Ubuntu Desktop 10.04 LTS security configuration guide
JUN/11/2012 UPDATE: We have updated this article for Ubuntu Desktop 12.04 LTS which we recommend our viewers to read unless you wish to continue with the 10.04 version.
This is an installation guide for Ubuntu Desktop 10.04 LTS that will show you how to enable full disk encryption and confirm that it is working, how to check for and remove unnecessary network services and software, how to enable the firewall and view its rule set, and various security-related software that one may consider installing.
This is not meant to be a guide for creating the most secure or hardened installation of Ubuntu ever. It is meant to cover reasonable approaches to improving security and informing new Ubuntu or Linux users of these options.
Begin by downloading the Alternate install CD image for Ubuntu (the Alternate install is required for full disk encryption). The list of mirrors is located here: http://www.ubuntu.com/getubuntu/downloadmirrors#mirrors
Once you've downloaded the file, take an MD5 hash of the ISO and compare it against Ubuntu's online documentation (https://help.ubuntu.com/community/UbuntuHashes) to confirm that they match.
user@Linux:~$ md5sum ubuntu-10.04-alternate-i386.iso
5b2dadacfd692b4f2d5c7cf034539262  ubuntu-10.04-alternate-i386.iso
(for those trying to wean themselves off MD5, the SHA1 hash should be 59587d7a64d40cbc889b85d853048360900878f1)
The process to install Ubuntu should be straightforward until you reach the following screen:
You have two alternatives for enabling full disk encryption. The easiest one is to let the installer configure the partitioning and encryption settings for you by selecting "Guided - use entire disk and set up encrypted LVM". The second alternative is to select "Manual" and manually set up your partitions (root, swap, boot, etc.), select your file system types, and specify your encryption settings. The guided installation sets up LVM with ext4 as your root partition, using 256-bit AES encryption in cipher-block-chaining mode, whereas in the manual mode for your encryption settings you can select AES, blowfish, serpent, or twofish ciphers in 128, 192 or 256-bit key sizes (depending on the encryption algorithm). Those not comfortable or familiar with setting up partitions for Linux systems should select the Guided approach.
(Later on in this guide after Ubuntu has been installed we will be confirming that full disk encryption is enabled for the entire disk, which includes the swap partition).
Proceed with the installation until you reach this screen:
Here is where you select your disk encryption password which you'll need to specify every time your computer boots up. It is important to stress that the strength of your encryption is highly dependent on the complexity of your passphrase. A passphrase of 20 characters or more in length is recommended. DO NOT forget this passphrase!
Optional: Do not enable encryption of the home directory
You will also be asked whether you wish to encrypt your home directory. If your main concern is protecting the confidentiality of your data at rest when your computer is turned off, encrypting the home directory is not necessary as you are already encrypting your entire hard drive. If you are a bit more paranoid and want your data to remain encrypted when your computer is powered on but you are logged out, then you may wish to also encrypt your home directory. However, enabling both forms of encryption (i.e. encrypted home directory on top of full disk encryption) will result in a performance hit.
Continue with the installation until it completes and your system boots into Ubuntu for the first time.
Optional: Change button layout
With the 10.04 release of Ubuntu, one cosmetic change that some people may not appreciate is that the minimize, maximize, and close buttons are located at the top left-hand side of a window. For those accustomed to seeing these buttons on the top right-hand side, this can easily be reinstated by doing the following:
Open a terminal window and type gconf-editor
In the new window drill down to app | metacity | general | button_layout
Edit the button_layout field to contain the value menu:minimize,maximize,close
The changes should be reflected immediately.
Optional: Enable the root account
I do not wish to get into a debate over whether it is more or less secure to use sudo instead of root for system administration. If you do decide to enable the root account, remember to always configure login services such as SSH to disable root logins, as the root account will inevitably be targeted during brute force login attacks. For SSH, look in the configuration file /etc/ssh/sshd_config for the parameter "PermitRootLogin" and set it to no. By default, however, Ubuntu Desktop does not install an SSH server.
To enable the root account in Ubuntu, enter the following command:
user@ubuntu:~$ sudo passwd root
Once prompted, enter your password then enter a new password for the root account twice.
Optional: Force sudo to prompt for the root password instead of the password of the invoking user
Only relevant if you choose to enable the root account, this will require that a user enters the root password instead of their personal password whenever using sudo or performing a task that prompts for an administrative password, such as deploying updates through the update manager.
Use the command "visudo" to edit the configuration file /etc/sudoers. Within this file look for the line that begins with "Defaults" and add ",rootpw" at the end. Once you've made your changes, press CTRL+X to exit the editor, followed by Y to save the file:
Confirm that the full-disk encryption was set up properly
Your first thought after setting up full-disk encryption was hopefully "How do I confirm that my disk is actually encrypted, and that the swap partition is encrypted as well?" Both a quick and a more thorough method to confirm this are explained below. If this is not a concern for you, skip to the next section.
A). Quick Method:
Type "cat /etc/crypttab" to discover the name of your encrypted volume. Then run "cryptsetup status" followed by the name of the encrypted volume that you discovered through the cat command. Finally run "pvdisplay -m" to confirm that your swap partition is included within this volume.
root@ubuntu:~# cat /etc/crypttab
sda5_crypt UUID=861bc7e3-499a-4d56-b2fa-75834f7308d1 none luks
root@ubuntu:~# cryptsetup status sda5_crypt
/dev/mapper/sda5_crypt is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda5
  offset:  2056 sectors
  size:    16271352 sectors
  mode:    read/write
root@ubuntu:~# pvdisplay -m
  --- Physical volume ---
  PV Name               /dev/mapper/sda5_crypt
  VG Name               ubuntu
  PV Size               7.76 GiB / not usable 1020.00 KiB
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              1986
  Free PE               8
  Allocated PE          1978
  PV UUID               5Z8kcp-FNFX-0dNL-7QoW-AC3U-9qWG-gbWMTx
  --- Physical Segments ---
  Physical extent 0 to 1880:
    Logical volume      /dev/ubuntu/root
    Logical extents     0 to 1880
  Physical extent 1881 to 1977:
    Logical volume      /dev/ubuntu/swap_1
    Logical extents     0 to 96
  Physical extent 1978 to 1985:
    FREE
B). Thorough Method:
First, run fdisk to confirm the hard drives and partitions:
root@ubuntu:~# fdisk -l
Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0002ebfd
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          32      248832   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              32        1045     8136705    5  Extended
/dev/sda5              32        1045     8136704   83  Linux
Second, run df -h to confirm what is mounted:
root@ubuntu:~# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu-root  7.3G  2.2G  4.7G  32% /
none                     242M  200K  242M   1% /dev
none                     249M  248K  249M   1% /dev/shm
none                     249M   84K  249M   1% /var/run
none                     249M     0  249M   0% /var/lock
none                     249M     0  249M   0% /lib/init/rw
none                     7.3G  2.2G  4.7G  32% /var/lib/ureadahead/debugfs
/dev/sda1                228M   21M  195M  10% /boot
Third, run pvdisplay -m to see your physical volume (7.76 GB sda5_crypt, which is composed of two logical volumes: root and swap_1):
root@ubuntu:~# pvdisplay -m
  --- Physical volume ---
  PV Name               /dev/mapper/sda5_crypt
  VG Name               ubuntu
  PV Size               7.76 GiB / not usable 1020.00 KiB
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              1986
  Free PE               8
  Allocated PE          1978
  PV UUID               5Z8kcp-FNFX-0dNL-7QoW-AC3U-9qWG-gbWMTx
  --- Physical Segments ---
  Physical extent 0 to 1880:
    Logical volume      /dev/ubuntu/root
    Logical extents     0 to 1880
  Physical extent 1881 to 1977:
    Logical volume      /dev/ubuntu/swap_1
    Logical extents     0 to 96
  Physical extent 1978 to 1985:
    FREE
Fourth, run lvdisplay -m to confirm how your logical volumes map to your physical volume (7.35 GB root and 388 MB swap):
root@ubuntu:~# lvdisplay -m
  --- Logical volume ---
  LV Name                /dev/ubuntu/root
  VG Name                ubuntu
  LV UUID                2H8bTU-mFa0-h0IY-LRwP-QCFU-UXT3-hZPaTT
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                7.35 GiB
  Current LE             1881
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:1
  --- Segments ---
  Logical extent 0 to 1880:
    Type                linear
    Physical volume     /dev/mapper/sda5_crypt
    Physical extents    0 to 1880
  --- Logical volume ---
  LV Name                /dev/ubuntu/swap_1
  VG Name                ubuntu
  LV UUID                PSM0iA-h26H-LyHq-sQKc-fh1n-iM56-wWuD1q
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                388.00 MiB
  Current LE             97
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:2
  --- Segments ---
  Logical extent 0 to 96:
    Type                linear
    Physical volume     /dev/mapper/sda5_crypt
    Physical extents    1881 to 1977
Finally, run cryptsetup status <crypt> to confirm the encryption settings:
root@ubuntu:~# cryptsetup status sda5_crypt
/dev/mapper/sda5_crypt is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda5
  offset:  2056 sectors
  size:    16271352 sectors
  mode:    read/write
You can somewhat get a visual representation of this by clicking on System | Administration | Disk Utility, clicking on your hard drive and confirming the size of the encrypted volume. Below is the layout of the 8.6 GB hard drive /dev/sda when encryption is enabled:
Below is the same hard drive with no encryption:
In both cases the 255 MB /boot partition on /dev/sda1 isn't encrypted (nor should it be).
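The quick method above can be scripted so the check is repeatable. The following is an added example, not part of the original guide: the function names are hypothetical, and the sample files are an abridged copy of the crypttab and pvdisplay output shown earlier. It confirms that a given logical volume, swap included, sits on a mapping listed in crypttab.

```shell
#!/bin/sh
# Added example: check that a logical volume sits inside a dm-crypt mapping.
# On a live system, pass /etc/crypttab and the saved output of `pvdisplay -m`.

# crypt_names FILE: print mapping names (field 1) from a crypttab-format file
crypt_names() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# lvs_on_pv FILE PV: print logical volumes that `pvdisplay -m` output places on PV
lvs_on_pv() {
    awk -v pv="$2" '
        $1 == "PV" && $2 == "Name"                     { cur = $3 }
        $1 == "Logical" && $2 == "volume" && cur == pv { print $3 }
    ' "$1"
}

# lv_is_encrypted CRYPTTAB PVDISPLAY LV: succeed if LV lives on a crypttab mapping
lv_is_encrypted() {
    for name in $(crypt_names "$1"); do
        if lvs_on_pv "$2" "/dev/mapper/$name" | grep -qxF "$3"; then
            return 0
        fi
    done
    return 1
}

# Sample input, abridged from the output shown in this guide
WORK=$(mktemp -d)
cat > "$WORK/crypttab" <<'EOF'
sda5_crypt UUID=861bc7e3-499a-4d56-b2fa-75834f7308d1 none luks
EOF
cat > "$WORK/pvdisplay.txt" <<'EOF'
  --- Physical volume ---
  PV Name               /dev/mapper/sda5_crypt
  VG Name               ubuntu
  --- Physical Segments ---
  Physical extent 0 to 1880:
    Logical volume      /dev/ubuntu/root
    Logical extents     0 to 1880
  Physical extent 1881 to 1977:
    Logical volume      /dev/ubuntu/swap_1
    Logical extents     0 to 96
  Physical extent 1978 to 1985:
    FREE
EOF

for lv in /dev/ubuntu/root /dev/ubuntu/swap_1; do
    if lv_is_encrypted "$WORK/crypttab" "$WORK/pvdisplay.txt" "$lv"; then
        echo "$lv: on encrypted volume"
    else
        echo "$lv: NOT on a crypttab mapping"
    fi
done
```

A crypttab entry only shows that a mapping is configured; "cryptsetup status" remains the check that it is active and which cipher it uses.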
Enable the software firewall
By default Ubuntu installs but does not enable a firewall (you can confirm this by typing "iptables -L" and seeing the empty chains). You have two options: You can either build your own iptables firewall rules from scratch, or use one of many available front-ends to simplify this process. For the latter option, two common choices are to use the native ufw (stands for "Uncomplicated Firewall") that comes bundled with Ubuntu, or to download and install firestarter. Both front-ends come with their default ruleset so technically you don't need to create any of the rules yourself to have a working firewall.
This point confuses some users so I'll repeat it here: Neither ufw nor firestarter are firewalls. They are both front-ends to manage iptables, which is the firewall.
To start the firewall with ufw simply type "ufw enable". The iptables firewall will activate and automatically load itself every time your system boots up. If you wish to use firestarter, use synaptic to download the package firestarter then enable it by clicking on Applications | Internet | Firestarter. A firewall wizard will ask you a few simple questions. Once done you can close the window.
Display a list of services that are currently listening
Whenever you build a new Linux system one thing you should do is take a look at the current list of network sockets to see whether there are any unnecessary services listening for connections that should be disabled. This can be done by entering the following command which will display all established, recently terminated, and listening TCP and UDP network connections along with the program name related to each socket:
root@ubuntu:~# netstat -anp | grep -e tcp -e udp
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1234/cupsd
udp        0      0 0.0.0.0:42558           0.0.0.0:*                           789/avahi-daemon: r
udp        0      0 0.0.0.0:68              0.0.0.0:*                           951/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           789/avahi-daemon: r
Above we can see that cupsd is listening for connections on TCP port 631, and that avahi-daemon and dhclient are capable of receiving data on UDP ports 68, 5353, and 42558. Cupsd is the Unix printing daemon, dhclient is the DHCP client, and avahi-daemon is the multicast DNS daemon. Use either Google or the man pages to find out more about these programs. For home users I always recommend disabling avahi-daemon. Unless you use static IP addresses and don't need to print, you'll probably want to keep the other two programs.
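When reviewing this list, it helps to separate sockets bound only to loopback (cupsd above) from those bound to an address other hosts can reach. The filter below is an added example, not part of the original guide: the function names are hypothetical, and the sample input is the output above plus one constructed ESTABLISHED line using documentation addresses.

```shell
#!/bin/sh
# Added example: reduce `netstat -anp` output to sockets reachable from the network.

# exposed_listeners: read netstat -anp output on stdin and print
# "proto port program" for sockets bound to a non-loopback address.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            # TCP: keep only LISTEN. UDP has no state column, so keep
            # unconnected sockets (foreign address ends in ":*").
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            if ($1 ~ /^udp/ && $5 !~ /:\*$/)   next
            port = $4; sub(/.*:/, "", port)
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            prog = ($1 ~ /^tcp/) ? $7 : $6
            sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
            print $1, port, prog
        }
    ' | sort -u
}

# Sample input: the netstat output from this guide, plus one constructed
# ESTABLISHED connection to show that active connections are filtered out.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 192.0.2.10:51234        198.51.100.7:80         ESTABLISHED 2001/firefox-bin
tcp6       0      0 ::1:631                 :::*                    LISTEN      1234/cupsd
udp        0      0 0.0.0.0:42558           0.0.0.0:*                           789/avahi-daemon: r
udp        0      0 0.0.0.0:68              0.0.0.0:*                           951/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           789/avahi-daemon: r
EOF
}

sample_netstat | exposed_listeners
```

On a live system, run "netstat -anp | exposed_listeners" as root so that the program column is populated for every socket.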
The next steps will show how to disable any such unnecessary startup scripts as well as removing unneeded software.
Disable startup scripts and daemons
To disable startup scripts and daemons (cups will be used as an example) use the update-rc.d command. You can specify the -n parameter to have update-rc.d demonstrate the changes it would make without actually going through with any changes:
root@ubuntu:~# update-rc.d -n cups disable
If you are happy with the results, omit the -n parameter to implement the changes:
root@ubuntu:~# update-rc.d cups disable
Although you've prevented cups from starting up the next time you boot your computer, the command above won't stop the cups process that is currently running in the background. You can either reboot your computer or call the script through /etc/init.d/ to actually stop it.
root@ubuntu:~# /etc/init.d/cups stop
If you wish to completely remove cups instead of disabling it, use the same command but add -f and replace disable with remove. It has occurred on Debian-based systems that software updates for disabled services re-enabled those services, which is a reason why some people prefer to use remove instead of disable.
root@ubuntu:~# update-rc.d -f cups remove
If you always boot Ubuntu with a GUI (i.e. runlevel 5) which is what most people do, visit the directory /etc/rc5.d/ and the contents of the file /etc/rc.local to see what programs get started automatically on bootup and whether there are any others that you do not need (ex: bluetooth).
To uninstall software (avahi-daemon will be used as an example), use Synaptic (click on System | Administration | Synaptic Package Manager) and search for avahi-daemon. You will notice that a green box will appear next to the package name which indicates that the package is installed. Right-click on it and select either mark for removal (to uninstall) or mark for complete removal (to uninstall and remove any configuration files). Click on Apply to execute the action.
Install software from the Ubuntu repositories
One thing that is important to notice which you wouldn't necessarily see if you were using apt-get instead of Synaptic is that packages that do not have the Ubuntu icon next to them contain the following text in the description:
"Canonical does not provide updates for <package name>. Some updates may be provided by the Ubuntu community."
For any such packages be aware of any critical security vulnerabilities discovered for that software as unlike the Canonical managed packages, there is no guarantee that these will be automatically updated in the Ubuntu repositories.
Another benefit of using Synaptic instead of apt-get to install software is that Synaptic will keep a history of the software changes you've made. In Synaptic click on File | History to view these.
With that said, consider installing any of the following software packages:
sleuthkit: Collection of tools used for computer forensics.
foremost: Complementary to sleuthkit. Used to do automated file carving.
md5deep: Tool for recursively computing hashes.
bless: Hex editor.
clamav: On-demand virus scanner. For an on-access scanner, fetch clamav-daemon (make sure to analyze the performance of clamav before relying on it for malware detection).
chkrootkit: Rootkit scanner.
curl: Command-line client for retrieving files.
nmap: Network port scanner.
hping3: Used for packet crafting.
Take a look at the following resources section to see a list of other programs that you may wish to install.
Install third party software not included in the Ubuntu repositories
You may wish to install TrueCrypt in order to create encrypted containers for your sensitive files. One of the benefits of using TrueCrypt is that Windows users can install it as well.
Download TrueCrypt from http://www.truecrypt.org/downloads. Select the Linux package "Standard" and download it to a temporary directory (you can delete the files once installed). Type the following commands to extract and install it:
user@ubuntu:~$ gunzip truecrypt-6.3a-linux-x86.tar.gz
user@ubuntu:~$ tar -xvf truecrypt-6.3a-linux-x86.tar
Click on Install TrueCrypt to proceed with the installation. Once completed you will be able to launch TrueCrypt either by clicking on Applications | Accessories | TrueCrypt or by typing truecrypt in a terminal window.
Although there are countless add-ons and extensions for Firefox that can make your web browsing more secure or private, consider installing Adblock Plus. The reason is that an alarming amount of malware today is pushed through the advertising network. Although malware is not nearly as much of a concern for Linux systems in comparison to Windows, using Adblock will block advertisements and thus prevent any exploits from being automatically pushed onto your computer through an advertisement while browsing a legitimate web site.
Firefox | Tools | Add-Ons
After Firefox restarts, you'll be prompted to select a filter subscription. Choose the one closest to your locale and click Add subscription. If you don't like seeing the red ABP icon in Firefox, you can hide it by clicking on Tools | Adblock Plus Preferences | Options, and unchecking Show in toolbar.
Change permission on home directory
Assuming that you do not need to share any files with other users, change the permissions of your home directory so that only you can access it. By default the permission is 755 which allows other local accounts the ability to cd into your home directory. (If you encrypted your home directory, the permissions by default of the /home/ sub-directories are 700 for logged in users and 500 for those logged out).
user@ubuntu:~$ chmod 750 /home/<your username>
Optional: Modify GRUB settings
Edit /etc/default/grub to change default values, such as the recovery modes or the default 10 second countdown. Once done, run update-grub to reflect the changes in /boot/grub/grub.cfg
Optional: Disable Recent Documents list
If you click on "Places" in your panel you will notice a menu item called Recent Documents that lists all recently opened documents. This is tracked through a file called ~/.recently-used.xbel in your home directory. You can disable this feature by creating or editing the file ~/.gtkrc-2.0 in your home directory and adding the following line to it: gtk-recent-files-max-age=0
user@ubuntu:~$ echo gtk-recent-files-max-age=0 >> .gtkrc-2.0
The next time that you restart Ubuntu and open a document, the current list in your document history will clear itself and not re-populate.
Finally, although it should be common sense, make sure to install all of the latest software updates pushed by the update manager.