasons”, only to see them log back in to social media/forums to show that they have now moved to Linux.

They’ll login to accounts where they left plenty of personal information.

I’m not sure who they think they’re hiding from, but it’s not good privacy and they’re hiding from nobody important.

Real privacy is difficult, possibly next to impossible.

Seriously… Even the vaunted Tor is generally only as safe as you are smart, and then only on .onion domains. Once you hit the regular web, you’re probably not safe from a nation-state. Here are some theoretical attacks against Tor.

Realistically? How much privacy do you need or want? As you can guess, it’s a spectrum and and there are extremes on either end. There are also the law of diminishing returns on either end of the spectrum.

By the way, privacy is not security. Privacy is just one aspect of security.

So then, what is security?

Let’s start with the basics. For at least ‘good’ physical security, it should be ‘who you are’, ‘something you have’, and ‘something you know’.

For example, the security guard should check your ID to ensure who you are. The ID is something you have. The something you know is a password, a PIN, or a passphrase. That’s the least amount of security you can physically have to be any good.

Then, there are things you can do to improve it, for example. You can make it a rotating passphrase, make the guards work in pairs, require confirmation from someone proven to be in the building at the time, etc… You can do a layered approach where they may need all three of those things to enter yet another section and incorporate a man-trap between them.

Of course, on the other end of the spectrum is anyone and anything gets in and out. We tend to call those public spaces, when anyone can get in and out. As a general rule, you lose some rights to be in the public spaces – among those rights would be some degree of privacy (which will vary per jurisdiction). That’s pretty damned insecure. As far as security (and privacy goes) that’s the opposite.

So, again, there’s this giant spectrum of security. Where you want to be on that line is up to you. I find it’s a judgement call. We’re even willing to give up some privacy to be recognizable on a forum. Some of that lack of privacy is what keeps the forum secure and running smoothly. We give that privacy up because we get something in exchange.

At the same time, we might not want Google knowing everything we’re up to. We may be some dissident trying to reach a journalist to expose human rights violations and be under legitimate threat of death – or worse than death. We all make judgement calls about how much of our information we’re going to share.

And, really, unless you’re at the extremes, life is pretty good. It’s pretty easy to retain a little bit of privacy while participating in an online community. It’s less easy to do so with a typical Facebook account. where you are in some way connected to a more physical you.

Me? Oh, come on… I’ve long-since eaten the Google kool-aid. The ads here are from Google. I use their Analytics to better optimize the site, and all that – and more. Hell, I use Google Chrome and I’m logged in as the same user that does all those other things. I don’t use Gmail very often, so there’s that. I only use one of their accounts and that’s just to service my phone. But, that too is tied to all things Google.

The thing is, I know this. I know the privacy I give away. I made an informed decision to cede that privacy for those benefits. For me, the risks outweigh the benefits and I have a level of trust for Google. 

That’s the right choice – for me. Y’all make your own choices. If you don’t know how to block Analytics (or ads), just go ahead and ask. Just because I use those things doesn’t mean you need to. You’re perfectly free to block anything you want. You’ll still show up and be counted in the raw server logs. I’ll still be able to see what you did on the site. (Don’t worry, I don’t much care – unless you’re harming the site. The site’s security automatically blocks hundreds of requests per day.) But, yeah, I could see your IP address.

Oh, man… Oh no!!! Your IP address?!?

And the things people think about their IP address, as though it’s some great secret. If you really care, use a VPN – but learn what a VPN actually is before buying into the hype. They tout it as some great security (and it actually can be, but not how you’re using it) but it’s not really. Especially if you’re logging into sites like the video site you’re unlocking!

By the way, it’s ‘security’ when you connect to a VPN ’cause a web access point is locked down so that it only takes inputs from one IP address. That’s not how you’re gonna be using your VPN. (Well, you might, if you keep reading these articles.)

No, your IP address isn’t important. There’s no l337 hacker out there that’s just waiting to learn your IP address before he dusts the Cheetos off his shirt and gets to work hacking you. It’s just bots scanning bots at this point and you’re behind a NAT anyhow. Keep your stuff secure, mostly by keeping it off the public internet.

Ah, yes… The MAC address people…

No, you don’t need to change your MAC. The only reason you’d want to do so would be for something local. It’s not hiding you from Google, ’cause it’s only seen at the very first hop in network traffic. Once the packet is beyond that point, it uses its own MAC address. While changing your MAC address is a useful skill (for local “Spoofing” purposes), it’s not gonna make you appear any different to the rest of the web.

Lemme see… 

More security stuff to spew out onto the page?

I’ve been known to say, “Security is a process, not an application.” I’m probably not the first to express it similarly, but it doesn’t make it any less true. It is indeed a process. It starts best with a good plan and deciding where on the spectrum you’d like to be. Be sure to compare that with where on the spectrum you need to be to accomplish your computational goals. Somewhere in the middle is probably gonna be the sweet spot for you.

The thing is, you have to know where you can be on the spectrum involved. You have to know what the extremes are. You have to be aware of what techniques are available and what they really do. You need to be aware of what threats there are and what goals you want to accomplish. ‘Cause the only completely secure computer is one that doesn’t work and you might want to be extra sure by burying it in 25 feet of concrete.

Want some privacy? How about blocking third party cookies and scripting. How about you take a look at browser fingerprinting and deciding where you want to be on that spectrum? In pretty much every OS you can block DNS requests by using  your hosts file. There are even curated lists that you can download and use.

Alright, I wrote this while impaired. I’ll eventually schedule it or delete it. I’ll probably proofread it, maybe trying to make it salvageable, and the likes.

Meh… After reading this sober, I’m just gonna submit it as a bonus article. It’s not very good. I just barely proofread it and it wasn’t nearly as good as it seemed while drunk!

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

How To: Remove AppArmor From Ubuntu

In today’s article, we’re going to learn how to remove AppArmor from Ubuntu. This will work for other distros, like Debian. It’s actually not a very difficult task to remove AppArmor from Ubuntu, but it’s not something you necessarily want to do. Just because you can, doesn’t mean you should…

As many of you know, I write many of these articles based on the notes I’ve taken over the years. I’m a little reluctant to write this one, because removing AppArmor is probably not the best of choices.

AppArmor is similar to the various jails and application isolation techniques. It’s a security tool that restricts applications to a constrained set of resources. If the application is then compromised, it only has access to that set of resources and not to the whole system.

In other words, unless you know what you’re doing, you almost certainly don’t want to remove AppArmor from Ubuntu. In fact, if you don’t know what you’re doing then doing this is almost certainly a ‘not-bright’ choice.

If you’re going to remove AppArmor, you should consider replacing it with something else. SELinux is an option that’s similar, though I suppose you could use something like Firejail and be prepared to craft your own application profiles.

Again, removing AppArmor from Ubuntu (or whatever distro you’re using that has it) is probably not a good idea. I include the article because the information is already out there and because some folks may just decide to operate their system without such protections. This is Linux, you have the freedom to make bad choices. This isn’t even the first time I’ve shown you how to make bad choices.

Remove AppArmor From Ubuntu:

Like oh so many of these articles, you’re gonna need an open terminal. Just press CTRL + ALT + T and your default terminal should open. (I say that a whole lot on this site.)

We should first check to ensure AppArmor exists and is running. To do so, enter the following command:

What you’re looking for is several lines into the output. You’re looking for ‘apparmor module is loaded‘. If you see that, AppArmor both exists and is running. So, the next step in removing AppArmor is to stop the service. You do that with:

In case AppArmor is somehow installed again, we’ll make sure that it won’t start at boot by disabling the service entirely. That seems like a good idea.

Finally, we nuke AppArmor from existence with a purge command:

And that should do it. You probably want to reboot, just to make sure there are no tendrils sticking around – but stopping the service first should mean you don’t need to. Either way, you have now removed AppArmor from your system – assuming you followed the directions.

Closure:

Again, and I can’t stress this enough, don’t do this unless you know what you’re doing and unless you have something to replace AppArmor with. It’s really a bad idea and you’ll gain very little. I wouldn’t even do this with a system air-gapped from the network, unless I had a very good reason to do so.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Stop People From Viewing Files In A Directory With .htaccess

If you have a website, then you will have directories and you might want to stop people from viewing files in a directory. You might want to do this for privacy reasons, or for security reasons. So, if you’re looking to stop people from viewing files in a directory with .htaccess, you’ve come to the right article.

By using the .htaccess method to stop people from viewing files in a directory, people will still be able to see linked files in the directory – they just won’t be able to browse the directory to find unknown files. It’s like the best of both worlds. They can see what you’ve shared, but (unless guessing URLs) can only see what you’ve shared and nothing else.

It’s a handy tool to use and basic security (and privacy) step to prevent snooping around your server – assuming .htaccess is an option. Of course, if you’re just spinning up a quick Python server, it’s not going to be of much help.

Anyhow, this will be a relatively short and easy article, and only applicable to a subset of the site’s visitors. I want to cover more server articles, so we might as well take this one from the previous site and migrate it to this one. 

Stop People From Viewing Files In A Directory:

Open the directory you want to keep private with your favorite FTP client – unless you’re doing this on a local computer. If that’s the case, you can just navigate to the directory.

Create a new file called .htaccess. The ‘.’ is important and mandatory, as it’s a hidden file. If the file already exists, now would be a good time to make a backup.

The permissions for .htaccess should be 644. Your FTP client will let you set permissions. Locally, you can chmod 644 .htaccess and that should work nicely.

Next, you’ll want to edit the .htaccess file with a plain-text editor to add the following line (if the file already exists, be sure to put this on its own line):

Save the .htaccess file. Be sure not to modify any other lines in the process. There’s a whole lot that can be accomplished using .htaccess and it can be pretty complicated.

What this will do is prevent indexing the files in that particular folder. If people try to access the folder directly, they’ll get a 403 forbidden error. At the same time, you can still link directly to files in that folder.

So, let’s say you added the .htaccess to a directory called /tmp. You can still link to, use, and send people to /tmp/picture.jpg like normal, but people won’t be able to browse the directory and find files you don’t want them to see. They won’t be able to browse the directory to see that you’ve also uploaded picture2.jpg to the same directory.

For more information, you can click this. (I wasn’t kidding when I said it could get complicated.)

Closure:

Thanks for reading today’s article. Today, we learned how to stop people from viewing the files in a directory – unless you let them know the URL, of course. It’s a pretty handy skill to have, as is basic editing of the .htaccess file.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Change Ownership Of Files And Folders

Today, we’ll be covering how to change ownership of files and folders. This is a pretty basic task and one every Linux user should know. This needn’t be terribly complicated, so this article will explain all you really need to know about changing ownership of files and folders.

When dealing with file management, permissions are important. It’s a security matter and a usability matter. You can assign various file and folder permissions, such as read and write permissions, a subject for a different article. However, files and folders all should have owners – owners who can do anything they want with the file or folder.

Curiously, your account should not always be the owner. While maybe not all that intuitive, you shouldn’t have ownership of all the files. This is why you have to use elevated permissions to perform certain tasks. This is to keep things segmented and secure.

Remember, Linux is designed to be a multi-user operating system. That’s not just human users, but different processes and applications may also be associated with users. For example, look at all the users on your system by running the following command in your terminal emulator:

You can also see all the groups on your system with this command:

Obviously, if a user is a member of a group they share permissions with that group. Files also only have one owner and one associated group, of course. So, if you want two people to have control over a file, one way to do that would be to make sure they’re both members of the same group. There’s all sorts of creative things you can do with permissions. This article will be covering just one aspect, it’ll be about how you can …

Change Ownership Of Files And Folders:

Like oh so many of these articles, this one requires an open terminal. You can do so using only your keyboard – just press CTRL + ALT + T and your default terminal should open.

Go right ahead and stay in your home directory. You can check the various files and their permissions with the following:

The output of that command will show you the user and group, with the two being listed in that order as in the image below:

ll listing user and groups
See? I even gave you handy arrows. The order is owner:group, to repeat myself.

To change the owner, the format is:

To change the group, the format is:

If you want to recursively take ownership, you need the -R flag. For that, you’d want something that looks a bit like this:

You can actually just use chown to change both the owner and group at the same time. You’ll most often do this with your own user and group, so I’ll show the command that way:

As you can guess, the -R flag will work there and an asterisk will cover all the files and folders within that directory. Obviously, this applies to folders and not to files.

Closure:

There you have it. You have yet another article and this one has hopefully taught you how to change ownership of files and folders. It may not be one of the most interesting articles, but it’s a skill you’ll eventually want to have and another tool for your Linux toolbox. 

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Subscribe To Our Newsletter
Get notified when new articles are published! It's free and I won't send you any spam.
.
Linux Tips
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.