Ubuntu Desktop 12.04 LTS security configuration guide

June 28, 2012

This is an installation guide for Ubuntu Desktop 12.04 LTS that will show you how to enable full disk encryption and confirm that it is working, how to check for and remove unnecessary network services, how to enable the firewall and view its rule set, how to enable AppArmor beyond the default profile, and various other security and privacy related changes.

This is not meant to be a guide for creating the most secure or hardened installation of Ubuntu ever. It is meant to cover reasonable approaches to improving security and informing new Ubuntu or Linux users of these options. Some of the commands below include more steps than necessary however this is purposely done in order to provide a better understanding.


Download Ubuntu

Begin by downloading the alternate install CD image for Ubuntu (the alternate install is required for full disk encryption). The list of mirrors is located here: http://www.ubuntu.com/download/desktop/alternative-downloads#mirrors

Note: This tutorial uses the 64-bit version, which has the filename ubuntu-12.04-alternate-amd64+mac.iso. There are a few ways you can confirm whether your system would support running a 64-bit OS. Here are some examples:

Check if a CPU supports 64-bit by entering the command below. The flags section of the output contains many entries; look for a two-character entry called "lm" (surrounded by spaces, not part of another word).

user@linux:~$ cat /proc/cpuinfo | grep lm

If you're unsure whether the Linux OS that you are currently running is 64-bit, you can enter the following command and look for the value x86_64 in the output as opposed to something like i686, i586, and so on:

user@linux:~$ uname -m
x86_64

Similarly to above, you can also check if a given Linux executable is 64-bit. In the case below we examine the /bin/ls executable and look for the string "ELF 64-bit LSB executable" as opposed to "ELF 32-bit LSB executable":

user@linux:~$ file /bin/ls
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24

If your system does not support 64-bit, then the ISO you would need to download is ubuntu-12.04-alternate-i386.iso. Once you've downloaded the file, take an MD5 hash of the ISO and compare it against Ubuntu's online documentation (https://help.ubuntu.com/community/UbuntuHashes) to confirm that they match:

user@linux:~$ md5sum ubuntu-12.04-alternate-amd64+mac.iso
e2d4e21d99d6199396f5f45d1ccd0c3d  ubuntu-12.04-alternate-amd64+mac.iso

Burn the ISO to an optical disc or onto a removable USB drive (for the latter Ubuntu has an application called Startup Disk Creator that can do this for you) and proceed to installing Ubuntu.

Install Ubuntu

The process to install Ubuntu should be straightforward until you reach the following screen:

Here is where you are asked whether you wish to encrypt your home directory. If your main concern is protecting the confidentiality of your data at rest when your computer is turned off, encrypting the home directory is not necessary, as we are going to be encrypting the entire hard drive. If you are a bit more paranoid and want your data to remain encrypted while your computer is powered on but you are logged out, then you may wish to also encrypt your home directory; however, enabling both forms of encryption (i.e. an encrypted home directory on top of full disk encryption) will result in a performance hit.

Proceed with the installation until you reach this screen:

You have two alternatives for enabling full disk encryption: The easiest one is to let the installer configure the partitioning and encryption settings for you by selecting "Guided - use entire disk and set up encrypted LVM". The second alternative is to select "Manual" and manually set up your partitions (root, swap, boot, etc.), select your file system types, and specify your encryption settings. The guided installation sets up LVM with ext4 as your root partition, using 256-bit AES encryption in cipher-block-chaining mode, whereas in the manual mode you can select AES or Serpent ciphers with 128, 192 or 256-bit key sizes for your encryption settings. Those not comfortable or familiar with setting up partitions for Linux systems should select the Guided approach.

Continue on until you reach this screen:

Here is where you select your disk encryption password which you'll need to specify every time your computer boots up. It is important to stress that the strength of your encryption is highly dependent on the complexity of your passphrase. A passphrase of 20 characters or more in length is recommended. DO NOT forget this passphrase!

Continue with the installation until it completes and your system boots into Ubuntu for the first time. Once it boots up, it shouldn't be long until you get prompted to install many updates. Do so, reboot, and continue on.


Optional: Enable the root account

I do not wish to get into a debate over whether it is more or less secure to use sudo instead of root for system administration. If you do decide to enable the root account, one important thing to remember is to always configure login services such as SSH to disallow root logins, as the root account will inevitably be targeted during brute-force login attacks (for SSH, look in the configuration file /etc/ssh/sshd_config for the parameter "PermitRootLogin" and set it to no). Note that by default Ubuntu Desktop does not install an SSH server.

To enable the root account in Ubuntu, enter the command sudo passwd root. When you see the phrase "Enter new UNIX password" this is to define the password for the root account:

user@ubuntu:~$ sudo passwd root
[sudo] password for user:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Optional: Force sudo to prompt for the root password instead of the password of the invoking user

Only relevant if you choose to enable the root account, this will require that a user enters the root password instead of their personal password whenever using sudo.

Use the command "visudo" to edit the configuration file /etc/sudoers. Within this file look for the line that begins with "Defaults" and add ",rootpw" at the end. Once you've made your changes, press CTRL+X to exit the editor, followed by Y then ENTER to save the file (/etc/sudoers.tmp). In other words there should be a Defaults entry that appears as follows after you've made your changes:

Defaults        env_reset,rootpw
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin <snip>


Optional: Confirm that the full-disk encryption was set up properly

Your first thought after setting up full-disk encryption was hopefully "How do I confirm that my disk is actually encrypted, and that the swap partition is encrypted as well?" The fact that you are getting prompted to enter an encryption password whenever you boot up tells you that there is encryption in place, but leaves you guessing as to the scope of the encryption. You can somewhat get a visual representation of this by clicking on Dash, and searching for and starting the Disk Utility application. Once launched, click on your hard drive and confirm the size shown for the encrypted volume makes sense. Below I can confirm that my 10 GB encrypted volume is the same size as my LVM volume:

Note that the 255 MB ext2 /boot partition on the left isn't encrypted (nor should it be).

To do some more thorough verification through the command line, type "cat /etc/crypttab" to discover the name of your encrypted volume. Then run "cryptsetup status" followed by the name of the encrypted volume that you discovered through the cat command (sda5_crypt) to confirm the encryption settings. Finally run "pvdisplay -m" and "lvdisplay -m" to confirm your physical and logical volume attributes.

root@ubuntu:~# cat /etc/crypttab
sda5_crypt UUID=fa5a6f0a-f8ce-1ea9-c1a1-23231a98b65e none luks

root@ubuntu:~# cryptsetup status sda5_crypt
/dev/mapper/sda5_crypt is active and is in use.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda5
  offset:  4096 sectors
  size:    20463616 sectors
  mode:    read/write

root@ubuntu:~# pvdisplay -m
  --- Physical volume ---
  PV Name               /dev/dm-0
  VG Name               ubuntu
  PV Size               9.76 GiB / not usable 4.00 MiB
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              2497
  Free PE               0
  Allocated PE          2497
   
  --- Physical Segments ---
  Physical extent 0 to 2368:
    Logical volume	/dev/ubuntu/root
    Logical extents	0 to 2368
  Physical extent 2369 to 2496:
    Logical volume	/dev/ubuntu/swap_1
    Logical extents	0 to 127
   
root@ubuntu:~# lvdisplay -m
  --- Logical volume ---
  LV Name                /dev/ubuntu/root
  VG Name                ubuntu
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                9.25 GiB
  Current LE             2369
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:1
   
  --- Segments ---
  Logical extent 0 to 2368:
    Type		linear
    Physical volume	/dev/dm-0
    Physical extents	0 to 2368
   
  --- Logical volume ---
  LV Name                /dev/ubuntu/swap_1
  VG Name                ubuntu
  LV Write Access        read/write
  LV Status              available
  # open                 2
  LV Size                512.00 MiB
  Current LE             128
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:2
   
  --- Segments ---
  Logical extent 0 to 127:
    Type		linear
    Physical volume	/dev/dm-0
    Physical extents	2369 to 2496
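
The three manual checks above (crypttab, cryptsetup status, pvdisplay -m) can be reduced to a short script. The following is an added example and is not part of the original guide; its parsing functions read saved command output on standard input so they can be tried against the listing above, while verify_fde() runs the real commands and must be run as root. The sample texts embedded below are constructed from the output shown in the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): check that the mapping named in
# /etc/crypttab is an active LUKS device and that every logical volume
# (root and swap) is carved out of a device-mapper (dm-crypt) physical volume.

# Constructed samples, copied from the listing in the guide.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda5_crypt UUID=fa5a6f0a-f8ce-1ea9-c1a1-23231a98b65e none luks'

SAMPLE_STATUS='/dev/mapper/sda5_crypt is active and is in use.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda5'

SAMPLE_PVDISPLAY='  --- Physical volume ---
  PV Name               /dev/dm-0
  VG Name               ubuntu
  --- Physical Segments ---
  Physical extent 0 to 2368:
    Logical volume      /dev/ubuntu/root
    Logical extents     0 to 2368
  Physical extent 2369 to 2496:
    Logical volume      /dev/ubuntu/swap_1
    Logical extents     0 to 127'

# Print the mapping name from crypttab (first column of the first
# uncommented entry), e.g. "sda5_crypt".
crypttab_mapping() {
    awk '$1 !~ /^#/ && NF >= 3 { print $1; exit }'
}

# From "cryptsetup status <name>" output print "<cipher> <keysize>" when the
# mapping is active and of a LUKS type; print nothing otherwise.
luks_summary() {
    awk '
        /is active/      { active = 1 }
        $1 == "type:"    { type = $2 }
        $1 == "cipher:"  { cipher = $2 }
        $1 == "keysize:" { bits = $2 }
        END { if (active && type ~ /^LUKS/) print cipher, bits }'
}

# From "pvdisplay -m" output print every logical volume that sits on a
# physical volume which is NOT a device-mapper device. Empty output means
# root and swap are both inside the encrypted volume.
lvs_outside_dm() {
    awk '
        $1 == "PV" && $2 == "Name" { pv = $3 }
        $1 == "Logical" && $2 == "volume" {
            if (pv !~ "^/dev/(dm-|mapper/)") print $3
        }'
}

# Live checks (requires root). Exit status 0 when every check passes.
verify_fde() {
    name=$(crypttab_mapping < /etc/crypttab)
    [ -n "$name" ] || { echo "no entry in /etc/crypttab"; return 1; }
    summary=$(cryptsetup status "$name" | luks_summary)
    [ -n "$summary" ] || { echo "$name is not an active LUKS mapping"; return 1; }
    echo "$name: $summary"
    outside=$(pvdisplay -m | lvs_outside_dm)
    [ -z "$outside" ] || { echo "logical volumes outside the encrypted PV: $outside"; return 1; }
    echo "all logical volumes (root and swap) are on the encrypted PV"
}

# Run as "sh thisscript.sh --live" on the installed system.
if [ "${1:-}" = "--live" ]; then verify_fde; fi
```

The swap check matters because a swap partition outside the encrypted volume would write pages of memory (possibly including keys and passwords) to disk in the clear; on the guided installation both root and swap_1 come from /dev/dm-0, which is the sda5_crypt mapping.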

Enable the software firewall

By default Ubuntu installs but does not enable a firewall (you can confirm this by typing "iptables -L" and seeing the empty chains). You have two options: You can either build your own iptables firewall rules from scratch, or use one of the many available front-ends to simplify this process. For the latter option, two common choices are to use the native ufw (stands for "Uncomplicated Firewall") that comes bundled with Ubuntu, or to download and install firestarter. At the time of writing firestarter does not appear to be in active development, so my recommendation is to use ufw.

This point confuses some users so I'll repeat it here: Neither ufw nor firestarter is a firewall. They are both front-ends to manage iptables, which is the firewall. For most desktop users, below are the steps you'll wish to perform the first time you use ufw. For the average desktop system these steps are all that is necessary to have a working firewall:

root@ubuntu:~# ufw status
Status: inactive

root@ubuntu:~# ufw default deny
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

root@ubuntu:~# ufw enable
Firewall is active and enabled on system startup

root@ubuntu:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

From this point on the iptables firewall is active and will automatically load itself every time your system boots up. Although ufw stands for Uncomplicated Firewall, it still requires a certain amount of know-how in order to use it properly if you need to make changes beyond the default configuration (type the command ufw show raw to examine this). The best tutorial for using ufw is likely this one and the man pages are a good reference as well. Those intimidated by a command-line firewall can optionally install Gufw which is a graphical front-end for ufw.

The last thing to note is that the logs for ufw are stored in /var/log/ufw.log. Below are the differences between the logging levels:

off:    disables ufw managed logging.

low:    logs all blocked packets not matching the default policy (with rate limiting)
        as well as packets matching logged rules.

medium: log level low, plus all allowed packets not matching the default policy, all INVALID
        packets, and all new connections.  All logging is done with rate limiting.

high:   log level medium (without rate limiting), plus all packets with rate limiting.

full:   log level high without rate limiting.
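
At the default "low" level every blocked packet produces one kernel line in /var/log/ufw.log, which quickly becomes hard to read by eye. The script below is an added example, not part of the original guide: it counts the [UFW BLOCK] lines by source address, protocol and destination port so that a single noisy host or a scan across many ports stands out. The log lines embedded in it are constructed in the ufw/netfilter format with private-range placeholder addresses; the function names ufw_block_summary and ports_probed_by are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise blocked packets
# recorded by ufw. On a live system run:
#   ufw_block_summary < /var/log/ufw.log

# Constructed sample lines; the addresses are placeholders, not real traffic.
SAMPLE_UFW_LOG='Jun 28 10:15:01 ubuntu kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 28 10:15:02 ubuntu kernel: [ 1235.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 28 10:15:03 ubuntu kernel: [ 1236.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 28 10:16:10 ubuntu kernel: [ 1303.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=5353 DPT=5353 LEN=24
Jun 28 10:16:11 ubuntu kernel: [ 1304.567890] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40010 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# Print "<count> <src> <proto> <dport>" for each group of blocked packets,
# most frequent first. Only "[UFW BLOCK]" lines are counted; ALLOW lines
# (seen at the medium level and above) are ignored.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Print how many distinct destination ports one source address has been
# blocked on; a large number from one host is the shape of a port scan.
ports_probed_by() {
    awk -v s="$1" '
        /\[UFW BLOCK\]/ && index($0, "SRC=" s " ") {
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) seen[$i]++
        }
        END { n = 0; for (k in seen) n++; print n }'
}
```

Remember that "low" rate-limits the log, so the counts are a lower bound during a burst; if you need exact counts for an investigation, raise the level temporarily with ufw logging medium and lower it again afterwards.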


Review the list of services that are currently listening

Whenever you build a new Linux system, one thing you should do is take a look at the current list of network sockets to see whether there are any unnecessary services listening for connections that should be disabled. This can be done by entering the following command, which will display all established, recently terminated, and listening TCP and UDP network connections along with the program name related to each socket:

root@ubuntu:~# netstat -anp | grep -e tcp -e udp
tcp       0      0 127.0.0.1:53         0.0.0.0:*       LISTEN      760/dnsmasq     
tcp       0      0 127.0.0.1:631        0.0.0.0:*       LISTEN      618/cupsd       
udp       0      0 0.0.0.0:47062        0.0.0.0:*                   602/avahi-daemon: r
udp       0      0 0.0.0.0:5353         0.0.0.0:*                   602/avahi-daemon: r
udp       0      0 127.0.0.1:53         0.0.0.0:*                   760/dnsmasq     
udp       0      0 0.0.0.0:68           0.0.0.0:*                   706/dhclient    
udp6      0      0 :::5353              :::*                        602/avahi-daemon: r
udp6      0      0 :::51225             :::*                        602/avahi-daemon: r

Above we can see that dnsmasq is listening for connections (although only on the 127.0.0.1 local loopback interface) on TCP port 53, cupsd on TCP port 631, and avahi-daemon and dhclient are capable of receiving data on various UDP ports. Cupsd is the unix printing daemon, dhclient is the DHCP client, and avahi-daemon is the multicast DNS daemon. Dnsmasq is a local DNS resolver and its presence in Ubuntu desktop is new in 12.04 (you will notice that /etc/resolv.conf points to 127.0.0.1. Details here). For home users I always recommend disabling avahi-daemon. Unless you use static IP addresses and don't need to print, you'll probably want to keep dhclient and cups. If you are a bit hesitant to run a service such as dnsmasq on a desktop (I have to admit I'm still unsure about this one even though dnsmasq brings certain technical benefits -- anything related to DNS resolution should be treated with caution), you can disable it by editing /etc/NetworkManager/NetworkManager.conf and commenting out the line dns=dnsmasq, then running the command restart network-manager for the changes to take effect.
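
The distinction drawn above between dnsmasq and cupsd (bound to 127.0.0.1 only) and avahi-daemon and dhclient (bound to 0.0.0.0 and ::) is the one that matters when reviewing this list, since only the latter can receive traffic from the network. The script below is an added example, not part of the original guide: it makes that split automatically from netstat -anp output. The sample listing embedded in it is constructed from the output shown above, and the function names exposed_sockets and exposed_programs are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): report sockets that are bound
# to a non-loopback address. On a live system run:
#   netstat -anp | grep -e tcp -e udp | exposed_sockets

# Constructed sample, modelled on the listing in the guide.
SAMPLE_NETSTAT='tcp       0      0 127.0.0.1:53         0.0.0.0:*       LISTEN      760/dnsmasq
tcp       0      0 127.0.0.1:631        0.0.0.0:*       LISTEN      618/cupsd
udp       0      0 0.0.0.0:47062        0.0.0.0:*                   602/avahi-daemon: r
udp       0      0 0.0.0.0:5353         0.0.0.0:*                   602/avahi-daemon: r
udp       0      0 127.0.0.1:53         0.0.0.0:*                   760/dnsmasq
udp       0      0 0.0.0.0:68           0.0.0.0:*                   706/dhclient
udp6      0      0 :::5353              :::*                        602/avahi-daemon: r
udp6      0      0 :::51225             :::*                        602/avahi-daemon: r'

# Print "<proto> <port> <program>" for each socket whose local address is
# not 127.0.0.1 or ::1. TCP sockets count only in LISTEN state; UDP sockets
# have no state, so every bound UDP socket counts.
exposed_sockets() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }
        {
            bound = $4
            n = split(bound, parts, ":")
            port = parts[n]
            # everything before the last ":" is the address (works for :::5353 too)
            addr = substr(bound, 1, length(bound) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            # the program column is "pid/name"; avahi also shows a fragment of
            # its argument list ("avahi-daemon: r"), so take the first field
            # after the foreign-address column that carries a pid/ prefix
            prog = "-"
            for (i = 6; i <= NF; i++) if ($i ~ /^[0-9]+\//) { prog = $i; break }
            sub(/^[0-9]+\//, "", prog)
            sub(/:$/, "", prog)
            print $1, port, prog
        }'
}

# Distinct program names with at least one exposed socket, one per line.
exposed_programs() {
    exposed_sockets | awk '{ print $3 }' | sort -u
}
```

Against the guide's own listing this reports avahi-daemon and dhclient only, which is exactly the pair the paragraph above singles out; dhclient's port 68 is needed for DHCP, so avahi-daemon is the one left to decide about.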

The next steps will show how to remove undesired software.


Uninstall software

You have a few options to uninstall software. You can use the Ubuntu Software Center, or Synaptic (requires that you install Synaptic first), or use apt-get at the command line. In the paragraph above we detected that avahi-daemon was a service which was listening for network connections. You can use any of these options to uninstall avahi-daemon. Below is how this would be done at the command line:

root@ubuntu:~# apt-get remove avahi-daemon

Note about installing software from the Ubuntu repositories

One thing that is important to notice which you wouldn't necessarily see if you were using apt-get is that some packages contain the following clause in the package information:

"Canonical does not provide updates for <package name>. Some updates may be provided by the Ubuntu community."

The screen capture above is taken from Ubuntu Software Center when you select a package and click on More Info. For any such packages be aware of any critical security vulnerabilities discovered for that software as unlike the Canonical managed packages, there is no guarantee that these will be automatically updated in the Ubuntu repositories.

For those who are paranoid about trusting software, you can find more information about a program such as the maintainers, change log, open bugs, list of files, etc. by searching for it in the Ubuntu Packages (some of this can be found by examining the package in Synaptic as well). Take a look at our resources section to see a list of other programs that you may wish to install.


Note about installing software from PPAs

Keep the following in mind when deciding to install software from PPAs (Personal Package Archives). The following excerpt is taken from the Ubuntu Wiki SecurityTeam FAQ: There are no security verifications done on packages in PPAs. When you install a package from a PPA, you are implicitly trusting the owner of the PPA. There are no mechanisms in place to prevent the owner of a PPA from publishing malicious, trojaned, or simply broken packages.


AppArmor

This topic alone could span its own book. AppArmor can be quite intimidating to learn; however, the following steps are simple and do not require a lot of effort on your end to enhance the AppArmor protection of your system. You are encouraged to read up on AppArmor to learn the benefits it brings. If you wish to take AppArmor beyond what the default installation gives you (and you should, because exploits are always tested to make sure they work against the default configuration), then you will likely need to install the following additional packages:

apparmor-utils
apparmor-profiles
apparmor-notify

The following document shows you the difference between the default AppArmor profiles that come bundled with Ubuntu 12.04 and the ones that are included within the apparmor-profiles package (note that the apparmor-profiles package also includes some profiles which are unmaintained but could be a good starting point if you wish to create your own profiles; these are stored in /usr/share/doc/apparmor-profiles/extras. You should probably ignore these for now until you become comfortable with using AppArmor).

Begin by installing all 3 AppArmor packages above.

root@ubuntu:~# apt-get install apparmor-utils apparmor-profiles apparmor-notify

Installing apparmor-utils puts the following additional commands at your disposal:

aa-audit
aa-autodep
aa-complain
aa-decode
aa-disable
aa-easyprof
aa-enforce
aa-exec
aa-genprof
aa-logprof
aa-unconfined
aa-update-browser

By default AppArmor does not protect Firefox (notice the blank output after the first command below. See this article for some background on why this is the case). Given that Firefox would likely be targeted if attempting to exploit Ubuntu systems, you should protect Firefox by entering the following commands:

root@ubuntu:~# aa-status | grep firefox

root@ubuntu:~# aa-enforce /etc/apparmor.d/usr.bin.firefox
Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.

root@ubuntu:~# aa-status | grep firefox
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
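
Grepping aa-status for "firefox" shows that a profile is loaded, but not whether it is in enforce mode (violations blocked) or complain mode (violations only logged), which is what you actually want to confirm after running aa-enforce. The script below is an added example, not part of the original guide: it reads aa-status output on standard input and reports the mode of a named profile. The sample output embedded in it is constructed in the layout aa-status used at the time (the Firefox profile name is the one shown above; the other profile names are illustrative), and the function names profile_mode and complain_profiles are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): report the mode of a profile
# from aa-status output. On a live system:
#   aa-status | profile_mode '/usr/lib/firefox/firefox{,*[^s][^h]}'

# Constructed sample in the layout aa-status prints.
SAMPLE_AA_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/bin/evince
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (618)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode NAME: print "enforce", "complain" or "none" for NAME. The
# profile sections come first in the output; the "processes" sections that
# follow list running programs and are skipped.
profile_mode() {
    awk -v want="$1" '
        /profiles are in enforce mode/  { section = "enforce";  next }
        /profiles are in complain mode/ { section = "complain"; next }
        /processes have profiles/       { section = "" }
        section != "" && $1 == want     { found = section }
        END { print (found == "" ? "none" : found) }'
}

# List every profile that is loaded in complain mode, i.e. profiles that
# would log but not stop a violation.
complain_profiles() {
    awk '
        /profiles are in complain mode/ { section = 1; next }
        /processes have profiles/       { section = 0 }
        section && NF == 1 { print $1 }'
}
```

A profile reported as "complain" is the state aa-complain (or a fresh aa-genprof run) leaves behind; once you are satisfied that the profile no longer produces spurious denials, switch it to enforce mode with aa-enforce as shown above.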

As a demonstration below is a screen capture of the pop-up that appears on your Desktop via apparmor-notify when AppArmor blocks Firefox. In this case Firefox was attempting to open a file that AppArmor does not grant it access to, even though it is a world readable file.

For your information, the configuration for AppArmor is in /etc/apparmor, and AppArmor profiles are stored in /etc/apparmor.d/. Also you may get the following error when attempting to use aa-notify:

root@ubuntu:~# aa-notify -l
aa-notify: ERROR: 'user' must be in 'admin' group. Aborting.
Ask your admin to add you to this group or to change the group in
/etc/apparmor/notify.conf if you want to use aa-notify.

If this occurs, modify the file /etc/apparmor/notify.conf and change the entry use_group="admin" to use_group="sudo".


Add a system load indicator

Although this may seem odd, adding system monitors to your top panel not only gives you feedback on why your system might be responding slowly; to a certain degree it also becomes a security monitoring tool, as the same feedback can alert you to potentially suspicious activity occurring on your system unbeknownst to you that warrants investigation. For example, if you are on your computer reading an article and suddenly see your network activity light up solid for apparently no reason, it might be worth investigating the cause to confirm that this is within normal system behavior.

Begin by installing a package called indicator-multiload. Once installed configure it to startup automatically by launching Startup Applications in Dash, then clicking on Add and adding an entry that runs the command /usr/bin/indicator-multiload.

Once the system load indicator starts up (you can either reboot your computer to start it or manually launch it the first time by running the command "/usr/bin/indicator-multiload &") right-click on it, select Preferences, and add monitors for resources such as Processor, Memory, Network, Harddisk, etc. You may wish to also tweak the system monitor update interval as it does use considerably more processing power to animate it faster (you can confirm this by opening a terminal, starting top and observing the %CPU column for the indicator-multiload process).

Now in the event that you ever notice unexpected activity (again using the example of your system uploading data for no apparent reason) you can perform a quick and preliminary investigation by using tcpdump, wireshark, or netstat to determine what type of data is being sent and where.


Firefox Add-ons

Although there are countless add-ons and extensions for Firefox that can make your web browsing more secure or private, we recommend that you consider Adblock Plus, Ghostery, and HTTPS-Everywhere, for the reasons below:

Adblock Plus: An alarming amount of malware today is pushed through advertising networks. Although malware is not nearly as much of a concern for Linux systems in comparison to Windows, using Adblock will block advertisements and thus prevent any exploits from being automatically pushed onto your computer through advertisements delivered on legitimate web sites. After you install the plugin and restart Firefox, you'll be prompted to select a filter subscription. Choose the one closest to your locale and click Add subscription. Now I do realize that there currently aren't any public reports of people purposely paying money to display malicious advertisements that target Ubuntu systems, however I still recommend the installation of Adblock Plus since running it typically does not cause any problems.

Ghostery: Ghostery allows you to detect and block trackers that are a part of most major web sites. Ghostery will produce a brief alert box in the top-right corner of Firefox showing the content it is blocking whenever you visit a page that has trackers. Given that the alert box can be distracting, you can disable this by going into the Ghostery options, and clicking on the Advanced tab, and unchecking "Show Alert Bubble". In addition from here you can configure Ghostery to delete Flash and Silverlight cookies whenever your web browser exits.

HTTPS-Everywhere: Certain web sites that use both HTTP and HTTPS reserve HTTPS only for communication of the most sensitive information (usually credentials and payment information) and default back to HTTP for everything else even though you might prefer not to have that data sent in the clear. For example certain popular webmail sites were known to use HTTPS on the login page, but once you had logged in everything that you accessed including reading or composing emails was in regular unencrypted HTTP. This add-on forces web sites to keep using HTTPS throughout the entire session.


Optional: Change permission on home directory

Assuming that you do not need to share any files with other users on your local system, you can change the permissions of your home directory as a minor safety precaution. By default the permission is 755 which allows other local accounts the ability to cd into your home directory. (Note: If you encrypted your home directory, the permissions by default of the /home/ sub-directories are 700 for logged in users and 500 for those logged out).

user@ubuntu:~$ chmod 750 /home/<your_username>
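
On a multi-user machine it is worth checking every home directory rather than just your own. The script below is an added example, not part of the original guide: it lists the home directories whose mode grants anything to the "other" class (the 755 default described above) and can then apply the 750 change to each. The parent directory is a parameter so the functions can be tried on a scratch directory first; the function names world_accessible_homes and restrict_homes are my own, and stat -c is the GNU coreutils form that Ubuntu ships.

```shell
#!/bin/sh
# Added example (not from the original guide): find home directories that
# other local users can enter, and restrict them to 750. On a live system:
#   world_accessible_homes /home        # report only
#   restrict_homes /home                # report and fix (as root)

# Print "<mode> <directory>" for every subdirectory of PARENT whose
# "other" permission bits are not all zero.
world_accessible_homes() {
    parent="$1"
    for dir in "$parent"/*/; do
        [ -d "$dir" ] || continue
        dir="${dir%/}"
        mode=$(stat -c '%a' "$dir")
        # the last octal digit is the "other" class; strip everything before it
        other="${mode#${mode%?}}"
        [ "$other" = "0" ] && continue
        printf '%s %s\n' "$mode" "$dir"
    done
}

# Apply chmod 750 (owner: rwx, group: r-x, other: none) to each directory
# reported by world_accessible_homes and print what was changed.
restrict_homes() {
    world_accessible_homes "$1" | while read -r mode dir; do
        chmod 750 "$dir" && printf 'changed %s from %s to 750\n' "$dir" "$mode"
    done
}
```

The check looks only at the "other" digit, so a directory already at 750 (group can still read and enter) is not reported; tighten to 700 instead if you do not share files with a group either.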

Review Privacy Settings

New in Ubuntu 12.04 is the option to centrally manage your privacy settings. Click on the Dash icon, search for privacy, and start the Privacy application. From here configure your privacy settings as needed.



Optional: Remove the guest account login

You may have noticed that when Ubuntu boots up and waits at the login screen, there is a Guest account that is present (notice the line "Guest Session" below):

You can remove this by editing /etc/lightdm/lightdm.conf and adding the following line at the end:

allow-guest=false


Optional: Disable webcam

If you have a laptop that has a built-in webcam that does not have a cover which you can slide over it, and you cannot disable the webcam through the BIOS, and you dislike the concept of a video camera always being pointed at your face, you can disable it by adding the line "blacklist uvcvideo" (without quotes) in the file /etc/modprobe.d/blacklist.conf. Once you reboot your system the webcam should no longer be functional. Contrast the output of dmesg before and after disabling the webcam:

user@ubuntu:~$ dmesg | grep video
[    0.711982] pci 0000:00:02.0: Boot video device
[   24.422753] Linux video capture interface: v2.00
[   24.448704] uvcvideo: Found UVC 1.00 device 1.3M WebCam
[   24.470185] usbcore: registered new interface driver uvcvideo
(we proceed to blacklist and reboot)
user@ubuntu:~$ dmesg | grep video
[    0.720463] pci 0000:00:02.0: Boot video device
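
Both of the last two optional changes (allow-guest=false at the end of /etc/lightdm/lightdm.conf, and blacklist uvcvideo in /etc/modprobe.d/blacklist.conf) are "append this line unless it is already there" edits, so one small helper covers both. The script below is an added example, not part of the original guide; the file path is a parameter so the helper can be exercised on a scratch copy before it is pointed at the real files as root, and the function names ensure_line, disable_guest_session and blacklist_webcam_driver are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent one-line edits to
# lightdm.conf and modprobe.d/blacklist.conf.

# ensure_line FILE LINE: append LINE to FILE unless an identical line is
# already present (a commented-out copy does not count because of -x).
# Prints "added: LINE" or "present: LINE".
ensure_line() {
    file="$1"
    line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        echo "present: $line"
    else
        printf '%s\n' "$line" >> "$file"
        echo "added: $line"
    fi
}

# Remove the Guest Session entry from the LightDM login screen.
disable_guest_session() {
    ensure_line "${1:-/etc/lightdm/lightdm.conf}" 'allow-guest=false'
}

# Stop the uvcvideo driver from loading; takes effect after a reboot.
blacklist_webcam_driver() {
    ensure_line "${1:-/etc/modprobe.d/blacklist.conf}" 'blacklist uvcvideo'
}

# has_line FILE LINE: exit 0 when FILE contains exactly LINE, for verifying.
has_line() {
    grep -qxF -- "$2" "$1"
}

# Applied to the real files when run as "sh thisscript.sh --live" (as root).
if [ "${1:-}" = "--live" ]; then
    disable_guest_session
    blacklist_webcam_driver
fi
```

Running the functions twice leaves the files unchanged the second time, which is what you want from a script kept for re-provisioning a machine; after the reboot, the dmesg comparison shown above confirms the webcam blacklist took effect.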

Finally, although it should be common sense, make sure to continue installing all of the latest software updates whenever they are pushed by the update manager.


Originally posted June 10, 2012