
Top Ten basic things to know about securing Ubuntu

Follow these ten basic steps to secure Ubuntu.

1. Ensure the hard drive is first in the BIOS boot-up sequence.
    This prevents hackers from using a Linux installation CD to gain access as the root user.

2. Ensure a password is set for the BIOS.
    This prevents users from changing the BIOS boot-up sequence.

3. Ensure interactive editing control for the GRUB menu is disabled

  • First get the encrypted password by typing the command $ grub-md5-crypt at the command prompt.

  • Back up your configuration file by typing the command $ sudo cp /boot/grub/menu.lst /boot/grub/menu.lst_backup
  • Now open the menu.lst file with the command $ gksudo gedit /boot/grub/menu.lst

  •  Find this section in the file as shown...

        # password ['--md5'] passwd
        # If used in the first section of a menu file, disable all interactive editing
        # control (menu entry editor and command-line) and entries protected by the
        # command 'lock'
        # e.g. password topsecret
        #   password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/
        # password topsecret

  •  ...Add the following line below this, replacing the hash with the encrypted password you generated above...

        password --md5 $1$tumnZ1$xB/shuXs7MlawZXkLiBDV/

  •   ...Look for content...

        ...
        title       Ubuntu, kernel 2.6.10-5-386 (recovery mode)
        root        (hd0,1)
        kernel            /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
        initrd            /boot/initrd.img-2.6.10-5-386
        savedefault
        boot
        ...

  •  ...Add lock between the title and root lines...

        ...
        title       Ubuntu, kernel 2.6.10-5-386 (recovery mode)
        lock
        root        (hd0,1)
        ...

  •   ...Save the file.
    The GRUB console will now require a password to edit the lines, and the recovery modes won't work unless the password is typed.
    To access the other GRUB options at the menu, follow the instructions at the bottom of the screen. It will be something like pressing p and typing your password.
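
A check for the result of step 3, as an added example that is not part of the original article: the function reads a GRUB legacy menu.lst and reports a missing active password line or a single-user (recovery) entry without lock. The function names, the sample file contents and the hash placeholder are constructed for illustration.

```shell
# Added example (not from the article): audit a GRUB legacy menu.lst for step 3.
# Prints one finding per line; returns 0 when clean, 1 when something is missing.
audit_menu_lst() {
    awk '
        function check_entry() {
            # An entry that boots single-user (recovery) must carry "lock".
            if (title != "" && single && !locked) { print "UNLOCKED: " title; bad = 1 }
        }
        /^[ \t]*#/ { next }                         # commented examples do not count
        $1 == "password" && title == "" { pw = 1 }  # global password, before any entry
        $1 == "title" {
            check_entry()
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            single = 0; locked = 0
        }
        $1 == "lock" && title != "" { locked = 1 }
        $1 == "kernel" { for (i = 2; i <= NF; i++) if ($i == "single") single = 1 }
        END {
            check_entry()
            if (!pw) { print "NO-PASSWORD: no active password line before first title"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: a stock menu.lst before the edits from step 3.
write_sample() {
    cat > "$1" <<'EOF'
# password topsecret
title       Ubuntu, kernel 2.6.10-5-386
kernel      /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro quiet splash
title       Ubuntu, kernel 2.6.10-5-386 (recovery mode)
root        (hd0,1)
kernel      /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
EOF
}
# Apply both edits to the sample; the hash is a placeholder, not a real value.
harden_sample() {
    { echo 'password --md5 <HASH-FROM-grub-md5-crypt>'
      sed '/(recovery mode)/a\
lock' "$1"; } > "$1.new" && mv "$1.new" "$1"
}

tmp=$(mktemp) && write_sample "$tmp"
echo "before:"; audit_menu_lst "$tmp" || true
harden_sample "$tmp"
echo "after:";  audit_menu_lst "$tmp" && echo "ok"
rm -f "$tmp"
```

On a system that still uses GRUB legacy, run audit_menu_lst /boot/grub/menu.lst after saving the file; the commented "# password" examples in the stock file are ignored, so only an uncommented line counts.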


4. Disable history listing in Console mode

  •   Type the following commands at prompt.

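    $ rm -f ~/.bash_history

    $ gedit ~/.bash_profile

  •  Add the following lines and save the file.

    export HISTFILESIZE=4           # cap the size of any history file
    unset HISTFILE                  # do not write a history file at all
    export HISTSIZE=100             # keep 100 lines of in-session recall
    export HISTCONTROL=ignoredups   # skip consecutive duplicate lines

    This disables the Bash history file for the user while retaining in-session keystroke history and recall, limited to 100 lines.

    Duplicate lines next to each other are also not recorded.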


5. Disable Ctrl+Alt+Del from restarting computer in Console mode

  •   Type the following commands.

    $ sudo cp /etc/inittab /etc/inittab_backup
    $ gksudo gedit /etc/inittab

  •   Find the following line

    ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

  •   Replace the above line with

    #ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

  •  Save the file.


6. Enable prompt before removal/overwriting of files/folders in Console mode.

    $ sudo cp /etc/bash.bashrc /etc/bash.bashrc_backup
    $ gksudo gedit /etc/bash.bashrc

  •   Add the following lines at the end of file.

    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'

  •   Save the file.


7. For day-to-day usage, log in as a normal user.

    Type the command $ sudo useradd jim to add a user.

   

8. Disable root user account, use "sudo" instead.

    Type the command $ sudo passwd -l root to disable the root user.

  
   


9. Install a Firewall.

    Type the command $ sudo aptitude install firestarter to install the firewall.

    To make Firestarter start automatically, go to System > Preferences > Startup Programs > Add (or New)

    Name field (if there): Firestarter

    Command field: sudo firestarter --start-hidden

    Press OK.

10. Perform vulnerability test:

    Open a terminal window and type

    $ sudo apt-get install nessus
    $ sudo apt-get install nessusd
    $ sudo nessus-adduser
    $ sudo ln -fs /etc/init.d/nessusd /etc/rc2.d/S20nessusd
    $ sudo /etc/init.d/nessusd start
    $ sudo gedit /usr/share/applications/Nessus.desktop

    Add following lines into the new file.

    After that you can find Nessus in the Gnome menu under Applications > System Tools.

copyright © 2007, IPTouch, Inc.

 

 

Comments
  • Posted by: mocoloco_3059 at 04 Jan 09:54 permalink
    Steps 1-5 are only necessary if you're concerned about who has physical access to your computer, so unless you're letting in nuts from off the street it's probably overkill, plus defeats the purpose of a recovery mode if you forget passwords, etc. On a laptop it might be a good idea if you're concerned about your data if you ever lose your computer.
    Step 9 having firestarter run hidden is NOT necessary. Firestarter is not the actual firewall, just a frontend to make it easy to edit the built-in firewall, which is called IPTables. IPTables will start automatically, even if you've never installed Firestarter, and it's pre-configured to not have any unnecessary ports open, so Firestarter is useful only if you want to change things, say install a web server and open ports for it.