Tighten Up Ubuntu's Security

On November 9, 2009, in Linux, by admin

Ubuntu’s default settings should be secure, but if you are paranoid about your system’s security, you can fine-tune Ubuntu even more.  In this post, I will show you how to improve your Ubuntu’s security by adding extra software and modifying some of Ubuntu’s default settings.  Let’s get started!

It’s important to stop and permanently deactivate the services that you do not need.  On Ubuntu 9.10, you need to install Boot-Up Manager before you can deactivate running services.  In a terminal (shell), type the command [sudo aptitude install bum]; if you typed [sudo -i] first, leave out [sudo] from that command, because sudo -i makes you root.  Next, go to System > Administration > BootUp-Manager, pick the services that you do not need and deactivate them by removing the check marks next to the running services.  For me, I prefer to deactivate:

  • Tool to report program crashes (apport)
  • Scanner services (saned)
  • Fast remote file copy program (rsync)
  • Discover services and hosts on a local network (avahi-daemon)
  • Runs system housekeeping chores on specified dates/times (cron)
  • Manages print jobs (cups)
  • Common interface to speech synthesizers (speech-dispatcher)
  • Enables scheduling of jobs (atd)

There are some services that you cannot deactivate, because they are essential to your system’s stability.  This is why you must know what each service does before you decide to deactivate or activate it.  It’s simple, really: the fewer services you run on your system, the better off it is in terms of security.  Why?  Some services open extra network ports, and the more open ports your computer has, the more ways there are for hackers to sneak into your system.

Sometimes you want to run a service locally, but you know that it will open a port.  You fear that an open port will make your system less secure, and you want to do something about it.  This is easy!  You need a firewall, really!  On Ubuntu, go to Applications > Accessories > Terminal, type sudo -i, and then type aptitude install guarddog.  If you type this command into a terminal as root or as a sudo user, Aptitude will install the Guarddog firewall onto your Ubuntu system.  Now you need to open Guarddog and configure it.  To do this, in a terminal, as root or a sudo user, type guarddog.  Guarddog’s interface will launch, and you’ll see tabs such as Zone, Protocol, Logging, Advanced and Port Reference.  You can ignore the Zone tab, but you need to click on the Protocol tab.  On the Protocol screen, under Defined Network Zones (Internet, Local), highlight the Internet zone.  On the right of the Protocol tab you see Network Protocol, and here is where you need to check certain services so that Internet access and other services work correctly.  By default, Guarddog does not allow any incoming or outgoing traffic, which is why you need to allow some services under Network Protocol on the Protocol tab (Internet zone).  To allow Internet access, allow DNS (Network), HTTPS (File Transfer) and HTTP (File Transfer).  To allow SSH, allow SSH (Interactive Session).  You can experiment with other settings in Guarddog once you get the hang of it.  Click Apply and then OK to activate your Guarddog firewall.

As root (sudo -i) or a sudo user, you can edit /etc/fstab to set stricter options for shared memory.  How?  Type vim.tiny /etc/fstab into the terminal, press the letter i on your keyboard to enter insert mode, go to the very bottom of the file, paste in tmpfs     /dev/shm     tmpfs     defaults,ro     0     0, press Esc to leave insert mode, type a colon (:) followed by wq, and hit Enter to save and exit the file.

Edit /etc/sysctl.conf to stop some spoofing attacks and enable other security measures.  By removing the hash sign (#) in front of certain lines in this file, you activate the security settings those lines provide.  So let’s remove the hash sign in front of:

  • net.ipv4.conf.default.rp_filter=1
  • net.ipv4.conf.all.rp_filter=1
  • net.ipv4.tcp_syncookies=1
  • net.ipv4.icmp_echo_ignore_broadcasts = 1
  • net.ipv4.icmp_ignore_bogus_error_responses = 1
  • net.ipv4.conf.all.accept_redirects = 0
  • net.ipv6.conf.all.accept_redirects = 0
  • net.ipv4.conf.all.send_redirects = 0
  • net.ipv4.conf.all.accept_source_route = 0
  • net.ipv6.conf.all.accept_source_route = 0

Save /etc/sysctl.conf, then, as root, type sysctl -p in the terminal to activate the kernel settings you modified.
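Editing the file by hand works, but it is easy to miss a key or leave one commented out.  Here is an added example (my own script, not part of the original post) that uncomments or appends the ten keys listed above in a sysctl.conf-style file, counts how many are active, and compares them with the running kernel via sysctl -n.  The function names and the sample config fragment are constructed for this demo; the keys and values are the post’s own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the /etc/sysctl.conf
# hardening keys the post lists to a sysctl.conf-style file, count how many
# are active, and compare them with the running kernel.

HARDENING_KEYS='net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0'

# sample_sysctl_conf: a constructed sysctl.conf fragment with two keys still
# commented out, one set to the wrong value, and one unrelated setting.
sample_sysctl_conf() {
  cat <<'EOF'
# Uncomment the next line to enable Spoof protection (reverse-path filter)
#net.ipv4.conf.default.rp_filter=1
# net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
kernel.printk = 3 4 1 3
EOF
}

# enable_keys FILE: for each hardening key, strip a leading "#" from its line
# and force the hardened value; append the key if the file lacks it.
enable_keys() {
  f="$1"
  tmp="$f.tmp.$$"
  cp "$f" "$tmp"
  printf '%s\n' "$HARDENING_KEYS" | while IFS='=' read -r key val; do
    [ -n "$key" ] || continue
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
    if grep -q "^[# ]*$pat[ ]*=" "$tmp"; then
      sed "s/^[# ]*\($pat[ ]*=[ ]*\)[0-9]*/\1$val/" "$tmp" > "$tmp.2" && mv "$tmp.2" "$tmp"
    else
      printf '%s = %s\n' "$key" "$val" >> "$tmp"
    fi
  done
  mv "$tmp" "$f"
}

# count_active FILE: number of hardening keys present, uncommented, and set
# to the hardened value.
count_active() {
  f="$1"; n=0
  for entry in $HARDENING_KEYS; do
    key=${entry%%=*}; val=${entry#*=}
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[ ]*$pat[ ]*=[ ]*$val[ ]*$" "$f"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# verify_live: report hardening keys whose value in the running kernel differs
# from the hardened value (needs the sysctl binary; run after sysctl -p).
verify_live() {
  printf '%s\n' "$HARDENING_KEYS" | while IFS='=' read -r key val; do
    cur=$(sysctl -n "$key" 2>/dev/null) || { echo "$key: not available"; continue; }
    [ "$cur" = "$val" ] || echo "$key: live=$cur wanted=$val"
  done
}

# Usage on a real system, as root:
#   cp /etc/sysctl.conf /etc/sysctl.conf.bak && enable_keys /etc/sysctl.conf
#   sysctl -p && verify_live
```

Run verify_live after sysctl -p: a key that still differs usually means a later file under /etc/sysctl.d/ or a boot-time script overrides it, which is exactly the drift you want to notice.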

As root or a sudo user, type aptitude install clamav to install anti-virus software.  To scan a directory for viruses, just do clamscan -r -i [insert-directory-name-here-without-the-bracket-signs].  To scan a single file, in a terminal, just do clamscan -i [insert-file-name-here-without-the-bracket-signs].  To update the virus signature database, as root or a sudo user, in a terminal, do freshclam.

By default, Ubuntu has AppArmor installed.  Still, you can enhance this even more.  In a terminal, as root or a sudo user, type aptitude install apparmor-profiles.  This adds more ready-made profiles for AppArmor to protect against zero-day attacks from hackers.

In a terminal, as root or a sudo user, type aptitude install chkrootkit rkhunter.  Chkrootkit and Rkhunter are both rootkit detection scripts.  They will alert you about known rootkits on your system if there are any.  Rootkits are the stuff you want to get rid of, because they are the doors hackers use to sneak in.  You have to run Chkrootkit and Rkhunter manually or as cron jobs to get the rootkit alerts.  Let’s do it manually!  For Rkhunter, as root or a sudo user, update the script by typing rkhunter --update in the terminal, and run it by typing rkhunter -c (as root or a sudo user).  For Chkrootkit, as root or a sudo user, you only need to type chkrootkit in the terminal.

Let’s remove telnet completely from your system.  Telnet is a very insecure program that allows users to communicate with your system remotely in clear text.  To do this, in a terminal and as root or a sudo user, type aptitude remove telnet.

Additional security software you may want: tiger, lsat, harden, harden-environment, bastille, harden-nids, harden-tools, harden-clients, harden-servers, rats, wipe and nmap.  You can use Aptitude or Synaptic to install these packages.

Let’s make sure you have only the ports you need open and nothing else!  To check for open ports, you can use nmap.  In a terminal and as root or a sudo user, type ifconfig to see the inet addr:192.168.X.X of your eth0 or wlan0 interface, and use nmap to check that IP address.  Let’s assume your inet addr is 192.168.0.1; you can type this in a terminal as root or a sudo user: nmap -sTU 192.168.0.1.  If you see an open port that you do not know about or do not think is necessary, you can try to deactivate the service that opened that port, or configure your firewall to block it.
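nmap tells you a port is open but not which program opened it.  The added example below (my own script, not part of the original post) fills that gap from the inside: it reads the output of ss -tulnp, drops sockets bound only to loopback, and prints protocol, port and owning process so the unexpected port can be traced to its service.  It assumes the column layout of ss from iproute2 (Netid State Recv-Q Send-Q Local:Port Peer:Port Process); the sample listing embedded in the script is constructed, and the process column is only populated when ss runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): map listening sockets to the
# process that owns them, using the column layout of `ss -tulnp`.

# sample_ss_output: a constructed `ss -tulnp` listing for the demo.
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=812,fd=12))
udp   UNCONN 0      0      127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=900,fd=8))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=654,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=654,fd=4))
EOF
}

# exposed_listeners FILE: read `ss -tulnp` output from FILE and print
# "proto port process" for every socket that is not bound to loopback only.
exposed_listeners() {
  awk '
    $1 == "Netid" { next }                     # skip the header line
    {
      addr = $5; port = addr; sub(/.*:/, "", port)
      if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next   # local-only, not reachable from the LAN
      proc = "?"                               # unknown unless ss ran as root
      if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
      print $1, port, proc
    }' "$1" | sort -u
}

# Live usage on the machine being checked (as root, for process names):
#   ss -tulnp > /tmp/ss.txt && exposed_listeners /tmp/ss.txt
```

On the constructed sample this reports sshd on tcp/22 and avahi-daemon on udp/5353, and hides cupsd because it listens on 127.0.0.1 only.  Anything printed here that you did not expect is the service to disable, or the port to block in Guarddog.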

I bet there are other security measures that I may have missed, but you can always let me know by commenting under this post.

Update (on November 26th 2009):  There is another security measure that I forgot to tell you about.  It’s about the integrity of your system.  If someone modifies a file on your Ubuntu system, for either a good or an evil purpose, you want to be able to figure out which file changed; if a modified file looks suspicious, you may have to put in some extra effort to figure out whether your system was modified for a malicious purpose or not.  You can use fcheck to do this.  To install it, go to a terminal as root or a sudo user (i.e., sudo -i, or sudo [command here]) and type aptitude install fcheck.  After installing fcheck, run fcheck -cadsx so that fcheck knows about all the files on your system.  If you don’t know what -cadsx means, type man fcheck to see the meaning of each of fcheck’s flags.  After running fcheck -cadsx, run fcheck -adsx to confirm that fcheck is actually working and reporting on the integrity of your system’s files.  Just remember that the next time you boot your system, run fcheck -adsx first to see whether any file has an integrity problem.  Register all files with fcheck again by running fcheck -cadsx whenever you update your Ubuntu system or install new software (a package).

Update (on Dec 7th 2009):  I also found out that sometimes it’s best to be super paranoid.  So here is another way to tighten up your Ubuntu 9.10 even more (this works with other Linux distributions and previous Ubuntu versions): disable shells for unused accounts and for active/inactive services.  To do that, go to a shell (terminal), type [sudo -i] to become root, and then use either nano or vim.tiny to edit /etc/passwd.  In /etc/passwd, you can disable all shells except for the user accounts you use to log in to your Ubuntu 9.10 system.  To disable the shell for an account, remove the last part that looks like bash or sh and replace it with false.  For example, whatever:x:x:x:x:/x:/bin/false is correct (the insecure setting would be whatever:x:x:x:x:/x:/bin/bash).  You can also lock accounts in /etc/shadow with [passwd -l] (for example, passwd -l username), but there is an exception: do not lock an account that you want to log in to your system with.
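Editing /etc/passwd by hand is error-prone on a system with dozens of service accounts.  The added example below (my own script, not part of the original post) audits a passwd-format file for accounts that still have a real shell, skipping the login accounts you name, and rewrites one account’s shell field to /bin/false, which is the change the update describes.  The function names are my own, and the embedded passwd content is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): find accounts with an
# interactive shell in a passwd-format file and switch one to /bin/false.
# Relies only on the seven-field /etc/passwd layout (shell is field 7).

# sample_passwd: a constructed passwd file for the demo.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# interactive_accounts FILE [KEEP...]: print the names of accounts whose shell
# is not one of the usual non-login shells, skipping the KEEP names (the
# accounts you actually log in with, which must stay untouched).
interactive_accounts() {
  f="$1"; shift
  keep=" $* "
  awk -F: '$7 != "/bin/false" && $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" { print $1 }' "$f" |
  while read -r name; do
    case "$keep" in
      *" $name "*) ;;        # login account: leave it alone
      *) echo "$name" ;;
    esac
  done
}

# disable_shell FILE USER: rewrite USER's shell field to /bin/false in place,
# leaving every other field and every other account unchanged.
disable_shell() {
  f="$1"; user="$2"
  awk -F: -v OFS=: -v u="$user" '$1 == u { $7 = "/bin/false" } { print }' "$f" > "$f.tmp.$$" &&
  mv "$f.tmp.$$" "$f"
}

# Usage on a real system, as root, after backing up /etc/passwd:
#   interactive_accounts /etc/passwd alice      # review the list first
#   disable_shell /etc/passwd daemon            # one account at a time
```

Run the audit first and read the list: on a real system it will include accounts such as root and sync, and each entry deserves a deliberate decision rather than a blanket change.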

AVG Releases Version 9.0

On October 5, 2009, in Anything Goes, by admin

AVG is good security software that I’ve been using on my Windows machines.  It has a free version that you can download from its website.  The paid version is around $35 per year.  Today, AVG announced that it has launched version 9.0, though this new version is only available to paid users.  The free version will be upgraded to version 9.0 later this month.

When comparing AVG against other security software, I found that AVG was less resource intensive.  It gets better: AVG promises that, with version 9.0 and depending on the system configuration, the anti-virus scanning process is up to 50% less resource intensive than in the previous version, which means scanning can be done faster.  I found this to be true after testing AVG 9.0.  On a fresh installation or a new update of AVG 9.0, it will ask you to allow it to scan for trusted files on your computer; if you allow this, the next time you scan your computer for viruses, the trusted files won’t have to be scanned again, and this is how AVG 9.0’s scan process is faster than previous versions.  Of course, you can reconfigure AVG to scan every file on your computer, though this will be slower.

Just like any other good security software, AVG has features that prevent spam from reaching your email programs, prevent you from being tricked into visiting malicious websites, detect and remove malware, detect and remove rootkits, and protect you from identity theft.  The free version has fewer features than the paid version.  For some people, the free version is more than good enough, but for others like me, I prefer the extra features that may come in handy, so the paid version is the way to go.

AVG has a firewall that you can configure to allow certain trusted applications to access your network and to block unknown applications and protocols.  AVG’s firewall lets you create profiles for the different networks you have access to.  For example, you can configure the firewall to be stricter when you are using Starbucks’s network and less strict when using your network at home.  Another cool feature is that, by default, AVG is configured to watch out for viruses and worms that spread through the instant messengers of Yahoo, Microsoft, AOL and others.  Source.

ZoneAlarm Gets Toughened Up

On August 31, 2009, in Internet, by admin

From a read at VentureBeat, ZoneAlarm has just toughened up its software, and now more people can be better protected against computer viruses and worms.  One feature that caught my attention is that ZoneAlarm provides keystroke encryption.  This feature lets ZoneAlarm encrypt whatever you type on your computer in real time, and, as ZoneAlarm claims, it will stop keyloggers.  Keyloggers are programs that stay hidden on your computer and log what you have typed; hackers can use this to retrieve passwords and other confidential information from you.  Also, as more laptops are sold than ever before, protecting the data on laptops is now even more important, so ZoneAlarm is now providing hard-drive encryption.  Hard-drive encryption is important for laptops since laptops are easily stolen or lost.

What's A Router?

On April 20, 2009, in Hardware, by admin

What is a router?  A router is like a smart switch, but it’s much more.  A router lets you hook up multiple computers to a single network that uses a single Internet connection (DSL, cable, and so on).  There are two types of routers: enterprise routers and typical routers.  Enterprise routers are for big companies, whose complex networks require stronger and smarter routers.  A typical home network only needs a regular router.

A regular router that you can get at your electronics store has four Ethernet ports, but make sure you get a router that also allows wireless connectivity.  With wireless connectivity, your router will be able to let 10 or more wireless devices connect to the Internet, depending on how fast your Internet connection is.  Regular routers cost from $80 to $160.

For your information, using the Ethernet ports is better, because these ports provide better security than a wireless connection.  Why?  Hackers need to hack your router directly before they can see your internal network IP addresses, and each Ethernet port represents an internal network IP address.  Internal network IP addresses start with 192.168.x.x.  A wireless connection is easier to hack, as hackers have wireless scanners that can sniff wireless activity like a dog sniffing for scents.  To confuse the hackers, you must use wireless encryption.  To improve your wireless security, use the WPA or WPA2 wireless encryption standard.  Don’t use the WEP wireless encryption standard, because it’s not as secure as WPA and WPA2.

A typical router also comes with a firewall known as Stateful Packet Inspection (SPI).  Many routers let you turn the firewall on or off easily by checking or unchecking some options in the admin panel.  If your router does not turn the firewall on by default, you must do it manually, because the firewall is there to help protect your network from prying eyes (hackers).  For your information, no firewall is hacker proof, but it’s better to have a firewall than nothing at all.

Some people set up their routers incorrectly by leaving the default settings exactly as they are, and so their network can be hacked easily.  Make sure to change the admin’s default password to something harder, and also set a longer and harder-to-guess WPA/WPA2 passphrase.  Each time a wireless device wants to access the router, the router asks it for the secret passphrase, and if the wireless device cannot answer with the correct passphrase, the router won’t let it connect to the network.

Some routers let you block or permit only specific wireless devices on the network by filtering MAC addresses.  Each wireless or Ethernet card has a unique MAC address, and if you physically look at the card, you’ll see the MAC address printed on it.  By allowing only registered MAC addresses to connect, the router effectively permits or prevents a wireless device from accessing the router, and ultimately the network and the Internet connection.  Still, there are hackers who know how to spoof (fake) a MAC address, so this feature is not hacker proof.

Many routers have a logging capability.  This lets the router record the incoming and outgoing requests of each wireless device on the network.  By looking at the log, you can see who accessed the router and the destination IP addresses.

If you’re using a Linksys router, you may be able to use the DD-WRT firmware to turn your $80 Linksys router into one of those enterprise routers.  For your information, enterprise routers are much more expensive because they carry more features.  DD-WRT gives your normal Linksys router more features.  Please be careful when applying DD-WRT to your router, because doing it without following the correct instructions may render your router unusable.

Another Post On Linux

On March 30, 2009, in Linux, by admin

There are various Linux versions that you can install onto your computer.  Still don’t know what Linux is?  If you are tired of using Windows versions such as XP and Vista, you could always install Linux as the alternative operating system for your computer.  It’s free to download, and it’s legal to do so.  How come?  Just like any other software available in this earthly world, each Linux version comes with a license, and Linux’s licenses are there to protect computer users like you and me.  If you read the Linux licenses carefully, you may be surprised that you can download Linux’s source code, change it, recompile it, repackage it, make it your own, and so on.  If you are totally new to Linux, you probably think this is bogus!  What makes you think that way?  You and I, and so many other people, grew up accustomed to proprietary software, and the only way to get proprietary software is to buy it.  Linux and other open source software belong to the open source community; in this way you and I get to use this software with fewer restrictions.

People who are loyal Linux users love to brag about how much more secure Linux is compared to Windows Vista and other Windows versions.  Though it’s not nice to trash other software just because you are in love with a comparable one, it’s true that Linux is much more secure than Windows.  Why?  Linux was designed to be secure from the very beginning!  Linux has a smaller user base, which is why not too many hackers are fond of attacking Linux users.  Linux has always provided various methods for Linux users to define file and system permissions.  Windows Vista is trying to do the same, but not as restrictively as Linux’s permission system; Windows Vista and its predecessors have always emphasized a user-friendly interface over security.  There are no known viruses that could affect Linux, but you could not say the same for Windows.  One could argue that some hackers could create viruses that specifically target Linux, but it’s so much harder for a virus to do harm to Linux, since Linux employs a much more restrictive OS environment; hackers don’t want to waste their time creating viruses for Linux.  You could say that you don’t need a virus scanner for a Linux OS.  Some Linux users install a virus scanner such as Clam AntiVirus just to scan their files and make sure that only uninfected files get transferred from Linux to Windows; in this way, Windows computers won’t get infected by viruses.  The virus-infected files themselves could not harm a Linux system!

Linux is not too hard to use if you try to learn it at a steady pace, but impatient users may find Linux much harder to learn and use than Windows.  Luckily, Linux versions such as Ubuntu, openSUSE, Fedora, Mandriva, PCLinuxOS and other flavors are beginning to offer friendly GUIs (graphical user interfaces), so new Linux users may find that it’s not too hard to learn how to use Linux.

If you are new to Linux, you may find that most Windows software won’t run on Linux, but Linux has a program called Wine that can emulate the Windows environment, and in this way you may be able to run some Windows software on Linux.  Wine is free, as is most other Linux software.  If you are worried about being less productive on a Linux OS, don’t be!  Linux has so much free software that provides basically the same functions as Windows software.  OpenOffice, GIMP, Evince, Gedit, Pidgin Internet Messenger, Brasero Disc Burning, VLC and the thousands of other programs that Linux carries are perfect examples of why you can still be very productive when using Linux.  Want to make your Linux look as cool as Vista?  You can do this too by installing the right software packages and doing some configuration.  (Hint:  Compiz.)  The capability to make your Linux play videos and MP3s, share files, write documents and spreadsheets, host websites, host email servers, program, and so on is all there.  It’s up to you to take up Linux as your next favorite operating system!

If you go back a decade, installing Linux was a scary thing to do, but nowadays that’s not the case anymore.  I suggest you try Ubuntu, because Ubuntu is very easy to install.  What’s Ubuntu?  Ubuntu is Linux!  You can find all types of Linux at Distrowatch.com.  Searching Google is another fine way to find documentation that shows you how to use Linux.

Here are some tips I suggest you follow when installing Linux!  If the Linux version you are installing has an option to automatically partition your hard drive, then since you are new to Linux, I suggest you use that option.  You could also partition your hard drive manually.  If you plan to partition manually, I think you should make your boot partition 100 MB in size.  You should also make your swap partition double the size of your available RAM (a type of computer memory that can be accessed randomly).  You could also make /home a separate partition, because when you reinstall Linux you can keep your users’ files.  Making /var a separate partition is also a good idea, because /var is where Linux dynamically writes files.  Other people also suggest making /tmp a separate partition for security purposes, but there are only so many separate partitions you can make, so I suggest you plan this out carefully.  In theory, you can create 3 primary partitions, 1 extended partition, and 64 logical partitions.  The logical partitions have to go inside your extended partition.  To make this easy, you could create /boot with a size of 100 MB as your first partition, /home as your second partition, /swap as your third partition, / as your extended partition, and inside / you could create more partitions for various mount points.  For example, you could create /tmp, /var, /opt, /etc, /root, /bin, /sbin, /mnt, /dev, and so on as logical partitions.  I don’t think you need that many logical partitions; the ones you need are probably /var and /tmp.

Let’s say you pass the point of default installation from a Linux DVD or CD; I suggest that you do not connect your computer to the Internet yet!  It’s best to have firewall software ready on a CD, USB flash drive or DVD; installing the firewall onto your brand new Linux installation before connecting to the Internet is one of the best practices for securing your computer from prying script kiddies.  You can grab the APF firewall from http://www.rfxn.com/projects/advanced-policy-firewall/, then put it on a CD, USB flash drive or DVD before you begin your Linux installation.  Installing APF on your Linux computer is easy!  Copy the APF tar.gz file onto your computer, open a shell terminal, do "tar xzvf apf-current.tar.gz", go into the extracted apf directory, and then do "./install.sh".  You need to configure your APF firewall before it will work correctly to protect your Linux computer.  APF’s configuration file is in /etc/apf/ and is called conf.apf.  To edit conf.apf, you have to be root.  APF’s configuration file is pretty much self-explanatory, so read it carefully before you edit it.  Also, don’t forget to start your APF firewall!  How?  On Ubuntu you do "sudo /usr/local/sbin/apf -s", but on other Linux systems you need to be root and then do "/usr/local/sbin/apf -s".

After you have a firewall going on your Linux computer, you should update your Linux.  Why?  If you are installing Linux from a CD or DVD, those system files are pretty darn old.  Updating those files helps iron out security issues.  Updating your operating system is very important!  Doing this helps your operating system stay up to date and avoid security holes.  If you are using Ubuntu, updating is easy!  For Ubuntu and similar Linux versions (Debian), do "sudo aptitude update" and then "sudo aptitude safe-upgrade".  You can also do "sudo synaptic" to see thousands of available software packages that you can install onto your Linux system.  I suggest that you only install what you need, because the more software you install, the less secure your computer gets; this is true for all operating systems.  Why?  Much software has unfixed or unknown security problems, and by installing only the software you need, you minimize the risk of exposing your computer to security issues.  You should also search the web using Google to find out what other useful commands you can use on Linux through the shell terminal.  If you prefer to use only Linux’s GUI, you can, but the shell terminal lets you do much, much more than the GUI offers.

Have fun playing with Linux!
