Ubuntu’s default setting should be secure, but if you are paranoid about your system security, you can fine-tune your Ubuntu even more. In this post, I will show you how to improve your Ubuntu’s security by adding extra software and modify some Ubuntu’s default settings. Let get started!
It’s important to stop and permanently deactivate the services that you do not need. On Ubuntu 9.10, you need to install Boot Up Manager before you can deactivate running services. In terminal (shell), you need to type command [sudo aptitude install bum], but if you type [sudo -i] before the previous command, then you need to leave out [sudo] from the previous command, because sudo -i allows you to become root. Next you need to go to System > Administration > BootUp-Manager, pick the services that you do not need and deactivate those. To deactivate the services that you do not need, you need to remove the check marks that are next to the running services. For me, I prefer to deactivate:
- Tool to report program crashes (apport)
- Scanner services (saned)
- Fast remote file copy program (rsync)
- Discover services and hosts on a local network (avahi-daemon)
- Runs system housekeeping chores on specified dates/times (cron)
- Manages print jobs (cups)
- Common interface to speech synthesizers (speech-dispatcher)
- Enables scheduling of jobs (atd)
There are some services that you cannot deactivate, because those are essential to your system stability. This is why you must know which service does what before you decide to deactivate or activate a service. It’s simple really, the less services that you are running on your system, the better it’s in term of security. Why? Some services may or may not open extra software ports, and the more open-ports your computer has, the more ways for hackers to sneak into your system.
Sometimes, you want to run a service locally, but you know that a service you want to run will open a port. You fear that an open-port will lead to insecurity, and so you want to do something about this. This is easy! You need a firewall, really! On Ubuntu, go to Application > Accessories > Terminal, type sudo -i, and type aptitude install guarddog. If you type this command line into a terminal as root or as a sudo user, Aptitude will install guarddog firewall onto your Ubuntu system. Now you need to open up guarddog and configure it. To do this, in terminal, as root or sudo user, type guarddog. Guarddog’s interface will launch, and you’ll see tabs such as Zone, Protocol, Logging, Advanced, Port Reference. You can ignore the zone tab, but you need to click on Protocol tab. On Protocol’s screen, you see Defined Network Zones (Internet, Local), please highlight the Internet zone. On the right of the screen of Protocol tab, you see Network Protocol, and here is where you need to check certain services — to allow Internet and other services to run correctly. By default, Guarddog will not allow any incoming traffic or outgoing traffic to access your system, and this is why you need to allow some services under network protocol of Protocol tab (Internet zone). To allow Internet, you need to allow DNS (Network), and HTTPS(File Transfer) and HTTP(File Transfer). To allow SSH, you need to allow SSH(Interactive Session). You can mess around with other settings within Guarddog when you get a hang of it. Click apply and click OK to activate your Guarddog Firewall.
As root (sudo -i) or a sudo user, you can edit /etc/fstab to set a stricter setting for shared memory. How? Type this into the terminal, vim.tiny /etc/fstab/, type letter i on your keyboard to enter edit mode, go to the very bottom of the file, copy and paste tmpfs /dev/shm tmpfs defaults,ro 0 0, type Esc on your keyboard to exit edit mode, type a colon “:” without the double quotes, type wq, and hit enter to save and exit the file.
Edit /etc/sysctl.conf to stop some spoofing attacks and enhance other security measures. By remove the hash sign # in front of certain command lines within this file, you’ve activated the security functions provided by these command lines within /etc/sysctl.conf. So let remove the hash sign in front of,
- net.ipv4.icmp_echo_ignore_broadcasts = 1
- net.ipv4.icmp_ignore_bogus_error_responses = 1
- net.ipv4.conf.all.accept_redirects = 0
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv4.conf.all.send_redirects = 0
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv6.conf.all.accept_source_route = 0
Save the /etc/sysctl.conf file, and then type in terminal as root with sysctl -p to activate the kernel settings that you have modified.
As root or a sudo user, type aptitude install clamav to install an anti-virus software. To scan a directory for a virus, just do clamscan -r -i [insert-directory-name-here-and-do-not-copy-the-bracket-signs]. To scan a single file for a virus, in a terminal, just do clamscan -i [insert-file-name-here-without-the-bracket-signs]. To update the virus signature database, as root or a sudo user, in a terminal, do freshclam.
By default, Ubuntu has Apparmor installed. Still, you can enhance this setting even more. In terminal, as root or a sudo user, type aptitude install apparmor-profiles. This will add more readily set profiles for your Apparmor to protect zero day attacks from hackers.
In terminal, as root or a sudo user, type aptitude install chkrootkit rkhunter. Chkrootkit and Rkhunter are both rootkit detection scripts. These scripts will alert you about known rootkits inside your system if there is any. Rootkits are the stuffs that you want to get rid off of your system, because these are the doors for hackers to sneak in. You have to run Chkrootkit and Rkhunter manually or as cron jobs to get the rootkit alerts. Let do these manually! For Rkhunter, as root or sudo user, to update the script you need to type in terminal rkhunter –update, and to run rkhunter you need to type in terminal (as root or sudo user) rkhunter -c. For Chkrootkit, as root or sudo user, you only need to type chkrootkit in terminal.
Let remove telnet completely off of your system. Telnet is a very insecure program that allow users to remotely communicate with your system in clear text. To do this, in terminal and as root or sudo user, type aptitude remove telnet.
Additional security software you may want are tiger, lsat, harden, harden-environment, bastille, harden-nids, harden-tools, harden-clients, harden-servers, rats, wipe, and nmap. You can use Aptitude or Synaptic to install these software.
Let make sure you have only the port you need to be opened and nothing else! To check for the open-ports, you can use nmap for this. In terminal and as root or sudo user, type ifconfig to see your eth0 or wlan0 inet addr:192.168.X.X, and use nmap to check on that inet addr IP. Let assume your inet addr is 192.168.0.1, you can type this in terminal as root or sudo user, nmap -sTU 192.168.0.1. If you see an open-port that you do not know about or think it’s not a necessary port, then you can try to deactivate the service that is open such a port, or configure your firewall to block such a port.
I bet there are other security measures that I may have missed, but you can always let me know by commenting under this post.
Update (on November 26th 2009): There is another security measure that I forgot to tell you. It’s about the integrity of your system. To make sure that when someone has modified a file on your Ubuntu system for either good or evil purpose, you could figure out which file got changed; in case a modified file looks suspicious, you may have to put some extra effort in figuring out if your system was modified for malicious purpose or else. You can use fcheck to do this. To install this, go to a terminal as root or sudo user (i.e., sudo -i or sudo [command enter here]) and type in aptitude install fcheck. After installing fcheck, you need to run command fcheck -cadsx to make sure fcheck knows all files that are on your system. In case you don’t know what -cadsx means, you can type in a command man fcheck to see the meaning of each fcheck’s flag. After running fcheck -cadsx, you can run fcheck -adsx to confirm that fcheck is actually working and reporting on your system’s files’ integrity. Just remember that whenever you boot up your system next time, you need to run fcheck -adsx first to see if any file has integrity problem or not. Registering all files with fcheck again by running fcheck -cadsx whenever you updating your Ubuntu system or installing a new software (package).
Update (on Dec 7th 2009): I also found out that sometimes it’s best to be super paranoid. So here is another way to tighten up your Ubuntu 9.10 even more (this work with other Linux and previous Ubuntu versions) by disabling shells for unused accounts and active/inactive services. To do just that, you need to go to a shell (terminal), type in [sudo -i] to become root, and then use either nano or vim.tiny to edit /etc/passwd. In /etc/password, you can disable all shells except user accounts that you are using to login into your Ubuntu 9.10 system. To disable shells for accounts, remove the last part that looks like bash or sh, and replace them with false. Example, whatever:x:x:x:x:/x:/bin/false is correct (insecure setting would be whatever:x:x:x:x:/x:/bin/bash). You can also lock all accounts in /etc/shadow by doing [passwd -l] (example, passwd -l username), but there is an exception — do not lock an account that you want to login to your system with.