Ubuntu:Feisty th/Security

Security

What are the basic things I need to know about securing my Ubuntu system?

  • Read #General Notes
  • Ensure hard drive is first in BIOS boot-up sequence
    • To prevent trespassers from using Linux Installation CD which allows them to gain root user access
    • To prevent trespassers from using Linux Live CD (e.g. UBUNTU/KNOPPIX/MEPIS) which allows them to destroy/browse/share the entire hard drive
    • To prevent trespassers from installing another Operating System
  • Ensure a password is set for BIOS
    • To prevent trespassers from changing the BIOS boot-up sequence
  • Ensure computer is located at a secured place
    • To prevent trespassers from removing computer's hard drive which allows them to destroy/browse/share the entire hard drive from a different computer
    • To prevent trespassers from removing computer's on-board battery which resets the BIOS password
  • Ensure passwords used on the system cannot be easily guessed
    • To prevent trespassers from cracking password file using brute force attacks (e.g. John the Ripper)
    • Create password with minimum length of 8 characters
    • Create password with mixture of characters/numbers, and upper/lower case
    • Do not create a password that is a single dictionary word, or a simple combination of dictionary words, from a common language (English, German, French, Spanish...)
  • Ensure interactive editing control for GRUB menu is disabled
  • Ensure history listing is disabled in Console mode
  • Ensure Ctrl+Alt+Del is disabled in Console mode
  • Ensure interactive option is set for remove, copy and move of files/folders in Console mode
  • For day to day usage, login as a normal user
  • Disable root user account, use "sudo" instead
    • To reduce the amount of time spent with root privileges, and thus the risk of inadvertently executing a command as root
    • "sudo" provides a more useful audit trail (/var/log/auth.log)
    • Read #How to disable root user account
  • Install a Firewall
  • Perform vulnerability test
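The password rules in the list above, turned into a check you can run before accepting a password. This is an added example, not part of the original page; it goes one step further than the list and applies the dictionary test to the password's letters only, so digits inserted between two words do not hide them. The word list is a constructed stand-in for a real dictionary file.

```shell
# Added example, not from the original page: check a candidate password
# against the rules listed above (at least 8 characters, digits plus lower-
# and upper-case letters, and not a dictionary word or two dictionary words
# joined together). The dictionary rules are applied to the letters only,
# so "Secret1admin" is still caught.

# Constructed mini dictionary for the demonstration; on a real system point
# this at a full wordlist such as /usr/share/dict/words.
WORDLIST=$(mktemp)
printf '%s\n' password ubuntu secret admin linux hello world summer > "$WORDLIST"

# in_wordlist WORD: exact, case-insensitive lookup (an empty word never matches)
in_wordlist() { [ -n "$1" ] && grep -qixF -- "$1" "$WORDLIST"; }

# check_password PASSWORD: prints one line per violated rule, nothing when
# the password satisfies all of them. Always returns 0.
check_password() {
    pw=$1; n=${#pw}
    [ "$n" -ge 8 ] || echo "shorter than 8 characters"
    case "$pw" in *[0-9]*) ;; *) echo "no digit" ;; esac
    case "$pw" in *[a-z]*) ;; *) echo "no lower-case letter" ;; esac
    case "$pw" in *[A-Z]*) ;; *) echo "no upper-case letter" ;; esac
    # Dictionary rules are applied to the letters only
    core=$(printf '%s' "$pw" | tr -cd 'A-Za-z'); len=${#core}
    if in_wordlist "$core"; then
        echo "letters form a dictionary word"
    else
        i=1
        while [ "$i" -lt "$len" ]; do
            head=$(printf '%s' "$core" | cut -c1-"$i")
            tail=$(printf '%s' "$core" | cut -c"$((i + 1))"-)
            if in_wordlist "$head" && in_wordlist "$tail"; then
                echo "letters are two dictionary words joined: $head+$tail"; break
            fi
            i=$((i + 1))
        done
    fi
    return 0
}

# password_ok PASSWORD: succeeds only when check_password reports nothing.
password_ok() { [ -z "$(check_password "$1")" ]; }

check_password 'Secret1admin'    # prints the dictionary-union finding
check_password 'Wr0ng-Way.Up!'   # prints nothing: passes every rule
```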

How to disable all interactive editing control for GRUB menu

  • Run this, enter the password you want GRUB to ask for, and copy the hash it prints (the last line below):
grub-md5-crypt 
Password: 
Retype password: 
$1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
  • Backup your current configuration file
sudo cp /boot/grub/menu.lst /boot/grub/menu.lst_backup
gksudo gedit /boot/grub/menu.lst
  • Find this section
...
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
#   password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
# password topsecret
...
  • Add the following line below it, using the hash that grub-md5-crypt printed for you above:
password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
  • Find the section(s) that look like this (note the 'recovery mode' and the word 'single'):
...
title		Ubuntu, kernel 2.6.10-5-386 (recovery mode)
root		(hd0,1)
kernel		/boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
initrd		/boot/initrd.img-2.6.10-5-386
savedefault
boot
...
  • Add lock between the title and root lines:
...
title		Ubuntu, kernel 2.6.10-5-386 (recovery mode)
lock
root		(hd0,1)
...
  • Save the edited file

This makes the GRUB console require a password before any boot line can be edited, and the recovery mode entries will not boot unless the password is entered. To reach the locked options at the menu, follow the instructions at the bottom of the screen; typically you press p and type your password.
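A small audit for the two menu.lst changes above, added here as an example and not part of the original page: it checks that a global password --md5 line precedes the first title and that every entry booting with the single kernel argument carries lock. The menu.lst contents inside it are constructed samples, not a real system's file.

```shell
# Added example, not from the original page: audit a GRUB legacy menu.lst
# for the two steps above: a global "password --md5" line before the first
# "title", and a "lock" line in every entry whose kernel line boots with
# "single" (recovery mode). Comments and indentation are ignored.

# audit_menu_lst FILE: prints one finding per line, nothing when the file is
# hardened as described. Always returns 0 so it can be used inside $(...).
audit_menu_lst() {
    have_pw=0 in_entry=0 title='' single=0 locked=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=${raw#"${raw%%[![:space:]]*}"}           # strip leading whitespace
        case "$line" in
            ''|'#'*) continue ;;                       # blank line or comment
            'password '*--md5*) [ "$in_entry" -eq 0 ] && have_pw=1 ;;
            'title'*)                                  # a new menu entry begins
                [ "$single" -eq 1 ] && [ "$locked" -eq 0 ] \
                    && printf 'unlocked recovery entry: %s\n' "$title"
                in_entry=1 single=0 locked=0
                title=${line#title}; title=${title#"${title%%[![:space:]]*}"} ;;
            'lock') locked=1 ;;
            'kernel'*) case " $line " in *' single '*) single=1 ;; esac ;;
        esac
    done < "$1"
    [ "$single" -eq 1 ] && [ "$locked" -eq 0 ] \
        && printf 'unlocked recovery entry: %s\n' "$title"
    [ "$have_pw" -eq 1 ] || echo 'no global "password --md5" line before the first title'
    return 0
}

# menu_lst_hardened FILE: succeeds only when the audit reports nothing.
menu_lst_hardened() { [ -z "$(audit_menu_lst "$1")" ]; }

# Constructed sample files: the first still has the password line commented
# out and an unlocked recovery entry, the second has both fixes applied.
UNFIXED=$(mktemp) FIXED=$(mktemp)
cat > "$UNFIXED" <<'EOF'
# password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
title   Ubuntu, kernel 2.6.10-5-386 (recovery mode)
root    (hd0,1)
kernel  /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
EOF
cat > "$FIXED" <<'EOF'
password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
title   Ubuntu, kernel 2.6.10-5-386 (recovery mode)
lock
root    (hd0,1)
kernel  /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
EOF
audit_menu_lst "$UNFIXED"    # prints the two findings
```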

How to disable history listing in Console mode

rm -f ~/.bash_history
gedit ~/.bash_profile
  • Add the following:
export HISTFILESIZE=4
# With HISTFILE unset, Bash does not write a history file at logout
unset HISTFILE

# Change this to a reasonable number of lines to keep in memory, I like to keep only 100.
export HISTSIZE=100

# Ignores duplicate lines next to each other
export HISTCONTROL=ignoredups

This stops Bash from writing a history file for the user, while keeping in-memory history and recall available, limited to 100 lines. Duplicate lines entered one after another are not recorded either. Note that ~/.bash_profile is only read by login shells; for terminal windows opened from the desktop, put the same lines in ~/.bashrc.

How to disable Ctrl+Alt+Del from restarting computer in Console mode

sudo cp /etc/inittab /etc/inittab_backup
gksudo gedit /etc/inittab
  • Find this line
...
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
...
  • Replace with the following line
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
  • Save the edited file
sudo telinit q

How to enable a prompt before files/folders are removed or overwritten in Console mode

sudo cp /etc/bash.bashrc /etc/bash.bashrc_backup
gksudo gedit /etc/bash.bashrc
  • Append the following lines at the end of the file
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
  • Save the edited file

How to set up a LoJack system for your laptop

What: Quote from Wikipedia: "LoJack is an aftermarket vehicle tracking system that allows cars to be tracked by police after being stolen. The manufacturer claims a 90% recovery rate. The name "LoJack" is a play on the word "hijack," meaning the theft of a vehicle through force."

Why: If your laptop is ever stolen and then connected to the Internet, you will be able to find out the IP address it connects from and pass it to the authorities.

How:

  • Get a free dynamic IP account from one of the many providers. Here we will use DynDNS.
sudo apt-get install ddclient 
  • Edit the configuration file /etc/ddclient.conf using your favorite text editor (emacs, gedit, kedit or even vi)
sudo emacs /etc/ddclient.conf
  • Make it look like this:
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
pid=/var/run/ddclient.pid
protocol=dyndns2
use=web
server=members.dyndns.org
login=YourNameHere
password='YourPasswordHere'
YourHostNameHere.gotmyip.com
NOTE:
  • Make sure that you use the web IP detection method.
  • Specify your own user id instead of the placeholder YourNameHere.
  • Specify your own password instead of the placeholder YourPasswordHere, and make sure to surround it with single quotes.
  • The last line should specify the hostname you registered with the dynamic IP service.
  • The file contains your password in clear text, so keep it readable only by root (sudo chmod 600 /etc/ddclient.conf).
  • You can now start the ddclient daemon, or wait until your next reboot.
sudo /etc/init.d/ddclient start
  • The hostname you registered with your dynamic IP service should be updated. You can test it with the ping command:
ping YourHostNameHere.gotmyip.com
Even if your laptop has a firewall that blocks pings, the hostname should still resolve to the IP address of the network gateway that your laptop is connected to.
Now all that is left is for someone to steal your laptop.....
