I tend to have a nasty habit of reinstalling over and over again. Nerds won’t ask why, they surely do the same thing. Let’s say that with each new Ubuntu release – at least – I reinstall in order to have a clean system. It’s endless, I know…
Still, each time I reinstall, there are a few things I do with the security of my system in mind. I figured I would share them, since this is the place and time where I rule all. And in the end, it'll help a few of you.
These things range from setting up an encrypted home directory to a simple browser extension. Ubuntu is a system that's very safe by default. But there is room to do better, let's go!
I. Make yourself a nice /home
The first thing I do is to set up my /home directory to be encrypted. I've described before how to do this very simply. It's just a couple of clicks away, even only one click if you – like me, and you should as well – use the Alternate CD in order to install Ubuntu.
Additionally, it is now very easy, using the Alternate CD, to install your system on an encrypted file-system. Just pick the “Encrypted LVM” entry while installing your system. I'd recommend using this for both / and swap, and using encrypted directories for /home directories. The reason is that encrypting the /home directory uses per-user encryption, which is more suitable to our security concerns on a multi-user system.
Next, once my system is installed, before moving anything into my /home, I make it private. By default, your /home directory has permissions for files and folders set as “DIR_MODE=0755”. This means that you can read/write/execute files, and other members of your group or anyone else can read/execute them.
In my case, where I don't share files from my home folder on my home network, this makes no sense, which is why I change it so that only I can read/write/execute in my home directory, and others have no rights whatsoever. Let's do it this way:
$ chmod 700 "$HOME"
II. Secure the shared memory
In Ubuntu, the /dev/shm folder is a shared memory folder, referred to as tmpfs and intended to appear as a mounted file-system itself. It is a means to pass data from one program to another. By default, in Ubuntu, /dev/shm is mounted read/write. Since exploits have been performed in the past using /dev/shm (here is one example, out of many others existing), keeping it mounted read/write is unsafe in my opinion. Which is why I change it so that it is mounted in read-only mode, without the ability to execute code or change a program's UID.
In order to do so, I add this line to my /etc/fstab:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
To enable the change, either reboot or remount /dev/shm:
$ sudo mount -o remount /dev/shm
III. Secure SSH
If you plan to use SSH, the mighty SSH I love and use so much, there are a few things you need to do in order to secure it. To sum up, here is what I change in my SSH configuration file:
- I disable root login
- I reduce the login Grace Time to almost zero
- I restrict users able to login through SSH
While the first step is pretty obvious, the second and third might be more obscure. The SSH daemon allows a user to stay connected for a certain amount of time before authenticating. By default, this time is set to 120 seconds. It's a lot, a whole lot of time for a hacker to perform an attack on the daemon. Reducing the login Grace Time is an easy step worth taking in my opinion.
Restricting the users able to log in through SSH is a pretty obvious measure, especially if you have a multi-user environment.
In order to change these settings, you'll edit the SSH configuration file:
$ sudo nano /etc/ssh/sshd_config
Search for the above-mentioned settings and change them if you'd like; here is what I set (the first two lines are modified, the last one is added to the configuration file):
PermitRootLogin no
LoginGraceTime 15
AllowUsers john
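A small audit script for the three steps above, added here as an example and not part of the original post: it checks the home directory mode, the /dev/shm options in fstab and the three sshd_config settings. The function names, the 15-second ceiling (taken from the value set above) and the sample files are assumptions of this example; it reads only the global part of sshd_config, before any Match block, and flags LoginGraceTime 0, which sshd treats as no time limit.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names), not code from the original post.

# First global value of an sshd_config keyword: sshd keeps the first
# occurrence and keywords are case-insensitive. Stops at the first Match block.
sshd_value() {  # usage: sshd_value KEYWORD FILE
    awk -v k="$1" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Mount options (4th field) that an fstab file gives for a mount point.
fstab_opts() {  # usage: fstab_opts MOUNTPOINT FILE
    awk -v m="$1" '!/^[ \t]*#/ && $2 == m { print $4; exit }' "$2"
}

# Succeeds if option $1 appears in the comma-separated list $2.
has_opt() { case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac; }

# Prints one line per finding and returns the number of findings.
audit() {  # usage: audit HOME_DIR FSTAB SSHD_CONFIG
    local n=0 o grace
    fail() { echo "FAIL: $*"; n=$((n + 1)); }
    [ "$(stat -c %a "$1")" = 700 ] || fail "$1 is not mode 700"
    for o in noexec nosuid; do
        has_opt "$o" "$(fstab_opts /dev/shm "$2")" || fail "/dev/shm lacks $o"
    done
    [ "$(sshd_value PermitRootLogin "$3")" = no ] || fail "PermitRootLogin is not no"
    [ -n "$(sshd_value AllowUsers "$3")" ] || fail "AllowUsers is not set"
    grace=$(sshd_value LoginGraceTime "$3")
    case "$grace" in
        ''|*[!0-9]*) fail "LoginGraceTime '$grace' is unset or not plain seconds" ;;
        0) fail "LoginGraceTime 0 disables the time limit" ;;
        *) [ "$grace" -le 15 ] || fail "LoginGraceTime $grace exceeds 15" ;;
    esac
    return "$n"
}

# Constructed sample files; on a real system run:
#   audit "$HOME" /etc/fstab /etc/ssh/sshd_config
demo() {
    local d; d=$(mktemp -d); chmod 700 "$d"
    echo 'tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0' > "$d/fstab"
    printf '%s\n' '#LoginGraceTime 120' 'loginGraceTime 0' \
        'PermitRootLogin no' 'AllowUsers john' > "$d/sshd_config"
    audit "$d" "$d/fstab" "$d/sshd_config"; local rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```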
To be continued! These are the first three steps I take but, as you can guess, there are others. They will be covered soon in another post. So keep an eye on your feeds!