Tag Archives: Ubuntu

Let’s Encrypt with Apache on Ubuntu

Clone the Let’s Encrypt repository
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Access the letsencrypt directory
cd /opt/letsencrypt

Auto install all dependencies

sudo -i
cd /opt/letsencrypt
./letsencrypt-auto

Generate certificates for your domains

Execute the interactive installation and obtain a certificate for each domain.

./letsencrypt-auto certonly --webroot -w /var/www/faix/wordpress/ -d faix.cz -d www.faix.cz
./letsencrypt-auto certonly --webroot -w /var/www/zviretnik/wordpress/ -d zviretnik.eu -d www.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/owncloud/ -d owncloud.zviretnik.eu -d cloud.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/faix/wordpress/ -d faix.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/sikora/Gallery/ -d sikora.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/silhavy/gallery/ -d silhavy.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/martinek/ -d martinek.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/smrtak/gallery/ -d smrtak.zviretnik.eu

The first time, you will be asked to provide an email address for lost key recovery and notices.

You can find the generated certificate files at:
/etc/letsencrypt/live/SITE.NAME/fullchain.pem

Certificate Auto Renewal

Edit the crontab to create a new job that will run this command every week.

crontab -e

00 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

Apache SSL configuration

/etc/apache2/sites-available/00zviretnik-ssl

SSLCertificateFile /etc/letsencrypt/live/zviretnik.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zviretnik.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/zviretnik.eu/chain.pem

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH:!EXP:!SRP:!DSS:!LOW;
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCompression off

Update Let’s Encrypt Client

cd /opt/letsencrypt
sudo git pull

How to setup OpenVPN with bridging on Ubuntu 12.04

https://help.ubuntu.com/12.04/serverguide/openvpn.html
http://ubuntuguide.org/wiki/OpenVPN_server

# Set up your router to forward port 1194 to the OpenVPN server, or place the server in the DMZ (all incoming traffic is forwarded to the OpenVPN server)

# install OpenVPN and bridge utilities
apt-get -y install openvpn bridge-utils

# setup bridge br0 interface and modify primary interface eth0 (assign eth0 IP address to br0 interface)
/etc/network/interfaces

auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

auto br0
iface br0 inet static
bridge_ports eth0 tap0
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.138
dns-nameservers 8.8.8.8 8.8.4.4

Restart networking:
service networking restart

# Allow NAT using ufw as firewall
http://blog.philippklaus.de/2010/09/openvpn/
/etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

In /etc/ufw/sysctl.conf uncomment

net.ipv4.ip_forward=1

Restart the firewall:
ufw disable && sudo ufw enable

# Create certificates

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="CZ"
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG="Company name"
export KEY_EMAIL="my@email.cz"
export KEY_CN=openvpn-server
export KEY_NAME="OpenVPN Server"
export KEY_OU=""
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# CA

cd /etc/openvpn/easy-rsa/

# whichopensslcnf was broken so I had to hard code:
# export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
# or cp openssl-1.0.0.cnf openssl.cnf
source vars
./clean-all
./build-ca

# server certs

./build-key-server server
./build-dh
cd keys/
cp server.crt server.key ca.crt dh1024.pem /etc/openvpn/

# client certs

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

# copy the following files to the client using a secure method:
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

# server config

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

/etc/openvpn/server.conf
local 10.0.0.100
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
# router ip, netmask, first assigned IP, last assigned IP to client
server-bridge 10.0.0.138 255.255.255.0 10.0.0.90 10.0.0.99
push "route 10.0.0.0 255.255.255.0"
up "/etc/openvpn/up.sh br0 eth0"
keepalive 10 120
comp-lzo
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
mute 20
script-security 2

/etc/openvpn/up.sh

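#!/bin/sh
# Called by OpenVPN as: up.sh br0 eth0 <tap device> ...
# (OpenVPN appends the TAP device name after the arguments given in server.conf)

BR=$1
ETHDEV=$2
TAPDEV=$3

# bring the TAP device up and attach it to the bridge
/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif "$BR" "$TAPDEV"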

chmod 755 /etc/openvpn/up.sh

# client config
# install OpenVPN client on Linux/Windows/OSX
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/user/openvpn/client.conf
/home/user/openvpn/client.conf

client
dev tap
proto udp
remote YOUR.SERVER.IP 1194
# if needed, adjust path to following certificates
ca ca.crt
cert client1.crt
key client1.key
;tls-auth ta.key 1
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;ns-cert-type server
comp-lzo
verb 3

# install and configure ufw

apt-get -y install ufw
ufw allow 1194

Don’t forget to allow ssh port 22 if you need it!

# start openvpn on the server
service openvpn start

# Check bridge status
Both interfaces eth0 and tap0 should be part of the br0.
brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.000e2eac3d6a       no              eth0
                                                        tap0

# install the client.conf and keys on the client, and connect!

Repair splash screen of Ubuntu or Linux Mint

Quick Tip: Fix for Ugly Plymouth themes in Ubuntu / Mint
http://www.ubuntugeek.com/quick-tipplymouth-themes-in-ubuntu-10-04-lucid-lynx.html

Quick tip for those having trouble with their splash screens in Ubuntu / Mint.

To change the default splash screen:

sudo update-alternatives --config default.plymouth
sudo update-initramfs -u

To fix the delayed loading of the splash:

sudo -s
echo FRAMEBUFFER=y >>/etc/initramfs-tools/conf.d/splash
update-initramfs -u

Installing WordPress on Ubuntu

http://www.ubuntugeek.com/installing-wordpress-3-0-on-ubuntu-10-04-lucid-lynx.html

Installation
apt-get install apache2 libapache2-mod-php5 mysql-server php5-mysql php5-curl php5-gd libssh2-php

cd /var/www/
wget http://wordpress.org/latest.tar.gz
tar -zxvf latest.tar.gz
ls -la
chown -R www-data:www-data wordpress
rm -f latest.tar.gz

Apache
/etc/apache2/sites-available/wordpress.conf

<VirtualHost *:80>
        ServerAdmin my@email.com
        ServerName www.example.org
        ServerAlias example.org
        DocumentRoot /var/www/wordpress

        Redirect permanent / https://www.example.org/

        ErrorLog /var/log/apache2/example.org-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/example.org-access.log combined
</VirtualHost>

/etc/apache2/sites-available/wordpress-ssl.conf

<VirtualHost *:443>
        ServerAdmin my@email.com
        ServerName www.example.org
        ServerAlias example.org
        DocumentRoot /var/www/wordpress/

        <Directory /var/www/wordpress>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
                DirectoryIndex index.php
        </Directory>

        Alias /wordpress /var/www/wordpress

        ErrorLog /var/log/apache2/example.org-ssl-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/example.org-ssl-access.log combined

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/ssl/example.org.cer
        SSLCertificateKeyFile /etc/ssl/private/example.org.key
        SSLCertificateChainFile /etc/ssl/startssl.sub2.ca.pem
        SSLCACertificateFile /etc/ssl/startssl.root.cs.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        CustomLog /var/log/apache2/example.org-ssl-request.log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

/var/www/wordpress/.htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Activate both new sites and modules:

a2ensite wordpress wordpress-ssl
a2enmod ssl rewrite headers
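
Added example (not part of the original notes): a shell lint that reads Apache configuration on stdin and flags legacy protocols and cipher classes left enabled by the SSLProtocol and SSLCipherSuite lines of the two SSL vhosts on this page (the Let's Encrypt one and wordpress-ssl.conf). The function name, the sample variables, the stricter comparison pair and the choice of what counts as weak (SSLv3, TLSv1/TLSv1.1, RC4, 3DES) are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint SSLProtocol / SSLCipherSuite directives.
# Reads Apache config text on stdin and prints one finding per line.
# Assumption: "weak" means SSLv3, TLSv1/TLSv1.1, RC4 and 3DES.

audit_apache_tls() {
    awk '
    function report(msg) { printf "line %d: %s\n", NR, msg }

    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines

    tolower($1) == "sslprotocol" {
        sslv3 = 0; tls10 = 0; tls11 = 0
        for (i = 2; i <= NF; i++) {
            tok = tolower($i); on = 1         # a bare token enables a protocol
            if (tok ~ /^[+-]/) { on = (substr(tok, 1, 1) == "+"); tok = substr(tok, 2) }
            if (tok == "all")     { sslv3 = on; tls10 = on; tls11 = on }
            if (tok == "sslv3")   sslv3 = on
            if (tok == "tlsv1")   tls10 = on
            if (tok == "tlsv1.1") tls11 = on
        }
        if (sslv3)          report("SSLProtocol does not exclude SSLv3")
        if (tls10 || tls11) report("SSLProtocol does not exclude TLSv1/TLSv1.1")
    }

    tolower($1) == "sslciphersuite" {
        rc4 = 0; des3 = 0; no_rc4 = 0; no_des3 = 0
        n = split($2, c, ":")
        for (i = 1; i <= n; i++) {
            tok = toupper(c[i])
            if (tok == "!RC4")  no_rc4 = 1    # "!" removes a class permanently
            if (tok == "!3DES") no_des3 = 1
            if (tok ~ /^[!+-]/) continue      # !, - and + never add suites
            if (tok == "ALL" || tok ~ /RC4/)           rc4 = 1
            if (tok == "ALL" || tok ~ /3DES|DES-CBC3/) des3 = 1
        }
        if (rc4 && !no_rc4)   report("SSLCipherSuite does not exclude RC4")
        if (des3 && !no_des3) report("SSLCipherSuite does not exclude 3DES")
    }'
}

# Constructed samples: the two directive pairs shown on this page, plus a
# stricter pair for comparison (the stricter pair is an assumption).
LE_VHOST='SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH:!EXP:!SRP:!DSS:!LOW'
WP_VHOST='        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM'
STRICT_VHOST='SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EECDH+CHACHA20:!aNULL:!eNULL:!RC4:!3DES'

for name in LE_VHOST WP_VHOST STRICT_VHOST; do
    eval "cfg=\$$name"
    echo "== $name"
    printf '%s\n' "$cfg" | audit_apache_tls
done
```

To check a real vhost, run it as: audit_apache_tls < /etc/apache2/sites-available/wordpress-ssl.conf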

MySQL

mysql -u root -p
SHOW DATABASES;
SELECT User FROM mysql.user;
DROP DATABASE drupal6;
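-- string values take single quotes; backticks are only for identifiers
DELETE FROM mysql.user WHERE User='drupal6';
CREATE DATABASE `wp_db`;
-- create the account with the same host part that the GRANT below uses
CREATE USER 'wp_user'@'localhost';
SET PASSWORD FOR 'wp_user'@'localhost' = PASSWORD('mysecretpassword');
GRANT ALL PRIVILEGES ON `wp_db`.* TO 'wp_user'@'localhost' IDENTIFIED BY 'mysecretpassword';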
FLUSH PRIVILEGES;
EXIT
rm -f ~/.mysql_history

service mysql restart

Configuration

cd /var/www/wordpress
cp wp-config-sample.php wp-config.php
chown www-data:www-data wp-config.php

/var/www/wordpress/wp-config.php

    DB_NAME: Database Name used by WordPress
    DB_USER: Username used to access Database
    DB_PASSWORD: Password used by Username to access Database
    DB_HOST: The hostname of your Database Server

https://api.wordpress.org/secret-key/1.1/salt/

    AUTH_KEY
    SECURE_AUTH_KEY
    LOGGED_IN_KEY
    NONCE_KEY

service apache2 restart

http://your.domain/wp-admin/install.php

Installation of new computer

Installation

Installation of new computer (Debian Testing)
Installation images (Debian Testing)
Installation images AMD64 (STABLE / unofficial / non-free / including-firmware)
Installation images AMD64 (TESTING / unofficial / non-free / including-firmware)

Create installation USB:
dd if=firmware-9.3.0-amd64-netinst.iso of=/dev/sdX
During installation, do NOT fill in the root password; the root account will then be disabled and the new user will be a member of the sudo group.

New disk partitions:

/
/home
/opt

/etc/fstab

/dev/sda1 / ext4 errors=remount-ro 0 1
/dev/sda2 /home ext4 defaults 0 2
/dev/sda5 /opt ext4 defaults 0 2
192.168.122.1:/disk /disk nfs rw,rsize=8192,wsize=8192,timeo=14,intr   0  1

Skeleton:
/etc/default/useradd

HOME=/home
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

Users:

useradd -G users username
usermod -a -G users username

Sudo:
visudo
Add or modify the following line.

%sudo ALL=(ALL) NOPASSWD:ALL

Firmware:
apt-get install firmware-linux-free firmware-linux-nonfree firmware-iwlwifi

Multimedia:
apt-get install deb-multimedia-keyring

XFCE + Web browser:
apt-get install xorg lightdm xfce4 iceweasel iceweasel-l10n-cs gksu

XFCE tools:
apt-get install network-manager-gnome ttf-mscorefonts-installer unrar flashplayer-mozilla openjdk-7-jre icedtea-7-plugin

System core tools:
apt-get install apt-utils adduser sudo aptitude base-files bash coreutils cups-bsd debconf findutils grep grub-pc gzip hostname ifupdown iptables iproute less lsof menu locales netbase passwd portmap tar time mtr-tiny wget curl ncdu whois hwinfo traceroute logrotate lshw lsof postfix gnupg dirmngr procinfo inxi apt-transport-https

Optional core tools:
apt-get install ntp vim nmap htop iotop iftop iptraf acpid eject screen usbutils pciutils ethtool cryptsetup openssh-server lshw ufw ipcalc mc parted hddtemp smartmontools numlockx rsyslog lm-sensors links logrotate pm-utils speedometer sysv-rc-conf bsdutils btrfs-tools fuse-utils hddtemp hdparm smbclient cups-client atop fsarchiver sysstat logwatch fail2ban mutt needrestart

Basic operator tools:
apt-get install p7zip gnome-system-monitor libreoffice-bundled brasero deluge cheese vlc gnome-mplayer totem pidgin guake openvpn baobab epiphany-browser tsclient libwebcam0 gnome-disk-utility network-manager-openvpn-gnome libwebcam0 rdesktop gimp

HP printer dependencies:
apt-get install cups cups-client cups-bsd system-config-printer hplip printer-driver-hpijs foomatic-db-compressed-ppds printer-driver-hpcups

Non-free tools:
apt-get install flashplayer-chromium flashplayer-mozilla

Virtual box dependencies:
apt-get install fakeroot linux-headers-$(uname -r) busybox initramfs-tools gcc cpp dkms binutils make

Java dependencies:
apt-get install java-common openjdk-9-jre

HP LIP Debug:
apt-get install libcups2 cups libcups2-dev cups-bsd cups-client libcupsimage2-dev libdbus-1-dev build-essential ghostscript openssl libjpeg-turbo8-dev libsnmp-dev libtool libusb-dev python-imaging policykit-1 policykit-1-gnome python-qt4 python-qt4-dbus python-dbus python-gobject python-dev python-notify python python-reportlab libsane libsane-dev sane-utils xsane

Optional international fonts:
apt-get install xfonts-thai

Configuration

Skype:
https://wiki.debian.org/skype

dpkg -s apt-transport-https > /dev/null || bash -c "sudo apt-get update; sudo apt-get install apt-transport-https libappindicator1 -y"
echo "deb [arch=amd64] https://repo.skype.com/deb stable main" | sudo tee /etc/apt/sources.list.d/skypeforlinux.list
sudo apt-get update && sudo apt-get install skypeforlinux -y 

Logwatch:
mkdir /var/cache/logwatch
/usr/share/logwatch/default.conf/logwatch.conf

Detail = High

Locales:
(Debian)
/etc/locale.gen
(Ubuntu)
/var/lib/locales/supported.d/local

cs_CZ.UTF-8 UTF-8
en_US.UTF-8 UTF-8

/etc/default/locale

LANG="en_US.UTF-8"
LANGUAGE="en_US.UTF-8"
LC_TIME="cs_CZ.UTF-8"
LC_NUMERIC="cs_CZ.UTF-8"
LC_MONETARY="cs_CZ.UTF-8"
LC_PAPER="cs_CZ.UTF-8"
LC_NAME="cs_CZ.UTF-8"
LC_ADDRESS="cs_CZ.UTF-8"
LC_TELEPHONE="cs_CZ.UTF-8"
LC_MEASUREMENT="cs_CZ.UTF-8"
LC_IDENTIFICATION="cs_CZ.UTF-8"

locale-gen

Timezone:
/etc/timezone

Europe/Prague
dpkg-reconfigure tzdata

NTP:
/etc/ntp.conf

server tik.cesnet.cz
server tak.cesnet.cz
service ntp restart

Postfix:
/etc/postfix/main.cf
/etc/aliases

SSH – restore keys:
/etc/ssh/
sshd_config ssh_host_dsa_key.pub ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key

UFW rules:
copy from backup /lib/ufw/user.rules

Autologin:
/etc/lightdm/lightdm.conf
autologin-user=username

Multisystem:

deb http://liveusb.info/multisystem/depot all main
deb-src http://liveusb.info/multisystem/depot all main

Virtualbox:
deb http://download.virtualbox.org/virtualbox/debian wheezy contrib

Google Talk plugin:
apt-get install google-talkplugin

deb http://dl.google.com/linux/talkplugin/deb/ stable main

Add apt keys:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 54422A4B98AB5139 07DC563D1F41B907 3EE67F3D0FF405B2 A040830F7FAC5991 4E940D7FDD7FB8CC

/etc/apt/sources.list

deb http://ftp.cz.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.cz.debian.org/debian/ stretch main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

deb http://ftp.cz.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.cz.debian.org/debian/ stretch-updates main contrib non-free

deb http://ftp.cz.debian.org/debian/ stretch-backports main contrib non-free
deb-src http://ftp.cz.debian.org/debian/ stretch-backports main contrib non-free

## only for laptops and desktops
# Debian Multimedia repository
deb http://www.deb-multimedia.org/ stretch main non-free
deb-src http://www.deb-multimedia.org/ stretch main

# Linux Mint Debian Edition (LMDE 3) repository is Cindy (older is Betsy)
deb http://mirrors.nic.cz/linuxmint-packages/ cindy main upstream import backport
deb http://extra.linuxmint.com/ betsy main

Notebook tools:
apt-get install cpufreqd

Xfce4-sensors plugin:
chmod u+s /usr/sbin/hddtemp

What to backup

/home/
/root
/usr/local/bin/
/var/spool/cron/
/var/cache/apt/
/var/lib/apt/
/var/lib/mysql
/var/www/
/etc/*
(hostname, passwd, shadow, group, gshadow, fstab, crypttab, sudoers, mailname, aliases, networks, crontab, issue, motd, ssh/*, apt/*, ufw/*, cups/*, ntp.conf, rsnapshot.conf)

/etc/network/interfaces

192.168.122.1 / 255.255.255.224 / 192.168.122.30

/etc/resolv.conf

nameserver 8.8.8.8
nameserver 8.8.4.4

/etc/hosts

127.0.0.1 localhost
192.168.1.30 home-router home-router.local router
192.168.1.1 home-laptop home-laptop.local laptop

Post install configuration

Sensors (sensors-detect)
Postfix
Securing a New Linux Installation (Logwatch, RKHunter, HostsDeny, Fail2Ban)
SmartmonTools (/etc/default/smartmontools, start_smartd=yes)
HDD temp (/etc/default/hddtemp, RUN_DAEMON="true")
CUPS
GRUB
SSH server
UFW firewall
NFS server-client
Aptitude unattended-upgrades
Linux counter
DynDNS client

Repair blank boot splash screen (Ubuntu / Mint):

sudo -s
echo FRAMEBUFFER=y>>/etc/initramfs-tools/conf.d/splash
update-alternatives --config default.plymouth
update-initramfs -u

Change repository source (fast Czech mirror):
/etc/apt/sources.list
deb http://mirrors.nic.cz/linuxmint-packages/ debian main upstream import backport

Clean unused packages:
apt-get autoremove

List of all packages

acpi acpid adduser airport-utils and apt apt-utils aptitude at aufs-tools autoconf automake avahi-utils baobab base-files base-passwd bash bind9-host bleachbit brasero bsd-mailx bsdmainutils bsdutils btrfs-tools busybox bzip2 cabextract cheese chromium chromium-l10n cli-common coreutils cpio cron cryptsetup cups-pdf curl dash dconf-tools debconf debian-archive-keyring debianutils debootstrap deluge dia diffutils dkms dmidecode dnsutils dpkg duplicity dvd+rw-tools e2fsprogs ed efibootmgr eog fail2ban fetchmail file findutils fonts-liberation fonts-thai-tlwg foomatic-db-gutenprint fortune-mod fortunes fortunes-cs fortunes-min ftp fsarchiver fusesmb fuseiso gedit gettext-base ghostscript-x git gksu gnupg gparted grep groff-base growisofs gthumb guake gucharmap gufw gvncviewer gzip hello host hostname htop hwinfo iftop ifupdown info initramfs-tools ioping iotop ipcalc iperf iproute iproute2 iptables iptraf iputils-arping iputils-ping iputils-tracepath keyboard-configuration kismet kmod krb5-locales laptop-detect laptop-mode-tools less locales login logrotate logwatch lsb-base lshw lsof ltrace lxc lynx m4 makedev man-db mawk mbr mc memtest86+ menu mime-support mlocate mount mplayer2 mtools mtr-tiny mutt myspell-cs namebench nano nbtscan ncurses-base net-tools netbase netcat-traditional network-manager-openvpn network-manager-openvpn-gnome network-manager-pptp network-manager-pptp-gnome nfs-common nmap ntpdate numlockx openssh-client openvpn p7zip passwd pastebinit patch pciutils perl pidgin pinta pkg-config postfix pppconfig pppoe pppoeconf pptp-linux procinfo procmail procps psensor pulseaudio pulseaudio-utils python rdesktop rdiff-backup readline-common reiser4progs reiserfsprogs rpcbind rsnapshot rsync rsyslog samba screen sed smartmontools sshfs strace sudo syslinux syslinux-common sysstat sysv-rc-conf tar tcpdump telnet texinfo time traceroute ttf-freefont tzdata ucf udev ufw unattended-upgrades unicode-screensaver unrar unshield update-notifier usbutils user-setup 
util-linux uuid-runtime vim vim-common vim-tiny vinagre vino vnc4server w3m wavemon wget whois winetricks wireshark wodim xchat xclip xfce4-screenshooter-plugin xinput xrdp xtightvncviewer xtrans-dev xvnc4viewer zip

Ubuntu Security

In an effort to reduce the number of stickies, this sticky is what I consider “the basics” and if you are new to Security on Ubuntu / Linux you should start with this thread.

Additional security related threads would include:

Introduction to AppArmor – This thread will get you started using Apparmor.

Host-based Intrusion Detection Systems (HIDS) – This thread will introduce you to monitoring your system for unauthorized access / system changes.

Network Intrusion Detection Systems (Snort) – This thread will introduce you to network monitoring options.

If anyone is interested in helping maintain this information or has feedback / changes / updates / or other suggestions please send me a PM on these forums ~ bodhi.zazen

I am writing this guide as a concerned member of the Ubuntu Community. Security is a concern for us all and in welcoming new (and experienced) users to Ubuntu I would like to demystify the complexities of security that come with your new OS.

Disclaimer : I am not an expert in security. This document is intended as a security overview for new users. This thread is not intended as an all inclusive how-to or discuss the merits of any particular security measure. I offer no guarantee that by running Ubuntu with any or all of these suggestions your security will be foolproof or that you will never be cracked.

I would like to direct any general security discussions to the Servers & Security and any comments on this introductory sticky here.

I would like to thank the Ubuntu Staff, especially jdong and compiledkernel for their review and suggestions.

The two most common cracks posted on these forums are ssh and vnc, both running with password authentication.

If you wish to run these services, please secure them.

Introduction : Security is an ongoing process and, like an onion, it has layers and stinks. The best defense you have is to read and learn how to secure your OS.

Alas, there is no single action you can take to achieve absolute security (the only safe computer is one that is turned off, disconnected from the Internet, and in a locked vault) and security concerns and “ease of use” are sometimes competing concerns.

Clarification of terms:

The “Windows Mindset” is intended as exactly that. I assume most new users are coming from Windows and the issues under this section are both most familiar to them and areas of FAQ on the forums (how often do we see questions from the “Ubuntu Mindset” on ABT?).

The “Ubuntu Mindset” is thus likely new information for most new users.

Those divisions/titles are intended to divide security information into familiar/unfamiliar territory (assuming the reader comes from a Windows background) or to lighten up an otherwise dry topic. Specifically it is my intention that the “Windows mindset” will help users new to Linux (Ubuntu) feel more at home by starting with familiar themes. These titles or divisions are certainly not intended to convey more or less importance to any particular issue, those decisions I leave for “self determination”.

Summary: There is no such thing as “security in a box ™”. Information security is an active job — it is not installing some product on the system and sitting back and relaxing.

The good news ~ Ubuntu (Linux) is fairly secure “out of the box”.

How to proceed: Prepare to read, read, read … do not expect to get through this document in one session.

Contents:

1. Intro

Basics

2. Windows mindset

Antivirus

Wine

Firewall

Adware

3. Ubuntu mindset

Permissions and Encryption

GPG

Truecrypt

Installation into an Encrypted Partition

Root kits

Intrusion detection

compiledkernel’s suggested applications

Secure servers

Hardened kernels

Logs

How to perform a hardened installation

Screening your system for potential security holes

4. Forensics

5. References

Basics

This advice is fairly generic and applies to almost any OS. These simple steps offer a solid foundation that you should be able to implement almost immediately.

  • Enforce strong passwords http://en.wikipedia.org/wiki/Password_strength
  • In general, do not write your passwords down, and if you must, keep them in a secure place (Do not put them on a sticky note attached to your monitor for example).
  • Limit root access (Do not log in or run programs as root). Ubuntu accomplishes this by locking the root account and the use of sudo.
  • Physical access (physical access = big security hole). Physical access allows root access to your system (via a live CD if necessary).
  • Do not install software or add repositories from untrusted sources (See also “Social engineering” below).
    • This includes running scripts that modify your /etc/apt/sources.list. Take care not to let the “need” to run the newest/latest/greatest compromise security.
  • Likewise, do not run code or enter commands into the terminal from untrusted sources. If you are unsure of what a command might do best do a google search first.
  • Keep your system up to date. Updates, particularly security updates, bring you the newest and latest fixes.
  • If you run a server, it is your responsibility to learn how to secure it.

Psychocats ~ Security on Ubuntu

Thanks to Johan! for the advice on 3rd party repos

Note: Social Engineering. Click here for more information.

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

~ Quote from Wikipedia

The Windows Mindset

If you are coming from a Windows background you are used to terms like antivirus, spyware, and firewalls. Linux is different and these are not as important. They are discussed first because these are FAQ on the forums. Unfortunately, it is sometimes difficult for new users to wade through some of the FUD (some of which is produced by anti-virus companies) …

Viruses

The fact of the matter is: viruses/worms take advantage of flaws or holes in the code. At the time of this writing, there are no significant Linux viruses “in the wild”. Linux boxes are no less targets than any other OS, many of the large (ie valuable) Internet sites run on *nix so there is no lack of motivation to crack into *nix.

Do not believe the suggestion that the Linux community is complacent or “behind the times” in terms of viruses, or any other security issue. Linux developers have not “ignored” viruses, rather the OS is built to be highly resistant to them and since the code is “Open” there are literally thousands of eyes watching …

This is an example of what it would take to install malware on an Ubuntu box :

Install evilmalware

(Don’t worry, that link will NOT install anything )

For the most part, Linux anti-virus programs scan for Windows viruses which do not run on Linux. There are increasing reports, however, that Windows malware may run in wine, as such I added a section reviewing what I feel you should know about security if you choose to install and run wine (see below).

Please understand, anti-virus programs, and in fact most HIDS, are “reactive” in that they can only protect you from known viruses. They can only protect you against malware after it is developed and incorporated into HIDS, not before. Furthermore the “fix” will be to close any hole(s) in the code, these fixes will be available through security updates (which are more frequent in Linux than your previous OS if you are coming from Windows).

Reasons AGAINST antivirus on Ubuntu:

  1. They scan primarily for Windows viruses.
  2. There is a high rate of false positives.
  3. Isolation/inoculation is poor.
  4. And currently there are no known active Linux viruses (so there is essentially nothing to detect).

Reasons FOR antivirus on Ubuntu:

  • You are running a file or mail server with Windows clients.
  • You wish to scan files before transferring them, by email, flash drive, etc., to a Windows machine.

Running antivirus can make some sense if you are intending to “protect” Windows users, however, IMO, for a variety of reasons, it is best if Windows users learn to protect themselves.

Note: There have been many documented cases in Windows and Linux that a buffer overflow in an antivirus product has been an attack vector!

If you would like to run an antivirus program on Ubuntu you have several choices :

A few comments on wine

Discussions about running Windows viruses on wine crop up from time to time and it is possible to run some Windows viruses on wine.

See these links :

So what do you need to know about Windows viruses if you want to run wine?

1. First, the “golden rule” : DO NOT RUN WINE AS ROOT. If you are NOT running wine as root then wine will not have the necessary permissions to affect system files.

2. So, if you are running wine as a user, a Windows virus will be confined to your home directory.

3. You can further confine the “fake c drive” located at ~/.wine if you remove any symbolic links outside ~/.wine. With a default installation / configuration of wine there is one such link :

  • ~/.wine/dosdevices/z: -> links to /

A link from ~/.wine/dosdevices to the root directory ( / ) should concern you for obvious reasons.

You can remove it with :

Code:

unlink ~/.wine/dosdevices/z:

Do not worry, that command will not affect wine at all, I run it all the time

You may need to make a link in ~/.wine/dosdevices to your cdrom and/or you may be tempted to link to your home directory, but I advise against keeping these links (beyond the time needed for actually installing applications).

I advise against any links to removable devices (it should not be *that* difficult to copy files needed to the appropriate location in ~/.wine/drive_c ).

4. Consider running an antivirus program and scanning ~/.wine and any removable devices or other locations you use outside of ~/.wine to store programs or data to be used with wine. Scan any data / applications you use with Windows.

5. Consider confining wine with Apparmor.

6. Be sure to file a bug report with the wine project as they have a very active security team (it is unrealistic, however, to expect the wine team to be able to protect you from all Windows viruses all the time). Wine Bug Reports

7. Take the same precautions with wine as you would with Windows. Do not install untrusted applications from untrusted sources.

If you follow the above advice, Windows viruses will be confined to ~/.wine and they do not have permission to change system files. This means to remove them you simply:

Code:

rm -rf ~/.wine

Please take care, this command deletes everything in your wine directory including all data and all applications.

You then need to restore your wine directory from a known good backup (you do keep backups ?).
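
Added example (not part of the original guide): a shell check for the dosdevices advice in point 3 above. It lists every link in a wine prefix's dosdevices directory that resolves outside the prefix, so you can see what is left after the unlink. The function names and the sample prefix are assumptions of this example; it relies on readlink -f from GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example: report dosdevices links that resolve outside the wine prefix.
# Usage: wine_outside_links [PREFIX]     (PREFIX defaults to ~/.wine)

wine_outside_links() {
    prefix=$(readlink -f "${1:-$HOME/.wine}") || return 2
    for link in "$prefix"/dosdevices/*; do
        [ -L "$link" ] || continue                 # only symlinks matter
        target=$(readlink -f "$link") || target="(unresolvable)"
        case "$target/" in
            "$prefix"/*) ;;                        # resolves inside the prefix
            *) printf '%s -> %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# Constructed prefix holding the two default links, c: and z:.
make_sample_prefix() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/drive_c" "$d/dosdevices"
    ln -s ../drive_c "$d/dosdevices/c:"
    ln -s / "$d/dosdevices/z:"
    printf '%s\n' "$d"
}

sample=$(make_sample_prefix)
echo "before unlink:"; wine_outside_links "$sample"
unlink "$sample/dosdevices/z:"
echo "after unlink:";  wine_outside_links "$sample"
rm -rf "$sample"
```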

Firewall

Edit: I posted a series of 3 blogs introducing firewall configuration :

GUFW (gui)

UFW – Desktops

UFW – Servers

Discussions about firewalls often are passionate (just search the Ubuntu forums). By default, Ubuntu includes a firewall, iptables, but by default nothing is engaged. This is reasonable as a default Ubuntu install opens zero ports to the outside world, so a firewall is redundant. However, installing “server software” will cause ports to open, so some people like to use a firewall as a catch-all layer to find mistakes in their configuration.

Another use for firewalls is for the administrator to forcibly impose network policies on the user. For example, users may not talk to example.com, open up a listening port for remote connections, and so on.

Also, a periodic audit of the system for open ports is a good practice. For example, running the “nmap” command from another machine, or using one of many online port scanners:

http://nmap-online.com/

https://www.grc.com/x/ne.dll?bh0bkyd2

Remember, what you care about are open ports. Closed ports and stealth ports are equally secure, in that they are inaccessible to the public.
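
Added example (not part of the original guide): a local complement to the external port scan described above. It reads the output of ss -tln on stdin and prints the port and bind address of every TCP listener that is not bound to loopback only. The function name and the sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example: list TCP listeners reachable from other hosts.
# Input: output of `ss -tln`; output: "port address", sorted by port.

exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4                              # e.g. 0.0.0.0:22, [::]:80, *:443
        port = addr; sub(/.*:/, "", port)      # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next   # loopback only, skip
        print port, host
    }' | sort -n
}

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     127.0.0.53%lo:53    0.0.0.0:*
LISTEN  0       511     *:443               *:*
LISTEN  0       511     [::]:80             [::]:*
LISTEN  0       5       [::1]:631           [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On a live system: ss -tln | exposed_listeners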

Iptables references :

update: I wrote an iptables reference here : bodhi’s iptables primer.

The “problem” with iptables is that it is not particularly friendly to new users. Fortunately, there are several more user friendly interfaces available to allow you to manipulate your firewall (UFW, Firestarter, and Guarddog) :

A source of confusion sometimes occurs when users feel the need to be running Firestarter/Guarddog for their firewall to be active. This is untrue! Keep in mind that these applications are not firewalls, but rather configuration tools for iptables. These applications should be run only to configure your firewall. Once configured, iptables (the actual firewall) is active (at boot) without having to run Firestarter/Guarddog. Firestarter will monitor traffic, but it runs as root and there are better monitoring programs, so configure your firewall, shut down Firestarter/Guarddog, and let iptables do the rest.
Browser / Spyware : Java/Flash/Ad-ware/Trackers/Cookies

This is where most users will have the most risk. We all want Java/Flash, but our Internet browser opens us to attacks.

I advise :

  1. Deny all cookies and add trusted sites, allowing only for session.
  2. Install NoScript. Again block all and add trusted sites to a white list.
  3. Install Safe History
  4. Adblocking : I block with a hosts file rather than Adblock Plus or Adblock Filterset.G because a hosts file protects more than just Firefox.

     

Edit: Thank you Seisen for pointing out that No Script also blocks flash.
See this link for additional information : How to Secure Firefox

 

The Ubuntu Mindset

Permissions and Encryption

The first layer of defense is file permissions. Permissions are used to set access and thus protect both system and user files.

Basic permissions

Ubuntu wiki File Permissions

See also umask at the bottom of that link. The umask value can be set in ~/.bashrc.

To set a “private home”, as a user,

Code:

chmod 700 $HOME

Sharing files in UNIX

Encryption is used as an additional layer of protection. One limit of encryption is that protection is only offered when mounting an encrypted partition (once the partition is mounted it is accessible/crackable just like any other file). The tools included with Ubuntu include GPG, LUKS, and ecryptfs.

GPG

Advanced GnuPG Concepts – Advanced Key Generation

LUKS

LUKS is available as an option on the “alternate” CD.

How to install Ubuntu into an encrypted partition using the Alternate CD

Herman’s guide – Ubuntu Encrypted Flash Memory Installation ~ Thank you Herman

Additional links on LUKS:

Ecryptfs

With ecryptfs you can encrypt your home directory (both desktop and alternate CD as of Ubuntu 9.04 Jaunty), swap, a private directory, or any other directory.

bodhi.zazen’s Ecryptfs tutorial

Truecrypt

http://www.howtoforge.com/truecrypt_data_encryption

Root kits

From http://en.wikipedia.org/wiki/Rootkit :

The term rootkit (also written as root kit) originally referred to a set of recompiled Unix tools such as ps, netstat, w and passwd that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain root access (highest privilege) on the system without the system administrator even seeing them.

The term is no longer restricted to Unix-based operating systems …

Root kit detection:

rkhunter

chkrootkit

Intrusion Detection

Note: Adding an intrusion detection system like Snort, which analyzes network traffic for attack patterns, can potentially introduce additional vulnerabilities. There have been documented examples of vulnerabilities in Snort’s preprocessor that granted hackers Snort user, or even root user, access to the system!

My initial suggestions are OSSEC HIDS and Snort.

See : Ubuntu Forums ~ Intrusion Detection

How to’s:

Compiledkernel’s Suggested Applications

compiledkernel’s suggested applications (Nagios, ntop, and darkstat are in the Ubuntu Repositories, check the home page to see if newer versions are available):

  • Nagios ~ A host and service monitor designed to inform you of network problems.
  • ZenOSS ~ An open source IT monitoring product that delivers the functionality to effectively manage the configuration, health, performance of networks, servers and applications through a single, integrated software package.
  • ntop ~ A network traffic probe that shows the network usage, similar to what the popular top Unix command does.
  • darkstat ~ A packet sniffer that runs as a background process on a cable/DSL router, gathers all sorts of statistics about network usage, and serves them over HTTP.

Running Server(s)

Part of setting up a server is reading/learning how to secure it. Common servers include NFS, Samba, FTP, SSH, VNC, RDP, and HTTP. If the “how-to” you are following does not review security, you need to keep looking … “Desktops” become “Servers” if server software is installed.

Questions to ask yourself include:

  1. What port(s) or services does this software provide?
  2. Who will be able to connect to this? (i.e. is it restricted to a range of IP addresses? Password protected?)
  3. What level of access will the visitor have to the system? (i.e. does the server run under a restricted user, or the root account? What can this restricted user do in a worst case scenario?)
  4. Does this service expose any additional information that’s useful to a hacker? (i.e. does it allow users to transmit their passwords in cleartext? Does it have a ‘statistics’ view that reveals logged-in users, ip addresses, network configuration, or other potentially helpful information?)
  5. What is the security history of this software? Does it have a history of vulnerability and patch after patch? Or has it had a relatively unmarred history?

Examples :

SSH

VNC

Apache
Hardened Kernels

Hardened kernels are modifications to the Linux kernel that add additional security measures. This could include:

  1. The randomization of ports, memory addresses, process IDs, and other information that is typically predictable. This can thwart many types of common attacks.
  2. Identify and prevent buffer overflow attacks from resulting in compromise by killing compromised processes (PaX bundled with grsecurity, or Redhat’s Exec-Shield combined with prelink randomization). Edgy and higher enforce GCC stack protection in most applications, but it is unable to respond to several kinds of attacks that a kernel-layer enforcer could. Likewise, PaX and friends have weaknesses that GCC stack protection helps cover, so the two work great as a duo.
  3. Hiding information that Linux usually allows everyone to see, including all running processes on the system, load averages, CPU info, IP addresses, etc. Obscuring this information can help keep attackers “in the dark” so to speak.
  4. More aggressive enforcement of buffer overflow protection than what Ubuntu’s standard gcc stack protector can do.
  5. Adding additional restrictions on the capabilities of regular users that prevent channels of attack.
  6. Additional permissions systems that allow finer-grained tuning of various aspects of Linux.

These techniques combined have been shown to be very effective in the real world in guarding against unknown attacks. For example, many administrators of hardened kernel servers either report or even prove that their hardened systems were invulnerable to newly discovered security holes, or that the severity of a breach was significantly reduced.

The most common hardened kernel patch is called “grsecurity2” (http://grsecurity.org/), which does everything on this list. This requires, however, that you manually patch and recompile the kernel. SELinux and AppArmor do the “additional permissions systems” part. The basic theory is that by providing finer definitions of permissions than UNIX users and the “chmod” bits, even a successful attack against one service is virtually useless for attacking the rest of the system.

Note: AppArmor is installed by default as of Hardy, Ubuntu 8.04. There are, however, minimal profiles and they are set to complain mode.

AppArmor Links

AppArmor ~ Ubuntu Community Wiki

AppArmor Geeks (OpenSUSE)

bodhizazen’s (and others) AppArmor repository

All of these hardened systems, however, take effort on the administrator’s behalf to implement. They also take a lot of trial-and-error to find the correct balance of user functionality and security restrictions. Tightening the rules too much could cause various applications to stop working, and not tightening them enough could lead to a weaker security setup.

If you run a large multiuser system where you must grant people shell access, or run services that have that unfortunate long history of attacks, then it is highly recommended that you look into setting up a hardened kernel.
Reading the Logs

Learn how to read your system logs and become familiar with “normal” activity. It should go without saying, your first introduction to system logs should *not* be when you suspect your system has been compromised.

You should also be aware that if someone has root access they can alter system logs. This is when it is most helpful to be aware of “normal” activity.

Ubuntu wiki ~ Linux Log Files

There is a package called “logwatch” that e-mails to you the new portions of your log every night. This can help make log reading more enjoyable.
How to perform a hardened installation

This how to will walk you through a hardened install with an encrypted root partition and other goodies.

This is a link to a how to for Debian :

Towards a moderately paranoid Debian laptop setup

You will need to use the “Alternate” install disk.

How to Alternate Install

Thank you to Uwe Hermann for posting a How-to for the moderately paranoid and hermanzone for the How-to with the alternate CD
Screening your system

There is a package, tiger, which will screen your system for potential security holes. While not complete, it may be an excellent place to start (tiger does not check your firewall, for example).

For an overview of tiger see man tiger, scroll to the bottom and you will see a listing and brief description of the tests performed (modules).

Install tiger, john, and chkrootkit by any means:

Code:

sudo apt-get install tiger john chkrootkit

Run tiger from the command line with :

Code:

sudo tiger -H

The -H flag will produce a very nice HTML document.

The command tigexp can be used to explain the results.

$ /usr/sbin/tigexp pass014w
The listed login ID is disabled in some manner (‘*’ in passwd field, etc),
but the login shell for the login ID is a valid shell (from /etc/shells
or the system equivalent). A valid shell can potentially enable the
login ID to continue to be used. The login shell should be changed to
something that doesn’t exist, or to something like /bin/false.

Tiger should give you some ideas on things to research. As always, there can be false positives, so take care not to either panic or blindly make system changes without understanding what you are doing and how to undo your changes (i.e. make backups of system files before you edit them).
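To make the pass014w explanation concrete, here is an added example (not tiger's own code and not from the original post) that reproduces the condition it describes: a login ID whose password is disabled but whose login shell is listed in the shells file. The function names and the sample passwd, shadow and shells contents are constructed; treating a leading ‘*’ or ‘!’ in the password field as "disabled" is this example's assumption.

```shell
#!/bin/sh
# Added example: find login IDs that are disabled but still have a valid shell.
# Usage on a live system (as root, since /etc/shadow is not world-readable):
#   disabled_with_valid_shell /etc/passwd /etc/shadow /etc/shells
disabled_with_valid_shell() {
    passwd_file=$1 shadow_file=$2 shells_file=$3
    awk -F: '
        # First file: the list of valid shells (comments and blanks ignored).
        FILENAME == ARGV[1] { if ($0 !~ /^#/ && $0 != "") valid[$0] = 1; next }
        # Second file: shadow entries whose password field starts with * or !.
        FILENAME == ARGV[2] { if ($2 ~ /^[*!]/) locked[$1] = 1; next }
        # Third file: passwd entries. "x" means the real field is in shadow.
        {
            disabled = ($2 ~ /^[*!]/) || ($2 == "x" && ($1 in locked))
            if (disabled && ($7 in valid)) print $1
        }
    ' "$shells_file" "$shadow_file" "$passwd_file"
}

# Constructed sample data, not taken from a real system.
write_samples() {
    dir=$1
    printf '%s\n' '# valid login shells' /bin/sh /bin/bash > "$dir/shells"
    cat > "$dir/passwd" <<'EOF'
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
olduser:*:1001:1001:Old account:/home/olduser:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
daemon:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
disabled_with_valid_shell "$tmp/passwd" "$tmp/shadow" "$tmp/shells"
rm -rf "$tmp"
```

In the sample, daemon is disabled but already has a non-login shell, and alice has a working password, so neither is reported.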

Forensics

What to do when you think you have been cracked :

  1. Power off.
  2. Disconnect/disable your Internet connectivity.
  3. Now take a deep breath, re-boot, and read the logs. Ask for help if needed, but you really need to confirm that your system has been compromised.
  4. If you have been compromised, and have the time and interest, boot a live CD and image your hard drive. This image can then be used for forensic analysis.
  5. Re-install. Unfortunately, IMHO, there is no way to trust a compromised system.
  6. When you install, be sure to install off line, use a stronger password, and research intrusion detection.

Intrusion References

CERT® Coordination Center (CERT/CC)

CERT® Coordination Center ~ Intruder Detection Checklist

Linux Forensic Analysis Part 1

Linux Forensic Analysis Part 2

Linux Distro listing – Penetration Testing Specific
Whew …
Further Reading:

Ubuntu wiki ~ Security page

Ubuntu wiki ~ Installing Security Tools

UDSF Security Analysis Tools

The Big Ol’ Ubuntu Security Resource

Locking Down Ubuntu

Ubuntu geek ~ Security category

Security references Topics include Basics, firewall, Intrusion detection, Chroot, Forensics/Recovery, and Securing networked services.