Ubuntu security isn't difficult: Hardening your Ubuntu installation is usually a straight forward process. Yet sometimes in our haste, we forget to address important security measures early on. In this article I'll share my essential Ubuntu security hardening techniques.
For most Ubuntu users the idea of using an anti-virus on their desktops is a waste of time. The fact is, Linux anti-virus software actually helps to deal with Windows malware threats. This is the best focus for this type of software, despite it also being able to scan for Linux threats.
So if you're networked with a Windows box, using said software is useful as it prevents infect files from being accidentally sent over to a Windows user. Outside of this, it's completely pointless at this point to bother with it. You'd have to manually "share" the infected file and have the Windows user execute the file for it to be a threat. Best bet is to let the Windows user run the software and leave the security suites to the Windows fans.
The truth is, you're far more likely to run into trouble by running commands or bash scripts you don't understand. And for obvious reasons a Linux anti-virus software isn't going to protect you in this area.
If you truly want to keep your Ubuntu installation safe from harm, mind your ports. This means taking the time to run sudo ufw status verbose in order to see if your computer is protected from outside attacks. Chances are your computer will report back with Status: inactiveand that's dangerous.
It’s important to make sure ufw is set to block any ports that aren't being used on a regular basis. Some common ports you would want to allow access to (and this varies from user to user) include ports for email, web browsing and application-specific needs.
Even something like SSH (Secure Shell) can be exploited because the default port is being used and root is accessible via password authentication. And while merely changing the default port to common applications isn't a solution by itself, doing so with SSH and using secure keys helps protect access to your computer. To further secure your computer, do an audit of which users are authorized to use SSH. If you're seeing an increase in brute forced attacks, I'd also recommend increasing your key strength just to be safe.
The idea behind setting up your firewall to block unwanted connections is simple commonsense. If an application or protocol doesn't have a good reason to be connected, then it's best to play it safe and block that connection.
It's a common assumption that if we have a NAT router that we're secure enough. And while it does offer a layer of protection, adding to that protection ensures you're not going to end up dealing with a great risk. Whether that risk is due to an open port or worse or an unchecked vulnerability.
Let this following statement sink in for a second. You're running a powerful free operating system. In addition to being awesome, it also provides you with a lifetime supply of security updates at no cost whatsoever. The only price you'll ever pay is failing to update your system with these updates.
Included with Ubuntu updates are critical security patches. These security patches are designed to address vulnerabilities in the code running on your computer. By ignoring these updates and not patching your system, you're unnecessarily exposing yourself and potentially others to harmful intent should you fall victim to an unpatched exploit.
Now I realize the above paragraph sounds scary and perhaps even a little over the top. After all, the common belief is that a desktop won't ever see the number of IP address specific visits that a server would. So I go back to my previous point about securing your ports. Because a malicious user or script can use software to look for a way in and test the waters to see if an exploit is possible – desktop or server. Remember, keeping up with your updates is one of the easiest ways to harden your Ubuntu installation.
It's my opinion that your web browser is the single greatest threat to your Ubuntu installation out there. Your browser is a portal to all sorts of random stuff. From discovering a "new command" for speeding up your installation (thus breaking something) to installing some random deb packages.
Then there is the matter of browser extensions. Ask yourself this: how well did you research the extensions for your browser?
Even known-to-be-safe browser extensions can be sold off to others, only to have goodness knows what added to the code. Take this example into consideration. Here's someone who believes – based on some fairly extensive work – that he might be dealing with a malicious extension in his browser. Luckily this is an issue that is showing itself fairly easily with strange page redirects.
Thankfully these days, Firefox recently implemented extension signing. It's critical to remember that installing extensions from random websites is just asking for trouble. To fully harden your browsing experience you could opt to forgo all non-open source extensions entirely.
There was a time when running Java in your browser was as common as running Flash is today. These days Java isn't really a threat to anyone using a desktop operating system. It's actually a very commonly used programming language used in a multitude of cross platform operations.
But it's important to point out that, like anything run in a command line or through an unverified software package, a random Java download isn't something I'd consider secure.
The good news is most malware coming from a rogue Java download is going to be junk: such as product key generators found on file sharing websites. Simply by avoiding these types of shady practices you are fairly certain to never need concern yourself with Java specific malware.
There are a lot of awesome (and safe) applications such as JBidwatcher that run on Java code. And Java, while bloated, isn't dangerous on its own. It's the intention of its designer that is the real threat. Java is a decent programming language for those looking to program once and make their software usable cross platform.
The last item I wanted to touch on is phishing. Sadly, it's very difficult to harden your system from phishing attacks. This is where observing best practices is going to be your best play.
For the tech savvy, this isn't something you'll likely have to worry about….or will you? How many of you click upon random links shared in social media? How many times did you click on links using url shorteners? If you did the latter, you're absolutely exposing yourself to potential phishing schemes.
Let me give you an example. You click a link, it flashes for a moment and suddenly you're on what appears to be your Facebook login. Without thinking, you assume Facebook timed out and you simply need to login again. Wrong – you just fell for a classic social media phishing scheme. Now I used Facebook as an example, as it's incredibly commonly used. While most Linux users would never fail for phishing schemes via email, the same isn't true when it comes to social media.
My advice if you want to harden your Ubuntu install is to be wary when clicking any link on any page. Obviously you're going to click them – that's how the Internet works after all. But if you're suddenly presented with a request to re-login again to the service you were using – stop. Close the browser and browse to the site in question manually to see if you need to login. This might seem heavy-handed, but you'll find you're in a far better position than those who don't give this a second thought.
We often hear about hardening our software or our operating systems. But far too often, the real exploit waiting to be activated is our own ignorance. Install your Ubuntu updates, close unused ports, install software from TRUSTED sources and use common sense when logging into websites.
Follow these simple rules and you'll find that your Ubuntu installation will become much more secure with your future efforts.
Photo courtesy of Shutterstock.