The Big Ol' Ubuntu Security Resource

Updated: May 26, 2009

Introduction

If you've recently switched from Windows to the Linux distribution Ubuntu, you've probably experienced a decrease in spyware -- and malware in general -- on your system. But although Ubuntu is billed as the ultra-secure solution, you should know that even though Ubuntu's default install has its flaws, like every other operating system.

To combat these weaknesses, IT Security has prepared a guide to help you close your system's backdoors and protect you from some of the common Ubuntu exploits. Look at this big ol' Ubuntu security resource as an introductory guide to securing Ubuntu, along with a list of the software you'll need to stay protected.

Analysis

Getting Started

Surprisingly, many new Ubuntu users fail to take the most basic steps toward securing their install, even when they know better. Thankfully, the list of critical changes isn't long. Making modifications may not excite you as much as, say, adding a whole new security program, but these simple changes will go a long way to closing up Ubuntu's security weaknesses.

Modifying Default Settings

The first set of basic critical changes requires you to modify three insecure default system settings:

  • Reconfiguring shared memory
    Load your favorite text editor, open the file "/etc/fstab" and add the following line of code:
  • tmpfs /dev/shm tmpfs defaults,ro 0 0

  • Disabling SSH root login
    Load your favorite text editor, open the file "/etc/ssh/sshd_config" and add change the following line of code:
  • PermitRootLogin yes

    to

    PermitRootLogin no

  • Limiting access to the "su" program
    Open the terminal by clicking "Applications" selecting "Accessories" and choosing "Terminal." From there enter the commands:
  • sudo chown root:admin /bin/su sudo
    chmod 04750 /bin/su

Enabling Automatic Security Updates

Having made the three most critical default system settings changes, you have better ensured that your Ubuntu install will start out relatively secure. But keeping it that way means being vigilent about updating your system. Because so many of us forget to update regularly, enabling automatic security updates is one surefire way to make sure it gets done.

To enable automatic security updates, click on "System" select "Administration" and choose the "Software Sources" menu. From there select the "Internet Updates" tab and enable "Check for updates automatically" (specify "Daily"). Now every time Ubuntu issues a new security release you will be notified via the "Update Manager" icon in the system tray. From there it's up to you to click the icon and allow the Update Manager to download and install the files.

Securing the Home directory

The final critical change we recommend, is that you protect your personal documents by securing your home directory. The easiest way to do this is by clicking "Applications" selecting "Accessories" and choosing "Terminal." From there enter the command:

chmod 0700 /home/username (replace username with the name you use to login to your computer).

Now that you've successfully made these basic system setting modifications, you're ready to move on and start installing software that protects your system from being compromised.

Essential Security Installs

Unlike the Windows operating system, the Ubuntu Linux distribution is not ultra vulnerable to widespread virus and spyware infections, therefore the style of security used to protect one's machine is slightly different than that of a typical Windows machine.

Instead of spending hundreds of dollars on sophisticated firewalls, spyware blockers and intrusion detection and prevention systems, Ubuntu users simply have to install several free programs that protect the kernel from exploits, prevent the execution of malicious code and keep programs and users from accessing areas of the computer outside of their designated access level.

Important Software

To keep your computer secure, install the following software:

  • grsecurity - A complete security suite for protecting Linux's kernel.
  • PaX - The most critical piece of grsecurity, prevents memory exploits. (Comes standard with grsecurity, you only need to install this if you have no intention of installing grsecurity.)
  • Pro Police - IBM's solution for protecting against stack smash attacks.
  • DigSig - Verifies the integrity of executables via user defined digital signatures before running it. If a program is modified without your consent the digital signature changes and DigSig denies the program the ability to run.

Bootup Security

An often overlooked yet highly vulnerable area of computing is protection for machines while they're booting up. While simply keeping unauthorized users from having access to your computer is the best policy, sometimes that isn't possible. Thus this guide, over at the UbuntuForums, gives detailed instructions for protecting your computer while it's booting up.

The steps involved in this security measure are a bit more complex than the skillset of the average user, and it requires a small of amount of scripting, so we recommend that you only attempt to perform this security measure if you're really comfortable with Ubuntu, and Linux in general.

Second Level Security Software Installs

Congratulations, by this point you have completed the mandatory steps for a baseline securing of your Ubuntu install. You can now feel reasonably comfortable in the security of your install, but there are certainly still some lingering vulnerabilities. At this point it's up to you whether you want to take your system's security to the next level by integrating a few more applications of your choice.

Rootkit Protection

Ahh yes rootkit, the ultimate swear word to a Linux user. Although this guide is designed to prevent attackers from installing rootkits and backdoors onto your machine in the first place, breakdowns can occassionally happen. Thus it's a good idea to regularly scan for rootkits using the following software to make sure that your computer hasn't been compromised.

  • chkrootkit - Scans your computer for rookits, worms and LKM trojans.
  • Rootkit Hunter - Excellent tool for detecting rootkits.

Antivirus

I know what you're thinking, antivirus?...This is Linux! However true that may be, it is still important to provide protection for all inbound and outbound files you might be transmitting in order to protect the less than fortunate Windows computers you might come in contact with.

  • Clam AntiVirus - One of the most popular UNIX based antivirus solutions. Works well with email gateways.
  • AVG Anti-Virus - Free version of a popular commercial virus scanner.
  • BitDefender - On demand command line/shell script scanner.
  • Panda Antivirus - Uses sophisticated software to remove viruses from workstations connected to a Linux server.

Firewall

Installing and configuring an efficient firewall is a great way to keep attackers out. The stricter your rule-set and security policies are, the less likely it is that an attacker will find a way to exploit your system.

  • Firestarter - Versatile user friendly firewall.
  • SmoothWall - Highly configurable and extremely powerful network firewall solution.
  • HardWall Firewall - Iptables based packet filterer.
  • Firewall Builder - Generates rule sets for popular firewalls including iptables, ipfilter and pf.
  • BullDog - Very restrictive iptables based firewall. Recommended for advanced users only.

Network Tools

These tools are essential for monitoring and securing your network.

  • Nagios - Complete network monitoring suite.
  • Network Mapper - Uses IP packets to scan the network and determine various security information on the available hosts and network nodes.
  • Wireshark - Comprehensive tool for monitoring and analyzing network protocols.
  • Nessus - The definitive solution for scanning networks for vulnerabilities.
  • EtherApe - Graphical network monitoring suite.
  • tcpdump - Simple yet powerful tool for network monitoring.
  • tcptrace - Analyzes tcpdump output.

Miscellanous

In addition to the above resources, here are a few other programs we recommend for getting the most out of your computing experience.

  • Snort - The leading open source solution for intrusion prevention and detection.
  • OpenSSH - Allows you to secure transfer data to remote hosts.
  • OpenVPN - Secure virtual private network.
  • strongSwan - IPsec based virtual private network.
  • Kismet - Wireless network detector, sniffer and intrusion detection system.
  • GNU Privacy Guard - A superb command line encryption and digital signature tool.
  • TrueCrypt - Allows you to create virtual encrypted disks.
  • Thunderbird - Mozilla's secure email client.

One Last Note

Remember your computer (and network for that matter) can only be secure as the users allow it. Failing to use strong passwords, falling victims to social engineering scams, installing software without first verifying its integrity and over using the root account are all common ways to have your network compromised. To have a truly safe system, you must be committed to having a secure mindset and you must lay out strict guidelines for the people using your computer and or network. Otherwise one of them might misplace a password one day, and your entire client database or purchasing records will be stolen the next.

Sources

For more information on securing Ubuntu, check out the sources we used when writing this article.

Featured Research