BasicSecurity

Revision 46 as of 2011-11-06 17:31:11

Clear message

DRAFT - UNDER CONSTRUCTION

Basic Ubuntu Security Guide, Desktop Edition

Who did we write this for?

Security is a very broad, potentially daunting subject to a new Ubuntu user. It's crazy to think that anyone can boil security down to a list of 7 things. So we didn't even try. Instead, our goal is to present a listing of the most basic security concepts that can be fairly easily implemented while you learn. This guide was inspired and written by several new users of Ubuntu who were very interested in learning how to hack around their brand new Ubuntu operating systems. We were lucky enough to have some security professionals collaborate with us. But we still don't claim that we will reduce your risk to zero. We are presenting a pragmatic approach to security.

This guide is intended for the typical, average home user that is in the process of learning how to use Ubuntu. So if you just surf the net, play games (online & offline), do on-line banking, education...then you are the intended audience. However if you are running a network server (especially one that is accessed via the Internet) or if you use Ubuntu in your corporate environment (or simply work from home) then the advice you need is more specialised and beyond the scope of this guide.

This guide is also not intended to replace any existing security information already in existence in the Ubuntu Wikis or stickys in the Ubuntu Forums. There are some great resources there, in fact one of the best guides is linked here. But a lot of that material will seem complex to the ordinary Ubuntu user - so another aim of this guide is to take this material and simplify it, making it possible to bridge the gap.

Fallacies

There are common misconceptions in this forum as well as in the world in general:

* Linux is secure out of the box. Kind of. In very general, broad terms, Windows is more targeted than Linux or Mac when it comes to malicious attacks aimed at mass victims. But a determined hacker can just as easily crack a Linux machine as any other. There are known viruses in Linux: https://help.ubuntu.com/community/Linuxvirus and a discussion of vulnerabilities in Ubuntu is here: https://help.ubuntu.com/community/Antivirus

* Enough already. Just tell me which Security Program to install in the Software Center. The typical Windows user mindset is that you just install a security program or two, let it run quietly in the background, and you'll be fine. That's actually not true for Windows and it's not true for Ubuntu either. Security is an active process on all operating systems. There are anti-malware software packages available for Linux. However, they lack some of the more robust features of their Windows counterparts.

The Nuts and Bolts of Basic Security

Because Ubuntu doesn't have a pre-packaged Security Suite, we compiled this list. However, most of these points would be a good idea for any operating system.

Common Sense

* Use common sense A very smart friend of mine once said these words: "Did you go on the Internet to download something? No...Then why are you downloading something?" This applies to all facets of security. Set out with a purpose, if you find yourself veering away from that purpose, ask yourself why and if it's something you should be doing.

* Backups Reinstalling an OS again after it corrupts is annoying. But losing valuable personal pictures, letters, emails...they are priceless! If you are prepared to wipe and reinstall with very little notice, then you are far more secure. Moreover, there are many threads in the Ubuntu Forums that describe problems that would have been avoided with good backup. It is also important to make special backup before certain risky operations like upgrading to a new version, operations on partitions and partition tables, using dd etc.

Credentials and Permissions

* It all starts with a good password - and there's enough material on the subject to keep even the most busy of readers occupied for a few hours (see the links below). Strong unique passwords for each account is best - consider using a password safe (but remember that that password MUST be a good one!)

* Know what sudo is doing - if you're following a set of instructions and you're about to type in sudo, ask yourself "Do I REALLY know what this command is about to do?". If you can't explain it to your granny, then you don't know what's going to happen. Related to that - if you get asked for your password, make sure you know what you've just done to trigger that response. The system is trying to protect you.

* Don't log in as root An excellent way to find yourself in deep trouble is to modify permissions as root. Logging in as root means you will be browsing the internet as root, drive by downloads (downloads that you did not authorise or that you authorised but did not realise the consequence behind), malicious scripts can all now execute with root permission.

* encrypt your home folder - you can set this up on first install. Alternatively you can follow the link below to add encryption to your home folder after installation. You could even just encrypt a particular file, a sub-directory, a usb stick...the choice is endless. WARNING: if you lose the password then your chances of recovering the data drop to almost nil.

* Least privileges, always : Always make sure you are utilizing the least amount of privileges/permissions to do the task necessary. Use only what you need nothing more. This involves learning about DAC and how to use file permissions and non-privileged users (which Ubuntu makes very easy) Also consider enabling guest accounts if you think they are necessary.

automatic creator of strong passwords to help understand how complex passwords can be
test your password here
more tips on creating good passwords - including why using an automatic password creator is bad
explaination of sudo
How to encrypt your home folder
Another guide on home folder encryption
Encrypting your hard drive
Everything you need to know about file permissions

Application security (Updates,MAC/Addons etc)

* Security Updates Ubuntu allows you to have security updates installed automatically - once configured you don't need to run security updates again.

* No Script for Firefox One of the best things you can do to secure your browser, especially as it's one of the most vulnerable parts of your system as a home user. It prevents scripts (i.e. programs) from running on your system unless you allow them. Allow scripts from sites that you trust for a safer browsing experience. But don't "allow all scripts globally" under any circumstances! click here to install

setting up automatic security updates

Basic Network Security (firewall and network appliances)

There is a lot of existing information about firewalls. There is also a long-term raging debate on the need of a firewall on Ubuntu. We recommend you enable it. Use your firewall PROPERLY. Don't set it and forget it, learn how it works, set decent rules. It takes 5 minutes to configure UFW/GUFW to tell iptables to enforce pretty decent inbound and outbound rules. Maybe 10 minutes if it's the first time you've done it.

Here are some links:

Whilst not strictly "Ubuntu-only", securing your Ubuntu system whilst ignoring your network and router is a recipe for disaster. Here's some things to check for:

* If you are using wireless access, make sure you're using STRONG encryption, not WEP but WPA/WPA2 with a GOOD password. Use all 63 characters, you only have to type it once anyway. Short easy-to-remember passwords here make you an easy target.
* Use a strong Admin Password and User Password (if your router supports it) to log into the router
* Disable UPNP and WPM (if you don't need it)
* Locate the router so the signal isn't ridiculously strong outside of your house. Some routers do allow you to reduce the signal strength and that be work experimenting with.
* Enable logging in to the router only over HTTPS (if it supports this) and disable access via wireless and disable remote administration if you can.
* Disable remote administration (administration from the outside world , defaulted to port 8080 usually)
* Disable the telnet server and the TFTP server if your router has it.
* You can toss in MAC address filtering, but it's really a waste of time.

Adding new systems to your network

When you connect printers, phones, consoles, routers to your network. Do you have a networked printer? If yes, do you need one? If the printer doesn't need to be on the network, then don't put it there. From an introductory security perspective, this is the first thing to consider about almost any device (printer, scanner, router). Don't broadcast your wifi signal when you're not using it. Gives the bad guys less time to crack it. Make sure they're powered off completely when you don't need them. Some devices don't seem to want to do that, so they need to be unplugged.

An attacker can utilize a device such as a printer to gain access to an entire network.

Repeating all of the above on each system

Be consistent, if you do these things with your desktop Ubuntu system you will find it is actually pretty secure. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles whatever. Your network's security is only as strong as the weakest link. Once an attacker gains a foothold in a network, whether it's in a DMZ or behind a firewall compromising the rest of the network becomes MUCH easier.

If you have two computers running Ubuntu, then repeat this process on both computers. If you've got one computer partitioned, then secure all partitions.

Other bits

Apparmor Additionally we can strengthen this with things like Apparmor, which I do recommend learning. The learning curve is pretty steep but take a few hours to educate yourself on it now, it is a great asset.

Here is a tutorial on Apparmor http://ubuntuforums.org/showthread.php?t=1008906

* Someone who knows what they're doing can use information you post on various forums to exploit your system. Think about the information you're posting about your computer, your router. Unfortunately we can't tell you what to post and what not to post unless you have some basic knowledge.

Know What You Have, Have What You Know

Don't run services you don't need. Do you really need a VOIP phone system? If you do, make sure you understand it and can properly secure it.

Servers: If you don't need an SSH server or VNC server running on your personal computer don't do it. If you don't know what those acronyms are, then you should DEFINITELY not use them until you do some significant research.

Until you do understand how it works, my recommendation would be to not set those things up, and if they are set up by default, disable them. When you're ready to start learning new services like FTP, SSH, VNC, telnet, remote desktop, etc., then consider playing with them in a virtual machine. Ubuntu has Oracle VM Virtual Box right in the Software Center. This can reduce your exposure to security problems you don't know while you learn. Of course it's not fool-proof.

Should we include the following bits?

*I think some of the following is useful, but needs reworded, I just don't know how right now --DT *
*I think so too, maybe on a separate page with a link --Olle*
*I'd agree with the above and Ollie's point is valid. This is "how" to do something (which is very good) but a "what" article with several "how to's" hanging off it is a good place to be -- mrleek*
-two most common cracks posted on these forums are ssh and vnc, both running with password authentication. Have you installed servers for ssh and vnc? Probably not unless you run Ubuntu Server. Without them your computer is not vulnerable to such attacks. You can check in a terminal window with the following command Code:
which ssh
and instead of Enter press Tab twice and Code:
which vnc
and instead of Enter press Tab twice.
If you get only ssh and vncviewer you have only the client programs. You can login on remote computers with them. If you get a response with several alternatives, for example Code:
ssh ssh-agent ssh-askpass sshd ssh-keygen ssh-vulnkey ssh-add ssh-argv0 ssh-copy-id sshfs ssh-keyscan
and Code:
vnc4-common vnc-java vnc-server vnc-viewer vnstat vnc4server vncserver vncsnapshot vncviewer vnstati
you have the servers installed. But are they running? If you type the following command in the terminal (and press Enter) Code:
ps -au root | grep ssh # the command
and get the following response (mine is running behind a firewall) Code:
873 ? 00:00:00 sshd # the response
then the ssh server is running and similarly for Code:
ps -au root | grep vnc

Network printer

Use network printing only if you need it! It is safer with a printer attached directly to your computer.

The following shows how you can make your network printer less vulnerable to intruders. It is an example using a web browser (e.g. Firefox) to log in to your router and printer.

Start by browsing the manual for your printer.

Unless you already know it, find your printer's address. Log in to your router, usually at http://192.168.0.1 or http://192.168.1.1

Look for 'Attached Devices' or something meaning the same. You may find the printer at http://192.168.0.3 (or a similar address),

or run an fping command like
fping -ag 192.168.0.1 192.168.0.20 2>/dev/null |fping -ad
to find the printer (or at least what might be the printer).

Then log in to your printer, in this example at http://192.168.0.3

1. Change the default password(s) to something much better.

2. Browse the menus to find what protocols are enabled. Disable at least FTP, TFTP and Telnet, unless you are sure that you need them! Try to understand the other protocols too, and run only those necessary!

3. Save the changes and shut off the printer. Restart it and make sure that your printer settings really changed, that the settings are safer now (and that you can still use your printer from all computers).

4. If you cannot set the password(s) or disable FTP, TFTP and Telnet, please consider attaching the printer to your main computer, if you care about network security!


Additional Resources That We Think Are Cool

http://ubuntuforums.org/showthread.php?t=510812 – a guide to security on Ubuntu. As a new user, some of the information in this thread may be daunting with a steep learning curve. But if you're serious about securing your system, then this is an excellent resource.

Acknowledgements

This Wiki was birthed on the Ubuntu Forums by MrLeek and ms-daisy99. Contributions came from Dangertux, OpSecShellShock, haqking, Thewhistlingwind, dFlyer, vasa1, Olle Wiklund, CharlesA