Unsafe Defaults
While Ubuntu comes secure and ready for the user, many people decide to expand their use of their computer to perform various services, such as running an FTP server or Apache. The purpose of this page is to advise these users on settings that they would probably want to change.
Shared Memory
By default, /dev/shm is mounted read/write. Many security mailing lists have recently noted an uptick in attacks in which /dev/shm was leveraged against a running service such as httpd. There is almost no reason for it to be mounted read/write. To change this setting, edit the /etc/fstab file to include the following line:
tmpfs /dev/shm tmpfs defaults,ro 0 0
The change will take effect the next time you reboot, unless you remount /dev/shm.
SSH Root Login
This is not a major issue, as even OpenBSD ships with root login permitted (though the documentation suggests removing it), and Ubuntu does not ship with root enabled by default. However, in many environments it is standard procedure to create a root account, even if it is never used. If a root account is created, and you are running sshd, edit the /etc/ssh/sshd_config file and replace the following line
PermitRootLogin yes
with
PermitRootLogin no
The OpenSSH server must be restarted for this to take effect, which can be done with sudo /etc/init.d/ssh restart.
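To confirm that both the Shared Memory and SSH Root Login changes are in place, a small audit script can read the two files. This is an added example, not part of the original page: the function names are made up for illustration, the sample files are constructed, and it inspects the configuration files rather than the live mount or the running sshd.

```shell
#!/bin/sh
# Added example: audit the two settings this page changes. Paths are
# arguments, so the checks can be pointed at copies of the real files.

# Print the options of the last uncommented /dev/shm entry in an fstab file.
shm_fstab_opts() {
    awk '$1 !~ /^#/ && $2 == "/dev/shm" { opts = $4; found = 1 }
         END { if (found) print opts; exit !found }' "$1"
}

# Succeed only if /dev/shm ends up read-only. "defaults" implies rw, and
# when ro and rw both appear the later one wins.
shm_is_readonly() {
    opts=$(shm_fstab_opts "$1") || return 1
    state=rw
    for o in $(printf '%s' "$opts" | tr ',' ' '); do
        case "$o" in ro|rw) state=$o ;; esac
    done
    [ "$state" = ro ]
}

# Print the global PermitRootLogin value, or "unset" if the file has none.
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive. Simplification: parsing stops at the first Match block
# and Include files are not followed.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Report both settings; the exit status is the number of findings.
audit() {
    findings=0
    if shm_is_readonly "$1"; then echo "OK   /dev/shm is read-only in $1"
    else echo "WARN /dev/shm is not read-only in $1"; findings=$((findings + 1)); fi
    prl=$(permit_root_login "$2")
    if [ "$prl" = no ]; then echo "OK   PermitRootLogin no in $2"
    else echo "WARN PermitRootLogin is '$prl' in $2"; findings=$((findings + 1)); fi
    return "$findings"
}

# Constructed sample files, so the example runs without touching /etc.
demo=$(mktemp -d)
printf 'tmpfs /dev/shm tmpfs defaults,ro 0 0\n' > "$demo/fstab"
printf '#PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_config"
audit "$demo/fstab" "$demo/sshd_config" || echo "findings: $?"
```

On a real system, call it as audit /etc/fstab /etc/ssh/sshd_config. The constructed sshd_config shows why the existing PermitRootLogin line has to be replaced rather than a new one appended: the earlier "yes" is the value that takes effect.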