BasicSecurity

Differences between revisions 26 and 27
Revision 26 as of 2011-11-05 02:38:19
Size: 19016
Editor: host86-163-226-54
Comment:
Revision 27 as of 2011-11-05 02:39:15
Size: 19038
Editor: host86-163-226-54
Comment:
Deletions are marked like this. Additions are marked like this.
Line 39: Line 39:
*below section edited by haqking, feel free to noob it up if you feel the need* *below section on social engineering edited by haqking, feel free to noob it up if you feel the need*

DRAFT - UNDER CONSTRUCTION

Basic Ubuntu Security Guide, Desktop Edition

Who did we write this for?

Security is a very broad, potentially daunting subject to a new Ubuntu user. It's crazy to think that anyone can boil security down to a list of 7 things. So we didn't even try. Instead, our goal is to present a listing of the most basic security concepts that can be fairly easily implemented while you learn. This guide was inspired and written by several new users of Ubuntu who were very interested in learning how to hack around their brand new Ubuntu operating systems. They were also very interested in not leaving their machines vulnerable as they learned. Therefore, we don't claim to be experts. We were lucky enough to have some security professionals collaborate with us. But we still don't claim that we will reduce your risk to zero. We are presenting a pragmatic approach to security.

This guide is intended for the typical, average home user that is in the process of learning how to use Ubuntu. If you do the following things with your Ubuntu computer, then you are the intended audience:

* surfing the net
* playing games online & off line
* on-line personal banking
* storing documents that could contain a little sensitive information (like name, address, DOB, SSN, etc)
* education or research

This guide is NOT intended for

* People who are using a network server. When you use a server, you must implement different, more comprehensive security measures that we deem beyond “beginner” level. Therefore they are not covered in this guide. If you have a server, then look at the following resources:
** LIST LINKS
**
**

* People who use Ubuntu in their corporate environment. Certain industries must follow certain internet and data storage regulations. Rely on this wiki at your own peril for these uses.

* If you're a home user that is employed by a company, and you occasionally work on company business on your home computer. You should consult with your company's IT department to comply with their security standards.

* This guide is also not intended to replace any existing security information already in existence in the Ubuntu Wikis or stickys in the Ubuntu Forums. There are some great resources there, in fact we've provided links to many right here. Instead think of this guide as a way of bridging the gap to some complex information.

Fallacies

There are common misconceptions in this forum as well as in the world in general:

* Linux is secure out of the box. Kind of. In very general, broad terms, Windows is more targeted than Linux or Mac when it comes to malicious attacks aimed at mass victims. But a determined hacker can just as easily crack a Linux machine as any other. There are known viruses in Linux: https://help.ubuntu.com/community/Linuxvirus and a discussion of vulnerabilities in Ubuntu is here: https://help.ubuntu.com/community/Antivirus

* Enough already. Just tell me which Security Program to install in the Software Center. The typical Windows user mindset is that you just install a security program or two, let it run quietly in the background, and you'll be fine. That's actually not true for Windows and it's not true for Ubuntu either. Security is an active process on all operating systems. There are anti-malware software packages available for Linux. However, they lack some of the more robust features of their Windows counterparts.

* Stealth ports. The reality of this is quite simple. There is no such thing as a "stealth port". Stealth port was a catch phrase coined by Steve Gibson of Gibson Research Corporation. Surely you've heard of Shield's Up? Basically, it was a term he created to explain the difference between a firewall that "rejects" a packet with a response, versus a firewall that silently drops a packet and ignores it. The argument that "stealth" is better than "closed" is an old argument, improved port scanning techology essentially invalidates the argument at this point. Even in its original state "stealth ports" provided security through obscurity. This type of security has its places, but should not be relied upon as comprehensive or indicative of a system's level of security. For more information consult the following resources:
LIST
https://www.grc.com/x/ne.dll?bh0bkyd2 - GRC's "Shields Up"

The Nuts and Bolts of Basic Security

A lot of the following security recommendations are good ideas for any operating system. Because Ubuntu doesn't have a pre-packaged Security Suite, we compiled this list.

Common Sense

Use common sense. A very smart friend of mine once said these words: "Did you go on the Internet to download something? No...Then why are you downloading something?" This applies to all facets of security. Set out with a purpose, if you find yourself veering away from that purpose, ask yourself why and if it's something you should be doing.

Guest Session is a nice Ubuntu tool that can help you manage guest users. It can't be the only tool you use, but a layered approach can work. But if you don't need to allow guests to use your system, why have it installed? Links here

Common sense with proper web browsing plays a big role in securing a desktop. Force https, don't access sensitive information from public wifi. There are tons of simple surfing security guides out there, here are a few:

Who really controls that website? The source (or the host) of this wiki page is "wiki.ubuntu.com". Do we trust that host? What if the host was "www.loadsofviruses.com" - do you still trust that page? In fact, hyperlinks can lie - and I'll prove it! I've provided the website link to www.google.com - but if you click on it, it will take you to www.microsoft.com! Now hover your mouse pointer over that "google" link and look in the corner of your brower. THAT'S the destination of the hyperlink!

Backups It's important to keep regular backups of your data. If it's too valuable to lose, then back it up. If you are prepared to wipe and reinstall with very little notice, then the more secure you are. There are many threads in the Ubuntu Forums that describe problems that would have been avoided with good backup. It is important to make regular backups as well as special backup before certain risky operations like upgrading to a new version, operations on partitions and partition tables, using dd etc. Ubuntu allows you to have security updates installed automatically: https://help.ubuntu.com/community/AutomaticSecurityUpdates

Social Engineering

*below section on social engineering edited by haqking, feel free to noob it up if you feel the need*

Social engineering is a problem. Your network could be as secure as the NSA, but if you tell give an attacker vital information about your network and system configuration, then you've defeated your security. Things to avoid and NOT to divulge about your Ubuntu system:

* Logging in as root. An excellent way to find yourself in deep trouble is to modify permissions and root. Logging in as root means you will be browsing the internet as root, any drive by downloads, malicious scripts can all now execute with root permission, may as well smash your machine with a hammer. Read https://help.ubuntu.com/community/RootSudo

* Don't post the public IP address's of your devices or computers, internal NAT addresses are OK as most people use the same ones and most people know that, the likelihood is that most people reading this have a private NAT address of 192.168.0.x or similar, however do no post Public WAN addresses, or server/router addresses. * And there are tons of things to consider about posting on public forums. As a good gauge, you should consider anything posted in a social network or forum will be seen by good guys and bad guys, too.

* Someone who knows what they're doing can use information you post on various forums to exploit your system. Think about the information you're posting about your computer, your router. Unfortunately we can't tell you what to post and what not to post unless you have some basic knowledge. For instance, it helps if you know the difference between a WAN IP and a LAN IP, and understand NAT routing and Private addresses.
If you'd like to learn more, this is a useful site: http://www.bleepingcomputer.com/tutorials/ip-addresses-explained/

*
We have only covered social engineering as it specifically relates to Ubuntu. However, we encourage you to learn more about general social engineering here: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Know What You Have, Have What You Know

Don't run services you don't need. Do you really need a VOIP phone system? If you do, make sure you understand it and can properly secure it.

Servers: If you don't need an SSH server or VNC server running on your personal computer don't do it. If you don't know what those acronyms are, then you should DEFINITELY not use them until you do some significant research.

Until you do understand how it works, my recommendation would be to not set those things up, and if they are set up by default, disable them. When you're ready to start learning new services like FTP, SSH, VNC, telnet, remote desktop, etc., then consider playing with them in a virtual machine. Ubuntu has Oracle VM Virtual Box right in the Software Center. This can reduce your exposure to security problems you don't know while you learn. Of course it's not fool-proof.

Should we include the following bits?

*I think some of the following is useful, but needs reworded, I just don't know how right now --DT *

-two most common cracks posted on these forums are ssh and vnc, both running with password authentication. Have you installed servers for ssh and vnc? Probably not unless you run Ubuntu Server. Without them your computer is not vulnerable to such attacks. You can check in a terminal window with the following command Code:
which ssh
and instead of Enter press Tab twice and Code:
which vnc
and instead of Enter press Tab twice.
If you get only ssh and vncviewer you have only the client programs. You can login on remote computers with them. If you get a response with several alternatives, for example Code:
ssh ssh-agent ssh-askpass sshd ssh-keygen ssh-vulnkey ssh-add ssh-argv0 ssh-copy-id sshfs ssh-keyscan
and Code:
vnc4-common vnc-java vnc-server vnc-viewer vnstat vnc4server vncserver vncsnapshot vncviewer vnstati
you have the servers installed. But are they running? If you type the following command in the terminal (and press Enter) Code:
ps -au root | grep ssh # the command
and get the following response (mine is running behind a firewall) Code:
873 ? 00:00:00 sshd # the response
then the ssh server is running and similarly for Code:
ps -au root | grep vnc

Strong Credentials

If it takes a password it needs to be a good one. A good password is more than 16 characters containing upper and lower case, numeric, special characters and white space. A bad password is based on a dictionary word, or something like the fact that your eyes are blue or your birth date.) Each system that uses a password should be unique. Make sure you're not reusing your passwords across emails and different social networking sites. If you can use an RSA key for it (eg: SSH) better still.

Use security questions that aren't something like "what color is your house that is shown in your profile picture?"

Learn about how to create a good password here: https://www.grc.com/passwords.htm

This site can give you an idea on how good your password is: https://www.grc.com/haystack.htm

When you are more confident with Ubuntu, we recommend this link for more about passwords: https://help.ubuntu.com/community/StrongPasswords

Encryption

You can encrypt the home folder. Details can be found here: https://help.ubuntu.com/community/EncryptedHome

You can choose to encrypt the disk when installing Ubuntu. More information is here: https://help.ubuntu.com/community/EncryptedFilesystemHowto

Proper Permissions (DAC)

Least privileges, always : Always make sure you are utilizing the least amount of privileges/permissions to do the task necessary. Use only what you need nothing more. This involves learning about DAC and how to use file permissions and non-privileged users (which Ubuntu makes very easy). Learn more here: https://help.ubuntu.com/community/FilePermissions

CAN SOMEONE PROVIDE A LINK FOR DAC?

Updated Services

It's just so easy. Keep your software and operating system up to date. At the very least, install the security updates. Should you automate updates?

Keep your updates , well...updated. This is important, unless you're writing security patches yourself (which you're probably not) this should be way high on your todo list

Strong Service Configurations

  • (recheck credentials as you add users for these services as well as DAC)

Firewall creation and maintenance

There is a lot of existing information about firewalls. There is also a long-term raging debate on the need of a firewall on Ubuntu. We recommend you enable it. Use your firewall PROPERLY. Don't set it and forget it, learn how it works, set decent rules. It takes 5 minutes to configure UFW/GUFW to tell iptables to enforce pretty decent inbound and outbound rules. Maybe 10 minutes if it's the first time you've done it.

Here are some links:

Application Level Firewall Creation and Mandatory Access Controls

Explain the difference between this and the previous header.

Apparmor Additionally we can strengthen this with things like Apparmor, which I do recommend learning. The learning curve is pretty steep but take a few hours to educate yourself on it now, it is a great asset.

Here is a tutorial on Apparmor http://ubuntuforums.org/showthread.php?t=1008906

Add-Ons Ubuntu comes preloaded with Firefox, so we will focus our discussion there. We recommend you use browser add-ons like NoScript and Ad blocking. It can't emphasized enough. Browser exploits get a lot of people, usually people who think they're perfectly fine because they run Linux/Mac OSX/Something else other than Windows. This is where 90% of home users who aren't running a server of some kind get in trouble.

Learn about Firefox and add-ons here: https://help.ubuntu.com/community/Firefox

Network security

There is a lot to say on this topic. We'll boil it down to some highlights to consider, we encourage you to do more research.

Router security: uPNP can be exploited through a router. Turn it off by changing your router settings. *note on UPNP : this needs reworded UPNP isn't necessarily exploited, as the way it works allows an attacker to automatically port forward if a machine inside the network is compromised*



Repeating all of the above on each system

Be consistent, if you do these things with your desktop Ubuntu system you will find it is actually pretty secure. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles whatever. Your network's security is only as strong as the weakest link. Once an attacker gains a foothold in a network, whether it's in a DMZ or behind a firewall compromising the rest of the network becomes MUCH easier.

If you have two computers running Ubuntu, then repeat this process on both computers. If you've got one computer partitioned, then secure all partitions.

Strengthening configurations and credentials on network devices

When you connect printers, phones, consoles, routers to your network. Do you have a networked printer? If yes, do you need one? If the printer doesn't need to be on the network, then don't put it there. From an introductory security perspective, this is the first thing to consider about almost any device (printer, scanner, router). Don't broadcast your wifi signal when you're not using it. Gives the bad guys less time to crack it. Make sure they're powered off completely when you don't need them. Some devices don't seem to want to do that, so they need to be unplugged.

An attacker can utilize a device such as a printer to gain access to an entire network.

Wireless Security

*This is good stuff - but I think it may be outside the scope of this discussion what do you guys think? Is this Ubuntu Desktop security or Home Network Security with Ubuntu machines running on the network? --DT* Turn it off when you're not surfing. If you use Wireless access. Make sure you're using STRONG encryption, not WEP but WPA/WPA2 with a GOOD passphrase use all 63 characters, you only have to type it once anyway.

Basic wireless security dictates at the minimum you:

* use Strong Admin Password
* Strong User Password (if your router supports it)
* Disable UPNP
* Disable WPM (if you don't need it)
* Locate the router so the signal isn't ridiculously strong outside of your house.
* Enable Logging in to the router only over HTTPS (if it supports this)
* Disable remote administration (administration from the outside world , defaulted to port 8080 usually)
* Disable the telnet server if it has one
* Disable the TFTP server if it has one.
* You can toss in MAC address filtering, but it's really a waste of time.

Additional Resources That We Think Are Cool

www.navigators.com- MrLeek do you want to put a blub here?

http://ubuntuforums.org/showthread.php?t=510812 – a guide to security on Ubuntu. As a new user, some of the information in this thread may be daunting with a steep learning curve. But if you're serious about securing your system, then this is an excellent resource.

Acknowledgements

This Wiki was birthed on the Ubuntu Forums by MrLeek and ms-daisy99. Contributions came from Dangertux, OpSecShellShock, Haqking, Thewhistlingwind, dFlyer, vasa1, Olle Wiklund, CharlesA,

BasicSecurity (last edited 2012-12-28 10:50:07 by host86-182-68-148)