Friday, November 19, 2010

Linux / Ubuntu hardening tips

Here are some tips that you can use to harden the security of your systems.

It's a good idea to divide your file system into various partitions so you can fine-tune permissions and functionality per partition. It also aids in Linux OS migration and backup.

Set a BIOS password ONLY. Sure, you can also set HDD lock passwords to password-protect your hard disks, which is good, but there is one downside to doing so. If your computer was stolen and your system requires a password to boot up (or unlock the hard disks), provided that you used a secure password, chances are that this predator would not be able to boot into your machine at all. He then may dispose of this machine or just simply get a new hard drive. When either of these happens, you can pretty much kiss this machine goodbye, as it would be almost impossible to recover. What I prefer to do is to just set a BIOS password so that no one can make changes in the BIOS but is still able to boot into the OS into a restricted account. Once the machine gets an internet connection, our hidden "prey" software that I discussed in the previous blog post can do its job and start reporting information to us. This setup might not be applicable for businesses, but for a typical home user, I think it should do fine (who wouldn't want to catch the culprit and recover their stolen goods in the process? :P ).

You would also want to set the boot priority to boot from your hard disk first and not from removable media. This helps prevent live Linux CDs or other removable media from booting and mounting your hard disk. With your BIOS password set, modifying the boot sequence of your computer becomes a daunting task for the average user trying to do so. Although you can get around this easily by taking out the hard disk so the computer boots from its next boot device, not everyone would think of doing so, so this gives you some security.

Perform an update as soon as you install your new OS. These commands should do: # apt-get update && apt-get upgrade

Enable automatic updates. You would want to schedule your updater to check for updates at least once a week. I would also suggest that you allow the OS to automatically download and install updates without confirmation when they are available.

Download and install your preferred firewall (I recommend Firestarter). Go ahead and block incoming connections. The only connections that should be allowed through your firewall are those for traffic that was originally initiated from your box.

Download and install a virus scanner (ClamAV should do). Most viruses are for Windows, so chances are you won't get infected. However, you can potentially be hosting a virus that may or may not spread to other hosts. For instance, you may have an infected PDF file that you can open in Linux with no effect whatsoever because the exploit was designed for a Windows system. If you decide to carry this file with you on a USB key and copy it onto a Windows system, that virus would now stand a much better chance of infecting its Windows host.

I recommend using Firefox for the best web browsing security. You would also want to install the "NoScript" plug-in for added security against scripting attacks.

Refrain from using the root account. Create a new user and grant privileges to this user via the sudoers file, using the command "visudo" to modify it. Try to be as restrictive as possible. If you give yourself too many privileges and your account is compromised, then it's game over.

After you do a fresh install of Ubuntu and have applied all the updates, you would want to generate a list of all installed programs as a baseline. You can generate the list again later, compare it to your baseline and note the differences. Chances are you may spot some programs that shouldn't be there. The command that I use to generate this list is:
# dpkg --get-selections | grep -v "deinstall" > Installed_Baseline-`date +%F`.lst
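Comparing two of those lists by hand gets tedious, so here is an added example (not from the original post) that diffs a saved baseline against a later selection list and reports what appeared or vanished. The two lists below are constructed sample data in the "dpkg --get-selections" format; in practice you would pass the contents of your Installed_Baseline-<date>.lst file and a fresh dpkg --get-selections run.

```shell
# Added example: report packages added to or removed from a dpkg baseline.
# Input format is that of "dpkg --get-selections": "<package> <state>",
# where state is install, hold or deinstall.

# Constructed sample lists standing in for the .lst files (not real output).
BASELINE_LST='bash		install
cups		install
openssh-server	install'

CURRENT_LST='bash		install
netcat-traditional	install
openssh-server	install'

# Normalise a list to sorted package names, dropping "deinstall" entries
# exactly as the baseline command in the post does.
pkg_names() {
    printf '%s\n' "$1" | grep -v "deinstall" | awk 'NF { print $1 }' | sort -u
}

# Run comm with the given flags over the two lists' package names.
# $1 = comm flags, $2 = baseline list contents, $3 = current list contents
_pkg_comm() {
    b=$(mktemp) && c=$(mktemp) || return 1
    pkg_names "$2" > "$b"
    pkg_names "$3" > "$c"
    comm "$1" "$b" "$c"
    rm -f "$b" "$c"
}

# Packages in the current list that were not in the baseline (new since then).
pkg_added()   { _pkg_comm -13 "$1" "$2"; }

# Packages in the baseline that are gone from the current list.
pkg_removed() { _pkg_comm -23 "$1" "$2"; }

# Human-readable report: "+ name" for additions, "- name" for removals.
# Real usage: pkg_report "$(cat Installed_Baseline-2010-11-19.lst)" "$(dpkg --get-selections)"
pkg_report() {
    pkg_added "$1" "$2"   | sed 's/^/+ /'
    pkg_removed "$1" "$2" | sed 's/^/- /'
}

pkg_report "$BASELINE_LST" "$CURRENT_LST"
```

Anything reported with "+" that you do not remember installing is what the post tells you to look for.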

Remove unnecessary services, especially the ones that start on boot. Identify the services that you do not need and remove them.
example: # sudo /etc/init.d/cups stop && sudo update-rc.d -f cups remove

As mentioned above, I would recommend having some sort of locked-down guest account. This way, if my laptop were to get stolen, it is in my best interest to allow the thief easy access into my system where they can connect to the internet and browse the web. This way my "prey" software can report on my laptop's whereabouts, so I have a great chance of recovering my PC.

Install "prey". You can read about it in my previous post. This puts your mind at ease, knowing that if your machine gets stolen, there is still hope that you can recover it.

Always try to have some type of log management strategy. Search for or create scripts that parse through your log files and extract relevant information. Getting this right can be time-consuming but may pay off one day. Try to log as much as possible: the more data you have, the more you have to work with.
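As an added example of the kind of script the post has in mind (not from the original post), here is a small parser run over constructed /var/log/auth.log lines. It counts sshd "Failed password" events per source address, lists the addresses above a threshold, and pulls out accepted logins so you can spot a success from an address that was also failing. The hostnames and addresses in the sample are made up.

```shell
# Added example: pull the interesting bits out of sshd entries in auth.log.

# Constructed sample log lines (not from a real system).
SAMPLE_AUTH_LOG='Nov 19 21:03:11 laptop sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov 19 21:03:14 laptop sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov 19 21:03:19 laptop sshd[2035]: Failed password for root from 203.0.113.7 port 40130 ssh2
Nov 19 21:04:02 laptop sshd[2040]: Accepted publickey for bob from 192.0.2.10 port 51000 ssh2
Nov 19 21:05:40 laptop sshd[2044]: Failed password for bob from 192.0.2.10 port 51012 ssh2
Nov 19 21:06:00 laptop sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update'

# Print "<count> <ip>" for every source with sshd password failures, highest first.
# The address is taken as the word after "from", so the "invalid user" variant
# of the message is handled the same as the plain one.
failed_by_source() {
    printf '%s\n' "$1" \
      | awk '/sshd\[[0-9]+\]: Failed password/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
             }
             END { for (ip in n) print n[ip], ip }' \
      | sort -rn
}

# Sources with at least $2 failures: worth a firewall rule, or at least a look
# at whether a legitimate user just mistyped their password.
suspicious_sources() {
    failed_by_source "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Successful logins as "<user> from <ip> via <method>"; compare these against
# the failure list above.
accepted_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted/ { print $9, "from", $11, "via", $7 }'
}

failed_by_source "$SAMPLE_AUTH_LOG"
suspicious_sources "$SAMPLE_AUTH_LOG" 3
accepted_logins "$SAMPLE_AUTH_LOG"
```

On a real box, feed it the log instead of the sample: failed_by_source "$(cat /var/log/auth.log)".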

By default, all user home directories created with the adduser utility have world read/execute permissions. This is not very desirable from a security standpoint. To verify every user's home directory permissions: # ls -ld /home/*
For added security do: # sudo chmod 0750 /home/username
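Here is an added example (not from the original post) that turns the two commands above into an audit: it lists the home directories under a given parent whose mode still lets "other" users read or traverse them, and applies the post's chmod 0750 to each. It runs against a constructed temporary tree so it can be tried safely; point it at /home for real. It assumes GNU stat, which Ubuntu ships.

```shell
# Added example: find and fix home directories readable by everyone.

# Print "<mode> <dir>" for each immediate subdirectory of $1 whose "other"
# bits include read or execute (the 0755 that adduser leaves behind).
world_accessible_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(stat -c '%a' "$d")     # GNU stat: octal mode such as 755 or 2750
        other=$(( mode % 10 ))         # last octal digit holds the "other" bits
        # r=4 and x=1, so any mode with (other & 5) != 0 is visible to everyone
        [ $(( other & 5 )) -ne 0 ] && echo "$mode $d"
    done
    return 0
}

# Apply the post's recommended mode to every directory the audit reports.
# Needs root (sudo) when run against /home.
fix_home_perms() {
    world_accessible_homes "$1" | while read -r mode d; do
        chmod 0750 "$d"
    done
}

# Constructed demo tree: "alice" as adduser leaves it, "bob" already locked down.
make_demo_home() {
    t=$(mktemp -d)
    mkdir "$t/alice" "$t/bob"
    chmod 0755 "$t/alice"
    chmod 0750 "$t/bob"
    printf '%s\n' "$t"
}

DEMO=$(make_demo_home)
world_accessible_homes "$DEMO"     # reports only alice, mode 755
fix_home_perms "$DEMO"
world_accessible_homes "$DEMO"     # reports nothing now
rm -rf "$DEMO"
```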

Avoid using default service ports. For example, your default SSH server install will more than likely listen on port 22. It's in your best interest to put this on some random port number like 26374. Hackers may see port 22 and automatically assume that there's an SSH server running in the background, but seeing port 26374 might make their lives a little bit harder in trying to identify the type of service listening on this port. Sometimes they might just not bother putting in the extra effort to get into that system, as things aren't as trivial for them.

Lock down your services and applications. As an example with SSH, I like to restrict root logins, restrict password authentication once I get public key authentication working, and force the usage of SSH protocol version 2.
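To tie the last two tips together, here is an added example (not from the original post) that checks an sshd_config for the non-default port and the three settings just listed, shown against a constructed "before" and "after" config. It assumes a missing directive falls back to the permissive OpenSSH default of the time (root login allowed, passwords accepted, Protocol 2,1), and that the first active occurrence of a directive wins, as in sshd itself.

```shell
# Added example: audit sshd_config for the hardening the post describes.

# Constructed configs (not copied from any real system).
WEAK_SSHD_CONFIG='Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes'

HARDENED_SSHD_CONFIG='Port 26374
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes'

# Effective value of directive $2 in config $1: first uncommented occurrence
# wins; prints the default $3 when the directive is absent. Directive names
# are matched case-insensitively, as sshd does.
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# One finding per line; prints nothing when the config passes all four checks.
sshd_audit() {
    [ "$(sshd_opt "$1" Port 22)" = 22 ] && echo "Port: still the default 22"
    case "$(sshd_opt "$1" Protocol 2,1)" in
        *1*) echo "Protocol: SSH-1 still accepted" ;;
    esac
    [ "$(sshd_opt "$1" PermitRootLogin yes)" = no ] \
        || echo "PermitRootLogin: root may log in over ssh"
    [ "$(sshd_opt "$1" PasswordAuthentication yes)" = no ] \
        || echo "PasswordAuthentication: passwords accepted, not just keys"
    return 0
}

echo "weak config:";     sshd_audit "$WEAK_SSHD_CONFIG"
echo "hardened config:"; sshd_audit "$HARDENED_SSHD_CONFIG"
```

Against a live box: sshd_audit "$(cat /etc/ssh/sshd_config)", then restart sshd after editing and keep your existing session open until a key-based login on the new port succeeds.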

Resources/Good Reading:
https://help.ubuntu.com/9.10/serverguide/C/security.html
