BasicSecurity

Revision 73 as of 2011-11-08 22:09:01


Basic Ubuntu Security Guide, Desktop Edition

Who Did We Write This For?

Security is a very broad, potentially daunting subject to a new Ubuntu user. It's crazy to think that anyone can boil security down to a list of 7 things. So we didn't even try. Instead, our goal is to present a listing of the most basic security concepts that can be fairly easily implemented while you learn. This guide was inspired and written by several new users of Ubuntu who were very interested in learning how to hack around their brand new Ubuntu operating systems. We were lucky enough to have some security professionals collaborate with us. But we still don't claim that we will reduce your risk to zero. We are presenting a pragmatic approach to security.

This guide is intended for the typical, average home user that is in the process of learning how to use Ubuntu. So if you just surf the net, play games (on-line & off-line), do on-line banking, education...then you are the intended audience. However if you are running a network server (especially one that is accessed via the Internet) or if you use Ubuntu in your corporate environment (or simply work from home) then the advice you need is more specialized and beyond the scope of this guide. If you don't know whether you are running a server or not, then read this.

Linux Vulnerabilities

In very general, broad terms, Windows is more targeted than Linux or Mac when it comes to malicious attacks aimed at mass victims. But a determined hacker can just as easily crack a Linux machine as any other. There are known viruses and vulnerabilities that you need to defend against.

Backups

Reinstalling an OS after it corrupts is annoying. But losing valuable personal pictures, letters, emails...those are priceless! If you are prepared to wipe and reinstall with very little notice, then you are far more secure. Moreover, there are many threads in the Ubuntu Forums that describe problems that would have been avoided if the user had made good backups. It is also important to make a special backup before certain risky operations like upgrading to a new version, operations on partitions and partition tables, using dd, etc.

It All Starts With a Good Password

Strong, unique passwords for each account are best; consider using a password safe (but remember that its master password MUST be a good one!). There's enough material on the subject of passwords to keep even the busiest reader occupied for a few hours. You can use an automatic creator of strong passwords to help understand how complex passwords can be. You can test your password here. And here are more tips on creating good passwords, including why using an on-line automatic password creator is bad. Beware of online sites that offer to test password strength: such a site now has your IP address, possibly your password or the method you use to construct passwords, and perhaps a malicious script running on the page. How many of you have entered your password online to test its strength and thought nothing of it? You were giving someone you don't know your password, so be careful whom you trust with your information.

Know What Sudo is Doing

If you're following a set of instructions and you're about to type in sudo, ask yourself "Do I REALLY know what this command is about to do?" If you can't explain it to your granny, then you don't know what's going to happen. Related to that: if you get asked for your password, make sure you know what you've just done to trigger that prompt. The system is trying to protect you. Here is an explanation of sudo.

Don't Log in as Root

An excellent way to find yourself in deep trouble is to modify permissions as root. Logging in as root means you will be browsing the internet as root, so drive-by downloads (downloads that you did not authorize, or that you authorized without realizing the consequences) and malicious scripts can all execute with root permission.

Encrypt Your Home Folder

You can encrypt your home folder or the entire hard drive on first install. Alternatively you can click here and here to learn how to add encryption to your home folder after installation. You could even just encrypt a particular file, a sub-directory, a usb stick...the choice is endless. WARNING: if you lose the password then your chances of recovering the data drop to almost nil.

Least Privileges, Always

Always make sure you are using the least amount of privileges/permissions needed to do the task at hand. Use only what you need, nothing more. This involves learning how to use file permissions and non-privileged users (which Ubuntu makes very easy). Also consider enabling guest accounts if you think they are necessary. Here is a link to everything you need to know about file permissions.

AppArmor

AppArmor can further strengthen your security. To quote the Novell site, "AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities." The learning curve is pretty steep, but it is worthwhile to take a few hours to educate yourself on it now; it is a great asset. Here is a tutorial on AppArmor.

Security Updates

Security updates are released by Ubuntu developers when they discover and patch vulnerabilities. If you don't install the updates then you retain the vulnerability. Ubuntu can install security updates for you automatically; once configured, you don't need to run security updates manually again. Search for the Update Manager on your desktop and click on the "settings" tab to configure how you want Ubuntu to manage updates.

is this link even relevant anymore? Seems super old- ms.daisy

Know What You Have, Have What You Know

Don't run services you don't need. Do you really need a VOIP phone system? What about SSH, VNC, Apache? If you need a service, make sure you understand it and can properly secure it.

Make Your Browser More Secure

One of the best things you can do is secure your browser, especially as it's one of the most vulnerable parts of your system as a home user. NoScript in Firefox prevents scripts (i.e. programs) from running on your system unless you allow them. Allow scripts only from sites that you trust for a safer browsing experience. But don't "allow all scripts globally" under any circumstances!

Firewall

There is a lot of existing information about firewalls, along with a long-running debate on the need for a firewall on Ubuntu. We recommend you enable it, and here is why. Use your firewall PROPERLY. Don't set it and forget it: learn how it works and set decent rules.

Here is a tutorial showing how to enable a firewall in Ubuntu. However, adding port numbers can feel confusing. If it helps, think of it this way: you're currently reading this guide because you accessed a webpage hosted by wiki.ubuntu.com. To make the connection (and therefore to see the content) your browser had to connect to that website on port 80. Another example is when you pick up your email: your computer makes a connection to your mail server on port 110. The other port numbers that you add provide similar functions.

Home Network

We encourage you to learn more about securing your home network if you choose to set one up. Learn some of the fundamentals about securing your router. If you use wireless access, make sure you're using STRONG encryption: not WEP, but WPA/WPA2 with a GOOD passphrase. Use all 63 characters; you only have to type it once anyway.

And learn about making a networked printer more secure.

CERT Guide to Home Network Security

Repeating All of the Above on Each System

Be consistent: if you do these things with your desktop Ubuntu system you will find it is actually pretty secure. If you have two computers running Ubuntu, then repeat this process on both computers. If you've got one computer partitioned, then secure all partitions. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles, whatever. Your network's security is only as strong as its weakest link.

Don't Stop Learning

Security is an ongoing process, no matter what operating system you use. This is a basic guide to help you get started on Ubuntu. But don't stop there. There is already a lot of security information in the Ubuntu Wikis and in stickies in the Ubuntu Forums. There are some great resources there; in fact one of the best guides is linked here. But a lot of that material will seem complex to the new Ubuntu user, so the goal of this guide was to take that material and simplify it, making it possible to bridge the gap.

Acknowledgements

This Wiki was birthed on the Ubuntu Forums by MrLeek and Ms. Daisy. Contributions came from Dangertux, OpSecShellShock, haqking, Thewhistlingwind, dFlyer, vasa1, Olle Wiklund, CharlesA

I propose we delete everything below this point. Thoughts? #Ms. Daisy

* Someone who knows what they're doing can use information you post on various forums to exploit your system. Think about the information you're posting about your computer, your router. Unfortunately we can't tell you what to post and what not to post unless you have some basic knowledge.

Included now (with small edits) in Olle's thread {Servers: If you don't need an SSH server or VNC server running on your personal computer don't do it. If you don't know what those acronyms are, then you should DEFINITELY not use them until you do some significant research.

Until you do understand how it works, my recommendation would be to not set those things up, and if they are set up by default, disable them. When you're ready to start learning new services like FTP, SSH, VNC, telnet, remote desktop, etc., then consider playing with them in a virtual machine. Ubuntu has Oracle VM VirtualBox right in the Software Center. This can reduce your exposure to security problems you don't yet know about while you learn. Of course it's not fool-proof.}

Did I Just Get Owned?

** Note : I'm sticking this here for now. If you want to change move or otherwise rearrange the entire order feel free to --DT **

This section will cover the basics of log auditing, as well as keeping an eye on different aspects of your system in order to make sure you haven't gotten "owned".

Logging is an incredibly powerful feature. It can give you intelligence on how an attack was carried out and on the extent of the compromise. As such, if your system is cracked, the first thing a cracker will do after gaining root on the system is sanitize your log files. One of the quickest ways to determine whether your system was compromised is to check whether your key log files have been tampered with. It's often glaringly obvious that a log file has been tampered with. Important signs to look for in your log files when checking for tampering are the following.

* Incorrect time stamps : Attackers often copy a legitimate-looking log file over the existing one; the result is a log whose entries do not match the time period they are supposed to cover.

* Completely sanitized : If the log file is completely gone, it is time to start suspecting something is up. Log files don't just disappear.

* Partially sanitized : If large chunks of time (more than 5 minutes) are unaccounted for in a log file while the machine was running, it is a safe bet something has happened that someone didn't wish to be seen.

If you see any of the above signs it's time to do some further digging, and safe to assume the machine may be compromised.
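The "partially sanitized" and "incorrect time stamps" signs above can be checked mechanically. The following Python script is an added illustration, not part of this wiki page: it walks syslog-style lines in order, reports any silent stretch longer than 5 minutes, and reports any place where the clock runs backwards (what you get when an older log is pasted over a newer one). The host name, the entries and the year (syslog timestamps carry none) are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog: a quiet 41-minute hole between 14:02 and 14:43, and a last line
# whose clock runs backwards, as happens when an old log is copied over the current one.
SAMPLE_SYSLOG = """\
Nov  7 14:00:01 example-host CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Nov  7 14:01:30 example-host kernel: [ 1200.100000] usb 1-1: new high-speed USB device number 4
Nov  7 14:02:11 example-host NetworkManager[902]: <info> DHCP4 lease renewed
Nov  7 14:43:50 example-host anacron[1404]: Job `cron.daily' started
Nov  7 14:44:02 example-host kernel: [ 3752.300000] eth0: link up
Nov  7 13:59:58 example-host sshd[1500]: Server listening on 0.0.0.0 port 22.
"""

# syslog timestamps have no year; one is assumed so the lines become real datetimes (hypothetical).
ASSUMED_YEAR = 2011
MAX_GAP = timedelta(minutes=5)   # the page's rule of thumb: unexplained holes over 5 minutes are suspicious

TS_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")

def parse_timestamp(line, year=ASSUMED_YEAR):
    """Return the datetime at the start of a syslog line, or None if the line has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime.strptime(f"{year} {mon} {int(day):02d} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S")

def find_timeline_anomalies(text, max_gap=MAX_GAP, year=ASSUMED_YEAR):
    """Walk the log in file order and return two lists:
    gaps      -> (previous_ts, next_ts, delta) for every silent stretch longer than max_gap
    backwards -> (previous_ts, next_ts) wherever the clock runs backwards."""
    gaps, backwards = [], []
    prev = None
    for line in text.splitlines():
        ts = parse_timestamp(line, year)
        if ts is None:
            continue                      # wrapped or continuation lines carry no timestamp
        if prev is not None:
            delta = ts - prev
            if delta < timedelta(0):
                backwards.append((prev, ts))
            elif delta > max_gap:
                gaps.append((prev, ts, delta))
        prev = ts
    return gaps, backwards

if __name__ == "__main__":
    gaps, backwards = find_timeline_anomalies(SAMPLE_SYSLOG)
    for a, b, d in gaps:
        print(f"gap of {d} between {a:%b %d %H:%M:%S} and {b:%b %d %H:%M:%S}")
    for a, b in backwards:
        print(f"clock went backwards: {a:%H:%M:%S} -> {b:%H:%M:%S}")
```

A reported gap only matters if the machine was actually running during it; suspend, shutdown and a busy-but-quiet system all produce honest holes, so compare the gaps against what you know the machine was doing before assuming the worst.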

Now let's take a look at some of your key logs and auditing methods for determining a system compromise.

Log File Viewer

Ubuntu provides a convenient graphical log viewer for newer users. It can be found in Administration > Log File Viewer (On 10.04.3 LTS) otherwise all the log files mentioned can be found in /var/log and viewed using commands such as cat, more, less, head, and tail.

http://dangertux.no-ip.org/downloads/logviewer.png

syslog

Syslog can be invaluable when trying to detect a compromised service or a possibly rooted system. It logs all events at the system level, including kernel behavior and activity. Often, when a service is compromised, the attack causes the service to crash. This crash may or may not yield remote code execution. However, if you notice your system is behaving weirdly and you are running several services on your machine, particularly services that are frequent targets of buffer overflow type attacks (applications that accept user input, either in the form of files or data), this file can be helpful in determining whether a "crash" or segmentation fault has occurred. It's important to note that a segfault in and of itself does not mean your system was compromised; sometimes an application will segfault all on its own with no help. However, if you notice other unexplained phenomena, it might be a good place to start.

Here is an example segfault from the mysql service:

[Mon Aug 29 14:51:14 2011] [notice] child pid 22622 exit signal Segmentation fault (11)

You can also notice naughty activity in syslog when a rootkit is hooking kernel space memory. Here is an example of the phalanx rootkit hooking the Linux kernel and the last syslog entries associated with it:

Nov 7 21:27:40 dangertux-laptop kernel: [ 7549.229981] phalanx[27964]: segfault at 763405 ip 080490ee sp bfe940b0 error 4 in phalanx[8048000+5000]
Nov 7 21:28:09 dangertux-laptop kernel: [ 7577.979252] Program phalanx tried to access /dev/mem between 0->1f400000.
Nov 7 21:28:09 dangertux-laptop kernel: [ 7577.979292] phalanx[29055]: segfault at 763405 ip 080490ee sp bff465e0 error 4 in phalanx[8048000+5000]

Syslog is also one of the most commonly tampered log files, so if you see any missing time or any anomalies, it is a good idea to start looking into the possibility that a system compromise has occurred.

auth.log

This file contains logs on all user authentication. It can be greatly helpful in determining whether someone has gained unauthorized access to your system, either locally or remotely. It will become crucial in determining whether a brute force attack has been successful against a remote administration service such as SSH. Due to the incriminating nature of this log file, it will be one of the first logs sanitized by a potential attacker. As such, if this log appears to have been tampered with, it is almost a dead giveaway that your system has been compromised.

An example log snippet from a brute force against SSH might look like this:

Nov 7 19:39:36 dangertux-laptop sshd[1972]: Failed password for dangertux from 192.168.0.4 port 34163 ssh2
Nov 7 19:39:42 dangertux-laptop sshd[1974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4
(these same entries about 5 million more times followed by this entry)
Nov 7 19:40:22 dangertux-laptop sshd[1985]: Failed password for dangertux from 192.168.0.4 port 44615 ssh2
Nov 7 19:40:28 dangertux-laptop sshd[1987]: Accepted password for dangertux from 192.168.0.4 port 59713 ssh2

Random guessing of usernames is also an indication of a brute force attempt, particularly if service and common usernames are being tried. The following are commonly brute-forced usernames; if you see these names trying to authenticate against your system, it is a good indicator that someone may be trying to brute force one of your services (usually SSH).

admin administrator nagios squid www-admin root guest web_admin www-developer
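The two auth.log patterns described above (a long run of failures from one address followed by an "Accepted", and guesses against service accounts) can be spotted automatically. The Python script below is an added example, not part of this wiki page; it counts sshd failures per source address, flags an address once it crosses a threshold, and raises a separate alert when that address later logs in successfully. The log lines, host name, user names and threshold of 5 are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Account names the page lists as commonly brute-forced.
COMMON_BRUTEFORCE_USERS = {"admin", "administrator", "nagios", "squid", "www-admin",
                           "root", "guest", "web_admin", "www-developer"}

# Matches the sshd lines that name a user and a source address; the pam_unix lines are skipped.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed sample: 192.168.0.4 guesses two service accounts, then hammers 'alice' until it
# gets in; 192.168.0.10 is a normal user who mistyped once.
SAMPLE_AUTH_LOG = """\
Nov  7 19:39:36 example-host sshd[1972]: Failed password for invalid user admin from 192.168.0.4 port 34163 ssh2
Nov  7 19:39:37 example-host sshd[1972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4
Nov  7 19:39:41 example-host sshd[1974]: Failed password for invalid user nagios from 192.168.0.4 port 34170 ssh2
Nov  7 19:39:45 example-host sshd[1976]: Failed password for alice from 192.168.0.4 port 34181 ssh2
Nov  7 19:39:49 example-host sshd[1978]: Failed password for alice from 192.168.0.4 port 34190 ssh2
Nov  7 19:39:53 example-host sshd[1980]: Failed password for alice from 192.168.0.4 port 34202 ssh2
Nov  7 19:39:57 example-host sshd[1982]: Failed password for alice from 192.168.0.4 port 34215 ssh2
Nov  7 19:40:28 example-host sshd[1987]: Accepted password for alice from 192.168.0.4 port 59713 ssh2
Nov  7 20:10:02 example-host sshd[2101]: Failed password for alice from 192.168.0.10 port 50122 ssh2
Nov  7 20:10:09 example-host sshd[2103]: Accepted password for alice from 192.168.0.10 port 50123 ssh2
"""

def analyse_auth_log(text, threshold=5):
    """Return (failures_per_ip, users_tried_per_ip, alerts).
    threshold: failures from one address after which it is treated as a brute-force source."""
    failures = Counter()
    users_tried = defaultdict(set)
    alerts = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
            if user in COMMON_BRUTEFORCE_USERS:
                alerts.append(f"{ip}: guess against commonly brute-forced account '{user}'")
            if failures[ip] == threshold:
                alerts.append(f"{ip}: {threshold} failed logins, probable brute force "
                              f"(accounts tried: {', '.join(sorted(users_tried[ip]))})")
        elif failures[ip] >= threshold:
            # The pattern from the page: a long run of failures from one address, then 'Accepted'.
            alerts.append(f"{ip}: ACCEPTED login for '{user}' after {failures[ip]} failures; "
                          f"treat the account and this host as compromised until proven otherwise")
    return failures, users_tried, alerts

if __name__ == "__main__":
    _, _, alerts = analyse_auth_log(SAMPLE_AUTH_LOG)
    print("\n".join(alerts))
```

On a real machine, run it over the rotated files too (auth.log.1 and the auth.log.*.gz archives), because a brute force that started days ago will have scrolled out of the current file.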

ufw.log

This is your Uncomplicated Firewall log. Blocked traffic will show up here. If you have configured strong firewall rules, you may notice UFW blocking traffic to an unauthorized port. Different malicious applications often use random, arbitrary ports; they pick oddball ports to try to obscure their existence as they make a remote connection back to their owner. If your firewall's outbound rules are configured properly and the creator of the malicious application wasn't very diligent, you should be able to notice the traffic being blocked. Here is an example of UFW blocked traffic:

Nov 5 14:46:18 dangertux kernel: [ 2080.258253] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.4 DST=224.0.0.251 LEN=67 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=47

Here we see blocked outbound traffic. It is UDP originating at port 5353 and bound for port 5353. It is multicast traffic, as it is bound for 224.0.0.251, which is a multicast address. Paying attention to the destination and source ports here is important, as there are quite a few ports which are frequented by malicious applications. Here are a few examples of the more common ones.

1337 4141 4444 6666 7777 9999 13337 31337 44444

There are others but if you start seeing odd traffic on any unregistered port, there is a chance that it is malicious if you did not authorize it.

If you are not using UFW but instead iptables, the same kind of entry can be seen in either syslog or kern.log.
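Both UFW and a plain iptables LOG rule write the same netfilter record (the IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= fields); only the bracketed prefix differs. The Python script below is an added example, not part of this wiki page: it parses those records, works out the direction from which of IN/OUT is filled in, marks multicast destinations, and flags any source or destination port on the page's list above. The first sample line is the page's own mDNS entry; the other two lines and the host name are constructed.

```python
import re
from ipaddress import ip_address

# Ports the page lists as favourites of malicious software.
SUSPICIOUS_PORTS = {1337, 4141, 4444, 6666, 7777, 9999, 13337, 31337, 44444}

# A netfilter LOG record: optional "[PREFIX]" (UFW writes "[UFW BLOCK]"; an iptables LOG rule
# writes whatever --log-prefix you gave it) followed by the IN=... OUT=... key=value fields.
NF_RE = re.compile(r"(?:\[(?P<tag>[A-Za-z][A-Za-z _-]*)\]\s*)?(?P<fields>IN=\S*\s+OUT=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: the page's mDNS line, a blocked outbound TCP connection to port 31337,
# and an inbound connection attempt to port 22 that the firewall dropped.
SAMPLE_FIREWALL_LOG = """\
Nov  5 14:46:18 example-host kernel: [ 2080.258253] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.4 DST=224.0.0.251 LEN=67 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=47
Nov  5 14:47:02 example-host kernel: [ 2124.101100] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.0.4 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51234 DF PROTO=TCP SPT=41022 DPT=31337 WINDOW=14600 RES=0x00 SYN URGP=0
Nov  5 14:48:40 example-host kernel: [ 2222.003300] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=55100 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

def parse_firewall_line(line):
    """Return a dict describing one logged packet, or None if the line is not a netfilter LOG record."""
    m = NF_RE.search(line)
    if not m:
        return None
    kv = {}
    for key, value in KV_RE.findall(m.group("fields")):
        kv.setdefault(key, value)          # keep the first LEN (IP length), not the later UDP/TCP one
    src, dst = kv.get("SRC", ""), kv.get("DST", "")
    spt, dpt = int(kv.get("SPT", 0)), int(kv.get("DPT", 0))   # ICMP records carry no ports
    if kv.get("OUT") and not kv.get("IN"):
        direction = "outbound"             # generated by this host
    elif kv.get("IN") and not kv.get("OUT"):
        direction = "inbound"              # addressed to this host
    else:
        direction = "forwarded"            # both set: the box is routing for someone else
    multicast = bool(dst) and ip_address(dst).is_multicast
    reasons = []
    if dpt in SUSPICIOUS_PORTS or spt in SUSPICIOUS_PORTS:
        reasons.append("port commonly used by malware")
    return {"tag": m.group("tag") or "", "direction": direction, "proto": kv.get("PROTO", ""),
            "src": src, "dst": dst, "spt": spt, "dpt": dpt, "multicast": multicast,
            "reasons": reasons}

def review_firewall_log(text):
    """Parse every netfilter LOG line; records with a non-empty 'reasons' list deserve a look."""
    return [rec for rec in map(parse_firewall_line, text.splitlines()) if rec]

if __name__ == "__main__":
    for rec in review_firewall_log(SAMPLE_FIREWALL_LOG):
        flag = " <-- " + "; ".join(rec["reasons"]) if rec["reasons"] else ""
        print(f"{rec['direction']:8} {rec['proto']:4} {rec['src']}:{rec['spt']} -> "
              f"{rec['dst']}:{rec['dpt']}{' (multicast)' if rec['multicast'] else ''}{flag}")
```

The port list is a hint, not a verdict: the page's own example (mDNS on 5353 to a multicast address) is noisy but harmless, while a blocked outbound connection to an address you do not recognise on a port like 31337 is the case worth chasing down.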

Watching Network Traffic

When being mindful of your system's security it is important to watch network traffic. Often, malicious applications or unauthorized access will lead to the opening of a connection that is equally malicious and unauthorized. A quick way to view your active connections, both inbound and outbound, is with the netstat command. Netstat can give you a near real-time look at the connections your system has.

For instance the command sudo watch netstat -anlp will provide a fairly verbose output for netstat that updates every 2 seconds.

Here is example output from that command

http://dangertux.no-ip.org/downloads/cleannetstat.png

Let's take a look at what that means for us. The first column tells us what the protocol is. Recv-Q and Send-Q show how much data is queued for the connection and aren't really that important. The Local Address is the listening address of the service; here it is 127.0.0.1, and the :631 indicates we are listening on port 631. The Foreign Address is the address we are connected to; 0.0.0.0:* means any host, any port. We are in state LISTEN, which means we do not have an active connection but are waiting for one. Our process ID is 1122, and the program is the Common Unix Printing System daemon. Now here is an example of output that might be considered slightly more malicious in nature:

http://dangertux.no-ip.org/downloads/compromisednetstat.png

This output indicates a connection to a service running /bin/sh on port 31337. This is a nearly direct indication that this machine has been compromised.
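The screenshots above cannot be searched, but the text that `sudo netstat -anlp` prints can be. The Python script below is an added example, not part of this wiki page: it parses the netstat table (note that UDP rows have no State column, so the row has one field fewer), then applies the page's two tells, a socket owned by a shell or netcat process and a port from the page's malware list, plus an informational note for anything listening on every interface. The sample output, addresses and PIDs are constructed.

```python
SUSPICIOUS_PORTS = {1337, 4141, 4444, 6666, 7777, 9999, 13337, 31337, 44444}   # from the page
SHELL_PROGRAMS = {"sh", "bash", "dash", "nc", "netcat", "ncat"}   # sockets owned by these are rarely legitimate

# Constructed sample in the layout of `sudo netstat -anlp`; the third/fourth rows mirror the
# page's compromised example (a shell serving port 31337).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1122/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      980/sshd
tcp        0      0 192.168.0.4:31337       0.0.0.0:*               LISTEN      4311/sh
tcp        0      0 192.168.0.4:31337       192.168.0.9:53012       ESTABLISHED 4311/sh
udp        0      0 0.0.0.0:68              0.0.0.0:*                           901/dhclient
"""

def parse_netstat(text):
    """Turn netstat -anlp output into dicts; headers and non-socket lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, _recvq, _sendq, local, foreign = parts[:5]
        if len(parts) >= 7:                 # TCP: State column present
            state, pidprog = parts[5], parts[6]
        else:                               # UDP: no State column
            state, pidprog = "", parts[5]
        lhost, lport = local.rsplit(":", 1)
        fhost, fport = foreign.rsplit(":", 1)
        pid, _, prog = pidprog.partition("/")   # "-" when netstat was run without root
        rows.append({"proto": proto, "local_host": lhost, "local_port": int(lport),
                     "foreign_host": fhost, "foreign_port": fport, "state": state,
                     "pid": pid, "program": prog})
    return rows

def suspicious_sockets(rows):
    """Return (row, reasons) for every socket that deserves a second look."""
    out = []
    for r in rows:
        reasons = []
        if r["program"] in SHELL_PROGRAMS:
            reasons.append(f"socket owned by shell/netcat process '{r['program']}'")
        remote_port = int(r["foreign_port"]) if r["foreign_port"].isdigit() else None
        if r["local_port"] in SUSPICIOUS_PORTS or remote_port in SUSPICIOUS_PORTS:
            reasons.append("port commonly used by malware")
        if r["state"] == "LISTEN" and r["local_host"] in ("0.0.0.0", "::"):
            reasons.append("listening on all interfaces (reachable from the network)")
        if reasons:
            out.append((r, reasons))
    return out

if __name__ == "__main__":
    for r, reasons in suspicious_sockets(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{r['proto']} {r['local_host']}:{r['local_port']} -> {r['foreign_host']}:{r['foreign_port']} "
              f"{r['state'] or '-'} pid={r['pid']} {r['program']}: {'; '.join(reasons)}")
```

The "listening on all interfaces" note is deliberately noisy: it will list sshd if you run it, which ties back to the "Know What You Have" section above, and on a home desktop every such entry should be one you can name.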

rkhunter & chkrootkit

rkhunter and chkrootkit are two applications that are designed to aid in the detection of a compromised system. They function by doing two things. First they check the integrity of commonly hooked system files. These files are often backdoored by an attacker in order to gain special access or glean credentials from a compromised system. An example of a frequently backdoored command in the Linux world is /bin/su.

It is important to understand that rkhunter and chkrootkit function best if they are given a benchmark, meaning that you run them right after your initial installation so that they can record a "baseline" of what your system should look like. That way, if changes are made later, they will be able to detect the changes as potentially unauthorized. Note that updates may sometimes throw false positives due to the way these applications work.

The second thing these applications do is attempt to determine whether your system has been compromised with a known, signatured rootkit. They will look for files and processes associated with known rootkits, as well as known malicious communication ports associated with them. Additionally they will look for hidden PIDs and hidden TCP ports, as this is often a sign of rootkit-like activity.

Bash Profiles

Yet another method by which an attacker can maintain access to a compromised machine is by loading a backdoor at login. Often these can be found in the following places:

/home/username/.bash_profile
/home/username/.bashrc
/home/username/.profile

There are other locations but these are the three most targeted. An example entry that might be found in a modified .profile might include

nc -l -p 4444 -e '/bin/sh' &

This would start a netcat listener that executes a shell when an attacker connects. The persistence comes from its being in your .profile, which is loaded every time your login shell starts.

Cron Jobs

Another common way an attacker will maintain access to a compromised system is to add a cron job with a backdoor. This backdoor might be a simple netcat listener, or it could be something else. In any case, if you suspect that you have been compromised, checking cron is a good idea.

The following output from sudo crontab -l indicates that something not so kosher is scheduled. The five fields are minute, hour, day of month, month and day of week, so * 5 * * * runs the command every minute during the 5 o'clock hour:

# m h dom mon dow command
* 5 * * * /home/dangertux/reverse_tcp

Additional places to check for cron jobs are as follows:

/etc/cron.daily
/etc/cron.weekly
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.d

Tampered Environment & LD_PRELOAD

Another way a system may be backdoored is by adding the LD_PRELOAD environment variable to the environment. This makes programs load the named library first; such a library is often used to hook system calls and escalate privileges on a system. You can view your current environment with the printenv command. (Note that each user has their own environment.)

Additionally if you suspect this you may wish to check /etc/ld.so.conf.d for any malicious links.

Hooked Run Level Scripts

An attacker will also commonly hook the rc.local on a root compromised machine. They will do this to maintain their presence on the machine.

If we look at the contents of our /etc/rc.local file we may find there is something not quite right on our compromised machine. An example entry in this file might be something along these lines:

sh '/usr/local/lib/.bad/libowned-4.0.0.so' &

This indicates that whatever libowned-4.0.0.so is, it is being executed at boot time. By default this file contains nothing but a single exit 0 line, so if you see strange additions here, particularly something as obvious as this line, it is safe to say your machine may be compromised.

Additional areas to check for potentially malicious scripts are the following directories:

/etc/rc0.d
/etc/rc1.d
/etc/rc2.d
/etc/rc3.d
/etc/rc4.d
/etc/rc5.d
/etc/rc6.d
/etc/init.d
/etc/network/ (particularly note that your interface pre-up and up scripts may be tampered with)
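The Bash Profiles, Cron Jobs and Hooked Run Level Scripts sections above all come down to reading startup files for entries you did not put there. The Python script below is an added example, not part of this wiki page, that serves all three: it splits `crontab -l` lines into their five time fields and says in words when each fires, and it scans any startup file (a .profile, rc.local, a cron command) for the traits the page's examples share: a listening netcat, a hidden directory in the path, a program living in /tmp or a home directory, a shared object handed to a shell, and a command backgrounded with &. The sample crontab, .profile and rc.local contents, and the user name alice, are constructed; the entries borrowed from the page are the ones it already shows.

```python
import re

CRON_FIELDS = ("minute", "hour", "day of month", "month", "day of week")

# Traits the page's examples exhibit; each is a hint, not proof.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(nc|netcat|ncat)\b.*\s-l\b"), "netcat listener"),
    (re.compile(r"/\.[^/\s'\"]+/"), "hidden directory in path"),
    (re.compile(r"/(tmp|dev/shm)/"), "program in a world-writable directory"),
    (re.compile(r"^\S*/home/"), "program located under /home"),
    (re.compile(r"\.so['\"]?\s*&?\s*$"), "shared library run as a program"),
    (re.compile(r"&\s*$"), "backgrounded at startup"),
]

# Constructed samples. The reverse_tcp, nc and libowned lines follow the page's own examples.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/rsync -a /home/alice/Documents /media/backup/
* 5 * * * /home/alice/reverse_tcp
"""
SAMPLE_PROFILE = """\
# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then
    . "$HOME/.bashrc"
fi
PATH="$HOME/bin:$PATH"
nc -l -p 4444 -e '/bin/sh' &
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
sh '/usr/local/lib/.bad/libowned-4.0.0.so' &
exit 0
"""

def describe_cron_entry(entry):
    """Split a `crontab -l` style line into its five time fields and the command and say when it fires.
    (/etc/crontab and /etc/cron.d files carry an extra user field before the command; this
    handles the per-user crontab form.)"""
    parts = entry.split(None, 5)
    if len(parts) < 6 or entry.lstrip().startswith("#"):
        return None
    fields, command = dict(zip(CRON_FIELDS, parts[:5])), parts[5]
    restricted = [f"{name}={value}" for name, value in fields.items() if value != "*"]
    if fields["minute"] == "*":
        when = "every minute" + (" while " + " and ".join(restricted) if restricted else "")
    else:
        when = "when " + " and ".join(restricted)
    return {"fields": fields, "command": command, "when": when}

def suspicious_reasons(command):
    return [reason for pattern, reason in SUSPICIOUS_PATTERNS if pattern.search(command)]

def scan_startup_file(name, text):
    """Return (file, line, reason) for every non-comment line that matches a suspicious pattern."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for reason in suspicious_reasons(stripped):
            hits.append((name, stripped, reason))
    return hits

def scan_crontab(text):
    """Return (when, command, reasons) for every scheduled entry; the command alone is scanned."""
    findings = []
    for line in text.splitlines():
        entry = describe_cron_entry(line)
        if entry is None:
            continue
        findings.append((entry["when"], entry["command"], suspicious_reasons(entry["command"])))
    return findings

if __name__ == "__main__":
    for when, command, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"cron: {when}: {command}" + (f"  <-- {'; '.join(reasons)}" if reasons else ""))
    for name, text in ((".profile", SAMPLE_PROFILE), ("/etc/rc.local", SAMPLE_RC_LOCAL)):
        for _, line, reason in scan_startup_file(name, text):
            print(f"{name}: {line}  <-- {reason}")
```

Legitimate files do trip these patterns now and then (a backup job that reads /home, a user's own background script), so read every hit rather than acting on the count; the page's point stands that a default rc.local holds only exit 0, and a .profile that opens a listening socket is never normal.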

Additional Users

Often, when a system is compromised, an attacker will create an additional user to allow them return access in the event you change your password. If you suspect a compromise has occurred, you can and should check for the creation of additional users.

You may notice something similar to the following in your auth.log file if a user has been created.

Nov 8 11:22:14 dangertux-laptop useradd[1517]: new user: name=reallybadguy, UID=1001, GID=1002, home=/dev/null, shell=/bin/sh
Nov 8 11:22:14 dangertux-laptop useradd[1517]: add 'reallybadguy' to group 'admin'
Nov 8 11:22:14 dangertux-laptop useradd[1517]: add 'reallybadguy' to shadow group 'admin'

In your /etc/passwd file you may also notice an entry similar to this.

reallybadguy:x:1001:1002::/dev/null:/bin/sh
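Checking for extra accounts means reading both places the page names: the useradd lines in auth.log and the entries in /etc/passwd. The Python script below is an added example, not part of this wiki page: it parses /etc/passwd and flags a second UID 0 account, shared UIDs, a login-range account you did not create, and an interactive shell paired with a home of /dev/null; it also pulls account creations and additions to an administrative group out of auth.log. The passwd contents, the set of accounts you know you created ({"alice"}), and the extra auth.log line are constructed; the reallybadguy entries are the page's own.

```python
import re

# Groups that grant administrative rights on Ubuntu ('admin' in the 2011 releases, 'sudo' from 12.04 on).
PRIVILEGED_GROUPS = {"admin", "sudo", "root", "wheel"}
HUMAN_UIDS = range(1000, 60000)          # Ubuntu hands out UIDs from 1000 to ordinary login accounts
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed /etc/passwd: four ordinary entries, the page's reallybadguy line, and a second UID 0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
reallybadguy:x:1001:1002::/dev/null:/bin/sh
toor:x:0:0::/root:/bin/bash
"""

# Constructed auth.log excerpt in the format the page shows for useradd.
SAMPLE_AUTH_LOG = """\
Nov  8 11:22:14 example-host useradd[1517]: new user: name=reallybadguy, UID=1001, GID=1002, home=/dev/null, shell=/bin/sh
Nov  8 11:22:14 example-host useradd[1517]: add 'reallybadguy' to group 'admin'
Nov  8 11:22:14 example-host useradd[1517]: add 'reallybadguy' to shadow group 'admin'
Nov  8 11:25:03 example-host sshd[1602]: Accepted password for reallybadguy from 192.168.0.4 port 40110 ssh2
"""

USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=(\d+), GID=(\d+), home=(\S+), shell=(\S+)")
GROUP_RE = re.compile(r"useradd\[\d+\]: add '(\S+)' to (?:shadow )?group '(\S+)'")

def parse_passwd(text):
    """Parse /etc/passwd lines into dicts (the password field is always 'x' here and is dropped)."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return users

def audit_passwd(users, known_accounts):
    """known_accounts: the login names you created yourself (an assumption the reader supplies).
    Returns (name, reason) pairs for entries that warrant a closer look."""
    findings, owner_of_uid = [], {}
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "UID 0 account other than root"))
        if u["uid"] in owner_of_uid:
            findings.append((u["name"], f"shares UID {u['uid']} with {owner_of_uid[u['uid']]}"))
        else:
            owner_of_uid[u["uid"]] = u["name"]
        if u["uid"] in HUMAN_UIDS and u["name"] not in known_accounts:
            findings.append((u["name"], "login account you did not create"))
        if (u["uid"] in HUMAN_UIDS and u["home"] in ("/dev/null", "/nonexistent")
                and u["shell"] not in NOLOGIN_SHELLS):
            findings.append((u["name"], f"interactive shell {u['shell']} but no real home directory"))
    return findings

def account_events(text):
    """Pull account creations and privileged-group additions out of auth.log."""
    created, grants = [], []
    for line in text.splitlines():
        m = USERADD_RE.search(line)
        if m:
            name, uid, gid, home, shell = m.groups()
            created.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
            continue
        m = GROUP_RE.search(line)
        if m and m.group(2) in PRIVILEGED_GROUPS:
            grants.append((m.group(1), m.group(2)))
    return created, grants

if __name__ == "__main__":
    for name, reason in audit_passwd(parse_passwd(SAMPLE_PASSWD), {"alice"}):
        print(f"/etc/passwd: {name}: {reason}")
    created, grants = account_events(SAMPLE_AUTH_LOG)
    for c in created:
        print(f"auth.log: account {c['name']} created with uid {c['uid']}, home {c['home']}, shell {c['shell']}")
    for user, group in grants:
        print(f"auth.log: {user} added to administrative group '{group}'")
```

An attacker who has already cleaned auth.log will leave the passwd side of this intact only by accident, which is why the two checks are worth running together; a pair of names in /etc/passwd with no matching useradd line in the log is itself a sign that the log was trimmed.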