binaryanomaly Posted August 29, 2016

Hi,

1st question: Is it, from a security point of view, relatively safe to directly expose the listening port to the internet? To my understanding this is necessary if I do not want to use a relay server and all devices are NATed. A VPN would restrict use cases a lot. I do, of course, not expose the Mgmt. UI - not sure how safe that would be at all.

2nd question: Additionally, I was wondering why there is no AppArmor profile installed by default. Wouldn't that be best practice for applications with direct internet exposure?

Thanks,
-b
iswrong Posted August 29, 2016

29 minutes ago, binaryanomaly said:
    Additionally I was wondering why there is no apparmor profile installed by default. Wouldn't that be best practice for applications with direct internet exposure?

I fully agree. Though, I think in practice this could lead to some problems:

- Debian does not run AppArmor by default (only Ubuntu). If the user is not aware of AppArmor, they might have trouble using Bittorrent Sync.
- Bittorrent Sync can also be used as a normal user (there is a systemd unit file for this); this would require different AppArmor profiles.

That said, I use the following profile:

    #include <tunables/global>

    /usr/bin/btsync {
      #include <abstractions/base>
      #include <abstractions/nameservice>

      / r,
      /etc/btsync/config.json r,
      /etc/issue r,
      /etc/passwd mr,
      /home/ r,
      /home/*/ r,
      /home/btsync/ rw,
      /home/btsync/** rw,
      /run/btsync/btsync.pid rwk,
      /sys/devices/** r,
      /tmp/btsync_dumps/ w,
      /var/ r,
      /var/lib/ r,
      /var/lib/btsync/ r,
      /var/lib/btsync/** mrwk,
    }

(I have created the /home/btsync directory to store folders.)
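As an added example (not code from the thread or from Resilio), here is a small audit of the profile posted above: it parses the file rules, resolves AppArmor globbing ('**' crosses directory boundaries, '*' does not), and lists which globs the confined btsync process could write to, and which it could both write and mmap. The sample profile embedded below is copied from the post; the helper names are my own.

```python
import re
# The profile iswrong posted above, embedded here as the input to audit.
PROFILE = """\
#include <tunables/global>
/usr/bin/btsync {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  / r,
  /etc/btsync/config.json r,
  /etc/issue r,
  /etc/passwd mr,
  /home/ r,
  /home/*/ r,
  /home/btsync/ rw,
  /home/btsync/** rw,
  /run/btsync/btsync.pid rwk,
  /sys/devices/** r,
  /tmp/btsync_dumps/ w,
  /var/ r,
  /var/lib/ r,
  /var/lib/btsync/ r,
  /var/lib/btsync/** mrwk,
}
"""

# One file rule: optional 'owner' qualifier, a path glob, permission letters, trailing comma.
RULE_RE = re.compile(r"^(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),$")

def parse_rules(text):
    """(path_glob, perms) per file rule; #include lines and braces are skipped."""
    found = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), set(m.group(2))) for m in found if m]

def glob_to_regex(pattern):
    """AppArmor globbing: '**' crosses '/' boundaries, a single '*' does not."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def allowed(rules, path, perm):
    """True if any rule grants `perm` on `path` (AppArmor rules are additive)."""
    return any(perm in perms and glob_to_regex(g).match(path) for g, perms in rules)

def writable_paths(rules):
    """Globs the confined process may write to: the part of the profile to review first."""
    return sorted(g for g, p in rules if "w" in p)

def map_and_write(rules):
    """Globs that are both writable and mmap-able (m): files the process could write, then map."""
    return sorted(g for g, p in rules if {"m", "w"} <= p)
```

Note that `/home/*/ r` only matches the home directories themselves, not their contents, so a sync folder under another user's home needs its own rule.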
binaryanomaly (Author) Posted August 29, 2016

3 hours ago, iswrong said:
    I fully agree. Though, I think in practice this could lead to some problems: Debian does not run AppArmor by default (only Ubuntu). If the user is not aware of AppArmor, they might have troubles using Bittorrent Sync. Bittorrent Sync can also be used as a normal user (there is a systemd unit file for this), this would require different AppArmor profiles. That said, I use the following profile: (I have created the /home/btsync directory to store folders.)

Thanks @iswrong. I start with your profile for the time being - until we have something from Resilio.

Personally, I think it would make a lot of sense to have a locked-down, secure standard configuration with AppArmor (even if it's only for Ubuntu). People with special needs can always apply special settings, and it makes them think twice. Imho there is value in a secure standard configuration.
iswrong Posted August 30, 2016

Agreed, even if it is in permissive mode by default, with instructions on how to make it enforcing.