BasicSecurity

Revision 44 as of 2011-11-06 10:54:50


DRAFT - UNDER CONSTRUCTION

Basic Ubuntu Security Guide, Desktop Edition

Who did we write this for?

Security is a very broad, potentially daunting subject to a new Ubuntu user. It's crazy to think that anyone can boil security down to a list of 7 things. So we didn't even try. Instead, our goal is to present a listing of the most basic security concepts that can be fairly easily implemented while you learn. This guide was inspired and written by several new users of Ubuntu who were very interested in learning how to hack around their brand new Ubuntu operating systems. We were lucky enough to have some security professionals collaborate with us. But we still don't claim that we will reduce your risk to zero. We are presenting a pragmatic approach to security.
This guide is intended for the typical, average home user who is in the process of learning how to use Ubuntu. So if you just surf the net, play games (online & offline), do online banking, education... then you are the intended audience. However, if you are running a network server (especially one that is accessed via the Internet) or if you use Ubuntu in your corporate environment (or simply work from home), then the advice you need is more specialised and beyond the scope of this guide.

This guide is also not intended to replace any security information already in the Ubuntu Wikis or the stickies in the Ubuntu Forums. There are some great resources there; in fact, one of the best guides is linked here. But a lot of that material will seem complex to the ordinary Ubuntu user, so another aim of this guide is to take that material and simplify it, bridging the gap.

Fallacies

There are common misconceptions in this forum as well as in the world in general:

* Linux is secure out of the box. Kind of. In very general, broad terms, Windows is more targeted than Linux or Mac when it comes to malicious attacks aimed at mass victims. But a determined hacker can just as easily crack a Linux machine as any other. There are known viruses in Linux: https://help.ubuntu.com/community/Linuxvirus and a discussion of vulnerabilities in Ubuntu is here: https://help.ubuntu.com/community/Antivirus

* Enough already. Just tell me which Security Program to install in the Software Center. The typical Windows user mindset is that you just install a security program or two, let it run quietly in the background, and you'll be fine. That's actually not true for Windows and it's not true for Ubuntu either. Security is an active process on all operating systems. There are anti-malware software packages available for Linux. However, they lack some of the more robust features of their Windows counterparts.

The Nuts and Bolts of Basic Security

Because Ubuntu doesn't have a pre-packaged Security Suite, we compiled this list. However, most of these points would be a good idea for any operating system.

Common Sense

* Use common sense. A very smart friend of mine once said these words: "Did you go on the Internet to download something? No... Then why are you downloading something?" This applies to all facets of security. Set out with a purpose; if you find yourself veering away from that purpose, ask yourself why, and whether it's something you should be doing.

* Backups. Reinstalling an OS after it gets corrupted is annoying, but losing valuable personal pictures, letters, emails... those are priceless! If you are prepared to wipe and reinstall with very little notice, then you are far more secure. Moreover, there are many threads in the Ubuntu Forums that describe problems that would have been avoided with a good backup. It is also important to make a special backup before certain risky operations such as upgrading to a new version, operations on partitions and partition tables, using dd, etc.

Credentials and Permissions

* It all starts with a good password - and there's enough material on the subject to keep even the busiest of readers occupied for a few hours (see the links below). A strong, unique password for each account is best; consider using a password safe (but remember that its master password MUST be a good one!).

* Know what sudo is doing - if you're following a set of instructions and you're about to type in sudo, ask yourself "Do I REALLY know what this command is about to do?". If you can't explain it to your granny, then you don't know what's going to happen. Related to that - if you get asked for your password, make sure you know what you've just done to trigger that response. The system is trying to protect you.

* Don't log in as root. An excellent way to find yourself in deep trouble is to modify permissions as root. Logging in as root means you will be browsing the Internet as root: drive-by downloads (downloads that you did not authorise, or that you authorised without realising the consequences) and malicious scripts can all now execute with root permissions.

* Encrypt your home folder - you can set this up on first install. Alternatively, you can follow the link below to add encryption to your home folder after installation. You could even just encrypt a particular file, a sub-directory, a USB stick... the choice is endless. WARNING: if you lose the password, then your chances of recovering the data drop to almost nil.

* Least privileges, always: always make sure you are using the least amount of privileges/permissions needed for the task at hand. Use only what you need, nothing more. This involves learning about DAC (discretionary access control) and how to use file permissions and non-privileged users (which Ubuntu makes very easy). Also consider enabling guest accounts if you think they are necessary.

* automatic creator of strong passwords, to help understand how complex passwords can be
* test your password here
* more tips on creating good passwords - including why using an automatic password creator is bad
* explanation of sudo
* How to encrypt your home folder
* Another guide on home folder encryption
* Encrypting your hard drive
* Everything you need to know about file permissions

Application security (updates, MAC, add-ons etc.)

* Security Updates. Ubuntu allows you to have security updates installed automatically; once configured, you don't need to run security updates by hand again.

* NoScript for Firefox. One of the best things you can do to secure your browser, which for a home user is one of the most vulnerable parts of the system. It prevents scripts (i.e. programs) from running in your browser unless you allow them. Allow scripts from sites that you trust for a safer browsing experience, but don't "allow all scripts globally" under any circumstances! Click here to install.

setting up automatic security updates

Basic Network Security (firewall and network appliances)

There is a lot of existing information about firewalls. There is also a long-running debate on the need for a firewall on Ubuntu. We recommend you enable it. Use your firewall PROPERLY: don't set it and forget it; learn how it works and set decent rules. It takes 5 minutes to configure UFW/GUFW to tell iptables to enforce pretty decent inbound and outbound rules. Maybe 10 minutes if it's the first time you've done it.

Here are some links:

Whilst not strictly "Ubuntu-only", securing your Ubuntu system whilst ignoring your network and router is a recipe for disaster. Here are some things to check:

* If you are using wireless access, make sure you're using STRONG encryption, not WEP but WPA/WPA2 with a GOOD password. Use all 63 characters, you only have to type it once anyway. Short easy-to-remember passwords here make you an easy target.
* Use a strong admin password and user password (if your router supports it) to log into the router.
* Disable UPNP and WPM (if you don't need it)
* Locate the router so the signal isn't ridiculously strong outside of your house. Some routers do allow you to reduce the signal strength, and that may be worth experimenting with.
* Enable logging in to the router only over HTTPS (if it supports this) and disable access via wireless and disable remote administration if you can.
* Disable remote administration (administration from the outside world , defaulted to port 8080 usually)
* Disable the telnet server and the TFTP server if your router has it.
* You can toss in MAC address filtering, but it's really a waste of time.

Adding new systems to your network

Think before you connect printers, phones, consoles or routers to your network. Do you have a networked printer? If yes, do you need one? If the printer doesn't need to be on the network, then don't put it there. From an introductory security perspective, this is the first thing to consider about almost any device (printer, scanner, router). Don't broadcast your wifi signal when you're not using it; that gives the bad guys less time to crack it. Make sure devices are powered off completely when you don't need them. Some devices don't seem to want to do that, so they need to be unplugged.

An attacker can utilize a device such as a printer to gain access to an entire network.

Repeating all of the above on each system

Be consistent: if you do these things with your desktop Ubuntu system, you will find it is actually pretty secure. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles, whatever. Your network's security is only as strong as the weakest link. Once an attacker gains a foothold in a network, whether it's in a DMZ or behind a firewall, compromising the rest of the network becomes MUCH easier.

If you have two computers running Ubuntu, then repeat this process on both computers. If you've got one computer partitioned, then secure all partitions.

Other bits

AppArmor. Additionally, we can strengthen this with things like AppArmor, which I do recommend learning. The learning curve is pretty steep, but take a few hours to educate yourself on it now; it is a great asset.

Here is a tutorial on AppArmor: http://ubuntuforums.org/showthread.php?t=1008906

* Someone who knows what they're doing can use information you post on various forums to exploit your system. Think about the information you're posting about your computer, your router. Unfortunately we can't tell you what to post and what not to post unless you have some basic knowledge.

Know What You Have, Have What You Know

Don't run services you don't need. Do you really need a VOIP phone system? If you do, make sure you understand it and can properly secure it.

Servers: If you don't need an SSH server or VNC server running on your personal computer, don't run one. If you don't know what those acronyms are, then you should DEFINITELY not use them until you do some significant research.

Until you understand how it works, my recommendation would be not to set those things up, and if they are set up by default, disable them. When you're ready to start learning new services like FTP, SSH, VNC, telnet, remote desktop, etc., consider playing with them in a virtual machine. Ubuntu has Oracle VM VirtualBox right in the Software Center. This can reduce your exposure to security problems you don't yet understand while you learn. Of course it's not fool-proof.

Should we include the following bits?

*I think some of the following is useful, but needs reworded, I just don't know how right now --DT *
*I think so too, maybe on a separate page with a link --Olle*
*I'd agree with the above and Ollie's point is valid. This is "how" to do something (which is very good) but a "what" article with several "how to's" hanging off it is a good place to be -- mrleek*
- The two most common cracks posted on these forums are ssh and vnc, both running with password authentication. Have you installed servers for ssh and vnc? Probably not, unless you run Ubuntu Server. Without them your computer is not vulnerable to such attacks. You can check in a terminal window with the following command:

  which ssh

and instead of Enter press Tab twice, and

  which vnc

and instead of Enter press Tab twice.
If you get only ssh and vncviewer, you have only the client programs. You can log in on remote computers with them. If you get a response with several alternatives, for example

  ssh ssh-agent ssh-askpass sshd ssh-keygen ssh-vulnkey ssh-add ssh-argv0 ssh-copy-id sshfs ssh-keyscan

and

  vnc4-common vnc-java vnc-server vnc-viewer vnstat vnc4server vncserver vncsnapshot vncviewer vnstati

you have the servers installed. But are they running? If you type the following command in the terminal (and press Enter)

  ps -au root | grep ssh # the command

and get the following response (mine is running behind a firewall)

  873 ? 00:00:00 sshd # the response

then the ssh server is running, and similarly for

  ps -au root | grep vnc
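
As an added example (not from the wiki page or the forum post above), the following POSIX shell script automates the check just described together with the UFW baseline from the Basic Network Security section: it parses `ss -ltn` output for the remote-access services the guide names (SSH, VNC, FTP, telnet, remote desktop) listening on a non-loopback address, checks `ufw status verbose` for an active deny-inbound default, and wraps the three ufw commands that set that baseline. The `ss` sample is constructed and the port-to-service table is my own assumption.

```shell
#!/bin/sh
# Added example, not the wiki's own: audit what this desktop exposes to the
# network. Reads `ss -ltn` output (or the constructed sample below) and
# `ufw status verbose` output; the port/service table is an assumption.

# Map a TCP port to one of the remote-access services the guide names.
# Returns 1 for any other port so callers can skip it.
service_for_port() {
    case "$1" in
        21)           echo ftp ;;
        22)           echo ssh ;;
        23)           echo telnet ;;
        3389)         echo rdp ;;      # remote desktop
        59[0-9][0-9]) echo vnc ;;      # VNC display :N listens on 5900+N
        *)            return 1 ;;
    esac
}

# Read `ss -ltn` lines on stdin; print "service port address" for every
# remote-access listener reachable from the network. Sockets bound only to
# loopback (127.x.x.x or [::1]) are skipped: they are not exposed.
exposed_listeners() {
    while read -r state rq sq laddr rest; do
        case "$state" in LISTEN) ;; *) continue ;; esac   # skips header too
        port=${laddr##*:}        # "0.0.0.0:22" -> 22,      "[::]:22" -> 22
        addr=${laddr%:*}         # "0.0.0.0:22" -> 0.0.0.0, "[::]:22" -> [::]
        case "$addr" in 127.*|'[::1]') continue ;; esac
        svc=$(service_for_port "$port") || continue
        printf '%s %s %s\n' "$svc" "$port" "$addr"
    done
}

# Read `ufw status verbose` on stdin; succeed only if the firewall is active
# and its default policy for incoming traffic is deny (or reject).
ufw_defaults_ok() {
    active=0
    deny_in=0
    while read -r line; do
        case "$line" in
            'Status: active')              active=1 ;;
            'Default: deny (incoming)'*)   deny_in=1 ;;
            'Default: reject (incoming)'*) deny_in=1 ;;
        esac
    done
    [ "$active" -eq 1 ] && [ "$deny_in" -eq 1 ]
}

# The baseline the guide describes: refuse unsolicited inbound connections,
# allow outbound, then switch the firewall on. For a real system only.
apply_ufw_baseline() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw enable
}

# Constructed sample, not captured from a real machine: sshd on every address,
# a VNC server on display :1, CUPS and PostgreSQL bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*'

# Run the listener audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}

# Audit the live system when run as `sh audit.sh --live`.
if [ "${1:-}" = "--live" ]; then
    ss -ltn | exposed_listeners
    sudo ufw status verbose | ufw_defaults_ok && echo "ufw: inbound denied" \
        || echo "ufw: NOT enforcing deny-inbound (see apply_ufw_baseline)"
fi
```

On the sample, the audit reports the two sshd sockets and the VNC display and stays silent about CUPS and PostgreSQL, which only listen on loopback.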


Additional Resources That We Think Are Cool

http://ubuntuforums.org/showthread.php?t=510812 – a guide to security on Ubuntu. As a new user, some of the information in this thread may be daunting with a steep learning curve. But if you're serious about securing your system, then this is an excellent resource.

Acknowledgements

This Wiki was birthed on the Ubuntu Forums by MrLeek and ms-daisy99. Contributions came from Dangertux, OpSecShellShock, haqking, Thewhistlingwind, dFlyer, vasa1, Olle Wiklund, CharlesA,

Edited out Material

Dropping all "unwanted material" here - just a first pass at this. Mrleek

They were also very interested in not leaving their machines vulnerable as they learned. Therefore, we don't claim to be experts.

* If you work from home and are employed by a company, and you occasionally work on company business on your home computer, you should consult with your company's IT department to comply with their security standards.

* Stealth ports. The reality of this is quite simple: there is no such thing as a "stealth port". "Stealth port" was a catch phrase coined by Steve Gibson of Gibson Research Corporation. Surely you've heard of Shields Up? Basically, it was a term he created to explain the difference between a firewall that "rejects" a packet with a response and a firewall that silently drops a packet and ignores it. The argument that "stealth" is better than "closed" is an old one; improved port-scanning technology essentially invalidates it at this point. Even in its original state, "stealth ports" provided security through obscurity. This type of security has its place, but should not be relied upon as comprehensive or indicative of a system's level of security. For more information consult the following resources:
https://www.grc.com/x/ne.dll?bh0bkyd2 - GRC's "Shields Up"

* Who really controls that website? The source (or the host) of this wiki page is "wiki.ubuntu.com". Do we trust that host? What if the host was "www.loadsofviruses.com" - do you still trust that page? In fact, hyperlinks can lie - and I'll prove it! I've provided the website link to wiki.ubuntu.com - but if you click on it, it will take you to wiki.ubuntu.com/AboutUbuntu! Hover your mouse pointer over that first link and look in the corner of your browser. THAT'S the destination of the hyperlink!

* Remember that anything posted on a public forum - even Facebook! - can potentially be read by anyone. Both good guys and bad guys use the internet, and a thief would love to know that you're not home as you're away on vacation.

www.navigators.com - MrLeek, do you want to put a blurb here?

Common sense with proper web browsing plays a big role in securing a desktop. Force https, don't access sensitive information from public wifi. There are tons of simple surfing security guides out there, here are a few:

A lot of the following security recommendations are good ideas for any operating system.

Social Engineering

Social engineering is a problem. Your network could be as secure as the NSA, but if you tell an attacker vital information about your network and system configuration, then you've defeated your security. Things to avoid and NOT to divulge about your Ubuntu system:

* Don't post the public IP addresses of your devices or computers. Internal NAT addresses are OK, as most people use the same ones and most people know that; the likelihood is that most people reading this have a private NAT address of 192.168.0.x or similar. However, do not post public WAN addresses, or server/router addresses. If you can't tell the difference then a) you need to learn the difference (visit here: http://www.bleepingcomputer.com/tutorials/ip-addresses-explained/) and b) don't post ANY IP addresses until you do!

* We have only covered social engineering as it specifically relates to Ubuntu. However, we encourage you to learn more about general social engineering here: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Start learning about how to create a good password here: https://www.grc.com/passwords.htm

This site can give you an idea on how good your password is: https://www.grc.com/haystack.htm

When you are more confident with Ubuntu, we recommend this link for more about passwords: https://help.ubuntu.com/community/StrongPasswords

Proper Permissions (DAC)

Least privileges, always: always make sure you are using the least amount of privileges/permissions needed for the task at hand. Use only what you need, nothing more. This involves learning about DAC (discretionary access control) and how to use file permissions and non-privileged users (which Ubuntu makes very easy). Learn more here: https://help.ubuntu.com/community/FilePermissions

CAN SOMEONE PROVIDE A LINK FOR DAC?

Use security questions that aren't something like "what color is your house?" when the answer is visible in your profile picture.

You can encrypt the home folder. Details can be found here: https://help.ubuntu.com/community/EncryptedHome

You can choose to encrypt the disk when installing Ubuntu. More information is here: https://help.ubuntu.com/community/EncryptedFilesystemHowto

Some basic password facts:

- The average password is between 6 and 8 characters long
- Almost everyone uses just UPPER or lower-case letters in their password
- One in three passwords only uses words found in a dictionary
- "123456", "password", "qwerty", "123123", "letmein", "abc123" - just some of the most popular passwords in use today!
- Almost everyone reuses their passwords across different forums, email accounts... even bank accounts!

All of these examples are bad examples - if you need to provide a password, it needs to be a good one. A good password is at least 16 characters long, containing upper and lower case, numeric and special characters and white space. A bad password is based on a dictionary word, or on something like the fact that your eyes are blue or your birth date. Every password used should be unique - no exceptions. Make sure you're not reusing your passwords across emails and different social networking sites. If you can use an RSA key for it (e.g. SSH), better still.

Updated Services

It's just so easy. Keep your software and operating system up to date. At the very least, install the security updates. Should you automate updates?

Keep your updates, well... updated. This is important: unless you're writing security patches yourself (which you're probably not), this should be way high on your to-do list.

Application Level Firewall Creation and Mandatory Access Controls

Explain the difference between this and the previous header.

Add-Ons. Ubuntu comes preloaded with Firefox, so we will focus our discussion there. We recommend you use browser add-ons like NoScript and ad blocking. It can't be emphasized enough. Browser exploits get a lot of people, usually people who think they're perfectly fine because they run Linux/Mac OS X/something else other than Windows. This is where 90% of home users who aren't running a server of some kind get in trouble.

Learn about Firefox and add-ons here: https://help.ubuntu.com/community/Firefox

Wireless Security

*This is good stuff - but I think it may be outside the scope of this discussion what do you guys think? Is this Ubuntu Desktop security or Home Network Security with Ubuntu machines running on the network? --DT*
So many people use WLAN, so I think it is important to include it --Olle
Turn it off when you're not surfing. If you use wireless access, make sure you're using STRONG encryption, not WEP but WPA/WPA2 with a GOOD passphrase; use all 63 characters, you only have to type it once anyway.

Basic wireless security dictates at the minimum you:

* Use a strong admin password
* Use a strong user password (if your router supports it)
* Disable UPNP
* Disable WPM (if you don't need it)
* Locate the router so the signal isn't ridiculously strong outside of your house.
* Enable Logging in to the router only over HTTPS (if it supports this)
* Disable remote administration (administration from the outside world , defaulted to port 8080 usually)
* Disable the telnet server if it has one
* Disable the TFTP server if it has one.
* You can toss in MAC address filtering, but it's really a waste of time.

Encryption

Olle suggests adding:
{You can also choose to encrypt a single directory or file, where you keep secret information.

Obviously encryption is most important on mobile devices (laptops, netbooks, USB sticks ...). But if your system is damaged, it might be hard or impossible to recover the data unless you have a recent backup. If you forget your password, not even the backup will help you.}

Strong Service Configurations

* (recheck credentials as you add users for these services, as well as DAC)

Firewall creation and maintenance

Network security

There is a lot to say on this topic. We'll boil it down to some highlights to consider, we encourage you to do more research.

Router security: uPNP can be exploited through a router. Turn it off by changing your router settings. *note on UPNP : this needs reworded UPNP isn't necessarily exploited, as the way it works allows an attacker to automatically port forward if a machine inside the network is compromised*

Strengthening configurations and credentials on network devices
