
Practical security and privacy for Ubuntu Desktop users.


Practical security & privacy guide for Ubuntu Desktop users.

The document is not a guide yet. Currently it's just a draft with links, snippets & code in no particular order. Whatever I find relevant, I will put below.

```
echo "Updating Packages..."
apt-get -qq -y update
```

* Check what's going on with bugs and the up-to-date version of OpenSSL.

```
echo "Installing OpenSSL..."
rvm package install openssl
```

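```
# execute is a helper that is not defined on this page; it is assumed to run
# the command in its first argument and print the second as a status message.
execute "gsettings set com.canonical.Unity.Lenses remote-content-search 'none'" \
    "Turn off 'Remote Search' so that search terms in Dash do not get sent over the internet"

execute "gsettings set com.canonical.Unity.ApplicationsLens display-available-apps false" \
    "Disable Dash 'More suggestions' section"
```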

```
# install_package is a helper that is not defined on this page; it is assumed
# to take a display name and an apt package name.

# Install tools for compiling/building software from source.

install_package "Build Essential" "build-essential"

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# GnuPG archive keys of the Debian archive.

install_package "GnuPG archive keys" "debian-archive-keyring"

install_package "Chromium" "chromium-browser"

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

install_package "cURL" "curl"
```


Keep your packages upgraded with apt-get update and apt-get upgrade. I believe there is also a tool that sends periodic mail with vulnerable software versions.

Check shellsheck for bash vulnerable software

Look into disposable VMs or sandbox technology for Linux desktop users.

Apparently it's possible to dockerize GUI apps in Ubuntu. Great way to add a layer of security.

https://blog.jessfraz.com/post/docker-containers-on-the-desktop/
http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-docker/

General Tips

  • use monitoring tools. snort?
  • disable unnecessary network services
  • use chrooting / jails for some system services. They are not in jails by default.
  • use log analysis software
  • limit ssh to certain commands
  • web browsers security
  • crypto on local system
  • vpns section
  • use automatic binary integrity checking
  • use BIOS password, boot sequence.
  • Picking a safe password
  • Disabling inetd.d or its services
  • Remove unnecessary packages
  • subscribe to Debian/Ubuntu security mailing list
  • enable Automatic Security Updates
  • Remove root prompt on the kernel
  • Restricting the use of the Magic SysRq key (advanced topic)
  • User login actions: edit /etc/login.defs. You can set password expiration policy here, although I think this is only for people with good discipline. Change DEFAULT_HOME to no. Change SHA_CRYPT_MIN_ROUNDS to 10000 to make brute-forcing more difficult. Start logging successful logins with LOG_OK_LOGINS yes
  • Be careful with log file permissions.
  • Check interesting kernel patches. lids, trustees, selinux, exec-shield, grsecurity
  • Check ext3 specific file attributes. i, a, etc.
  • automatic setuid checks
  • protect against ARP attacks
  • system snapshot? Deepfreeze style?
  • Check into X11 protection
  • Check into using pf for a firewall
  • Check into Bastille Linux for hardening. Apparently it is an automated tool used on Red Hat.
  • How to protect against rootkits
  • Using chattr +i to make certain binaries unmodifiable / immutable. The problem is with system upgrades. Maybe a script that locks and unlocks them.
  • Removing banners for services. Avoid fingerprinting.
  • Blacklisting, whitelisting kernel modules
  • On security limits, prevent coredumps. Only useful for developers
  • On backups.
  • On disk encryption in Ubuntu
  • AppArmor. Kind of sandbox?


  • If you run local servers for testing and development, you should attach them to a specific interface: loopback.

  • Disable rootlogin on ssh

  • Obscure sshd port?

  • Allow only certain users to access the machine via ssh. AllowUsers alex ref me@somewhere. Whitelist

  • You should disable password authentication in favor of public-key authentication

  • Add a warning for legal protection. /etc/some_file

  • Investigate about changing openssl for libressl

  • Limiting file transfers to a specific environment.

  • Fail2Ban

  • Restricting DMESG

  • Look into DNSCrypt

  • Using checksec http://www.trapkit.de/tools/checksec.html

  • Mount /tmp with noexec,nodev,nosuid in RAM.

  • GrSecurity, PaX for improved ASLR https://micahflee.com/2016/01/debian-grsecurity/

  • Talk about sending documents anonymously using OnionShare.

  • Follow the steps on https://fixubuntu.com/

  • Ubuntu hardening script. Interesting to take a look. https://github.com/micahflee/linux_harden

  • torbrowser-launcher

  • Set a Private HOME 700

  • Check security with tiger
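
For the /etc/login.defs tip under General Tips (DEFAULT_HOME, SHA_CRYPT_MIN_ROUNDS, LOG_OK_LOGINS), here is an added example that is not part of the original notes: a small audit that reads a login.defs file and reports which of the three settings match. The function names and the sample file are constructed for illustration; a commented-out line counts as unset.

```shell
#!/usr/bin/env bash
# Added example, not the author's script: audit the three /etc/login.defs
# settings named in the "User login actions" tip.

# login_def FILE KEY: print the effective value of KEY (empty if unset).
# Comment and blank lines are skipped; if a key is repeated, the last
# occurrence is the one reported.
login_def() {
  awk -v key="$2" '
    /^[ \t]*(#|$)/ { next }
    $1 == key      { val = $2 }
    END            { print val }' "$1"
}

# audit_login_defs FILE: print PASS/FAIL per setting; the return status
# is the number of failed checks (0 = all three match the tip).
audit_login_defs() {
  local file="$1" fails=0 v
  v=$(login_def "$file" DEFAULT_HOME)
  if [ "$v" = "no" ]; then echo "PASS DEFAULT_HOME no"
  else echo "FAIL DEFAULT_HOME ${v:-unset}, want no"; fails=$((fails + 1)); fi

  v=$(login_def "$file" SHA_CRYPT_MIN_ROUNDS)
  case "$v" in ''|*[!0-9]*) v="" ;; esac   # unset or non-numeric fails the check
  if [ -n "$v" ] && [ "$v" -ge 10000 ]; then echo "PASS SHA_CRYPT_MIN_ROUNDS $v"
  else echo "FAIL SHA_CRYPT_MIN_ROUNDS ${v:-unset}, want >= 10000"; fails=$((fails + 1)); fi

  v=$(login_def "$file" LOG_OK_LOGINS)
  if [ "$v" = "yes" ]; then echo "PASS LOG_OK_LOGINS yes"
  else echo "FAIL LOG_OK_LOGINS ${v:-unset}, want yes"; fails=$((fails + 1)); fi
  return "$fails"
}

# Constructed sample: the rounds line is commented out, so it counts as unset.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEFAULT_HOME    yes
# SHA_CRYPT_MIN_ROUNDS 10000
LOG_OK_LOGINS   no
EOF
audit_login_defs "$sample" || echo "$? of 3 checks failed"
rm -f "$sample"

# On a real system: audit_login_defs /etc/login.defs
```

SHA_CRYPT_MIN_ROUNDS only has an effect when ENCRYPT_METHOD in the same file is SHA256 or SHA512, so check that setting as well.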