Ubuntu:Feisty/Security

Security

What are the basic things I need to know about securing my Ubuntu?

  • Read #General Notes
  • Ensure the hard drive is first in the BIOS boot-up sequence
    • To prevent trespassers from booting a Linux installation CD, which would let them gain root user access
    • To prevent trespassers from booting a Linux Live CD (e.g. UBUNTU/KNOPPIX/MEPIS), which would let them destroy/browse/share the entire hard drive
    • To prevent trespassers from installing another operating system
  • Ensure a password is set for BIOS
    • To prevent trespassers from changing the BIOS boot-up sequence
  • Ensure computer is located at a secured place
    • To prevent trespassers from removing computer's hard drive which allows them to destroy/browse/share the entire hard drive from a different computer
    • To prevent trespassers from removing computer's on-board battery which resets the BIOS password
  • Ensure passwords used on the system cannot be easily guessed
    • To prevent trespassers from cracking the password file with brute-force attacks (e.g. John the Ripper)
    • Create passwords with a minimum length of 8 characters
    • Create passwords with a mixture of letters and numbers, and of upper and lower case
    • Do not use a single dictionary word, or a typical combination of dictionary words, from the main languages (English, German, French, Spanish, ...)
  • Ensure interactive editing control for GRUB menu is disabled
  • Ensure history listing is disabled in Console mode
  • Ensure Ctrl+Alt+Del is disabled in Console mode
  • Ensure the interactive option is set for removing, copying and moving files/folders in Console mode
  • For day to day usage, login as a normal user
  • Disable root user account, use "sudo" instead
    • To reduce the amount of time spent with root privileges, and thus the risk of inadvertently executing a command as root
    • "sudo" provides a more useful audit trail (/var/log/auth.log)
    • Read #How to disable root user account
  • Install a Firewall
  • Perform vulnerability test
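As an added example (not part of the original page), a bash function that applies the password rules above to a candidate and reports the first rule it breaks; the word list is a constructed stand-in for a real dictionary file such as /usr/share/dict/words.

```shell
#!/bin/bash
# Constructed stand-in for a dictionary file (e.g. /usr/share/dict/words).
WORDS="password secret ubuntu linux admin welcome sunshine dragon"

# check_password CANDIDATE -> prints the first rule violated and returns 1,
# or prints "ok" and returns 0.
check_password() {
    local pw=$1 core w1 w2
    [ ${#pw} -ge 8 ] || { echo "too short (minimum 8 characters)"; return 1; }
    case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter"; return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter"; return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit"; return 1 ;; esac
    # Lower-case and strip everything but letters, so 'Password1' is still
    # recognised as the dictionary word 'password' with decoration added.
    core=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z')
    for w1 in $WORDS; do
        [ "$core" = "$w1" ] && { echo "dictionary word"; return 1; }
        for w2 in $WORDS; do
            [ "$core" = "$w1$w2" ] && { echo "two dictionary words joined"; return 1; }
        done
    done
    echo ok
}
```

Call it as `check_password 'YourCandidate1'`; a real deployment would point WORDS at a full word list.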

How to disable all interactive editing control for GRUB menu

  • Run this; it prompts for a password and prints its MD5 hash:
grub-md5-crypt 
Password: 
Retype password: 
$1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
  • Backup your current configuration file
sudo cp /boot/grub/menu.lst /boot/grub/menu.lst_backup
gksudo gedit /boot/grub/menu.lst
  • Find this section
...
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
#   password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
# password topsecret
...
  • Add the following line below it, using the hash that grub-md5-crypt printed for you (the one above is only an example):
password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
  • Find this section
...
## should update-grub lock alternative automagic boot options
## e.g. lockalternative=true
##      lockalternative=false
# lockalternative=false
...
  • Make the following change:
...
## should update-grub lock alternative automagic boot options
## e.g. lockalternative=true
##      lockalternative=false
# lockalternative=true
...
  • Save the edited file then run update-grub:
sudo update-grub

Your GRUB menu will now require the password before any entry can be edited, and the recovery-mode entries will not boot unless the password is typed. To reach the other GRUB options at the menu, follow the instructions at the bottom of the screen; typically this means pressing p and typing your password.

How to disable history listing in Console mode

rm -f ~/.bash_history
gedit ~/.bash_profile
  • Add the following (~/.bash_profile is read by login shells; for a terminal that starts a non-login shell, put the same lines in ~/.bashrc):
# Keep any history file that still exists tiny, then stop bash writing one at all
export HISTFILESIZE=4
unset HISTFILE
# In-memory recall for the current session only; change this to a reasonable number of lines, 100 here
export HISTSIZE=100
# Ignores duplicate lines next to each other
export HISTCONTROL=ignoredups

This stops Bash from saving the user's history to disk while keeping in-session keystroke history and recall, limited to 100 lines. Duplicate lines next to each other are also not recorded.

How to disable recently used documents

  • To disable, run this in your home directory (e.g. /home/username/). Creating a directory with the file's name stops applications from recreating the file:
rm -f ~/.recently-used ~/.recently-used.xbel && mkdir ~/.recently-used.xbel

How to clear history listing in Console mode

history -c

This will just clear your current history.

How to disable Ctrl+Alt+Del from restarting computer in Console mode

sudo cp /etc/inittab /etc/inittab_backup
gksudo gedit /etc/inittab
  • Find this line
...
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
...
  • Replace with the following line
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
  • Save the edited file, then make init re-read it:
sudo telinit q

How to enable a prompt before files/folders are removed or overwritten in Console mode

sudo cp /etc/bash.bashrc /etc/bash.bashrc_backup
gksudo gedit /etc/bash.bashrc
  • Append the following lines at the end of the file (-i asks for confirmation before each file is removed or overwritten):
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
  • Save the edited file

How to setup a LoJack system for your laptop

  • If your laptop is stolen and then subsequently connected to the Internet, this method lets you find out from which IP address it connects.
  • The hostname (yourhostname.dyndns.org in the example) that you registered with your dynamic IP service (e.g. DynDNS) is updated whenever someone runs your computer, stolen or not. You can find out from which IP address the computer was last run with the ping command (it prints the resolved address even if the host does not answer):
ping yourhostname.dyndns.org
  • You can then look up the IP address with a reverse IP service and at least get an idea of what city your laptop is in. Of course, if the IP address resolves to one of a large bank of addresses used by an ISP such as AT&T, this method may not help you much.

How to get advanced protection against buffer overflows with grsecurity

  • You can get advanced protection against buffer overflows by using a PaX/grsecurity-enabled kernel. A precompiled version for Ubuntu is available from kernelsec.

How to add Access Control Lists (ACLs)

  • You can obtain finer control of permissions over files and folders, similar to NTFS in Windows, by installing acl. Additionally, Eiciel adds an Access Control List tab to file and folder properties in Nautilus. Original instructions were found here. See the setfacl command manual for information on setting ACLs from the console.
sudo apt-get install acl
  • After installing, modify your /etc/fstab to add the "acl" option to each device/partition you want to have ACL functionality. It should look something like this:
# /dev/hda3
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   /      ext3   defaults,acl,errors=remount-ro   0  1
# /dev/hda4
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   /home  ext3   defaults,acl   0   2
...
  • Remount each file system that ACLs will be enabled on:
sudo mount / -o remount
sudo mount /home -o remount
  • Install Eiciel:
sudo apt-get install eiciel
  • Restart Nautilus (may need to be manually restarted). See Eiciel installation page for more details.
nautilus -q
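As an added example (not part of the original page), a shell function that adds the "acl" option to the listed mount points in an fstab file without duplicating it, so it can be re-run safely; the sample fstab it works on is constructed here, modelled on the fragment above.

```shell
#!/bin/sh
# add_acl_option FSTAB MOUNTPOINT...  -> prints FSTAB with "acl" appended to the
# options of each listed mount point; entries that already have it are left alone.
# Run it on a copy, or back /etc/fstab up first, and review the output before use.
add_acl_option() {
    fstab=$1; shift
    awk -v targets="$*" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        # comments and blank/short lines pass through unchanged
        /^[[:space:]]*#/ || NF < 4 { print; next }
        # $2 is the mount point, $4 the options field
        ($2 in want) && ("," $4 ",") !~ /,acl,/ { $4 = $4 ",acl" }
        { print }
    ' "$fstab"
}

# Constructed sample fstab (not a real system's), used for the demonstration.
make_sample_fstab() {
    cat > "$1" <<'EOF'
# /dev/hda3
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   /      ext3   defaults,errors=remount-ro   0  1
# /dev/hda4
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   /home  ext3   defaults   0   2
proc   /proc   proc   defaults   0   0
EOF
}
```

Example: `make_sample_fstab /tmp/fstab.sample && add_acl_option /tmp/fstab.sample / /home` prints the file with acl added to / and /home only.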

Firewall

Ubuntu has a built-in firewall system called IPtables (netfilter) that is enabled by default. At installation all ports are open and there is effectively no filtering/protection. To close the ports and leave open only the ones you want, you must either manually edit the iptables rules or use a GUI (such as Firestarter). Once you edit the iptables configuration, your computer will be better protected from attacks from the Internet.

Manually configuring IPtables
  • Read UbuntuHelp Iptables
  • Read Netfilter's documentation for iptables
  • Read the manual:
man iptables
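As an added example of the manual route (not part of the original page), a script that writes a minimal default-deny ruleset in iptables-restore format and loads it; the rules file path is an assumption.

```shell
#!/bin/sh
# write_rules FILE -> writes a minimal host ruleset in iptables-restore format.
# INPUT policy DROP closes every port; only loopback traffic, replies to
# connections this host opened, and ping are let in. Add a line such as
#   -A INPUT -p tcp --dport 22 -j ACCEPT
# before COMMIT for each service you deliberately expose. Dropped packets are
# logged (rate-limited) so blocked connection attempts show up in syslog.
write_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
COMMIT
EOF
}

# count_accepts FILE -> number of explicit ACCEPT rules (sanity check before loading).
count_accepts() {
    grep -c -- '-j ACCEPT' "$1"
}

# load_rules FILE -> replaces the whole filter table in one atomic step (needs root).
load_rules() {
    iptables-restore < "$1"
}

# Usage (assumed path): write_rules /etc/iptables.rules && sudo sh -c 'iptables-restore < /etc/iptables.rules'
```

To reload the rules at boot, add `pre-up iptables-restore < /etc/iptables.rules` to the relevant interface stanza in /etc/network/interfaces.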
How to install IPtables Firewall Configuration GUI (Firestarter)
  • Read #General Notes
  • Firestarter is a Gnome GUI. For KDE (Kubuntu) users, try fwbuilder, guarddog, guidedog, kmyfirewall, or knetfilter.
  • You are strongly recommended to learn and use Firestarter for managing iptables/netfilter. For more information: http://www.fs-security.com/

Firestarter is the easiest GUI to change the IPtables and alter the firewall functions. Firestarter itself does not perform these firewall functions. It is only a method for changing your IPtables firewall settings. When Firestarter is installed from the package, it integrates with iptables, which runs in the background as a system service. After running Firestarter's initial setup wizard, your iptables will be changed and most ports closed. Firestarter then needs to be run only when you wish to change settings.

System-->Administration-->Synaptic Package Manager-->Search-->firestarter-->Mark for Installation

or (from command-line terminal):

sudo apt-get install firestarter
  • Run Firestarter:
System-->Administration-->Firestarter
How to minimize Firestarter to a panel icon when closed
System-->Administration-->Firestarter-->Preferences-->Enable tray icon
How to make the Firestarter GUI start automatically at startup
  • Note: Once you have setup the iptables firewall the first time using Firestarter, you do not need to have Firestarter running to be protected by the IPtables firewall (which is then always enabled in Ubuntu). Firestarter is only the GUI for changing the settings of the firewall; it only needs to be started when doing so. The following step is therefore unnecessary for most users.
System -> Preferences -> Sessions -> Startup Programs -> New
Name: Firestarter --start-hidden
How to have Firestarter start without the root password
  • Read #Security
  • Warning: This is NOT secure. It is unnecessary for most users.
  • The original instructions can be found at the Firestarter FAQ website.
  • Edit the configuration file:
sudo gedit /etc/sudoers

Note: You can also edit the sudoers file using visudo, which checks the syntax before saving and so is the safer choice:

export EDITOR=gedit
sudo visudo
  • In the Defaults section of the file, comment out this line with a hashmark (#) at the beginning of the line (optional):
#Defaults !lecture,tty_tickets,!fqdn

Add this line right after it (optional):

Defaults !lecture,tty_tickets,!fqdn,env_reset,env_keep+="DISPLAY HOME XAUTHORIZATION"
  • At the bottom of the file add the line:
your_user_name ALL= NOPASSWD: /usr/sbin/firestarter

Replace 'your_user_name' with your actual username.

  • Reboot.

Using Shorewall to manage iptables

Shorewall is an alternative to Firestarter. It allows more options to be set, but is more difficult to use. It can be administered from a GUI using Webmin.

  • Read Getting Started with Shorewall

Anti-virus

ClamAV AntiVirus Server

  • Although viruses and spyware are less common in Linux systems, they do exist. Furthermore, many users share files with Windows users, either on their own computer or on LANs. ClamAV is useful for checking these files.
  • Install ClamAV AntiVirus Server:
sudo apt-get install clamav 

If you get errors, try running the command again.

How to update virus definitions
  • Virus definition updates are provided by the clamav-freshclam module, which is installed as part of clamav.
  • Run freshclam manually:
sudo freshclam
How to install ClamAV automatic updater daemon
  • The clamav daemon will run freshclam automatically to keep definitions up-to-date. It will also run e-mail server checking modules for e-mail attachments.
sudo apt-get install clamav-daemon
How to scan files or folders
sudo clamscan -r /location_of_files_or_folders
How to install ClamTk GUI frontend for ClamAV
sudo apt-get install clamtk

ClamTk can be accessed from the Menu: Applications--> Accessories-->Virus Scanner

  • Note: As of August 1, 2007, the Ubuntu repository version of ClamTk is 0.31, which has a bug that does not allow it to run. Obtain and install the current version of ClamTk 0.99, which functions fine in Ubuntu Feisty:
wget -c http://downloads.sourceforge.net/clamtk/clamtk_2.99-1_all.deb
sudo dpkg -i clamtk_2.99-1_all.deb
How to automatically scan files/folders for viruses
  • This method is used to automatically scan files/folders for viruses at a scheduled time.
  • * * * * * means: minute hour date month year
  • Edit the crontab file:
export EDITOR=gedit && sudo crontab -e

or, simply,

sudo env EDITOR=gedit crontab -e
  • Append a line similar to the following line at the end of file. In this example, scanning will be done at 02:04am every day of every month of every year.
04 02 * * *  sudo clamscan -r /location_of_files_or_folders