In 2016, keeping your Ubuntu network secure is more important than ever. Despite what some people might think, there's much more to this than merely putting up a router to protect a network. You must also configure each of your PCs properly to ensure you're operating within a secure Ubuntu network. This article will show you how.
Much like avoiding a break-in or a home invasion, absolute Ubuntu network security in most environments is a myth. The best we can hope for is to make it extremely difficult to have your network compromised. In my case, this means protecting an Ubuntu network with as much security as practical.
To be clear, the only way you can achieve 100% network security is to turn off your devices, put them into a safe and never use them again. Why is this? Simple – because most security issues come from our own mistakes. Human error is the number one issue you'll run into with network security in my opinion.
Placing blind trust in any firewall appliance, user "best practices," or "security through obscurity" is just asking for trouble. All it takes is a flash drive, phishing scheme or even a failure to successfully apply a patch and you could be putting your Ubuntu network in danger.
Because there is no silver bullet to keep your network safe, I recommend using all the tools at our disposal. It's also important to verify on a schedule that everything is operating correctly. For myself personally, I usually set up an "audit" day once a month to really drill down on everything. This means checking logs, verifying applied patches and looking for anything out of the ordinary.
Many of you might believe that security for your network starts at your router. I disagree and instead recommend starting your security overhaul on each individual PC on your network. Ubuntu (and other distros), Windows and Mac PCs need to all be locked down as much as possible. In an era of laptops, it's just too easy to take a poorly locked down computer over to a secondary network and expose said laptop to who knows what type of network security.
Because of this, I recommend doing the following with all of your Ubuntu-powered (and other distros) PCs.
If you want to dive deep into securing your system even further, you can also secure your tmp directory, shared memory and even limit the number of allowed services. I do not recommend doing any of these things without fully exploring what misconfiguring each of these things can do to your system. And since most of you are running workstations and not public facing servers, I'd suggest avoiding such things.
Now that we have the Ubuntu PCs locked down, the next step is to make sure all data in transit from these PCs is secure. To do this, I recommend using SSH for remote access to each PC and utilizing SSL whenever possible over the Internet. An example of this would be if you decided to set up a CCTV system using ZoneMinder, but needed to access it remotely over the Internet. My recommendation would be to set up a user-specific SSL certificate. This would allow you to remotely access it with apps such as zmNinja. All traffic between your ZoneMinder Ubuntu PC and the Android phone running zmNinja would be encrypted.
Speaking of accessing Ubuntu PCs over your network, let's talk about the right way to set up SSH. First off, use an SSH key rather than a password. From there, disable SSH password access on any SSH-enabled server. As an added precaution, I'd also disable root SSH access altogether. If you find in your weekly log audits that you're seeing a lot of traffic trying to get into your system over SSH, you can install Fail2Ban to block malicious login attempts. Do not rely on oddball ports as a solution – security through obscurity isn't the answer.
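The SSH settings described above can be checked mechanically. The following is an added example, not part of the original article: the function name `audit_sshd` and the sample configuration are constructed for illustration, and the defaults it assumes are those of current OpenSSH.

```sh
#!/bin/sh
# Added example: audit sshd settings against the recommendations above.
# Reads sshd_config-style text on stdin; exit status is 0 only if all checks pass.
audit_sshd() {
    awk '
    BEGIN {
        # OpenSSH defaults that apply when a keyword is not set.
        val["passwordauthentication"] = "yes"
        val["permitrootlogin"] = "prohibit-password"
        val["pubkeyauthentication"] = "yes"
        # Values recommended in the text: keys only, no root login.
        want["passwordauthentication"] = "no"
        want["permitrootlogin"] = "no"
        want["pubkeyauthentication"] = "yes"
    }
    /^[ \t]*(#|$)/ { next }              # comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")        # "Keyword=value" is also valid syntax
        key = tolower($1); v = tolower($2)
        if (key == "match") { in_match = 1; next }
        if (in_match) next               # conditional Match overrides are not audited
        # sshd keeps the first value it reads for each keyword.
        if ((key in want) && !(key in seen)) { val[key] = v; seen[key] = 1 }
    }
    END {
        n = split("passwordauthentication permitrootlogin pubkeyauthentication", order, " ")
        for (i = 1; i <= n; i++) {
            k = order[i]
            ok = (val[k] == want[k])
            if (!ok) bad++
            printf "%s %s=%s (want %s)\n", (ok ? "OK" : "FAIL"), k, val[k], want[k]
        }
        exit (bad > 0)
    }'
}

# Constructed sample (not from a real host): root login allowed, password
# logins left at the default because the line is commented out.
sample_weak='PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes'

printf '%s\n' "$sample_weak" | audit_sshd || echo "hardening incomplete"
```

On a live host, `sudo sshd -T | audit_sshd` checks the effective settings rather than a single file.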
Finally, let's talk about securing Samba/NFS and printer shares. To be frank, none of these things are all that secure by default. My recommendation is to use strong passwords for your network shares. In addition, make sure to use ufw to only allow access from within the LAN. If you feel you need additional security, you can research how to use groups and permissions to further lock down Samba shares. My default recommendation is to limit shares to read-only access. And for goodness' sake, never, ever share Samba over the Internet. That's just asking for trouble.
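To confirm that share ports really are limited to the LAN, the firewall's rule listing can be scanned for rules that allow them from anywhere. This is an added example, not from the original article: the function name `find_exposed_shares`, the sample output and the 192.168.1.0/24 subnet are constructed assumptions.

```sh
#!/bin/sh
# Added example: flag file/printer-share ports that ufw allows from anywhere.
# Reads `ufw status` output on stdin and prints the offending rules.
# Ports checked: Samba 137-139 and 445, NFS 2049, CUPS 631.
find_exposed_shares() {
    awk '
    BEGIN { ports = "(^|[ ,])(137|138|139|445|631|2049)([/,: ]|$)" }
    {
        i = index($0, "ALLOW")
        if (i == 0) next                       # headers, DENY/REJECT rules
        to = substr($0, 1, i - 1)              # "To" column
        from = substr($0, i + 5)               # text after the action
        sub(/^[ \t]*(IN)?[ \t]*/, "", from)    # verbose output says "ALLOW IN"
        if (from !~ /^Anywhere/) next          # limited to a source: fine
        if (to ~ /^(Samba|CUPS)/ || to ~ ports) print
    }'
}

# Constructed sample of `ufw status` output; 192.168.1.0/24 is an assumed LAN.
sample_status='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Samba                      ALLOW       192.168.1.0/24
445/tcp                    ALLOW       Anywhere
631/tcp                    ALLOW       192.168.1.0/24
2049/tcp (v6)              ALLOW       Anywhere (v6)'

printf '%s\n' "$sample_status" | find_exposed_shares
# A LAN-only replacement for a flagged rule (assumed subnet):
#   sudo ufw delete allow 445/tcp
#   sudo ufw allow from 192.168.1.0/24 to any app Samba
```

Port ranges written as `low:high` are only matched on their endpoints, so a wide range that merely contains a share port needs a manual look.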
The router or firewall you decide to run is a deeply personal choice. I happen to use pfSense for my home network. However, you might prefer DD-WRT or similar instead to handle your Internet-facing needs.
At the very minimum, here's what you shouldn't use: the default login credentials on your router. Additionally, please check for firmware updates for your router. Those two things alone can make all the difference. And finally, audit how exposed you are when running IoT devices. You'll have to Google around to find what works for the devices you own. But when in doubt, check for updates or don't use them. That's my genuine heartfelt advice on how to keep your network as secure as possible.
What say you? How confident are you that your Ubuntu network security is set up as well as possible? Perhaps you've found other distros to be more secure overall, providing you with better network security? Hit the Comments and tell me about it.