Friday, May 11, 2012

Securing Ubuntu 12 Code name Precise palingon

Table of Contents

-Installation and Partitioning
-Firewall Configuration
-Application Security
-Web Security


As you’re probably well aware the release of Ubuntu 11.10 Oneiric Ocelot is upon us and many new users are flocking to see what Ubuntu is all about. Many of those users are interested in Ubuntu because it promises to be more secure than Windows or Mac OS X and for the most part this is true. This guide should serve as a quick start guide to best practices under Ubuntu 11.10, a lot of this information will be the same as previous versions of Ubuntu so if you’re a more experienced user this guide may not be for you.

Installation and Partitioning

In this section we will discuss installation and partitioning in a secure method : this guide is not an installation guide and does not cover topics such as dual booting with Windows. This assumes the only Operating System you have on your machine is Ubuntu 11.10 Oneiric Ocelot. If that is not the case and or you already have a working install you may skip this section entirely. Moving on to Firewall Configuration.
If you need support installing Ubuntu 11.10 or partitioning in a different scheme to dual boot I highly suggest going to Ubuntu Forums for support.

Updating Prior to Install

Ubuntu makes it easier than ever to keep your system up to date, during install time you have the option to download necessary updates, including security updates before you even boot into your new operating system for the first time. I suggest doing this, as it will save us time once we install, if you are not connected to the internet during installation you will not have this option.

Username and Password

At this point you will be prompted to choose your username and password. You need to make sure you pick a strong password. A strong password consists of at least 16 of the following : uppercase letters, lowercase letters, numbers, white spaces, and special characters. Your password should not be based on a dictionary word (even modified) or contain personal information about you.
an example of a strong password is the following : fMx2! Bvb ttyu$ PoO03#

Home Folder Encryption

It is also at this point that you may choose home folder encryption. Home folder encryption uses ecryptfs to encrypt the data in your home folder. This prevents data in your home folder from being compromised even if it is stolen. It is suggested that you enable this option.

After installation is complete on your first login you will be prompted to record the encryption pass phrase to your private home folder. It is important that you do it at this time.
It is recommended that you allow ecrypt-fs to generate your passphrase, you should use a strong passphrase consisting of at least 32 of the following : uppercase letters, lowercase letters, numbers, white spaces, and special characters.
Once you have entered the pass phrase, you will be given a 128 bit (16 character) hash, store this in a safe and secure place it is the key to recovering the data from your home directory if you ever have to manually recover.


If you didn’t update during installation, or you skipped the Installation and Partitioning part of this guide, the first thing we will do is update our operating system. Keeping your system up to date is crucial to obtaining the latest security patches for your system.
Ubuntu makes staying up to date easier than ever.
To update your system simply press ctrl and t at the same time, you will be taken to a terminal window, this may seem similar to the command prompt in the Windows world. Simply type the following
1sudo apt-get update && sudo apt-get upgrade
You will be prompted for your user password, provide it and your updates will be installed.
You should regularly update your installation to be sure you have the latest security patches, I would recommend at least once a week.

Firewall Configuration

The next step in our journey toward a safer desktop computing experience takes us to firewall configuration. For this we will be using Uncomplicated FireWall (UFW). UFW is a front end for the Linux built in kernel firewall iptables. Iptables syntax can be a bit confusing for newcomers, so can UFW. Since this guide is targeted toward users just switching to Ubuntu for the first time, and perhaps those who used another version but are not yet proficient at the command line interface we will be using an application called GUFW which is a graphical interface to manage UFW.

Installing GUFW

Ubuntu 11.10 Oneiric Ocelot does not come with GUFW , the graphical interface for UFW, by default, however installing it is very easily accomplished. Simply open the Ubuntu Software Center (it looks like a little shopping bag) on the left side Unity Launcher. In the search box at the top type “gufw”.
Click on the application “Firewall Configuration” and choose install.
Once installation is complete you can close the Ubuntu Software Center, and go to the Unity Dash (the little Canonical Circle logo in the upper left hand corner of your screen). Search for Firewall Configuration and your newly installed program will pop up. Click on it and you will be presented with your firewall configuration interface. You need to click the pad lock in the lower right hand corner and enter your password prior to making any changes.

Configuring A Basic Firewall

For most users a basic firewall will be adequate, this should deny all inbound connections. To enable this type of firewall simply slide the switch next to status to the “on” position. This will set a default policy of denying incoming traffic but allowing outgoing traffic. This will give you a basic firewall.

Configuring A More Advanced Firewall

* note : this is for slightly more advanced users and is optional you can skip this and go directly to Application Security if you want.
If you’re slightly more paranoid, or security conscious (whichever you prefer to call yourself) ; you can create a more restrictive set of rules. However, doing this requires that you know a little bit about the services that you use. A more restrictive firewall would include only allowing outbound traffic to the services that you use regularly. In this example we will enable outbound traffic to DNS, HTTP, HTTPS, POP mail, and SMTP mail. You may have more services, most applications will describe in their documentation what ports they need to communicate, so if you have questions about a particular program, consult its documentation.
Creating Firewall Rules Using GUFW
To add new, more restrictive rules to our firewall’s outbound policy we will click the + symbol in the lower left corner of the GUFW window. Once you do this you will get a window that looks like this
Under the tab labeled simple we are going to set ports 25, 53, 80, 110, and 443 TCP to allowed out. Once it is set up properly click Add.
Since DNS (Domain Name Service) needs port 53 UDP also, we will also add a rule for that.

Once you have done clicked add, you may now close the rules window, and in the original firewall configuration window change the outgoing policy to DENY. Once you are done it should look like this
That’s it you’re all done with your firewall, don’t forget if you’re using a restrictive outbound policy if you need access to more services you need to enable them in your firewall before they will function properly. You can now close the firewall configuration.
Advanced Firewall Creation Using iptables (OPTIONAL)
This is entirely optional, but I thought I would throw it in here for the sake of completeness. I personally prefer not to use UFW/GUFW but iptables. Again, UFW is just a frontend for iptables, so it’s really not doing anything we can’t here. Iptables just gives you a little more control over what exactly your firewall is doing.
In this section I will provide a sample iptables firewall script based on what we had done earlier in this guide for those who wish to use it instead. Keep in mind UFW and iptables if used together can conflict, I usually remove ufw entirely on my installs by doing the following.
1sudo apt-get remove --purge ufw
Below you will find the iptables script used to create a firewall similar to the one we created earlier with GUFW.
02iptables --flush
03iptables -P INPUT DROP
04iptables -P FORWARD DROP
05iptables -P OUTPUT DROP
06iptables -A INPUT -i lo -j ACCEPT
07iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
08iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
09iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
10iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
11iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
12iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
13iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
14iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
*note : this script will need to be made executable (chmod +x or 755) and executed as root(sudo).
As I said this is completely optional and a matter of personal preference alone.

Application Security

Now that we’ve configured our firewall, we can configure Apparmor. Apparmor basically limits what an application has permission to do. This is important because in the event an attack against an application occurs and is successful this will help mitigate what an attacker can do. Apparmor and creating profiles for it, are more advanced topics, you could write an entire guide about Apparmor and likely still miss some of the minute controls it offers. If you are interested in Apparmor, due to the lack of GUI tools for configuring and utilizing Apparmor I can’t keep you out of the command line for this part.
We will briefly cover how Apparmor works, what it does, the basics of an Apparmor profile and how we may create our own. As well I will provide some pre-created profiles for commonly used applications. If you are a newer user it should be understood that creating Apparmor profiles incorrectly and enforcing them can break your installation’s functionality. If you wish to skip this section you may skip to Web Security. Or just keep reading.

How Apparmor Works

Apparmor works by adding what are known as Mandatory Access Controls as opposed to Linux/UNIX standard Discretionary Access Control scheme. Mandatory Access Controls provide finer grain tuning over what an applicaton can and can not access. It’s important to understand that Apparmor, while it tries to achieve the same goals as SELinux does it in a slightly different way. SELinux labels files , users and groups and gives each a set of permissions. Apparmor deals with permissions on a path by path basis. This provides the ability to create Apparmor profiles more easily, however it leaves some flaws in the system. Of course neither system is perfect, and both have been compromised in the past. As always it is about adding an extra layer of protection, no system will ever be invulnerable to attack. SELinux makes it easier in some cases to launch a kernel based attack, while Apparmor is weaker when it comes to passing code to other applications to escalate privileges.

Apparmor Profiles

As we discussed Apparmor defines a set of controls on a by-application basis, these controls are defined in an Apparmor profile. Apparmor profiles are stored in /etc/apparmor.d
Elements of an Apparmor Profile
The following is an example profile commented so that you can see the various elements of the profile.

# This section gives access to paths used by other programs, these are included to shorten the length of a profile
#include < tunables/global >
/usr/bin/transmission-gtk {
#include < abstractions/audio >
#include < abstractions/base >
#include < abstractions/dbus >
#include < abstractions/dbus-session >
#include < abstractions/evince >
#include < abstractions/gnome >
#include < abstractions/ibus >
#include < abstractions/nameservice >

# owner @{HOME}/ r signifies that the owner of the process can read in /home this is the same as saying /home/* /root r,
# r = read
# w = write
# k = lock access
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/** r,
owner @{HOME}/.cache/transmission/favicons/** rw,
owner @{HOME}/.config/gtk-2.0/** rw,
owner @{HOME}/.config/transmission/ rw,
owner @{HOME}/.config/transmission/lock rwk,
owner @{HOME}/.config/transmission/** rw,
owner @{HOME}/.recently-used.* krw,
# @{PROC}/ works like @{HOME} did, this is referring to reading of process directories. [0-9] matches any numbers 0-9 , * matches any file.
@{PROC}/[0-9]*/fd/ r,
#x = execute
#i = inherit privileges from the directory above
# ** gives access to all files and directories below the current path
/usr/bin/transmission rix,
/usr/lib/ r,
/usr/local/share/** r,
/usr/share/ r,
/usr/share/** r,
/dev/.udev/db/* r,
/etc/udev/udev.conf r,
/sys/devices/**/block/**/uevent r,
Creating Apparmor Profiles
If you wish to create an apparmor profile for a program you can do the following.
*note you will need apparmor-utils package installed for this portion
1sudo apt-get install apparmor-utils

1sudo aa-genprof transmission-gtk
*note : in this case we are creating an apparmor profile for transmission.
You will be notified you are creating a profile for /usr/bin/transmission-gtk ; you are given the option to scan for system events by pressing S. At this point before we do this we are going to exercise the functionality of transmission. Start it, load a torrent, start downloading, and close the application.
After exercising the functionality of transmission , we can scan for system events by pressing S. At this point you will be given a list of options for your paths and options to add parameters for them. Choose the appropriate options based on the confinement needs and continue through. Once you have done this you may save the profile and place it in complain mode. Afterwards : you can run
1sudo aa-logprof
to debug any inappropriate apparmor events related to your new profile and determine if you need to make changes to allow full functionality. You may also use a text editor to edit your profile to fit your needs better.
Installing Apparmor Profiles
Once you download, or create an Apparmor profile, you will need to make sure it is placed properly in the /etc/apparmor.d/ directory. Then you must enforce the profile.
You can do so by utilizing the following command
1sudo aa-enforce usr.bin.firefox
Where usr.bin.firefox is the filename of your profile.
note : you may need to install apparmor-utils package to do this
1sudo apt-get install apparmor-utils
Likewise if you wish to place an apparmor profile in complain mode instead you may use
1sudo aa-complain usr.bin.firefox
Do not forget to restart Apparmor if you make adjustments to your profiles
1sudo /etc/init.d/apparmor restart
By the time it’s all said and done your profile should look something like this

#include < tunables/global>

/usr/bin/transmission-gtk {
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus>
#include <abstractions/dbus-session >
#include  <abstractions/evince>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/nameservice>
deny capability dac_override,
capability dac_read_search,
owner @{HOME}/ r,
owner @{HOME}/** rw,
@{PROC}/[0-9]*/fd/ r,
/dev/.udev/db/* r,
/etc/udev/udev.conf r,
/home/*/.Xauthority r,
/home/*/.config/transmission/blocklists/ r,
/home/*/.config/transmission/* w,
/home/*/.config/transmission/* rw,
/home/*/.config/transmission/lock rwk,
/home/*/.config/transmission/resume/** rw,
/home/*/.config/transmission/resume/** rw,
/home/*/.config/transmission/* rw,
/home/*/.config/transmission/torrents/ r,
/home/*/.config/transmission/torrents/* rw,
/home/*/.config/user-dirs.dirs r,
/home/*/.gtk-bookmarks r,
/home/*/.local/share/recently-used.xbel r,
/home/*/Downloads/ r,
/home/*/Downloads/** w,
/home/*/*/.Private/*/** rw,
/proc/sys/kernel/random/uuid r,
/root/.cache/transmission/favicons/* r,
/root/.cache/transmission/favicons/* r,
/sys/devices/**/block/**/uevent r,
/usr/bin/transmission rix,
/usr/lib/ r,
/usr/local/share/** r,
At this point we are set to enforce our profile via
1sudo aa-enforce usr.bin.transmission-gtk
Don’t forget to restart apparmor if you haven’t yet either.
1sudo /etc/init.d/apparmor restart

Pre-Made Apparmor Profiles

In the event that the brief introduction to Apparmor given was not enough to really get you motivated to create your own profiles, but you still want to use some apparmor profiles. The following have been tested under a default installation (following this guide) of Ubuntu 11.10 Oneiric Ocelot Desktop DVD i386.
- Google Chrome (NOT CHROMIUM)
- FireFox 7.01
- Transmission

Web Security

Most users spend a lot of time browsing the web, who can blame them it’s addictive. That being said, many attack methodologies are utilizing websites that are, or appear trusted by the user. Some attacks are so realistic the user may not even know they’ve been a victim (this includes cross site scripting and cross site request forgery). These attacks can be devestating as they often target sensitive information and or log in credentials.
In order to protect against them we are going to use a browser addon called NoScript.

note : this guide utilizes the default browser that ships with Ubuntu, which is
Firefox. If you use Chromium/Chrome you can use an extension called NotScripts instead.
In order to install NoScript simply navigate your browser to and click the Install button on the web page
Once you do it will give you the option to “Allow” Firefox to install it, click allow and another Window will pop up asking you if you want to install now, choose install now. After it is done Firefox will restart and you will then be protected by NoScript.

How NoScript Works

NoScript works by blocking Javascript, and Flash as well as other script types that can be harmful to you. However, sometimes it blocks things that isn’t supposed to, in the case that it does, you can simply click on the NoScript icon next to your URL bar in Firefox and choose “Allow From this Site” or to “Allow Temporarily” from this site, depending on the frequency with which you use the site.
Once you’re done with this you’re done configuring NoScript, you’re good to go for this section.


Hopefully this guide has been informative and useful to you in your efforts for a more secure desktop experience. I truly hope that you enjoy everything Ubuntu has to offer.

No comments:

Post a Comment