BasicSecurity

Differences between revisions 28 and 121 (spanning 93 versions)
Revision 28 as of 2011-11-05 02:41:18
Size: 19050
Editor: host86-163-226-54
Comment:
Revision 121 as of 2012-12-28 10:50:07
Size: 24152
Editor: host86-182-68-148
Comment:
Line 1: Line 1:
= DRAFT - UNDER CONSTRUCTION = ||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<TableOfContents(3)>>||
Line 3: Line 3:
== Who did we write this for? ==
Security is a very broad, potentially daunting subject to a new Ubuntu user. It's crazy to think that anyone can boil security down to a list of 7 things. So we didn't even try. Instead, our goal is to present a listing of the most basic security concepts that can be fairly easily implemented while you learn. This guide was inspired and written by several new users of Ubuntu who were very interested in learning how to hack around their brand new Ubuntu operating systems. They were also very interested in not leaving their machines vulnerable as they learned. Therefore, we don't claim to be experts. We were lucky enough to have some security professionals collaborate with us. But we still don't claim that we will reduce your risk to zero. We are presenting a pragmatic approach to security.<<BR>><<BR>>
This guide is intended for the typical, average home user that is in the process of learning how to use Ubuntu. If you do the following things with your Ubuntu computer, then you are the intended audience: <<BR>><<BR>>
* surfing the net<<BR>>
* playing games online & off line<<BR>>
* on-line personal banking<<BR>>
* storing documents that could contain a little sensitive information (like name, address, DOB, SSN, etc)<<BR>>
* education or research<<BR>> <<BR>>
This guide is NOT intended for<<BR>> <<BR>>
* People who are using a network server. When you use a server, you must implement different, more comprehensive security measures that we deem beyond “beginner” level. Therefore they are not covered in this guide. If you have a server, then look at the following resources:<<BR>>
** LIST LINKS<<BR>>
** <<BR>>
** <<BR>><<BR>>
* People who use Ubuntu in their corporate environment. Certain industries must follow certain internet and data storage regulations. Rely on this wiki at your own peril for these uses.<<BR>><<BR>>
* If you're a home user that is employed by a company, and you occasionally work on company business on your home computer. You should consult with your company's IT department to comply with their security standards.<<BR>> <<BR>>
* This guide is also not intended to replace any existing security information already in existence in the Ubuntu Wikis or stickys in the [[ubuntuforums.org | Ubuntu Forums]]. There are some great resources there, in fact we've provided links to many right here. Instead think of this guide as a way of bridging the gap to some complex information.<<BR>><<BR>>
== Who Did We Write This For? ==
Security is a very broad, potentially daunting subject to a new Ubuntu user. It's crazy to think that anyone can boil security down to a list of 7 things. So we didn't even try. Instead, our goal is to present a listing of the most basic security concepts that can be fairly easily implemented while you learn. This guide was inspired and written by several new users of Ubuntu who were very interested in learning how to hack around their brand new Ubuntu operating systems. We were lucky enough to have some security professionals collaborate with us. But we still don't claim that we will reduce your risk to zero. We are presenting a pragmatic approach to security.<<BR>>
Line 20: Line 6:
== Fallacies ==
There are common misconceptions in this forum as well as in the world in general:<<BR>> <<BR>>
* '''Linux is secure out of the box.''' Kind of. In very general, broad terms, Windows is more targeted than Linux or Mac when it comes to malicious attacks aimed at mass victims. But a determined hacker can just as easily crack a Linux machine as any other. There are known viruses in Linux: https://help.ubuntu.com/community/Linuxvirus and a discussion of vulnerabilities in Ubuntu is here: https://help.ubuntu.com/community/Antivirus <<BR>><<BR>>
* '''Enough already. Just tell me which Security Program to install in the Software Center.''' The typical Windows user mindset is that you just install a security program or two, let it run quietly in the background, and you'll be fine. That's actually not true for Windows and it's not true for Ubuntu either. Security is an active process on all operating systems. There are anti-malware software packages available for Linux. However, they lack some of the more robust features of their Windows counterparts.<<BR>><<BR>>
* '''Stealth ports.''' The reality of this is quite simple. There is no such thing as a "stealth port". Stealth port was a catch phrase coined by Steve Gibson of Gibson Research Corporation. Surely you've heard of Shield's Up? Basically, it was a term he created to explain the difference between a firewall that "rejects" a packet with a response, versus a firewall that silently drops a packet and ignores it. The argument that "stealth" is better than "closed" is an old argument, improved port scanning techology essentially invalidates the argument at this point. Even in its original state "stealth ports" provided security through obscurity. This type of security has its places, but should not be relied upon as comprehensive or indicative of a system's level of security. For more information consult the following resources: <<BR>>
LIST<<BR>>
https://www.grc.com/x/ne.dll?bh0bkyd2 - GRC's "Shields Up"
This guide is intended for the typical, average home user that is in the process of learning how to use Ubuntu. So if you just surf the net, play games (on-line & off-line), do on-line banking, education...then you are the intended audience. However if you are running a network server (especially one that is accessed via the Internet) or if you use Ubuntu in your corporate environment (or simply work from home) then the advice you need is more specialized and beyond the scope of this guide. If you don't know whether you are running a server or not, then [[http://ubuntuforums.org/showpost.php?p=11416478&postcount=4|read this]]. <<BR>><<BR>>
-----

= The most basic set of rules =
If you're a simple desktop user who only uses his computer for the most ordinary things, then this is the basic rule set:<<BR>>
1. immediately install security updates when you're notified;<<BR>>
2. do not install antivirus, as you *really* don't need it in Linux;unless you share files with Windows<<BR>>
3. enable the firewall (sudo ufw enable) without further tweaks;<<BR>>
4. stick to the official repo's as much as possible, and only deviate from them when strictly necessary and with much caution;<<BR>>
5. keep Java (both openJDK and Oracle Java) disabled by default in your browser, and only enable it when needed;<<BR>>
6. use Wine with caution;<<BR>>
7. and most important of all: use your common sense. The biggest security threat is generally found between keyboard and chair.<<BR>>
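
Review bot: Rule 2 of the basic rule set reads "do not install antivirus, as you *really* don't need it in Linux;unless you share files with Windows": the exception is tacked on after a semicolon with no space, and *really* is not the emphasis markup this page uses elsewhere ('''...'''), so the asterisks will show up literally. Suggest "2. do not install antivirus unless you share files with Windows; you don't need it on Linux otherwise". The flat wording also disagrees in tone with the more qualified anti-virus Myth/Reality bullet later in this revision, so the two passages should be brought into line.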
Line 28: Line 19:
== The Nuts and Bolts of Basic Security ==
A lot of the following security recommendations are good ideas for any operating system. Because Ubuntu doesn't have a pre-packaged Security Suite, we compiled this list.<<BR>>
=== Common Sense ===
Use common sense. A very smart friend of mine once said these words: "Did you go on the Internet to download something? No...Then why are you downloading something?" This applies to all facets of security. Set out with a purpose, if you find yourself veering away from that purpose, ask yourself why and if it's something you should be doing.<<BR>><<BR>>
Guest Session is a nice Ubuntu tool that can help you manage guest users. It can't be the only tool you use, but a layered approach can work. But if you don't need to allow guests to use your system, why have it installed? Links here<<BR>><<BR>>
Common sense with proper web browsing plays a big role in securing a desktop. Force https, don't access sensitive information from public wifi. There are tons of simple surfing security guides out there, here are a few:<<BR>><<BR>>
'''Who really controls that website?''' The source (or the host) of this wiki page is "wiki.ubuntu.com". Do we trust that host? What if the host was "www.loadsofviruses.com" - do you still trust that page? In fact, hyperlinks can lie - and I'll prove it! I've provided the website link to www.google.com - but if you click on it, it will take you to www.microsoft.com! Now hover your mouse pointer over that "google" link and look in the corner of your brower. THAT'S the destination of the hyperlink!
If you have higher security needs, then read on.
Line 36: Line 21:
'''Backups''' It's important to keep regular backups of your data. If it's too valuable to lose, then back it up. If you are prepared to wipe and reinstall with very little notice, then the more secure you are. There are many threads in the Ubuntu Forums that describe problems that would have been avoided with good backup. It is important to make regular backups as well as special backup before certain risky operations like upgrading to a new version, operations on partitions and partition tables, using dd etc. Ubuntu allows you to have security updates installed automatically: https://help.ubuntu.com/community/AutomaticSecurityUpdates <<BR>><<BR>>
=== Social Engineering ===
= Security Tools and Concepts That Are Easy to Use =
Line 39: Line 23:
*below section on social engineering edited by haqking, feel free to noob it up if you feel the need* In order to simplify the very complex world of security, we have broken it down into two sections. In this first section, we will discuss security tools in Ubuntu that you can configure and (once configured) require little interaction. We will also discuss general security concepts that are easy to implement into your daily computer use. There is a lot of existing security information already in existence in the Ubuntu Wikis and stickies in the [[ubuntuforums.org | Ubuntu Forums]]. There are some great resources there, in fact [[http://ubuntuforums.org/showthread.php?t=510812|one of the best guides is linked here]]. But a lot of that material will seem complex to the new Ubuntu user - so the goal of this guide was to take the existing material and simplify it, making it possible to bridge the gap.<<BR>><<BR>>
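
Review bot: The link [[ubuntuforums.org | Ubuntu Forums]] in this paragraph has no URL scheme, so the wiki will resolve ubuntuforums.org as a local page name instead of the external site. The guide link later in the same paragraph uses http://ubuntuforums.org/..., so write this one as [[http://ubuntuforums.org|Ubuntu Forums]] to match.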
Line 41: Line 25:
Social engineering is a problem. Your network could be as secure as the NSA, but if you tell give an attacker vital information about your network and system configuration, then you've defeated your security. Things to avoid and NOT to divulge about your Ubuntu system:<<BR>><<BR>>
* Logging in as root. An excellent way to find yourself in deep trouble is to modify permissions and root. Logging in as root means you will be browsing the internet as root, any drive by downloads, malicious scripts can all now execute with root permission, may as well smash your machine with a hammer. Read https://help.ubuntu.com/community/RootSudo <<BR>><<BR>>
* Don't post the public IP address's of your devices or computers, internal NAT addresses are OK as most people use the same ones and most people know that, the likelihood is that most people reading this have a private NAT address of 192.168.0.x or similar, however do no post Public WAN addresses, or server/router addresses.<<BR>><<BR>>
* And there are tons of things to consider about posting on public forums. As a good gauge, you should consider anything posted in a social network or forum will be seen by good guys and bad guys, too.<<BR>><<BR>>
* Someone who knows what they're doing can use information you post on various forums to exploit your system. Think about the information you're posting about your computer, your router. Unfortunately we can't tell you what to post and what not to post unless you have some basic knowledge. For instance, it helps if you know the difference between a WAN IP and a LAN IP, and understand NAT routing and Private addresses. <<BR>> If you'd like to learn more, this is a useful site: http://www.bleepingcomputer.com/tutorials/ip-addresses-explained/ <<BR>><<BR>>
* <<BR>>
We have only covered social engineering as it specifically relates to Ubuntu. However, we encourage you to learn more about general social engineering here: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics <<BR>>
<<BR>>
=== Know What You Have, Have What You Know ===
Don't run services you don't need. Do you really need a VOIP phone system? If you do, make sure you understand it and can properly secure it. <<BR>> <<BR>>
'''Servers''': If you don't need an SSH server or VNC server running on your personal computer don't do it. If you don't know what those acronyms are, then you should DEFINITELY not use them until you do some significant research. <<BR>><<BR>>
Until you do understand how it works, my recommendation would be to not set those things up, and if they are set up by default, disable them. When you're ready to start learning new services like FTP, SSH, VNC, telnet, remote desktop, etc., then consider playing with them in a virtual machine. Ubuntu has Oracle VM Virtual Box right in the Software Center. This can reduce your exposure to security problems you don't know while you learn. Of course it's not fool-proof.<<BR>><<BR>>
__Should we include the following bits?__<<BR>><<BR>>
== Your Tolerance for Risk ==
Line 55: Line 27:
*I think some of the following is useful, but needs reworded, I just don't know how right now --DT * We've all heard the argument that if you make a system secure, you also hinder access, create obstacles, and complicate use. '''It is up to the individual user to determine what his tolerance for risk is.''' This Wiki will outline vectors of potential vulnerabilities in your Ubuntu system, and you can evaluate them and determine how those risks relate to your personal situation. <<BR>><<BR>>
Line 57: Line 29:
-two most common cracks posted on these forums are ssh and vnc, both running with password authentication. Have you installed servers for ssh and vnc? Probably not unless you run Ubuntu Server. Without them your computer is not vulnerable to such attacks. You can check in a terminal window with the following command Code: <<BR>>
which ssh <<BR>>
and instead of Enter press Tab twice and Code: <<BR>>
which vnc <<BR>>
and instead of Enter press Tab twice. <<BR>>
If you get only ssh and vncviewer you have only the client programs. You can login on remote computers with them. If you get a response with several alternatives, for example Code: <<BR>>
ssh ssh-agent ssh-askpass sshd ssh-keygen ssh-vulnkey ssh-add ssh-argv0 ssh-copy-id sshfs ssh-keyscan <<BR>>
and Code: <<BR>>
vnc4-common vnc-java vnc-server vnc-viewer vnstat vnc4server vncserver vncsnapshot vncviewer vnstati <<BR>>
you have the servers installed. But are they running? If you type the following command in the terminal (and press Enter) Code: <<BR>>
ps -au root | grep ssh # the command <<BR>>
and get the following response (mine is running behind a firewall) Code: <<BR>>
873 ? 00:00:00 sshd # the response <<BR>>
then the ssh server is running and similarly for Code: <<BR>>
ps -au root | grep vnc <<BR>>
=== Strong Credentials ===
If it takes a password it needs to be a good one. A good password is more than 16 characters containing upper and lower case, numeric, special characters and white space. A bad password is based on a dictionary word, or something like the fact that your eyes are blue or your birth date.) Each system that uses a password should be unique. Make sure you're not reusing your passwords across emails and different social networking sites. If you can use an RSA key for it (eg: SSH) better still. <<BR>><<BR>>
Use security questions that aren't something like "what color is your house that is shown in your profile picture?" <<BR>><<BR>>
Learn about how to create a good password here: https://www.grc.com/passwords.htm <<BR>><<BR>>
This site can give you an idea on how good your password is: https://www.grc.com/haystack.htm <<BR>><<BR>>
When you are more confident with Ubuntu, we recommend this link for more about passwords: https://help.ubuntu.com/community/StrongPasswords <<BR>>
=== Encryption ===
You can encrypt the home folder. Details can be found here: https://help.ubuntu.com/community/EncryptedHome <<BR>><<BR>>
You can choose to encrypt the disk when installing Ubuntu. More information is here: https://help.ubuntu.com/community/EncryptedFilesystemHowto <<BR>><<BR>>
== Linux Vulnerabilities ==
 
The majority of new users are coming from Windows environments, where security focuses mostly on anti-virus software. To understand security on Ubuntu, you must shift your thinking from this point of view. In the following bullets, we're going to analyze what threats actually effect you as a Ubuntu user.
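
Review bot: In the Linux Vulnerabilities introduction, "what threats actually effect you as a Ubuntu user" should read "which threats actually affect you as an Ubuntu user". The sentence also promises an analysis of threats "in the following bullets", while the bullets that follow are Myth/Reality pairs; say so in the introduction so the reader knows what format to expect.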
Line 82: Line 33:
=== Proper Permissions (DAC) ===
Least privileges, always : Always make sure you are utilizing the least amount of privileges/permissions to do the task necessary. Use only what you need nothing more. This involves learning about DAC and how to use file permissions and non-privileged users (which Ubuntu makes very easy). Learn more here: https://help.ubuntu.com/community/FilePermissions <<BR>><<BR>>
'''CAN SOMEONE PROVIDE A LINK FOR DAC?''' <<BR>><<BR>>
=== Updated Services ===
It's just so easy. Keep your software and operating system up to date. At the very least, install the security updates. Should you automate updates? <<BR>><<BR>>
Keep your updates , well...updated. This is important, unless you're writing security patches yourself (which you're probably not) this should be way high on your todo list<<BR>><<BR>>
=== Strong Service Configurations ===
 (recheck credentials as you add users for these services as well as DAC)<<BR>><<BR>>
=== Firewall creation and maintenance ===
There is a lot of existing information about firewalls. There is also a long-term raging debate on the need of a firewall on Ubuntu. We recommend you enable it. Use your firewall PROPERLY. Don't set it and forget it, learn how it works, set decent rules. It takes 5 minutes to configure UFW/GUFW to tell iptables to enforce pretty decent inbound and outbound rules. Maybe 10 minutes if it's the first time you've done it.<<BR>><<BR>>
Here are some links:<<BR>>
 http://ubuntuforums.org/showthread.php?t=1871177 <<BR>>
=== Application Level Firewall Creation and Mandatory Access Controls ===
Explain the difference between this and the previous header.<<BR>><<BR>>
'''Apparmor''' Additionally we can strengthen this with things like Apparmor, which I do recommend learning. The learning curve is pretty steep but take a few hours to educate yourself on it now, it is a great asset. <<BR>><<BR>> Here is a tutorial on Apparmor http://ubuntuforums.org/showthread.php?t=1008906 <<BR>><<BR>>
'''Add-Ons''' Ubuntu comes preloaded with Firefox, so we will focus our discussion there. We recommend you use browser add-ons like NoScript and Ad blocking. It can't emphasized enough. Browser exploits get a lot of people, usually people who think they're perfectly fine because they run Linux/Mac OSX/Something else other than Windows. This is where 90% of home users who aren't running a server of some kind get in trouble.<<BR>><<BR>>
Learn about Firefox and add-ons here: https://help.ubuntu.com/community/Firefox <<BR>><<BR>>
=== Network security ===
There is a lot to say on this topic. We'll boil it down to some highlights to consider, we encourage you to do more research.<<BR>><<BR>>
'''Router security''': uPNP can be exploited through a router. Turn it off by changing your router settings.
*note on UPNP : this needs reworded UPNP isn't necessarily exploited, as the way it works allows an attacker to automatically port forward if a machine inside the network is compromised*
 * '''Myth''': If I install an anti-virus program I'll be fine.<<BR>>
Line 104: Line 35:
<<BR>><<BR>>  * '''Reality''': At the time of writing, there are no known viruses on the big bad web designed to target Linux. A few targeting Windows can execute in a manner that could allow compromise of a Linux system via an interpreter layer like [[https://help.ubuntu.com/community/Wine|Wine]]. Very few people recommend existing anti-virus software for Linux machines, in part because there are few decent free anti-malware solutions available. Enterprise class solutions are good, but the consumer-grade products aren't on par with their Windows counterparts enough to warrant their use. Moreover, if you focus entirely on viruses then you are ignoring the vast majority of real threats to your Ubuntu machine. <<BR>>
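
Review bot: The Reality bullet opens with "there are no known viruses on the big bad web designed to target Linux", an absolute and unsourced claim that contradicts the Fallacies text elsewhere in this diff, which says "There are known viruses in Linux" and links https://help.ubuntu.com/community/Linuxvirus. Keep that link and state that Linux malware exists but is rare on home desktops, or cite a source for the stronger claim. The same bullet goes on to say Windows malware can reach the system through Wine, so the opening sentence needs the qualifier in any case.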
Line 106: Line 37:
=== Repeating all of the above on each system ===
Be consistent, if you do these things with your desktop Ubuntu system you will find it is actually pretty secure. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles whatever. Your network's security is only as strong as the weakest link. Once an attacker gains a foothold in a network, whether it's in a DMZ or behind a firewall compromising the rest of the network becomes MUCH easier.<<BR>><<BR>>
If you have two computers running Ubuntu, then repeat this process on both computers. If you've got one computer partitioned, then secure all partitions.<<BR>><<BR>>
=== Strengthening configurations and credentials on network devices ===
When you connect printers, phones, consoles, routers to your network. Do you have a networked printer? If yes, do you need one? If the printer doesn't need to be on the network, then don't put it there. From an introductory security perspective, this is the first thing to consider about almost any device (printer, scanner, router). Don't broadcast your wifi signal when you're not using it. Gives the bad guys less time to crack it. Make sure they're powered off completely when you don't need them. Some devices don't seem to want to do that, so they need to be unplugged.<<BR>><<BR>>
An attacker can utilize a device such as a printer to gain access to an entire network. <<BR>><<BR>>
=== Wireless Security ===
*This is good stuff - but I think it may be outside the scope of this discussion what do you guys think? Is this Ubuntu Desktop security or Home Network Security with Ubuntu machines running on the network? --DT*
Turn it off when you're not surfing. If you use Wireless access. Make sure you're using STRONG encryption, not WEP but WPA/WPA2 with a GOOD passphrase use all 63 characters, you only have to type it once anyway. <<BR>><<BR>>
Basic wireless security dictates at the minimum you:<<BR>><<BR>>
 * '''Myth''': Security through obscurity keeps me safe.<<BR>>
Line 117: Line 39:
* use Strong Admin Password<<BR>>
* Strong User Password (if your router supports it)<<BR>>
* Disable UPNP<<BR>>
* Disable WPM (if you don't need it)<<BR>>
* Locate the router so the signal isn't ridiculously strong outside of your house.<<BR>>
* Enable Logging in to the router only over HTTPS (if it supports this)<<BR>>
* Disable remote administration (administration from the outside world , defaulted to port 8080 usually)<<BR>>
* Disable the telnet server if it has one<<BR>>
* Disable the TFTP server if it has one.<<BR>>
* You can toss in MAC address filtering, but it's really a waste of time. <<BR>>
== Additional Resources That We Think Are Cool ==
www.navigators.com- __MrLeek do you want to put a blub here?__<<BR>><<BR>>
http://ubuntuforums.org/showthread.php?t=510812 – a guide to security on Ubuntu. As a new user, some of the information in this thread may be daunting with a steep learning curve. But if you're serious about securing your system, then this is an excellent resource.<<BR>><<BR>>
 * '''Reality''': It's a favoured argument from Linux supporters, but Linux/Ubuntu is not that obscure to “crackers”. They may be obscure to you or your friends, however, there are many who know how to exploit Linux vulnerabilities just as easy as Windows, Mac OSX, Solaris, AIX, or any other operating system's vulnerabilities. The best defence is knowledge and preparation. Relying on an “obscure” operating system to hide behind is NOT a good strategy.<<BR>>
Line 131: Line 41:
== Acknowledgements ==
This Wiki was birthed on the Ubuntu Forums by MrLeek and ms-daisy99. Contributions came from Dangertux, OpSecShellShock, Haqking, Thewhistlingwind, dFlyer, vasa1, Olle Wiklund, CharlesA,
 * '''Myth''': I can browse however I want to because malware on the web is mostly designed for Windows.<<BR>>

 * '''Reality''': While the majority of malware does target Windows, this statement overlooks the fact that an entire spectrum of web based attack vectors exist that work on '''any''' operating system. Cross Site Scripting, Cross Site Request Forgery, Click-Jacking, Session Riding, and many other methods can be used to exploit weaknesses in a relationship of trust between you and a website, or a website and you, regardless of your operating system. For things like this we have browser add-ons which will be discussed in the browser security section.<<BR>>

 * '''Myth''': I don't need to use fancy browser add-ons when using public access wifi because I use Ubuntu.<<BR>>

 * '''Reality''': An absurd statement. Most attacks carried out on public wifi include several varieties of [[http://en.wikipedia.org/wiki/Man-in-the-middle_attack|man in the middle attacks]]. If you want to utilize public wifi, it is highly discouraged to do anything more than trivial in nature with it unless you are an advanced user and you know how to set up a [[http://www.howstuffworks.com/vpn.htm|virtual private network (VPN)]], a [[https://help.ubuntu.com/community/SSH_VPN|VPN via Secure Shell (SSH)]], or use [[http://searchsecurity.techtarget.com/definition/Secure-Sockets-Layer-SSL|Secure Sockets Layer (SSL)]] in conjunction with SSLstrip.<<BR>>

 * '''Myth''': I don't need a firewall because Ubuntu has no open ports by default.<<BR>>

 * '''Reality''': This is a matter of risk tolerance. Added protection, particularly that which takes only a few minutes to set up, is always worth it. Firewalls are discussed in more depth later in this document. <<BR>>

 * '''Myth''': Windows malware can not compromise Ubuntu.<<BR>>

 * '''Reality''': Ubuntu CAN be compromised by Windows malware if you're using [[https://help.ubuntu.com/community/Wine|Wine]]. This is not to say that Windows malware can infect a Linux system directly, however it CAN, if targeted properly, utilize the Wine interpreter to send system calls to the Linux kernel. This is a very rare case, and it is highly unlikely that it would occur as it would be a very targeted attack. But for completeness sake we should mention that it CAN happen. <<BR>>

 * '''Myth''': Ubuntu is harder to exploit than Windows, Mac OSX, whatever else - and it's targeted less than those other operating systems as well.<<BR>>

 * '''Reality''': The process of discovering a vulnerability and exploiting it is pretty much the same across the board, regardless of operating system. <<BR>>

These are just some common myths associated with Ubuntu and security. This list is not comprehensive, but it covers the largest misconceptions held by new users. This does not mean that Ubuntu is inherently insecure, or is less secure than previous versions, or is more/less secure than any other operating system. It is just an effort to dispel common myths and get the reader (you) thinking in a positive direction toward improving their system's security posture. If you follow the steps in this Wiki, you will have a decent defense built to protect your machine from viruses as well as the other more pressing threats out there.<<BR>>

And of course, we'd be remiss not to mention social engineering. What information you're putting into public view? Do you know who you're giving valuable information to? [[http://searchsecurity.techtarget.com/definition/social-engineering|Social engineering]] is important to understand but beyond the scope of this Wiki.<<BR>>

== Backups ==

Reinstalling an operating system again after it corrupts is annoying. But losing valuable personal pictures, letters, emails... these are priceless and cannot be replaced. If you are prepared to wipe and reinstall with very little notice, then you are far more secure. Moreover, there are many threads in the Ubuntu Forums that describe problems that would have been avoided if the user had [[https://help.ubuntu.com/community/BackupYourSystem|made good backups]]. It is important to make special backups before certain risky operations like upgrading to a new version, operations on partitions and partition tables, using dd, etc. Finally, if you're concerned that your computer has been infected or "cracked," then you can restore Ubuntu to a known previously good state. <<BR>>

To quote the introduction of [[https://help.ubuntu.com/community/DuplicityBackupHowto|Duplicity Backup]], "There are many different applications that are available to backup Ubuntu. Each one has its strengths and weaknesses. Some are made for enterprise environments where it is necessary to back up many computers quickly and efficiently. Others are made for home environments and come with a simple wizard-driven GUI or command line interface...Each application can backup to one or many DVDs, CDs, disk drives, and other media or may not backup to one or more of those things. As varied as these programs are, so are the needs of the individuals who use them." [[https://help.ubuntu.com/community/jmburgess/Backup|This link]] can help you decide where to backup your data, what to backup, and when. <<BR>><<BR>>


== It All Starts With a Good Password ==
 
Obviously if an attacker doesn't have your password, then it's harder for him to make changes on your machine. A strong unique password for each account is best - consider using a password safe (but remember that that password MUST be a good one!) [[http://www.cs.umd.edu/faq/Passwords.shtml|Read this discussion]] regarding the process of choosing a good password. <<BR>><<BR>>


== Know What Sudo is Doing ==
 
If you're following a set of instructions and you're about to type in sudo, ask yourself "Do I REALLY know what this command is about to do?" If you can't explain it to your grandmother, then you don't know what's going to happen. Related to that - if you get asked for your password, make sure you know what you've just done to trigger that response. The system is trying to protect you. Here is an [[https://help.ubuntu.com/community/RootSudo|explaination of sudo]] <<BR>><<BR>>

== Don't Log in as Root ==
 
An excellent way to find yourself in deep trouble is to modify permissions as root. Logging in as root means you will be browsing the Internet as root, drive by downloads (downloads that you did not authorize or that you authorized but did not realize the consequence behind), malicious scripts can all now execute with root permission. Default settings in Ubuntu will not allow you to log in as root. <<BR>><<BR>>

== Encrypt Your Home Folder ==
 
Encrypting the home folder will help for physical security. If someone is able to sit down in front of your computer or if they steal it, they won't be able to see the files in your home folder. In Ubuntu when you encrypt the home folder, the folder mounts when you log in which makes it readable to anyone sitting in front of your computer. Once you log out, the home folder unmounts and is encrypted again. Encrypting the home folder will do nothing to protect you from on-line threats. As long as the encrypted folder is mounted, it will be plain text for anyone with access.

You can encrypt your home folder or the [[https://help.ubuntu.com/community/EncryptedFilesystemHowto|entire hard drive]] on first install. Alternatively you can [[https://help.ubuntu.com/community/EncryptedHome|click here]] and [[http://ubuntuforums.org/showthread.php?t=1449168|here]] to learn how to add encryption to your home folder after installation. You could even just encrypt a particular file, a sub-directory, a usb stick... the choices are endless. <<BR>>

There are risks with encryption, so carefully evaluate your personal situation to determine if it is right for you. If you lose the password then your chances of recovering the data drop to almost nil. You should also keep in mind that if you encrypt your home folder or hard drive, that if your system fails later on it will be harder to recover your files. You will have to consider the value of the data you store on your computer to determine if encryption is worth the risk. For instance, if you insist on saving a detailed list of all your financial accounts in a text file, then encryption is vital. But if you don't store anything of personal value on the hard drive, then encryption may be less necessary. <<BR>><<BR>>

== Least Privileges, Always ==
 
Always make sure you are using the least amount of privileges/permissions to do the task necessary. Use only what you need, nothing more. If you are surfing the net and come across a "drive-by download" site, then what the malicious program has access to changes dramatically if it has lowered privileges. Learn how to use file permissions and non-privileged users (which Ubuntu makes very easy). Here is a link to [[https://help.ubuntu.com/community/FilePermissions|everything you need to know about file permissions]]. Also consider enabling guest accounts if you will have other people using your computer.<<BR>><<BR>>


== Security Updates ==
 
Security updates are released by Ubuntu developers when they discover and patch vulnerabilities. If you don't install the updates then you retain the vulnerability. Ubuntu allows you to have security updates automatically installed - once configured you don't need to run security updates manually again. Search for the Update Manager on your desktop and click on "settings" to configure how you want Ubuntu to manage updates. Or you can configure [[https://help.ubuntu.com/community/AutomaticSecurityUpdates|automatic updates via terminal]]. <<BR>><<BR>>

== Know What You Have, Have What You Know ==

Don't run services you don't need. Do you really need a VOIP phone system? What about Secure Shell (SSH), Virtual Network Computing (VNC), Apache server? If you need a service, make sure you understand it and can properly secure it. You can't secure what you don't understand. <<BR>> <<BR>>

== Make Your Browser More Secure ==
 
The majority of threats to your machine come from your browser, even when you use common sense. You have absolutely no control over vulnerabilities on someone else's web page as an end user, so it's important to defend yourself against any malicious activity originating from a compromised web page. If you are interested in learning how browser exploits happen, you can read [[https://www.owasp.org/index.php/Top_10_2010-Main|this summary of the top ten vulnerabilities]] in a poorly designed web page. <<BR>>

Secure your browser. We will discuss Firefox because that's the browser packaged in Ubuntu. However, other browsers have similar features. We recommend that you use the following services. As mentioned before, these measures may inhibit functionality until you manually configure them. Again you must weigh the need for security against the need for functionality as it relates to your personal situation.<<BR>>

=== Preferences ===

Find Preferences in the menu bar of Firefox. Under the privacy tab you can tell web sites you don't want to be tracked and you can choose to never remember history. You can choose to whitelist sites for specific needs using exceptions (allow for session at most) and clear history when closing the browser. Choose "never remember history" so that if someone hijacks your browser session, they won't find any valuable stored data. Don't use "hardware acceleration". <<BR>>

=== NoScript ===

If you unknowingly visit a compromised website, this will prevent scripts (i.e. programs) from running on your system. It can be a tricky tool to use at first glance as it blocks all scripts from running at first. If you spend a little time getting familiar with [[https://addons.mozilla.org/en-US/firefox/addon/noscript/|NoScript]], you will find it easier to use. As a user, you tell NoScript what sites to partially or fully trust. Don't "allow all scripts globally" under any circumstances! <<BR>>

Configuring NoScript is notoriously daunting to the new user. A helpful guide to configure NoScript is included on a separate page, [[https://wiki.ubuntu.com/BasicSecurity/NoScript]].

=== AdBlockPlus ===

You can tell by the name that it (surprise!) blocks annoying ads, but it can also block those ads from collecting personal information about you. [[https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/|Adblock Plus]] provides a default list of blocked ads. Additionally, you can block any individual ads or scripts that show up by adding them manually. <<BR>>

=== BetterPrivacy ===

The add-on [[https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/|BetterPrivacy]] will prevent websites from installing “super cookies” on your computer designed to track your history for marketing research. <<BR>>

=== ClickClean ===

[[https://addons.mozilla.org/en-US/firefox/addon/clickclean/|ClickClean]] is a simple tool to delete your browsing history, erase all temporary internet files, and remove downloaded files history, cookies, Flash LSO and typed URLs. It also allows for automatic deletion of private data when Firefox closes. Basically, if your browser session is ever hijacked, the hijacker will get little valuable information. <<BR>><<BR>>

The importance of securing your browser cannot be overstated. We've listed some of the simple tools you can implement to drastically improve your security. There are numerous others aimed at security as well as privacy; we encourage you to research those. <<BR>><<BR>>

== Home Network ==

Most computer users at home have a local network...often without even realising it. We encourage you to learn more about securing your home network - again, you can't secure what you don't understand. The [[http://www.cert.org/tech_tips/home_networks.html#I-A|CERT Guide to Home Network Security]] provides an excellent overview of the basic principles of networking and the internet. Learn some of the fundamentals [[http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm|about securing your router]]. For instance, if you use ''wireless access'', make sure you're using STRONG encryption: not WEP but WPA/WPA2. Use a GOOD password that uses all 63 characters; you only have to type it once anyway.<<BR>>

Devices plugged into your network can be accessed by unauthorized users just as easily as your computer can. Learn about making a [[http://ubuntuforums.org/showthread.php?p=11433134#post11433134|networked printer more secure]]. <<BR>><<BR>>

== Repeating All of the Above on Each System ==

Be consistent: if you do these things with your desktop Ubuntu system you will find it is actually pretty secure. If you have two computers running Ubuntu, then repeat this process on both computers. If you've got one computer partitioned, then secure all partitions. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles, whatever. Your network's security is only as strong as the weakest link.<<BR>><<BR>>
-----

= Security Tools You Have to Regularly & Actively Engage =

So that was the "easy" stuff. True security is an ongoing process, and a lot of the really good security tools require regular interaction from you. The next tools we describe are more advanced because you cannot "set and forget" them. They also require more effort to setup and use effectively, but the effort is worth it. The more security measures you implement from this Wiki, the more secure you will be. <<BR>><<BR>>

== Firewall ==

<<Anchor(firewalls)>>There is a lot of existing information about firewalls - along with a long-term raging debate on the need of a firewall on Ubuntu. We recommend you enable it because you have ports open if you are reading this page. Traffic can go in and out of that port unhindered without a firewall. Malicious programs can open arbitrary ports unless you have a firewall to prevent that. A NAT router can add a layer of protection, but it will not protect you in lieu of a firewall. [[http://ubuntuforums.org/showthread.php?t=1871177|This additional guide]] will provide more information. <<BR>>

Use your firewall PROPERLY. Don't set it and forget it: learn how it works and set decent rules. [[https://wiki.ubuntu.com/BasicSecurity/Firewall|Here]] is a tutorial showing how to enable a firewall in Ubuntu. However, adding port numbers can feel confusing. If it helps, think of it this way - currently you're reading this guide because you accessed a webpage hosted by wiki.ubuntu.com. To make the connection (and therefore to see the content) you have to connect your browser to that website by accessing Port 80. Another example is when you pick up your email. Your computer makes a connection to your mail server on Port 110. The other port numbers that you add provide similar functions.<<BR>><<BR>>

== AppArmor ==

AppArmor can strengthen our security. To quote the Novell site, "AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities." AppArmor has a pretty steep learning curve for new users. However, once you master it, creating profiles for most applications is fairly simple. It only gets tricky when you deal with applications that have to change functions a lot (for instance, Apache). [[http://ubuntuforums.org/showthread.php?t=1008906|Here is a tutorial on AppArmor]]. <<BR>><<BR>>

-----
= Did I Just Get Owned? =

For a helpful guide created by Dangertux which can help you determine if you have been compromised, see this page:<<BR>>
[[https://wiki.ubuntu.com/BasicSecurity/DidIJustGetOwned]]
-----

= Acknowledgements =

This Wiki was birthed on the Ubuntu Forums by [[http://ubuntuforums.org/member.php?u=1418836|MrLeek]] and [[http://ubuntuforums.org/member.php?u=1455355|Ms. Daisy]]. Contributions came from [[http://ubuntuforums.org/member.php?u=1322416|Dangertux]], [[http://ubuntuforums.org/member.php?u=946893|OpSecShellShock]], [[http://ubuntuforums.org/member.php?u=1317912|haqking]], Thewhistlingwind, dFlyer, vasa1, [[http://ubuntuforums.org/member.php?u=571173|Olle Wiklund]], [[http://ubuntuforums.org/member.php?u=923868|CharlesA]] and a Mystery Guy ;)
<<BR>><<BR>>

Basic Ubuntu Security Guide, Desktop Edition

Who Did We Write This For?

Security is a very broad, potentially daunting subject to a new Ubuntu user. It's crazy to think that anyone can boil security down to a list of 7 things. So we didn't even try. Instead, our goal is to present a listing of the most basic security concepts that can be fairly easily implemented while you learn. This guide was inspired and written by several new users of Ubuntu who were very interested in learning how to hack around their brand new Ubuntu operating systems. We were lucky enough to have some security professionals collaborate with us. But we still don't claim that we will reduce your risk to zero. We are presenting a pragmatic approach to security.

This guide is intended for the typical, average home user that is in the process of learning how to use Ubuntu. So if you just surf the net, play games (on-line & off-line), do on-line banking, education...then you are the intended audience. However if you are running a network server (especially one that is accessed via the Internet) or if you use Ubuntu in your corporate environment (or simply work from home) then the advice you need is more specialized and beyond the scope of this guide. If you don't know whether you are running a server or not, then read this.


The most basic set of rules

If you're a simple desktop user who only uses his computer for the most ordinary things, then this is the basic rule set:
1. immediately install security updates when you're notified;
2. do not install antivirus, as you *really* don't need it in Linux, unless you share files with Windows;
3. enable the firewall (sudo ufw enable) without further tweaks;
4. stick to the official repos as much as possible, and only deviate from them when strictly necessary and with much caution;
5. keep Java (both openJDK and Oracle Java) disabled by default in your browser, and only enable it when needed;
6. use Wine with caution;
7. and most important of all: use your common sense. The biggest security threat is generally found between keyboard and chair.

If you have higher security needs, then read on.

Security Tools and Concepts That Are Easy to Use

In order to simplify the very complex world of security, we have broken it down into two sections. In this first section, we will discuss security tools in Ubuntu that you can configure and that (once configured) require little interaction. We will also discuss general security concepts that are easy to implement into your daily computer use. There is a lot of security information already in existence in the Ubuntu Wikis and stickies in the Ubuntu Forums. There are some great resources there, in fact one of the best guides is linked here. But a lot of that material will seem complex to the new Ubuntu user - so the goal of this guide was to take the existing material and simplify it, making it possible to bridge the gap.

Your Tolerance for Risk

We've all heard the argument that if you make a system secure, you also hinder access, create obstacles, and complicate use. It is up to the individual user to determine what his tolerance for risk is. This Wiki will outline vectors of potential vulnerabilities in your Ubuntu system, and you can evaluate them and determine how those risks relate to your personal situation.

Linux Vulnerabilities

The majority of new users are coming from Windows environments, where security focuses mostly on anti-virus software. To understand security on Ubuntu, you must shift your thinking from this point of view. In the following bullets, we're going to analyze what threats actually affect you as an Ubuntu user.

  • Myth: If I install an anti-virus program I'll be fine.

  • Reality: At the time of writing, there are no known viruses on the big bad web designed to target Linux. A few targeting Windows can execute in a manner that could allow compromise of a Linux system via an interpreter layer like Wine. Very few people recommend existing anti-virus software for Linux machines, in part because there are few decent free anti-malware solutions available. Enterprise class solutions are good, but the consumer-grade products aren't on par with their Windows counterparts enough to warrant their use. Moreover, if you focus entirely on viruses then you are ignoring the vast majority of real threats to your Ubuntu machine.

  • Myth: Security through obscurity keeps me safe.

  • Reality: It's a favoured argument from Linux supporters, but Linux/Ubuntu is not that obscure to “crackers”. They may be obscure to you or your friends; however, there are many who know how to exploit Linux vulnerabilities just as easily as Windows, Mac OSX, Solaris, AIX, or any other operating system's vulnerabilities. The best defence is knowledge and preparation. Relying on an “obscure” operating system to hide behind is NOT a good strategy.

  • Myth: I can browse however I want to because malware on the web is mostly designed for Windows.

  • Reality: While the majority of malware does target Windows, this statement overlooks the fact that an entire spectrum of web based attack vectors exist that work on any operating system. Cross Site Scripting, Cross Site Request Forgery, Click-Jacking, Session Riding, and many other methods can be used to exploit weaknesses in a relationship of trust between you and a website, or a website and you, regardless of your operating system. For things like this we have browser add-ons which will be discussed in the browser security section.

  • Myth: I don't need to use fancy browser add-ons when using public access wifi because I use Ubuntu.

  • Reality: An absurd statement. Most attacks carried out on public wifi include several varieties of man in the middle attacks. If you want to utilize public wifi, it is highly discouraged to do anything more than trivial in nature with it unless you are an advanced user and you know how to set up a virtual private network (VPN), a VPN via Secure Shell (SSH), or use Secure Sockets Layer (SSL) in conjunction with SSLstrip.

  • Myth: I don't need a firewall because Ubuntu has no open ports by default.

  • Reality: This is a matter of risk tolerance. Added protection, particularly that which takes only a few minutes to set up, is always worth it. Firewalls are discussed in more depth later in this document.

  • Myth: Windows malware can not compromise Ubuntu.

  • Reality: Ubuntu CAN be compromised by Windows malware if you're using Wine. This is not to say that Windows malware can infect a Linux system directly, however it CAN, if targeted properly, utilize the Wine interpreter to send system calls to the Linux kernel. This is a very rare case, and it is highly unlikely that it would occur as it would be a very targeted attack. But for completeness sake we should mention that it CAN happen.

  • Myth: Ubuntu is harder to exploit than Windows, Mac OSX, whatever else - and it's targeted less than those other operating systems as well.

  • Reality: The process of discovering a vulnerability and exploiting it is pretty much the same across the board, regardless of operating system.

These are just some common myths associated with Ubuntu and security. This list is not comprehensive, but it covers the largest misconceptions held by new users. This does not mean that Ubuntu is inherently insecure, or is less secure than previous versions, or is more/less secure than any other operating system. It is just an effort to dispel common myths and get the reader (you) thinking in a positive direction toward improving their system's security posture. If you follow the steps in this Wiki, you will have a decent defense built to protect your machine from viruses as well as the other more pressing threats out there.

And of course, we'd be remiss not to mention social engineering. What information are you putting into public view? Do you know who you're giving valuable information to? Social engineering is important to understand but beyond the scope of this Wiki.

Backups

Reinstalling an operating system again after it corrupts is annoying. But losing valuable personal pictures, letters, emails... these are priceless and cannot be replaced. If you are prepared to wipe and reinstall with very little notice, then you are far more secure. Moreover, there are many threads in the Ubuntu Forums that describe problems that would have been avoided if the user had made good backups. It is important to make special backups before certain risky operations like upgrading to a new version, operations on partitions and partition tables, using dd, etc. Finally, if you're concerned that your computer has been infected or "cracked," then you can restore Ubuntu to a known previously good state.

To quote the introduction of Duplicity Backup, "There are many different applications that are available to backup Ubuntu. Each one has its strengths and weaknesses. Some are made for enterprise environments where it is necessary to back up many computers quickly and efficiently. Others are made for home environments and come with a simple wizard-driven GUI or command line interface...Each application can backup to one or many DVDs, CDs, disk drives, and other media or may not backup to one or more of those things. As varied as these programs are, so are the needs of the individuals who use them." This link can help you decide where to backup your data, what to backup, and when.

It All Starts With a Good Password

Obviously if an attacker doesn't have your password, then it's harder for him to make changes on your machine. A strong unique password for each account is best - consider using a password safe (but remember that that password MUST be a good one!) Read this discussion regarding the process of choosing a good password.

Know What Sudo is Doing

If you're following a set of instructions and you're about to type in sudo, ask yourself "Do I REALLY know what this command is about to do?" If you can't explain it to your grandmother, then you don't know what's going to happen. Related to that - if you get asked for your password, make sure you know what you've just done to trigger that response. The system is trying to protect you. Here is an explanation of sudo.

Don't Log in as Root

An excellent way to find yourself in deep trouble is to modify permissions as root. Logging in as root means you will be browsing the Internet as root, so drive-by downloads (downloads that you did not authorize, or that you authorized without realizing the consequences) and malicious scripts can all execute with root permission. Default settings in Ubuntu will not allow you to log in as root.

Encrypt Your Home Folder

Encrypting the home folder will help for physical security. If someone is able to sit down in front of your computer or if they steal it, they won't be able to see the files in your home folder. In Ubuntu when you encrypt the home folder, the folder mounts when you log in which makes it readable to anyone sitting in front of your computer. Once you log out, the home folder unmounts and is encrypted again. Encrypting the home folder will do nothing to protect you from on-line threats. As long as the encrypted folder is mounted, it will be plain text for anyone with access.

You can encrypt your home folder or the entire hard drive on first install. Alternatively you can click here and here to learn how to add encryption to your home folder after installation. You could even just encrypt a particular file, a sub-directory, a usb stick... the choices are endless.

There are risks with encryption, so carefully evaluate your personal situation to determine if it is right for you. If you lose the password then your chances of recovering the data drop to almost nil. You should also keep in mind that if you encrypt your home folder or hard drive, that if your system fails later on it will be harder to recover your files. You will have to consider the value of the data you store on your computer to determine if encryption is worth the risk. For instance, if you insist on saving a detailed list of all your financial accounts in a text file, then encryption is vital. But if you don't store anything of personal value on the hard drive, then encryption may be less necessary.

Least Privileges, Always

Always make sure you are using the least amount of privileges/permissions to do the task necessary. Use only what you need, nothing more. If you are surfing the net and come across a "drive-by download" site, then what the malicious program has access to changes dramatically if it has lowered privileges. Learn how to use file permissions and non-privileged users (which Ubuntu makes very easy). Here is a link to everything you need to know about file permissions. Also consider enabling guest accounts if you will have other people using your computer.
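To practise the file-permission side of least privilege, here is an added example (not part of the original guide) that finds files granting more access than needed and removes it. The function names and the demo directory tree are constructed for illustration; to audit real data, point the functions at your own folder, for example `readable_by_others "$HOME"`.

```shell
#!/bin/sh
# Added example: find files that grant more access than their owner needs.
# All function names here are hypothetical helpers, not Ubuntu tools.

# List regular files and directories under "$1" that ANY local user can modify.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print | LC_ALL=C sort
}

# List regular files under "$1" that users outside your group can read.
readable_by_others() {
    find "$1" -xdev -type f -perm -0004 -print | LC_ALL=C sort
}

# Remove every permission for "others" on each path read from stdin.
# Owner and group permissions are left untouched.
drop_other_access() {
    while IFS= read -r path; do
        chmod o-rwx -- "$path"
    done
}

# Build a constructed directory tree to practise on (not real user data).
# Prints the path of the new tree.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir "$demo/Documents" "$demo/Public"
    : > "$demo/Documents/accounts.txt"; chmod 644 "$demo/Documents/accounts.txt"
    : > "$demo/Documents/notes.txt";    chmod 600 "$demo/Documents/notes.txt"
    : > "$demo/Public/scratch.txt";     chmod 666 "$demo/Public/scratch.txt"
    chmod 755 "$demo/Documents"
    chmod 777 "$demo/Public"
    printf '%s\n' "$demo"
}

# Demo run on the constructed tree.
demo_dir=$(make_demo_tree)
echo "Readable by other users before the fix:"
readable_by_others "$demo_dir"
readable_by_others "$demo_dir" | drop_other_access
echo "Still writable by anyone (directories need a separate decision):"
world_writable "$demo_dir"
rm -rf "$demo_dir"
```

The private file with mode 600 never shows up in either list, which is the state you want for anything sensitive.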

Security Updates

Security updates are released by Ubuntu developers when they discover and patch vulnerabilities. If you don't install the updates then you retain the vulnerability. Ubuntu allows you to have security updates automatically installed - once configured you don't need to run security updates manually again. Search for the Update Manager on your desktop and click on "settings" to configure how you want Ubuntu to manage updates. Or you can configure automatic updates via terminal.

Know What You Have, Have What You Know

Don't run services you don't need. Do you really need a VOIP phone system? What about Secure Shell (SSH), Virtual Network Computing (VNC), Apache server? If you need a service, make sure you understand it and can properly secure it. You can't secure what you don't understand.
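One way to check which services are actually reachable from other machines, as an added example that is not part of the original guide: the functions below read the output of `ss -tln` and report listeners that are not bound to loopback only, then compare them with the ports you expect. The function names are hypothetical and the sample output is constructed; on a real system run `ss -tln | unexpected_listeners 22`, listing the ports you intend to offer.

```shell
#!/bin/sh
# Added example: which TCP services can other machines reach?
# Function names are hypothetical; the sample below is constructed.

# Constructed sample standing in for the output of `ss -tln`.
sample_ss_output() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:631       0.0.0.0:*
LISTEN  0       32      127.0.1.1:53        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       5       [::1]:631           [::]:*
LISTEN  0       5       192.168.1.10:5900   0.0.0.0:*
LISTEN  0       511     *:80                *:*
EOF
}

# Read `ss -tln` output on stdin and print "port<TAB>address" for every
# listener that is NOT bound to a loopback address (127.0.0.0/8 or ::1).
exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }              # skip the header line
        {
            local_addr = $4
            n = split(local_addr, parts, ":")
            port = parts[n]                  # text after the last colon
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            sub(/%.*/, "", addr)             # drop an interface scope such as %lo
            sub(/^\[/, "", addr)             # drop IPv6 brackets
            sub(/\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            print port "\t" addr
        }
    ' | LC_ALL=C sort -n
}

# Same input, but only print listeners whose port is not in the list of
# ports given as arguments (the services you know about and want).
unexpected_listeners() {
    allowed=" $* "
    exposed_listeners | while IFS="$(printf '\t')" read -r port addr; do
        case "$allowed" in
            *" $port "*) ;;                  # expected service, stay quiet
            *) printf '%s\t%s\n' "$port" "$addr" ;;
        esac
    done
}

# Demo on the constructed sample: SSH (22) is expected, everything else
# that is reachable from the network gets reported.
sample_ss_output | unexpected_listeners 22
```

In the sample, the printing service on port 631 and the local resolver on port 53 are left out because they only listen on loopback, while the web server on port 80 and VNC on port 5900 are reported.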

Make Your Browser More Secure

The majority of threats to your machine come from your browser, even when you use common sense. You have absolutely no control over vulnerabilities on someone else's web page as an end user, so it's important to defend yourself against any malicious activity originating from a compromised web page. If you are interested in learning how browser exploits happen, you can read this summary of the top ten vulnerabilities in a poorly designed web page.

Secure your browser. We will discuss Firefox because that's the browser packaged in Ubuntu. However, other browsers have similar features. We recommend that you use the following services. As mentioned before, these measures may inhibit functionality until you manually configure them. Again you must weigh the need for security against the need for functionality as it relates to your personal situation.

Preferences

Find Preferences in the menu bar of Firefox. Under the privacy tab you can tell web sites you don't want to be tracked and you can choose to never remember history. You can choose to whitelist sites for specific needs using exceptions (allow for session at most) and clear history when closing the browser. Choose "never remember history" so that if someone hijacks your browser session, they won't find any valuable stored data. Don't use "hardware acceleration".

NoScript

If you unknowingly visit a compromised website, this will prevent scripts (i.e. programs) from running on your system. It can be a tricky tool to use at first glance as it blocks all scripts from running at first. If you spend a little time getting familiar with NoScript, you will find it easier to use. As a user, you tell NoScript what sites to partially or fully trust. Don't "allow all scripts globally" under any circumstances!

Configuring NoScript is notoriously daunting to the new user. A helpful guide to configure NoScript is included on a separate page, https://wiki.ubuntu.com/BasicSecurity/NoScript.

AdBlockPlus

You can tell by the name that it (surprise!) blocks annoying ads, but it can also block those ads from collecting personal information about you. Adblock Plus provides a default list of blocked ads. Additionally, you can block any individual ads or scripts that show up by adding them manually.

BetterPrivacy

The add-on BetterPrivacy will prevent websites from installing “super cookies” on your computer designed to track your history for marketing research.

ClickClean

ClickClean is a simple tool to delete your browsing history, erase all temporary internet files, and remove downloaded files history, cookies, Flash LSO and typed URLs. It also allows for automatic deletion of private data when Firefox closes. Basically, if your browser session is ever hijacked, the hijacker will get little valuable information.

The importance of securing your browser cannot be overstated. We've listed some of the simple tools you can implement to drastically improve your security. There are numerous others aimed at security as well as privacy; we encourage you to research those.

Home Network

Most computer users at home have a local network...often without even realising it. We encourage you to learn more about securing your home network - again, you can't secure what you don't understand. The CERT Guide to Home Network Security provides an excellent overview of the basic principles of networking and the internet. Learn some of the fundamentals about securing your router. For instance, if you use wireless access, make sure you're using STRONG encryption: not WEP but WPA/WPA2. Use a GOOD password that uses all 63 characters; you only have to type it once anyway.

Devices plugged into your network can be accessed by unauthorized users just as easily as your computer can. Learn about making a networked printer more secure.

Repeating All of the Above on Each System

Be consistent: if you do these things with your desktop Ubuntu system you will find it is actually pretty secure. If you have two computers running Ubuntu, then repeat this process on both computers. If you've got one computer partitioned, then secure all partitions. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles, whatever. Your network's security is only as strong as the weakest link.


Security Tools You Have to Regularly & Actively Engage

So that was the "easy" stuff. True security is an ongoing process, and a lot of the really good security tools require regular interaction from you. The next tools we describe are more advanced because you cannot "set and forget" them. They also require more effort to setup and use effectively, but the effort is worth it. The more security measures you implement from this Wiki, the more secure you will be.

Firewall

There is a lot of existing information about firewalls - along with a long-term raging debate on the need of a firewall on Ubuntu. We recommend you enable it because you have ports open if you are reading this page. Traffic can go in and out of that port unhindered without a firewall. Malicious programs can open arbitrary ports unless you have a firewall to prevent that. A NAT router can add a layer of protection, but it will not protect you in lieu of a firewall. This additional guide will provide more information.

Use your firewall PROPERLY. Don't set it and forget it: learn how it works and set decent rules. Here is a tutorial showing how to enable a firewall in Ubuntu. However, adding port numbers can feel confusing. If it helps, think of it this way - currently you're reading this guide because you accessed a webpage hosted by wiki.ubuntu.com. To make the connection (and therefore to see the content) you have to connect your browser to that website by accessing Port 80. Another example is when you pick up your email. Your computer makes a connection to your mail server on Port 110. The other port numbers that you add provide similar functions.

AppArmor

AppArmor can strengthen our security. To quote the Novell site, "AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities." AppArmor has a pretty steep learning curve for new users. However, once you master it, creating profiles for most applications is fairly simple. It only gets tricky when you deal with applications that have to change functions a lot (for instance, Apache). Here is a tutorial on AppArmor.


Did I Just Get Owned?

For a helpful guide created by Dangertux which can help you determine if you have been compromised, see this page:
https://wiki.ubuntu.com/BasicSecurity/DidIJustGetOwned


Acknowledgements

This Wiki was birthed on the Ubuntu Forums by MrLeek and Ms. Daisy. Contributions came from Dangertux, OpSecShellShock, haqking, Thewhistlingwind, dFlyer, vasa1, Olle Wiklund, CharlesA and a Mystery Guy ;)

BasicSecurity (last edited 2012-12-28 10:50:07 by host86-182-68-148)