2. Tech
  3. Basic Ubuntu Security

Basic Ubuntu Security

I just got finished reading (and technically flaming) a article from the ITSecurity site. The article, The Big Ol' Ubuntu Security Resource, starts off by trying to scare you. "So you thought Ubuntu was secure? Think again! I did a Google search with the words Ubuntu and security and you wont believe what I found! ZOMG there are so many back-doors for those root-kits and h@X0rs that if you don't do exactly what I tell you your system will totally be vulnerable!" Sorry for the exaggeration there, it's not what he really said. When you read the article though I cant help but get the feeling like all his information came from the first page of a Google search. So I am going to do the responsible Linux Community member and fight the FUD with facts and then leave the rest up to readers!

Start with the Basics!

The most obvious (at least to security conscious and or paranoid people) thing to employ is a good password policy. Fortunately for you (and me because I'm lazy) I already have an article dedicated to this called Password Security oddly enough.

The reason this must be the first thing done is because you could have all the security software in the world installed. If your admin password is 1234 none of it is worth a damn thing.

To change your password (with the GUI tool) go to System->Administration->Users and Groups.

Just about the only other "basic" fix is to turn on automatic security update and installation. Now assuming your not like me and left the automatic updates to do it's thing then enabling this is simple. Go to System->Administration->Software Sources. Then click on the Updates tab. Towards the middle of the window there is an Automatic Updates section. Select "Install security updates without confirmation."

A cautionary reminder, I typically don't install ANYTHING unless I know what it is and what it does. This goes for updates as well. The reason I say this is because many people add third-party repositories. These repositories are not as rigorously tested as official Ubuntu ones. That does not mean however they take a lax approach to security. It just pays to read what the updates are for is all.

Bonus Tip

This is a bit more advanced but it is worth it since it is not difficult. Ubuntu/Canonical developed a simple command-line interface for using IPTables (The built in firewall to most GNU/Linux systems) called Uncomplicated Firewall (UFW). Unfortunately they have yet to build a GUI front end for it. So the guys over at Tuxfamily.org built one in true open-source fashion!

First you should be running either Ubuntu 8.04.1 or 8.10. Once you have that straitened out, UFW should be installed (but not enabled) by default. Although the syntax is easy, we will just concern ourselves with the GUI interface.

Next head over to the GUFW homepage to grab a compiled .deb. The newest one is always located at:

http://gufw.tuxfamily.org/latest-ufw-deb.html

You can either choose "Open" or "Save." If you save the file, you will need to double click it to install. Either way you should now be looking at Gdebi package installer. The description window will tell you a bit about the package. Clicking on the "Details" and "Included Files" tabs will reveal more information about who made this, what version and what files will end up where.

Click on the [Install Package] button at the top. After supplying the proper password, close out of the two windows once the installation has completed.

Launch GUFW by going to System->Administration->Firewall Configuration.

The first thing to do is enable the firewall. Click check box next to "Firewall Enabled" in the upper right. The current configuration of Deny incoming traffic is correct.

Now go ahead and close this. The firewall rules and everything will be saved so even if you reboot, the firewall will turn on. If you want to turn on the GUI also you can select this in the preferences.

Now the hard part, disable ping requests. This will make it look like your computer is not on the network if someone does a network scan by sending out pings. A little security through obscurity is sometimes a good thing!

To do this we need to edit the system config file for UFW. The file is located at:

/etc/ufw/before.rules

This file handles the rules for what to do with Internet traffic before it actually goes to the firewall for inspection. To edit this file we need to be an administrator.:

sudo gedit /etc/ufw/before.rules

On line 41 it should say "-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT" under the "ok icmp codes" section. We need to comment out this line. This will make the firewall drop all ICMP pings. Put a "#" infront of the line, then save and close the file.

After a full reboot, the new UFW rules will be inplace.

Go ahead and give it a test. Open up a command line on another computer (Windows, Linux OS X or Otherwise) and run:

ping <ip address of Ubuntu machine goes here>

Next time, well take a deeper look at GUFW, UFW, and some more advanced and useful tools.