Ubuntu security tweaks

View previous topic View next topic Go down

Ubuntu security tweaks

Post by Ruhe on 4/7/2010, 22:00

As I'm with Linux again here some notes and tweaks how to further increase the by-default very high security of Ubuntu 10.04:


/etc/hosts.deny
Edit this file and add
ALL: ALL
at the end. This has to be the only setting in this file.

/etc/hosts.allow
Edit this file and add
ALL: LOCAL
at the end. This has to be the only setting in this file.

Firefox
Like on Windows install the addon NoScript.

Think about to also set

network.http.sendRefererHeader = 0
network.prefetch-next = false

AppArmor
"AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts."

AppArmor is already active but not for Firefox. To run Firefox in the enforce mode of AppArmor do the following:

Close Firefox and execute the command

sudo apparmor_status | grep -i firefox

If there is no output then Firefox is currently not under supervision of AppArmor. In this case execute the command

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

Now

sudo apparmor_status | grep -i firefox

should show something like this

/usr/lib/firefox-3.6.6/firefox-*bin
/usr/lib/firefox-3.6.6/firefox-*bin//firefox_java
/usr/lib/firefox-3.6.6/firefox-*bin//firefox_openjdk
Firewall
Users who like or need a Firewall can install Gufw, a graphical frontend to UFW (Uncomplicated Firewall).

General
Don't enable the root account and don't run as root all the time.
What we know as "SUA on Windows" is the default in Ubuntu.
avatar
Ruhe
Valued Member
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany

View user profile

Back to top Go down

Re: Ubuntu security tweaks

Post by ssj100 on 5/7/2010, 03:22

Please excuse my ignorance, but why would you need to tweak the security of an OS with 100% protection by default? All the "experts" and Linux fans I've talked to seem to be adamant that Linux simply doesn't have viruses in the real-world.

Others argue that the only way to get infected on Linux is to install a malciously written file. And even then, the infection can't do anything as the Linux OS is intrinsically so secure that only a small part of the system will be "infected" (or something along those lines haha).

I've played around with Ubuntu and Linux Mint in my VM a few times. Might install and load up the latest Ubuntu in my VM some time. However, these are the problems with running Linux for me (and probably many people):

1. It's a learning curve again (since I'm so used to Windows). Sure, I can do the basics just fine (web browsing, chatting, listening to music etc etc), but I like to know the ins and outs of every OS I use. For example, using the command line (can't remember it's official name now) was not easy to learn/do - I basically ended up copying and pasting from random support forums haha. I guess that's the thing with Linux - if you really want to, you can go really deep into the OS.

2. Linux generally doesn't support games as well as Windows does. This is a known fact. And yes, I do know about WINE. But again, it can be a big bother, and also not all games run under WINE.

3. Linux doesn't support some software I use. For example, there's no Linux version of the software for my car GPS system. Check this 2 year old reply:

TomTom gets more and more inquiry's if there will be made a TomTom HOME
version for Linux soon. It is not currently planned, but they are open
to it if enough users wants a Linux version.

TomTom HOME runs under wine, but it cannot detect the device.
What kind of emulators have you tried?

Please encourage more Linux users to notify us that a TomTom HOME
version should be made. My colleges here at TomTom relays the inquiry's
to me and i will relay them to the management and try to convince them
that it is not good costumer support to ignore Linux users.

With regards,
Tomtom User support.

As you can see, the fact is that most people and corporate facilities use Windows, and software companies simply aren't going to spend time, effort and money developing Linux versions for such a minority group (Linux users). Don't get me wrong, I will consider moving completely to Linux once there is better support for it. The security, monetary etc benefits are simply too huge to ignore.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Ubuntu security tweaks

Post by Ruhe on 5/7/2010, 16:00

ssj100 wrote:Please excuse my ignorance, but why would you need to tweak the security of an OS with 100% protection by default?
It's not mandatory of course, but there are (minor) tweaks to further increase the system security. And be the way, there are also exploits on Linux.


Please no pro/contra Windows/Linux discussion, this is not the intention of this thread.
avatar
Ruhe
Valued Member
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany

View user profile

Back to top Go down

Re: Ubuntu security tweaks

Post by ssj100 on 5/7/2010, 16:24

Sure thing mate. By the way, I'd really like to know what specific exploits there are in Linux. The fact is that 99.99999999% of Linux users don't really care or think about "securing" their Linux OS, since Linux is (apparently) 100% bullet-proof.

I've always wondered if you paid clever hackers enough (that is, if the Linux market increased to be main-stream etc), whether they would be able to create havoc or not. From what I hear, it's (apparently) impossible to cause a significant infection of a Linux OS. But what does "impossible" mean? Is it "impossible" as in Sandboxie 32-bit is "impossible" to be bypassed? Or is it "impossible" like a human being can run at the speed of light with no external help?

Fact is, given the vast majority of Linux users don't care or think about security (and therefore they don't really have a good security approach with newly introduced files etc since it's apparently not needed), you'd only need one exploit to be taken advantage of and then you can destroy the unsuspecting Linux user's system.

But then it's "impossible", isn't it?

The reason I ask is that if Linux is so secure, why do you need to tweak its security further? Are there actually malware samples or POCs out there that we can test out on Linux in such a way that tweaking the Linux OS would prevent the infection etc?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Ubuntu security tweaks

Post by Sponsored content


Sponsored content


Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum