Ubuntu:Edgy th/Security
Security
What are the basic things I need to know about securing my Ubuntu system?
- Read #General Notes
- Ensure hard drive is first in BIOS boot-up sequence
- To prevent trespassers from using Linux Installation CD which allows them to gain root user access
- To prevent trespassers from using Linux Live CD (e.g. UBUNTU/KNOPPIX/MEPIS) which allows them to destroy/browse/share the entire hard drive
- To prevent trespassers from installing another Operating System
- Ensure a password is set for BIOS
- To prevent trespassers from changing the BIOS boot-up sequence
- Ensure computer is located at a secured place
- To prevent trespassers from removing computer's hard drive which allows them to destroy/browse/share the entire hard drive from a different computer
- To prevent trespassers from removing computer's on-board battery which resets the BIOS password
- Ensure passwords used on the system cannot be easily guessed
- To prevent trespassers from cracking password file using brute force attacks (e.g. John the Ripper)
- Use a minimum length of 8 characters (longer is better)
- Mix letters and digits, and upper and lower case
- Do not use a dictionary word, or a simple combination of dictionary words, from any common language (English, German, French, Spanish, ...) as the password; a digit or capital bolted onto a word does not help much
- Ensure interactive editing control for GRUB menu is disabled
- To prevent trespassers from modifying kernel boot-up arguments which allows them to have root user access
- Read #How to disable all interactive editing control for GRUB menu
- Ensure history listing is disabled in Console mode
- To prevent trespassers from seeing previously issued commands
- Read #How to disable history listing in Console mode
- Ensure Ctrl+Alt+Del is disabled in Console mode
- To prevent trespassers from restarting the system without permission in Console mode
- Read #How to disable Ctrl+Alt+Del from restarting computer in Console mode
- Ensure the interactive option is set for remove, copy and move of files/folders in Console mode
- To prevent accidental removal/overwriting of files/folders
- Read #How to enable prompt before removal/overwritten of files/folders in Console mode
- For day to day usage, login as a normal user
- To prevent accidental deletion/modification of system files/folders
- Read #How to add/edit/delete system users
- Disable root user account, use "sudo" instead
- To reduce the amount of time spent with root privileges, and thus the risk of inadvertently executing a command as root
- "sudo" provides a more useful audit trail (/var/log/auth.log)
- Read #How to disable root user account
- Install a Firewall
- A firewall does not guarantee security but it is in most environments the first line of defense against network based attacks
- Read #How to install Firewall (Firestarter)
- Perform vulnerability test
- Nessus is a great tool designed to automate the testing and discovery of known security problems
- Read #How to install Vulnerability Scanner (Nessus)
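As an added example (not part of the original page), here is a small POSIX shell checker for the password rules listed above: minimum length 8, at least one digit, both letter cases, and neither a dictionary word nor a plain join of two dictionary words once digits, symbols and case are stripped. The word list is constructed for the demo; on a real system you would feed it /usr/share/dict/words (an assumed path) or, better, let pam_cracklib do this at passwd time.

```sh
#!/bin/sh
# Added example, not from the original page: checks a candidate password
# against the rules listed above. The word list is constructed for the demo.

WORDLIST='password
secret
admin
ubuntu
linux
summer
welcome
letmein'

# is_word WORD: true if WORD is in the list (exact, fixed-string match)
is_word() {
    printf '%s\n' "$WORDLIST" | grep -qxF -- "$1"
}

# pw_check PASSWORD: prints each rule the password breaks; returns 0 only
# when no rule is broken.
pw_check() {
    pw=$1
    bad=0
    if [ "${#pw}" -lt 8 ]; then echo "too short: ${#pw} < 8 characters"; bad=1; fi
    case $pw in *[0-9]*) ;; *) echo "no digit"; bad=1 ;; esac
    case $pw in *[a-z]*) ;; *) echo "no lower-case letter"; bad=1 ;; esac
    case $pw in *[A-Z]*) ;; *) echo "no upper-case letter"; bad=1 ;; esac

    # Dictionary test on the letters only, lower-cased, so that "Password1"
    # does not pass just because a digit and a capital were added to a word.
    letters=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]' | tr -cd '[:alpha:]')
    if is_word "$letters"; then
        echo "dictionary word: $letters"; bad=1
    else
        # Also reject word+word, e.g. "LinuxSecret42" -> linux + secret
        for w in $WORDLIST; do
            case $letters in
                "$w"*)
                    rest=${letters#"$w"}
                    if [ -n "$rest" ] && is_word "$rest"; then
                        echo "two joined dictionary words: $w + $rest"; bad=1
                        break
                    fi ;;
            esac
        done
    fi
    return $bad
}

# Demo run over constructed sample passwords
for p in 'Password1' 'summer' 'LinuxSecret42' 'Tr0ub4dor&3' 'Xq7!mPz2vLk'; do
    if pw_check "$p" >/dev/null; then echo "PASS  $p"; else echo "FAIL  $p"; fi
done
```

The checker deliberately strips digits and symbols before the dictionary test; most of the "mixture" advice above is defeated by passwords like Password1, and this is the case a naive length-and-classes check misses.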
How to disable all interactive editing control for GRUB menu
- Read #General Notes
- Run This:
grub-md5-crypt
Password:
Retype password:
$1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
- Backup your current configuration file
sudo cp /boot/grub/menu.lst /boot/grub/menu.lst_backup
gksudo gedit /boot/grub/menu.lst
- Find this section
...
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
#      password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
#      password topsecret
...
- Add the following line below it
password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
(use the hash that grub-md5-crypt printed for your own password, not the one shown here)
- Find the section(s) that look like this (note the 'recovery mode' and the word 'single'):
...
title           Ubuntu, kernel 2.6.10-5-386 (recovery mode)
root            (hd0,1)
kernel          /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
initrd          /boot/initrd.img-2.6.10-5-386
savedefault
boot
...
- Add lock between the title and root lines:
...
title           Ubuntu, kernel 2.6.10-5-386 (recovery mode)
lock
root            (hd0,1)
...
- Save the edited file
This makes the GRUB console require a password before menu entries can be edited, and the recovery mode entries will not boot unless the password is typed. To reach the protected options at the menu, follow the instructions at the bottom of the screen; typically you press p and enter the password. Two caveats: menu.lst is world-readable by default, so any local user can copy the MD5 hash and try to crack it offline, which means the passphrase must be a strong one; and the GRUB password only governs the boot menu. It does nothing against a Live CD or a removed hard drive, which is why the BIOS and physical measures listed above still matter.
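As an added example (not part of the original page), a small audit script for the two menu.lst changes just made. It reports a missing global "password --md5" line (a commented-out one does not count), a clear-text "password" line, and any "(recovery mode)" entry without a "lock". The two menu.lst samples it runs on are constructed for the demo and reuse the kernel version and hash from the text above.

```sh
#!/bin/sh
# Added example, not part of the original page: audits a GRUB legacy menu.lst
# for a global "password --md5" line before the first "title" and a "lock"
# line inside every "(recovery mode)" entry. Sample files are constructed.

# grub_audit FILE: prints one line per problem found, returns 0 when none.
grub_audit() {
    awk '
    function finish() {
        if (title ~ /recovery mode/ && !locked) {
            print "recovery entry without lock: " title; bad = 1
        }
    }
    /^[ \t]*#/ { next }                     # commented-out lines do not count
    /^[ \t]*title[ \t]/ {                   # a new menu entry starts here
        finish()
        title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
        locked = 0; in_entry = 1; next
    }
    !in_entry && /^[ \t]*password[ \t]+--md5[ \t]+\$1\$/ { md5 = 1 }
    !in_entry && /^[ \t]*password[ \t]+[^- \t]/          { plain = 1 }
    in_entry  && /^[ \t]*lock[ \t]*$/                    { locked = 1 }
    END {
        finish()
        if (!md5)  { print "no global \"password --md5\" line before the first title"; bad = 1 }
        if (plain) { print "global password is in clear text; use grub-md5-crypt"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed samples: one hardened as described above, one still open.
MENU_OK=$(mktemp); MENU_WEAK=$(mktemp)
trap 'rm -f "$MENU_OK" "$MENU_WEAK"' EXIT

cat >"$MENU_OK" <<'EOF'
default 0
timeout 10
password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/

title           Ubuntu, kernel 2.6.10-5-386
root            (hd0,1)
kernel          /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro quiet splash
initrd          /boot/initrd.img-2.6.10-5-386
boot

title           Ubuntu, kernel 2.6.10-5-386 (recovery mode)
lock
root            (hd0,1)
kernel          /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
initrd          /boot/initrd.img-2.6.10-5-386
boot
EOF

cat >"$MENU_WEAK" <<'EOF'
default 0
timeout 10
# password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/

title           Ubuntu, kernel 2.6.10-5-386
root            (hd0,1)
kernel          /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro quiet splash
initrd          /boot/initrd.img-2.6.10-5-386
boot

title           Ubuntu, kernel 2.6.10-5-386 (recovery mode)
root            (hd0,1)
kernel          /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
initrd          /boot/initrd.img-2.6.10-5-386
boot
EOF

for f in "$MENU_OK" "$MENU_WEAK"; do
    if grub_audit "$f"; then echo "$f: ok"; else echo "$f: needs attention"; fi
done
```

Run it against the real file with `grub_audit /boot/grub/menu.lst` after editing; it is cheap enough to keep in a post-update check, since package upgrades regenerate menu.lst and can drop a hand-added lock line.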
How to disable history listing in Console mode
- Read #General Notes
- From Gentoo Wiki:
rm -f ~/.bash_history
gedit ~/.bash_profile
- Add the following:
# Truncate the on-disk history file and stop bash from writing one
export HISTFILESIZE=0
unset HISTFILE
# Change this to a reasonable number of lines to save, I like to save only 100.
export HISTSIZE=100
# Ignores duplicate lines next to each other
export HISTCONTROL=ignoredups
With HISTFILE unset, bash no longer writes the command history to disk at logout, while HISTSIZE still keeps the last 100 commands in memory for recall within the session, and ignoredups drops consecutive duplicate lines. Note that bash reads only the first of ~/.bash_profile, ~/.bash_login and ~/.profile that exists, so creating ~/.bash_profile stops Ubuntu's default ~/.profile (which sources ~/.bashrc) from being read; either put these lines in ~/.bashrc instead, or have the new ~/.bash_profile source ~/.profile. This only stops the history from being stored; anyone at an unlocked session can still see the current shell's history until it ends.
How to disable Ctrl+Alt+Del from restarting computer in Console mode
- Read #General Notes
sudo cp /etc/inittab /etc/inittab_backup
gksudo gedit /etc/inittab
- Find this line
... ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now ...
- Replace with the following line
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
- Save the edited file
sudo telinit q
How to enable prompt before removal/overwritten of files/folders in Console mode
- Read #General Notes
sudo cp /etc/bash.bashrc /etc/bash.bashrc_backup
gksudo gedit /etc/bash.bashrc
- Append the following lines at the end of file
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
- Save the edited file
These aliases apply only to interactive bash shells: scripts, cron jobs, other shells, and commands typed as \rm or /bin/rm bypass them. They guard against typing mistakes, not against a deliberate action, so they do not replace backups.
How to setup a LoJack system for your laptop
- Read #General Notes
- Read #How to add extra repositories
- Read #How to assign Hostname to local machine with dynamic IP using free DynDNS service
What: Quote from Wikipedia: "LoJack is an aftermarket vehicle tracking system that allows cars to be tracked by police after being stolen. The manufacturer claims a 90% recovery rate. The name "LoJack" is a play on the word "hijack," meaning the theft of a vehicle through force."
Why: If your laptop is ever stolen and then connected to the Internet, you will be able to see which IP address it connects from and pass that on to the authorities. This only helps if the thief boots your installed Ubuntu rather than wiping the disk or booting something else, and it does nothing to protect the data on the disk.
How:
- Get a free dynamic IP account from one of the many providers. Here we will use DynDNS.
- Install ddclient. In the section #How to assign Hostname to local machine with dynamic IP using free DynDNS service we installed the package ipcheck, here we prefer to use ddclient because it can get the IP from an external source on the Internet instead of getting it from a network adapter.
sudo apt-get install ddclient
- Edit the configuration file /etc/ddclient.conf using your favorite text editor (emacs, gedit, kedit or even vi)
sudo emacs /etc/ddclient.conf
- Make it look like this:
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

pid=/var/run/ddclient.pid
protocol=dyndns2
use=web
server=members.dyndns.org
login=YourNameHere
password='YourPasswordHere'
YourHostNameHere.gotmyip.com
- NOTE:
- * Make sure that you use the web IP detection method (use=web), so the public address is reported rather than the address of a local network adapter.
- * Specify your own user id instead of the placeholder YourNameHere.
- * Specify your own password instead of the placeholder YourPasswordHere, and surround it with single quotes. The password is stored in clear text, so keep /etc/ddclient.conf readable by root only (mode 0600).
- * The last line should specify the hostname you registered with the dynamic IP service.
- You can now start the ddclient daemon, or wait until your next reboot.
sudo /etc/init.d/ddclient start
- The hostname you registered with your dynamic IP service should be updated. You can test it with the ping command:
ping YourHostNameHere.gotmyip.com
- Even if your laptop's firewall drops pings, the hostname should still resolve to the public IP address of the network your laptop is connected to (usually its NAT gateway), which is the address to report.
- Now all that is left is for someone to steal your laptop.....