Ubuntu Desktop 10.04 LTS security configuration guide

September 19, 2010

JUN/11/2012 UPDATE: We have updated this article for Ubuntu Desktop 12.04 LTS, which we recommend reading instead unless you wish to continue with the 10.04 version.


This is an installation guide for Ubuntu Desktop 10.04 LTS that will show you how to enable full disk encryption and confirm that it is working, how to check for and remove unnecessary network services and software, how to enable the firewall and view its rule set, and various security-related software that one may consider installing.

This is not meant to be a guide for creating the most secure or hardened installation of Ubuntu ever. It is meant to cover reasonable approaches to improving security and informing new Ubuntu or Linux users of these options.


Download Ubuntu

Begin by downloading the Alternate install CD image for Ubuntu (the Alternate install is required for full disk encryption). The list of mirrors is located here: http://www.ubuntu.com/getubuntu/downloadmirrors#mirrors

Once you've downloaded the file, take an MD5 hash of the ISO and compare it against Ubuntu's online documentation (https://help.ubuntu.com/community/UbuntuHashes) to confirm that they match.

user@Linux:~$ md5sum ubuntu-10.04-alternate-i386.iso
5b2dadacfd692b4f2d5c7cf034539262  ubuntu-10.04-alternate-i386.iso

(For those trying to wean themselves off MD5, the SHA1 hash should be 59587d7a64d40cbc889b85d853048360900878f1.)


Install Ubuntu

The process to install Ubuntu should be straightforward until you reach the following screen:

You have two alternatives for enabling full disk encryption. The easiest one is to let the installer configure the partitioning and encryption settings for you by selecting "Guided - use entire disk and set up encrypted LVM". The second alternative is to select "Manual" and manually set up your partitions (root, swap, boot, etc.), select your file system types, and specify your encryption settings. The guided installation sets up LVM with ext4 as your root partition, using 256-bit AES encryption in cipher-block-chaining mode, whereas in the manual mode you can select the AES, blowfish, serpent, or twofish ciphers in 128, 192 or 256-bit key sizes (depending on the encryption algorithm). Those not comfortable or familiar with setting up partitions for Linux systems should select the Guided approach.

(Later on in this guide after Ubuntu has been installed we will be confirming that full disk encryption is enabled for the entire disk, which includes the swap partition).

Proceed with the installation until you reach this screen:

Here is where you select your disk encryption password which you'll need to specify every time your computer boots up. It is important to stress that the strength of your encryption is highly dependent on the complexity of your passphrase. A passphrase of 20 characters or more in length is recommended. DO NOT forget this passphrase!


Optional: Do not enable encryption of the home directory

You will also be asked whether you wish to encrypt your home directory. If your main concern is protecting the confidentiality of your data at rest when your computer is turned off, encrypting the home directory is not necessary as you are already encrypting your entire hard drive. If you are a bit more paranoid and want your data to remain encrypted when your computer is powered on but you are logged out, you may wish to also encrypt your home directory. However, enabling both forms of encryption (i.e. encrypted home directory on top of full disk encryption) will result in a performance hit.

Continue with the installation until it completes and your system boots into Ubuntu for the first time.


Optional: Change button layout

With the 10.04 release of Ubuntu, one cosmetic change that some people may not appreciate is that the minimize, maximize, and close buttons are located at the top left-hand side of a window. For those accustomed to seeing these buttons on the top right-hand side, this can easily be reinstated by doing the following:

Open a terminal window and type gconf-editor
In the new window drill down to apps | metacity | general | button_layout
Edit the button_layout field to contain the value menu:minimize,maximize,close
Close gconf-editor

The changes should be reflected immediately.


Optional: Enable the root account

I do not wish to get into a debate over whether it is more or less secure to use sudo instead of root for system administration. If you do decide to enable the root account, always configure login services such as SSH to disable root logins, as the root account will inevitably be targeted during brute force login attacks. For SSH, look in the configuration file /etc/ssh/sshd_config for the parameter "PermitRootLogin" and set it to no. By default, Ubuntu Desktop does not install an SSH server.

To enable the root account in Ubuntu, enter the following command:

user@ubuntu:~$ sudo passwd root

Once prompted, enter your password then enter a new password for the root account twice.


Optional: Force sudo to prompt for the root password instead of the password of the invoking user

Only relevant if you choose to enable the root account, this will require that a user enters the root password instead of their personal password whenever using sudo or performing a task that prompts for an administrative password, such as deploying updates through the update manager.

Use the command "visudo" to edit the configuration file /etc/sudoers. Within this file look for the line that begins with "Defaults" and add ",rootpw" at the end. Once you've made your changes, press CTRL+X to exit the editor, followed by Y to save the file:

Defaults	env_reset,rootpw


Confirm that the full-disk encryption was set up properly

Your first thought after setting up full-disk encryption was hopefully "How do I confirm that my disk is actually encrypted, and that the swap partition is encrypted as well?" Both a quick and a more thorough method to confirm this are explained below. If this is not a concern for you, skip to the next section.

A). Quick Method:

Type "cat /etc/crypttab" to discover the name of your encrypted volume. Then run "cryptsetup status" followed by the name of the encrypted volume that you discovered through the cat command. Finally run "pvdisplay -m" to confirm that your swap partition is included within this volume.

root@ubuntu:~# cat /etc/crypttab
sda5_crypt UUID=861bc7e3-499a-4d56-b2fa-75834f7308d1 none luks

root@ubuntu:~# cryptsetup status sda5_crypt
/dev/mapper/sda5_crypt is active: 
  cipher:  aes-cbc-essiv:sha256 
  keysize: 256 bits 
  device:  /dev/sda5 
  offset:  2056 sectors 
  size:    16271352 sectors 
  mode:    read/write 

root@ubuntu:~# pvdisplay -m
  --- Physical volume --- 
  PV Name               /dev/mapper/sda5_crypt 
  VG Name               ubuntu 
  PV Size               7.76 GiB / not usable 1020.00 KiB 
  Allocatable           yes 
  PE Size               4.00 MiB 
  Total PE              1986 
  Free PE               8 
  Allocated PE          1978 
  PV UUID               5Z8kcp-FNFX-0dNL-7QoW-AC3U-9qWG-gbWMTx 
   
  --- Physical Segments --- 
  Physical extent 0 to 1880: 
    Logical volume	/dev/ubuntu/root 
    Logical extents	0 to 1880 
  Physical extent 1881 to 1977: 
    Logical volume	/dev/ubuntu/swap_1 
    Logical extents	0 to 96 
  Physical extent 1978 to 1985: 
    FREE 
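
The quick method can be scripted. The following is an added example, not part of the original guide: it reads /etc/crypttab and "pvdisplay -m" text and reports whether each logical volume, swap included, sits on a dm-crypt mapping. The function names and the PV_BAD sample (swap on an unencrypted /dev/sda6) are constructed for illustration; the other sample text is trimmed from the output above.

```bash
#!/bin/sh
# Added example: confirm that every LVM logical volume sits on a mapping
# listed in /etc/crypttab. Samples are embedded so the script runs offline.

# Trimmed from the output shown in this guide.
CRYPTTAB_SAMPLE='sda5_crypt UUID=861bc7e3-499a-4d56-b2fa-75834f7308d1 none luks'
PV_GOOD='  --- Physical volume ---
  PV Name               /dev/mapper/sda5_crypt
  VG Name               ubuntu
  --- Physical Segments ---
  Physical extent 0 to 1880:
    Logical volume      /dev/ubuntu/root
  Physical extent 1881 to 1977:
    Logical volume      /dev/ubuntu/swap_1
  Physical extent 1978 to 1985:
    FREE'

# Constructed failure case: swap was placed on a second, unencrypted PV.
PV_BAD='  --- Physical volume ---
  PV Name               /dev/mapper/sda5_crypt
  VG Name               ubuntu
  --- Physical Segments ---
  Physical extent 0 to 1880:
    Logical volume      /dev/ubuntu/root
  --- Physical volume ---
  PV Name               /dev/sda6
  VG Name               ubuntu
  --- Physical Segments ---
  Physical extent 0 to 96:
    Logical volume      /dev/ubuntu/swap_1'

# stdin: crypttab text. stdout: mapping names, comments and blank lines skipped.
crypt_names() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }'
}

# stdin: `pvdisplay -m` text; args: mapping names from crypttab.
# stdout: one "LV PV verdict" line per logical volume.
lv_report() {
    awk -v names="$*" '
        BEGIN { n = split(names, a, " ")
                for (i = 1; i <= n; i++) enc["/dev/mapper/" a[i]] = 1 }
        $1 == "PV" && $2 == "Name"        { pv = $3 }
        $1 == "Logical" && $2 == "volume" { print $3, pv, ((pv in enc) ? "encrypted" : "PLAINTEXT") }
    '
}

# Succeeds only if at least one LV was found and none is on a plaintext PV.
all_lvs_encrypted() {
    report=$(lv_report "$@")
    [ -n "$report" ] && ! printf '%s\n' "$report" | grep -q 'PLAINTEXT$'
}

# Demo on the embedded samples. On a live system, as root:
#   pvdisplay -m | lv_report $(crypt_names < /etc/crypttab)
names=$(printf '%s\n' "$CRYPTTAB_SAMPLE" | crypt_names)
printf '%s\n' "$PV_GOOD" | lv_report $names
printf '%s\n' "$PV_BAD"  | lv_report $names
```

A crypttab entry only shows that the mapping is configured; "cryptsetup status" on the mapping name is still what confirms the cipher and key size in use.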

B). Thorough Method:

First, run fdisk to confirm the hard drives and partitions:

root@ubuntu:~# fdisk -l
Disk /dev/sda: 8589 MB, 8589934592 bytes 
255 heads, 63 sectors/track, 1044 cylinders 
Units = cylinders of 16065 * 512 = 8225280 bytes 
Sector size (logical/physical): 512 bytes / 512 bytes 
I/O size (minimum/optimal): 512 bytes / 512 bytes 
Disk identifier: 0x0002ebfd 

   Device Boot      Start         End      Blocks   Id  System 
/dev/sda1   *           1          32      248832   83  Linux 
Partition 1 does not end on cylinder boundary. 
/dev/sda2              32        1045     8136705    5  Extended 
/dev/sda5              32        1045     8136704   83  Linux 

Second, run df -h to confirm what is mounted:

root@ubuntu:~# df -h
Filesystem            Size  Used Avail Use% Mounted on 
/dev/mapper/ubuntu-root 
                      7.3G  2.2G  4.7G  32% / 
none                  242M  200K  242M   1% /dev 
none                  249M  248K  249M   1% /dev/shm 
none                  249M   84K  249M   1% /var/run 
none                  249M     0  249M   0% /var/lock 
none                  249M     0  249M   0% /lib/init/rw 
none                  7.3G  2.2G  4.7G  32% /var/lib/ureadahead/debugfs 
/dev/sda1             228M   21M  195M  10% /boot 

Third, run pvdisplay -m to see your physical volume (7.76 GB sda5_crypt, which is composed of two logical volumes: root and swap_1):

root@ubuntu:~# pvdisplay -m

  --- Physical volume --- 
  PV Name               /dev/mapper/sda5_crypt 
  VG Name               ubuntu 
  PV Size               7.76 GiB / not usable 1020.00 KiB 
  Allocatable           yes 
  PE Size               4.00 MiB 
  Total PE              1986 
  Free PE               8 
  Allocated PE          1978 
  PV UUID               5Z8kcp-FNFX-0dNL-7QoW-AC3U-9qWG-gbWMTx 
   
  --- Physical Segments --- 
  Physical extent 0 to 1880: 
    Logical volume	/dev/ubuntu/root 
    Logical extents	0 to 1880 
  Physical extent 1881 to 1977: 
    Logical volume	/dev/ubuntu/swap_1 
    Logical extents	0 to 96 
  Physical extent 1978 to 1985: 
    FREE 

Fourth, run lvdisplay -m to confirm how your logical volumes map to your physical volume (7.35 GB root and 388 MB swap):

root@ubuntu:~# lvdisplay -m

  --- Logical volume --- 
  LV Name                /dev/ubuntu/root 
  VG Name                ubuntu 
  LV UUID                2H8bTU-mFa0-h0IY-LRwP-QCFU-UXT3-hZPaTT 
  LV Write Access        read/write 
  LV Status              available 
  # open                 1 
  LV Size                7.35 GiB 
  Current LE             1881 
  Segments               1 
  Allocation             inherit 
  Read ahead sectors     auto 
  - currently set to     256 
  Block device           252:1 
   
  --- Segments --- 
  Logical extent 0 to 1880: 
    Type		linear 
    Physical volume	/dev/mapper/sda5_crypt 
    Physical extents	0 to 1880 
   
   
  --- Logical volume --- 
  LV Name                /dev/ubuntu/swap_1 
  VG Name                ubuntu 
  LV UUID                PSM0iA-h26H-LyHq-sQKc-fh1n-iM56-wWuD1q 
  LV Write Access        read/write 
  LV Status              available 
  # open                 1 
  LV Size                388.00 MiB 
  Current LE             97 
  Segments               1 
  Allocation             inherit 
  Read ahead sectors     auto 
  - currently set to     256 
  Block device           252:2 
   
  --- Segments --- 
  Logical extent 0 to 96: 
    Type		linear 
    Physical volume	/dev/mapper/sda5_crypt 
    Physical extents	1881 to 1977    

Finally, run cryptsetup status <crypt> to confirm the encryption settings:

  
root@ubuntu:~# cryptsetup status sda5_crypt
/dev/mapper/sda5_crypt is active: 
  cipher:  aes-cbc-essiv:sha256 
  keysize: 256 bits 
  device:  /dev/sda5 
  offset:  2056 sectors 
  size:    16271352 sectors 
  mode:    read/write 

You can get a rough visual representation of this by clicking on System | Administration | Disk Utility, clicking on your hard drive and confirming the size of the encrypted volume. Below is the layout of the 8.6 GB hard drive /dev/sda when encryption is enabled:

Below is the same hard drive with no encryption:

In both cases the 255 MB /boot partition on /dev/sda1 isn't encrypted (nor should it be).


Enable the software firewall

By default Ubuntu installs but does not enable a firewall (you can confirm this by typing "iptables -L" and seeing the empty chains). You have two options: You can either build your own iptables firewall rules from scratch, or use one of many available front-ends to simplify this process. For the latter option, two common choices are to use the native ufw (stands for "Uncomplicated Firewall") that comes bundled with Ubuntu, or to download and install firestarter. Both front-ends come with their default ruleset so technically you don't need to create any of the rules yourself to have a working firewall.

This point confuses some users so I'll repeat it here: Neither ufw nor firestarter is a firewall. They are both front-ends to manage iptables, which is the firewall.

To start the firewall with ufw simply type "ufw enable". The iptables firewall will activate and automatically load itself every time your system boots up. If you wish to use firestarter, use synaptic to download the package firestarter then enable it by clicking on Applications | Internet | Firestarter. A firewall wizard will ask you a few simple questions. Once done you can close the window.


Display a list of services that are currently listening

Whenever you build a new Linux system one thing you should do is take a look at the current list of network sockets to see whether there are any unnecessary services listening for connections that should be disabled. This can be done by entering the following command which will display all established, recently terminated, and listening TCP and UDP network connections along with the program name related to each socket:

 
root@ubuntu:~# netstat -anp | grep -e tcp -e udp
tcp        0      0 127.0.0.1:631           0.0.0.0:*         LISTEN      1234/cupsd      
tcp6       0      0 ::1:631                 :::*              LISTEN      1234/cupsd      
udp        0      0 0.0.0.0:42558           0.0.0.0:*                     789/avahi-daemon: r 
udp        0      0 0.0.0.0:68              0.0.0.0:*                     951/dhclient    
udp        0      0 0.0.0.0:5353            0.0.0.0:*                     789/avahi-daemon: r

Above we can see that cupsd is listening for connections on TCP port 631, and that avahi-daemon and dhclient are capable of receiving data on UDP ports 68, 5353, and 42558. Cupsd is the Unix printing daemon, dhclient is the DHCP client, and avahi-daemon is the multicast DNS daemon. Use either Google or the man pages to find out more about these programs. For home users I always recommend disabling avahi-daemon. Unless you use static IP addresses and don't need to print, you'll probably want to keep the other two programs.
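
The review of the netstat output can be automated. The following is an added example, not part of the original guide: it reduces "netstat -anp" text to the sockets that accept traffic and tags each one as bound to loopback only or exposed on other addresses. The function names are hypothetical, and the last sample line is a constructed established connection.

```bash
#!/bin/sh
# Added example: list listeners from `netstat -anp` text and tag each one
# "loopback" or "exposed". Sample is embedded so the script runs offline.

# First five lines are the output shown in this guide; the last line is a
# constructed established connection to show that non-listeners are skipped.
NETSTAT_SAMPLE='tcp        0      0 127.0.0.1:631           0.0.0.0:*         LISTEN      1234/cupsd
tcp6       0      0 ::1:631                 :::*              LISTEN      1234/cupsd
udp        0      0 0.0.0.0:42558           0.0.0.0:*                     789/avahi-daemon: r
udp        0      0 0.0.0.0:68              0.0.0.0:*                     951/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                     789/avahi-daemon: r
tcp        0      0 192.168.1.10:51234      203.0.113.5:443   ESTABLISHED 2001/firefox-bin'

# stdin: netstat -anp text. stdout: "scope proto port program" per listener.
listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        # UDP rows usually have an empty State column, which shifts the fields.
        if ($6 ~ /^[0-9]+\// || $6 == "-") { state = ""; prog = $6 }
        else                               { state = $6; prog = $7 }
        if ($1 ~ /^tcp/ && state != "LISTEN") next   # established, TIME_WAIT, ...
        if ($1 ~ /^udp/ && state != "")       next   # connected UDP socket
        port = $4; sub(/.*:/, "", port)              # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)   # "789/avahi-daemon:" -> name
        print scope, $1, port, prog
    }'
}

# stdin: netstat -anp text. stdout: unique programs bound to non-loopback addresses.
exposed_programs() {
    listeners | awk '$1 == "exposed" { print $4 }' | sort -u
}

# Demo on the embedded sample. On a live system, as root:
#   netstat -anp | listeners
printf '%s\n' "$NETSTAT_SAMPLE" | listeners
```

On the sample, cupsd is reported as loopback-only, while avahi-daemon and dhclient are reported as exposed, which makes them the ones to disable or to cover with the firewall rules.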

The next steps will show how to disable any such unnecessary startup scripts as well as removing unneeded software.


Disable startup scripts and daemons

To disable startup scripts and daemons (cups will be used as an example) use the update-rc.d command. You can specify the -n parameter to have update-rc.d demonstrate the changes it would make without actually going through with any changes:

root@ubuntu:~# update-rc.d -n cups disable

If you are happy with the results, omit the -n parameter to implement the changes:

root@ubuntu:~# update-rc.d cups disable

Although you've prevented cups from starting up the next time you boot your computer, the command above won't stop the cups process that is currently running in the background. You can either reboot your computer or call the script through /etc/init.d/ to actually stop it.

root@ubuntu:~# /etc/init.d/cups stop

If you wish to completely remove cups instead of disabling it, use the same command but add -f and replace disable with remove. On Debian-based systems, software updates for disabled services have been known to re-enable those services, which is why some people prefer to use remove instead of disable.

root@ubuntu:~# update-rc.d -f cups remove

If you always boot Ubuntu with a GUI (i.e. runlevel 5) which is what most people do, visit the directory /etc/rc5.d/ and the contents of the file /etc/rc.local to see what programs get started automatically on bootup and whether there are any others that you do not need (ex: bluetooth).


Uninstall software

To uninstall software (avahi-daemon will be used as an example), use Synaptic (click on System | Administration | Synaptic Package Manager) and search for avahi-daemon. You will notice that a green box will appear next to the package name which indicates that the package is installed. Right-click on it and select either mark for removal (to uninstall) or mark for complete removal (to uninstall and remove any configuration files). Click on Apply to execute the action.


Install software from the Ubuntu repositories

One thing that is important to notice which you wouldn't necessarily see if you were using apt-get instead of Synaptic is that packages that do not have the Ubuntu icon next to them contain the following text in the description:

"Canonical does not provide updates for <package name>. Some updates may be provided by the Ubuntu community."

For any such packages, keep track of any critical security vulnerabilities discovered for that software: unlike the packages managed by Canonical, there is no guarantee that these will be automatically updated in the Ubuntu repositories.

Another benefit of using Synaptic instead of apt-get to install software is that Synaptic will keep a history of the software changes you've made. In Synaptic click on File | History to view these.

With that said, consider installing any of the following software packages:

sleuthkit: Collection of tools used for computer forensics.
foremost: Complementary to sleuthkit. Used to do automated file carving.
md5deep: Tool for recursively computing hashes.
bless: Hex editor.
clamav: On-demand virus scanner. For an on-access scanner, fetch clamav-daemon (make sure to analyze the performance of clamav before relying on it for malware detection).
chkrootkit: Rootkit scanner.
curl: Command-line client for retrieving files.
nmap: Network port scanner.
hping3: Used for packet crafting.

Take a look at the following resources section to see a list of other programs that you may wish to install.


Install third party software not included in the Ubuntu repositories

You may wish to install TrueCrypt in order to create encrypted containers for your sensitive files. One of the benefits of using TrueCrypt is that Windows users can install it as well.

Download TrueCrypt from http://www.truecrypt.org/downloads. Select the Linux package "Standard" and download it to a temporary directory (you can delete the files once installed). Type the following commands to extract and install it:

user@ubuntu:~$ gunzip truecrypt-6.3a-linux-x86.tar.gz
user@ubuntu:~$ tar -xvf truecrypt-6.3a-linux-x86.tar
root@ubuntu:~# ./truecrypt-6.3a-setup-x86

Click on Install TrueCrypt to proceed with the installation. Once completed you will be able to launch TrueCrypt either by clicking on Applications | Accessories | TrueCrypt or by typing truecrypt in a terminal window.


Configure Firefox

Although there are countless add-ons and extensions for Firefox that can make your web browsing more secure or private, consider installing Adblock Plus. The reason is that an alarming amount of malware today is pushed through advertising networks. Although malware is not nearly as much of a concern for Linux systems in comparison to Windows, using Adblock will block advertisements and thus prevent any exploits from being automatically pushed onto your computer through an advertisement while browsing a legitimate web site.

Firefox | Tools | Add-Ons

After Firefox restarts, you'll be prompted to select a filter subscription. Choose the one closest to your locale and click Add subscription. If you don't like seeing the red ABP icon in Firefox, you can hide it by clicking on Tools | Adblock Plus Preferences | Options, and unchecking Show in toolbar.


Change permission on home directory

Assuming that you do not need to share any files with other users, change the permissions of your home directory so that only you can access it. By default the permission is 755 which allows other local accounts the ability to cd into your home directory. (If you encrypted your home directory, the permissions by default of the /home/ sub-directories are 700 for logged in users and 500 for those logged out).

user@ubuntu:~$ chmod 750 /home/<your username>


Optional: Modify GRUB settings

Edit /etc/default/grub to change default values, such as the recovery modes or the default 10 second countdown. Once done, run update-grub to reflect the changes in /boot/grub/grub.cfg

root@ubuntu:~# update-grub


Optional: Disable Recent Documents list

If you click on "Places" in your panel you will notice a menu item called Recent Documents that lists all recently opened documents. This is tracked through a file called ~/.recently-used.xbel in your home directory. You can disable this feature by creating or editing the file ~/.gtkrc-2.0 in your home directory and adding the line gtk-recent-files-max-age=0 to it.

user@ubuntu:~$ echo gtk-recent-files-max-age=0 >> .gtkrc-2.0

The next time that you restart Ubuntu and open a document, the current list in your document history will clear itself and not re-populate.


Finally, although it should be common sense, make sure to install all of the latest software updates pushed by the update manager.


Originally posted May 13, 2010