BasicSecurity

Differences between revisions 60 and 61
Revision 60 as of 2011-11-07 14:07:13
Size: 11264
Editor: 96-28-46-134
Comment:
Revision 61 as of 2011-11-07 17:53:58
Size: 11247
Editor: host86-163-226-54
Comment:
Line 8: Line 8:
In very general, broad terms, Windows is more targeted than Linux or Mac when it comes to malicious attacks aimed at mass victims. But a determined hacker can just as easily crack a Linux machine as any other. There are known [[https://help.ubuntu.com/community/Linuxvirus|viruses]] and [[https://help.ubuntu.com/community/Antivirus|vulnerabilities]] that you need to defend against. <<BR>><<BR>> In very general, broad terms, Windows is more targeted than Linux or Mac when it comes to malicious attacks aimed at mass victims. But a determined hacker can just as easily crack a Linux machine as any other. There are known [[https://help.ubuntu.com/community/Linuxvirus|viruses]] and [[https://www.ubuntu.com/usn|vulnerabilities]] that you need to defend against. <<BR>><<BR>>
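Review bot: revision 61 has an empty Comment field even though the Line 8 edit retargets the "vulnerabilities" link from https://help.ubuntu.com/community/Antivirus to https://www.ubuntu.com/usn; a short edit summary naming the new target would make the reason for the change visible in the page history. The neighbouring "viruses" link is unchanged and still points at the community Linuxvirus page, so it is worth confirming that the sentence reads as intended with one community link and one ubuntu.com link.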

Basic Ubuntu Security Guide, Desktop Edition

Who Did We Write This For?

Security is a very broad, potentially daunting subject to a new Ubuntu user. It's crazy to think that anyone can boil security down to a list of 7 things. So we didn't even try. Instead, our goal is to present a listing of the most basic security concepts that can be fairly easily implemented while you learn. This guide was inspired and written by several new users of Ubuntu who were very interested in learning how to hack around their brand new Ubuntu operating systems. We were lucky enough to have some security professionals collaborate with us. But we still don't claim that we will reduce your risk to zero. We are presenting a pragmatic approach to security.

This guide is intended for the typical, average home user that is in the process of learning how to use Ubuntu. So if you just surf the net, play games (on-line & off-line), do on-line banking, education...then you are the intended audience. However if you are running a network server (especially one that is accessed via the Internet) or if you use Ubuntu in your corporate environment (or simply work from home) then the advice you need is more specialized and beyond the scope of this guide. If you don't know whether you are running a server or not, then read this.

Linux Vulnerabilities

In very general, broad terms, Windows is more targeted than Linux or Mac when it comes to malicious attacks aimed at mass victims. But a determined hacker can just as easily crack a Linux machine as any other. There are known viruses and vulnerabilities that you need to defend against.

Backups

Reinstalling an OS after it gets corrupted is annoying, but losing valuable personal pictures, letters and emails is far worse: they are priceless! If you are prepared to wipe and reinstall with very little notice, then you are far more secure. Moreover, there are many threads in the Ubuntu Forums that describe problems that would have been avoided if the user had made good backups. It is also important to make a special backup before certain risky operations such as upgrading to a new version, operations on partitions and partition tables, using dd, etc. Learn about backups in Ubuntu.

It All Starts With a Good Password

A strong, unique password for each account is best. Consider using a password safe (but remember that that password MUST be a good one!). There's enough material on the subject of passwords to keep even the most busy of readers occupied for a few hours. You can use an automatic creator of strong passwords to help understand how complex passwords can be. You can test your password here. And here are more tips on creating good passwords, including why using an on-line automatic password creator is bad.

Know What Sudo is Doing

If you're following a set of instructions and you're about to type in sudo, ask yourself "Do I REALLY know what this command is about to do?" If you can't explain it to your granny, then you don't know what's going to happen. Related to that: if you get asked for your password, make sure you know what you've just done to trigger that response. The system is trying to protect you. Here is an explanation of sudo.

Don't Log in as Root

An excellent way to find yourself in deep trouble is to modify permissions as root. Logging in as root means you will be browsing the internet as root, so drive-by downloads (downloads that you did not authorize, or that you authorized without realizing the consequences) and malicious scripts can all execute with root permission.

Encrypt Your Home Folder

You can encrypt your home folder or the entire hard drive on first install. Alternatively you can click here and here to learn how to add encryption to your home folder after installation. You could even just encrypt a particular file, a sub-directory, a USB stick; the choices are endless. WARNING: if you lose the password then your chances of recovering the data drop to almost nil.

Least Privileges, Always

Always make sure you are using the least amount of privileges/permissions needed to do the task. Use only what you need, nothing more. This involves learning how to use file permissions and non-privileged users (which Ubuntu makes very easy). Also consider enabling guest accounts if you think they are necessary. Here is a link to everything you need to know about file permissions.

AppArmor

Additionally, AppArmor can strengthen our security. To quote the Novell site, "AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities." The learning curve is pretty steep, but it is worthwhile to take a few hours to educate yourself on it now; it is a great asset. Here is a tutorial on AppArmor.

Security Updates

Security updates are released by Ubuntu developers when they discover and patch vulnerabilities. If you don't install the updates then you retain the vulnerability. Ubuntu allows you to have security updates installed automatically - once configured you don't need to run security updates manually again.


Know What You Have, Have What You Know

Don't run services you don't need. Do you really need a VOIP phone system? What about SSH, VNC, Apache? If you need a service, make sure you understand it and can properly secure it.
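One way to see which services on your machine accept connections from other computers, as an added example that is not part of the original guide. It filters the output of `ss -tuln` down to listeners that are not bound to the loopback address; the port-to-service hints are common default ports (an assumption, a service can be configured to use another port) and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): list sockets that accept
# connections from other machines, i.e. listeners not bound to loopback.
# Input: lines in the format printed by `ss -tuln`.

exposed_listeners() {
    awk '
    BEGIN {
        # Hints for common default ports (assumption: services may use others).
        name[22] = "ssh"; name[80] = "http"; name[443] = "https"
        name[5060] = "sip-voip"; name[5900] = "vnc"
    }
    $1 == "Netid" { next }                 # skip the header line
    {
        match($5, /:[^:]*$/)               # last colon separates address and port
        addr = substr($5, 1, RSTART - 1)
        port = substr($5, RSTART + 1)
        sub(/%.*/, "", addr)               # drop interface suffix such as %lo
        gsub(/^\[|\]$/, "", addr)          # drop brackets around IPv6 addresses
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only: not exposed
        print $1, addr, port, ((port in name) ? name[port] : "-")
    }'
}

# Constructed sample of `ss -tuln` output, so the example runs offline.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      511    *:80               *:*
tcp   LISTEN 0      5      [::1]:631          [::]:*
EOF
}

sample_ss_output | exposed_listeners
# On a real system: ss -tuln | exposed_listeners
```

Every line it prints is a service reachable from the network; if you cannot say what it is and why you need it, that is the one to research or disable.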

Make Your Browser More Secure

One of the best things you can do is secure your browser, especially as it's one of the most vulnerable parts of your system as a home user. NoScript in Firefox prevents scripts (i.e. programs) from running on your system unless you allow them. Allow scripts from sites that you trust for a safer browsing experience. But don't "allow all scripts globally" under any circumstances!

Firewall

There is a lot of existing information about firewalls. There is also a long-running, raging debate on the need for a firewall on Ubuntu. We recommend you enable it and here is why. Use your firewall PROPERLY. Don't set it and forget it: learn how it works and set decent rules. Here is a tutorial showing how to enable a firewall in Ubuntu.

Home Network

We encourage you to learn more about securing your home network if you choose to set one up. Learn some of the fundamentals about securing your router. If you use wireless access, make sure you're using STRONG encryption: not WEP but WPA/WPA2 with a GOOD passphrase. Use all 63 characters; you only have to type it once anyway.

And learn about making a networked printer more secure.
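For the 63-character wireless passphrase recommended above, and the earlier advice not to rely on an on-line password creator, here is an added example (not part of the original guide) that generates the passphrase locally and checks it. It assumes the WPA/WPA2 passphrase rule of 8 to 63 printable ASCII characters; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): create a WPA/WPA2 passphrase
# on your own machine and check it before typing it into the router.

# Print N random letters and digits (default 63, the maximum passphrase
# length), taken from the kernel random source /dev/urandom.
gen_passphrase() {
    len=${1:-63}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

# Succeed only if $1 is 8 to 63 printable ASCII characters
# (assumption stated in the lead-in: the WPA/WPA2 passphrase rule).
valid_wpa_passphrase() {
    n=${#1}
    [ "$n" -ge 8 ] && [ "$n" -le 63 ] || return 1
    # Delete every printable ASCII character (space to tilde); anything left
    # over is not allowed. The trailing "x" keeps a stray newline from being
    # silently dropped by the command substitution.
    rest=$(printf '%s' "$1" | LC_ALL=C tr -d ' -~'; printf x)
    [ "$rest" = x ]
}

pass=$(gen_passphrase 63)
valid_wpa_passphrase "$pass" && printf '%s\n' "$pass"
```

Store the result in your password safe rather than in a plain text file.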

Repeating All of the Above on Each System

Be consistent. If you do these things with your desktop Ubuntu system, you will find it is actually pretty secure. If you have two computers running Ubuntu, then repeat this process on both computers. If you've got one computer partitioned, then secure all partitions. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles, whatever. Your network's security is only as strong as the weakest link.

Don't Stop Learning

Security is an ongoing process, no matter what operating system you use. This is a basic guide to help you get started on Ubuntu. But don't stop there. There is a lot of security information already available in the Ubuntu Wikis or stickies in the Ubuntu Forums. There are some great resources there; in fact one of the best guides is linked here. But a lot of that material will seem complex to the new Ubuntu user, so the goal of this guide was to take this material and simplify it, making it possible to bridge the gap.

Acknowledgements

This Wiki was birthed on the Ubuntu Forums by MrLeek and Ms. Daisy. Contributions came from Dangertux, OpSecShellShock, haqking, Thewhistlingwind, dFlyer, vasa1, Olle Wiklund, CharlesA





I propose we delete everything below this point. Thoughts? #Ms. Daisy





* Someone who knows what they're doing can use information you post on various forums to exploit your system. Think about the information you're posting about your computer, your router. Unfortunately we can't tell you what to post and what not to post unless you have some basic knowledge.

Included now (with small edits) in Olle's thread {Servers: If you don't need an SSH server or VNC server running on your personal computer don't do it. If you don't know what those acronyms are, then you should DEFINITELY not use them until you do some significant research.

Until you do understand how it works, my recommendation would be to not set those things up, and if they are set up by default, disable them. When you're ready to start learning new services like FTP, SSH, VNC, telnet, remote desktop, etc., then consider playing with them in a virtual machine. Ubuntu has Oracle VM Virtual Box right in the Software Center. This can reduce your exposure to security problems you don't know while you learn. Of course it's not fool-proof.}

BasicSecurity (last edited 2012-12-28 10:50:07 by host86-182-68-148)