
NoScript Configuration Guide


8 replies to this topic

#1 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 11,755 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:10:46 AM

Posted 01 April 2014 - 08:24 PM

Thanks to Dangertux @ Ubuntu Forums for this.

http://ubuntuforums.org/showthread.php?t=1912426

 

 


DT's NoScript Configuration Guide

This is a quick run-through of configuring NoScript under Firefox. You can get NoScript here : http://noscript.net/getit



Click the NoScript (S) icon next to your URL bar in Firefox and choose "Options".


General Tab

Default Settings are Fine

Whitelist Tab

You should add a list of frequently visited sites that you trust. Please note that whitelisting a site will not stop NoScript from protecting you from XSS/CSRF and ABE violations (we'll explain this more later). You will notice there are already some sites whitelisted for you. If for some reason you do not trust those sites you may highlight them and click "Remove Site" and it will no longer be in the whitelist. You should add trusted top-level sites to make it easier.

Adding a whitelisted site

Simply type the domain of the site into the "Address of Website Bar" and click "Allow" example : http://ubuntuforums.org or ubuntuforums.org

whitelist.png


After you have whitelisted the sites you commonly visit and trust you are done here.

Note : You need to weigh the probability that the site is secure when whitelisting it. For example: http://canonical.com (probably okay), http://superleethackersecrets.ru (probably not so much). Keep in mind this is entirely subjective and unless you plan on running a vulnerability assessment against the site all you can do is trust the administration of that site.

Embeddings Tab

embeddings.png

This is an important tab and we will be modifying the default settings considerably here. Outside of the default settings you probably also want to place a check in the boxes ("Forbid <IFRAME>", "Forbid <FRAME>", "Forbid WebGL", "No placeholder objects from sites marked as untrusted"). Additionally, for ease of use you may wish to choose "Collapse Blocked Objects"; this doesn't add to or detract from security, it just makes sites displaying blocked cross-site content display more clearly.

"Apply these restrictions to Whitelisted Sites" : This should probably be left unchecked unless you are super paranoid and want to break all your favorite sites.

Appearance Tab

This is entirely up to you, and depends on how you want NoScript to display itself. I leave it at default, and will not discuss it further here.

Notifications Tab

This is how noisy NoScript is going to be. It will not change the amount of protection NoScript gives you, however it will tell you when NoScript alerts you or doesn't alert you to different blocked content or actions. The default settings are fine here as well.

Advanced Tab

These are your advanced NoScript options and contain several sub tabs which we will go through now.
Untrusted sub-tab

untrusted.png

For untrusted sites you will wish to place a check in the following boxes ("Forbid bookmarklets", "Forbid META redirections inside <NOSCRIPT> tags").

Trusted sub-tab

The default settings for this sub tab are acceptable so long as you are not "Trusting" sites that should not be trusted, refer to the same procedure as whitelisting.

XSS sub-tab

This tab allows you to configure your cross site scripting protection and whitelisting. It offers the ability for you to enter regular expressions for pattern matching of sites to trust cross site content from. By default the settings in the XSS tab are relatively secure. If you do not know regex I do not suggest attempting to learn here as a typo can lead you from trusting cross-site content from "look alike domains" like fakebook.com as opposed to facebook.com. If you wish to learn about basic regex here is a decent explanation : http://linuxreviews.org/beginner/tao...r_expressions/

HTTPS sub-tab

This subtab allows you to force SSL on certain sites (of your choosing) as well as affect SSL cookie behavior. It has two sub-sub-tabs "Behavior" and "Cookies"

Behavior sub-sub-tab

https.png

I would not recommend using "Force forbid active web content unless it comes from a HTTPS connection" as it will break the vast majority of websites. However, I do recommend forcing HTTPS for sites where you store important information and/or conduct financial transactions. In my example you can see I added my banks and social networking sites. You may type them in the pane, separating them with newlines. When you have done that, move to the "Cookies" sub-sub-tab.

Cookies sub-sub-tab

https2.png

This sub-sub-tab allows you to force cookie encryption over SSL. All major sites should support this functionality, and as you can see from the example I added the same sites that I chose to force SSL for in the previous tab. You add them in the same manner. Once you are done we can move on to the ABE Tab.

ABE Tab

This stands for Application Boundary Enforcement. This is one of the ways NoScript prevents things like NAT pinning and some DNS-based attacks. The default settings are fine, however it's important to understand the major role this plays in your protection. I'm sure many of us know that 192.168.1.1 is a private address, meaning you might find it on your home network, possibly as your router's IP address. That being said, no internet-based host should be sending anything to this address. If it is doing so it is likely attempting to use your machine as a relay to send code to another machine on your network, otherwise known as NAT pinning. That being said, if you are hosting a home server, this may cause issues if you are on the same network with the server, so don't freak out if you get an ABE warning visiting your own website.

External Filters Tab

Again, the default settings here are fine. However, as a brief overview of what this tab does: it allows you to create filters to block certain MIME types. For those who don't know, a MIME type is essentially a file type, like we all know .jpg is an image, or .fmv is a flash movie file. This allows you to set up filters based on those file types, on a site-by-site basis. This allows extremely fine-grained control, so much so that we're not going to cover it here. However, if you would like to experiment I would suggest picking a content-rich site and creating filters one by one to block all the content on the site but the static HTML. That should get you familiar with MIME type blocking.


After you are done configuring NoScript's Options, make sure "Forbid Scripts Globally" is enabled (this will not affect your whitelisted sites). Restart your browser and surf safer.

I guess this could be applied to Firefox on Windows systems too???


Edited by NickAu1, 01 April 2014 - 08:50 PM.
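The look-alike-domain pitfall the XSS sub-tab note warns about, shown as an added Python example (not code from the guide or from NoScript itself); the patterns, sample origins and trusted host are constructed, and the check approximates a regex exception list rather than NoScript's exact matching rules:

```python
import re
from urllib.parse import urlparse

# Constructed patterns: a sloppy exception regex (unescaped dot, no anchors,
# a wildcard where a typo slipped in) and a tightened one for the same site.
LOOSE_PATTERN = r"f.*book.com"
STRICT_PATTERN = r"^https?://([a-z0-9-]+\.)*facebook\.com(/|$)"

# Constructed sample origins, as a request source URL would be matched.
SAMPLE_ORIGINS = [
    "https://www.facebook.com/",
    "https://facebook.com/login",
    "https://fakebook.com/",               # look-alike domain
    "https://facebookxcom.example/",       # unescaped dot matches any character
    "https://facebook.com.evil.example/",  # trusted name used as a subdomain
]


def matched_origins(pattern, origins):
    """Origins an exception regex would exempt from cross-site filtering."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [o for o in origins if rx.search(o)]


def wrongly_exempted(pattern, origins, trusted_host="facebook.com"):
    """Matched origins whose hostname is neither the trusted host nor a subdomain of it."""
    bad = []
    for origin in matched_origins(pattern, origins):
        host = urlparse(origin).hostname or ""
        if host != trusted_host and not host.endswith("." + trusted_host):
            bad.append(origin)
    return bad


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, "wrongly exempts:", wrongly_exempted(pattern, SAMPLE_ORIGINS))
```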
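The boundary the ABE Tab section describes (an internet-based host must not be able to reach addresses like 192.168.1.1 through your browser, while your own LAN still can), written out as an added Python example that is not NoScript's implementation; the LOCAL ranges, sample origins and targets are constructed assumptions:

```python
import ipaddress

# Constructed approximation of ABE's LOCAL scope: loopback, link-local and
# private (RFC 1918 / ULA) ranges. NoScript's own LOCAL definition may differ.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local(addr):
    """True if addr falls inside one of the LOCAL ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def abe_local_decision(origin_ip, target_ip):
    """Boundary rule: a LOCAL target may only be reached from a LOCAL origin.
    Internet targets are outside this rule's scope, so they are accepted here."""
    if not is_local(target_ip):
        return "accept"
    return "accept" if is_local(origin_ip) else "deny"


# Constructed sample requests: (address of the page making the request,
# address it tries to reach). 203.0.113.x stands in for an Internet host.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "192.168.1.1"),   # Internet page poking the home router
    ("192.168.1.20", "192.168.1.1"),   # LAN browser to a home server on the same network
    ("203.0.113.10", "198.51.100.5"),  # ordinary Internet-to-Internet request
    ("203.0.113.10", "127.0.0.1"),     # Internet page reaching for localhost
]


def evaluate(requests):
    """Return (origin, target, decision) for each sample request."""
    return [(o, t, abe_local_decision(o, t)) for o, t in requests]


if __name__ == "__main__":
    for origin, target, decision in evaluate(SAMPLE_REQUESTS):
        print(f"{origin:>14} -> {target:<14} {decision}")
```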



#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:09:46 AM

Posted 01 April 2014 - 09:10 PM

I use it on my Win systems at home, highly rated plugin. It also prevents some 'drive-by' attacks.

 

Great article Nick :thumbup2:



#3 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 6,889 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:06:46 PM

Posted 01 April 2014 - 10:15 PM

NoScript is possibly the #1 security extension of any browser. Though it can be tricky to use at first, after practice, one gets the hang of it.

 

One of its options that I use often is to allow temporary access, that is good only for that session. Good to use if a site is unfamiliar or not often visited.

 

It's updated often & the NoScript page will open when Firefox is launched. For Linux users, this is no issue, but oddly on Windows, if one is running ESET security, a warning will show when this page is displayed. Maybe due to some of the page content, I can't say for sure. However, I & millions of others trust & use the extension; combined with AdBlock Plus, it's a great one-two punch against the bad guys.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:46 PM

Posted 02 April 2014 - 07:10 AM

I received your PM but see TsVk! has already answered your question.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 6,889 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:06:46 PM

Posted 04 April 2014 - 12:33 AM

 

I guess this could be applied to Firefox on Windows systems too???

Yes! I used Firefox on Windows before discovering Linux & NoScript was a highly recommended extension.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#6 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 11,755 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:10:46 AM

Posted 04 April 2014 - 12:44 AM

My NoScript is set up as above and I did the iptables setup, AND yes I installed an Antivirus, plus I did the Bastille thing/audit with a few tweaks (will post that when I'm sure it's all ok). Combined with good surfing habits, AppArmor and a strong root password, I guess I'm as safe as one can be online.



#7 Winterland

Winterland

  • Members
  • 980 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land of Enchantment
  • Local time:04:46 PM

Posted 04 April 2014 - 05:25 AM

omgomgomgomg!

 

I have been looking and reading and looking and reading for something like this for a couple of weeks now.

 

NickAu1 - I'm going to purchase you a beverage!

 

I love NoScript and it's already saved me a couple of times now when I don't surf safe (and I don't, always, mostly, but not always) so this guide is much needed and much appreciated.

 

Cheers!

 

Winterland


Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.


#8 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 11,755 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:10:46 AM

Posted 04 April 2014 - 06:22 PM

@ Winterland

You are welcome.

 

You should also look at this.

 

http://www.bleepingcomputer.com/forums/t/529607/howto-set-up-a-restrictive-firewall-using-iptables-rtfm-friendly/


Edited by NickAu1, 04 April 2014 - 06:23 PM.


#9 Winterland

Winterland

  • Members
  • 980 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land of Enchantment
  • Local time:04:46 PM

Posted 05 April 2014 - 07:28 AM

NickAu1 - you continue to be a wealth of good information, thank you!


Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.




