UnsafeDefaults

Revision 1 as of 2005-07-26 15:09:01


Unsafe Defaults

While Ubuntu comes secure and ready for the user, many people decide to expand the use of their computer to run various services, such as an FTP server or Apache. The purpose of this page is to advise these users on settings that they would probably want to change.

Shared Memory

By default, /dev/shm is mounted read/write. Many security mailing lists have recently noted an uptick in attacks in which /dev/shm was leveraged against a running service such as httpd. There is almost no reason for it to be mounted read/write. To change this setting, edit the /etc/fstab file to include the following line:

tmpfs     /dev/shm     tmpfs     defaults,ro     0 0

The change will take effect the next time you reboot, or immediately if you remount /dev/shm.

SSH Root Login

This is not a major issue, as even OpenBSD ships with root login permitted (though the documentation suggests removing it), and Ubuntu does not ship with root enabled by default. However, in many environments it is standard procedure to create a root account, even if it is never used. If a root account is created, and you are running sshd, edit the /etc/ssh/sshd_config file and replace the following line

PermitRootLogin yes

with

PermitRootLogin no

The OpenSSH server must be restarted for this to take effect, which can be done with sudo /etc/init.d/ssh restart.
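To check both settings after editing, the following added example (not part of the original wiki page) audits an fstab file and an sshd_config file. The function names are hypothetical; it assumes the whitespace-separated syntax shown above, treats a missing PermitRootLogin line as not disabled, and does not interpret Match blocks.

```shell
#!/bin/sh
# Added example: audit the two settings discussed on this page.
# It inspects the configuration files only, not the live mount or running sshd.

# Print the mount options of the /dev/shm entry in an fstab-format file.
shm_options() {
    awk '$1 !~ /^#/ && $2 == "/dev/shm" { opts = $4 }
         END { if (opts != "") print opts }' "$1"
}

# Succeed only if the /dev/shm entry exists and carries the "ro" option.
shm_is_readonly() {
    opts=$(shm_options "$1")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the PermitRootLogin value sshd would use. sshd keywords are
# case-insensitive and the first occurrence wins; commented lines are skipped
# because their first field starts with "#".
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Succeed only if PermitRootLogin is explicitly set to "no".
root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Report on both files; the return status is non-zero if either check fails.
audit() {
    rc=0
    if shm_is_readonly "$1"; then echo "OK   /dev/shm is ro in $1"
    else echo "WARN /dev/shm is not ro in $1"; rc=1; fi
    if root_login_disabled "$2"; then echo "OK   PermitRootLogin no in $2"
    else echo "WARN PermitRootLogin is not 'no' in $2"; rc=1; fi
    return $rc
}

# Run as: sh audit.sh /etc/fstab /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```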