Securing your Ubuntu box, don’t worry it’s easy!

Linux is generally regarded as secure:

But as preachy as Ubuntu gets about not using a root terminal, you’d think that they must ship this really secure operating system, right?

Well….yes and no.

They actually have a pretty good security framework, the bad news is that most of it is turned off by default, meaning that an Ubuntu box would be a relatively easy target for a malicious hacker should a security hole be found and exploited, I know that this hasn’t normally been an issue on Linux, but the idea of exposing a system without even a basic firewall or application security policy to the open internet is still a really bad one, so I implore you to spend 5 minutes of your time locking things down, and be assured that this will not likely affect performance or inconvenience you in any way.

The different approaches to security by Ubuntu and Fedora:

Fedora ships with SELinux with a Targeted policy, in a nutshell, the Targeted policy was a compromise between securing the whole system and not securing anything, it’s designed to protect the most likely services to be abused by a hacker, you can also deploy the Strict policy by downloading it and applying it in the SELinux configuration program, but this has about a 6-7% overhead and it really is overkill and will likely pretty much destroy your day to day operations on the system if used.

You can make your own SELinux policies, yes, but you really have to be a wizard to do it, and go on an application by application basis, for example, if I specify a list of what runmozilla.sh is allowed to do, then Firefox doesn’t inherit that because it’s a different process, and major changes require you to wait forever while it goes through the file system marking the changes.

Ubuntu on the other hand includes AppArmor, which used to be a sheerly Novell-centric thing, but has been getting picked up by most distributions besides any of the Red Hat variety, this is because SELinux, while probably more capable, is like hiring Delta Force to guard a temp agency, and using AppArmor is a breeze compared with SELinux, not only is there no noticable degradation in performance, but the level of security is also quite good, the only problem with AppArmor in Ubuntu is that only one service is protected by default, CUPS (Common UNIX Printing System), we’re going to change that.

To enable AppArmor and have it guard all critical processes:

Open a terminal, and issue the command:

sudo apt-get install apparmor-profiles

When that is done, issue this command:

sudo aa-enforce /etc/apparmor.d/*

You should see it setting about 14 services to Enforce.

You can check AppArmor’s status with:

sudo apparmor_status

Now let’s enable the firewall:

Issue this command:

sudo ufw enable

then

sudo ufw default deny

That tells it if in doubt, throw it out. :)

Further reading:

How to create your own AppArmor policies:

How to use UFW

Note in UFW you can accomplish quite a lot from the command line, you can set it to allow or deny traffic from or to any ip address or port or a combination of both, obviously a DENY or ENABLE rule takes priority over what the firewall would have done with the packet by default regardless the global policy.

---

Possibly related posts: (automatically generated)

• AppArmor
• Quick Tip - Exchange 2007 Upgrading the Default Email address policy…
• Security policies and settings in the 2007 Office system

July 6, 2008 - Posted by Ryan | Linux | apparmor, computers, fedora, Linux, novell, security, selinux, Ubuntu | 1 Comment