Ubuntu users guide security

Материал из NNLUG Wiki.

Содержание 1 Безопасность 1.1 What are the basic things I need to know about securing my Ubuntu 1.2 How to disable all interactive editing control for GRUB menu 1.3 How to disable history listing in Console mode 1.4 How to disable Ctrl+Alt+Del from restarting computer in Console mode 1.5 How to enable prompt before removal/overwritten of files/folders in Console mode

Безопасность

What are the basic things I need to know about securing my Ubuntu

• Read #General Notes
• Ensure hard drive is first in BIOS boot-up sequence
  • To prevent trespassers from using Linux Installation CD which allows them to gain root user access
  • To prevent trespassers from using Linux Live CD (e.g. UBUNTU/KNOPPIX/MEPIS) which allows them to destroy/browse/share the entire hard drive
  • To prevent trespassers from installing another Operating System
• Ensure a password is set for BIOS
  • To prevent trespassers from changing the BIOS boot-up sequence
• Ensure computer is located at a secured place
  • To prevent trespassers from removing computer's hard drive which allows them to destroy/browse/share the entire hard drive from a different computer
  • To prevent trespassers from removing computer's on-board battery which resets the BIOS password
• Ensure passwords used on the system cannot be easily guessed
  • To prevent trespassers from cracking password file using brute force attacks (e.g. John the Ripper)
  • Create password with minimum length of 8 characters
  • Create password with mixture of characters/numbers, and upper/lower case
• Ensure interactive editing control for GRUB menu is disabled
  • To prevent trespassers from modifying kernel boot-up arguments which allows them to have root user access
  • Read #How to disable all interactive editing control for GRUB menu
• Ensure history listing is disabled in Console mode
  • To prevent trespassers from seeing previously issued commands
  • Read #How to disable history listing in Console mode
• Ensure Ctrl+Alt+Del is disabled in Console mode
  • To prevent trespassers from restarting the system without permission in Console mode
  • Read [[#How to disable Ctrl+Alt+Del from restarting computer in Console mode]]
• Ensure interactive option is set for remove, copy and move of files/folders in Console mode
  • To prevent accidental removal/overwritten of files/folders
  • Read #How to enable prompt before removal/overwritten of files/folders in Console mode
• For day to day usage, login as a normal user
  • To prevent accidental deletion/modification of system files/folders
  • Read #How to add/edit/delete system users
• Disable root user account, use "sudo" instead
  • To reduce the amount of time spent with root privileges, and thus the risk of inadvertently executing a command as root
  • "sudo" provides a more useful audit trail (/var/log/auth.log)
  • Read #How to disable root user account
• Install a Firewall
  • A firewall does not guarantee security but it is in most environments the first line of defense against network based attacks
  • Read #How to install Firewall (Firestarter)
• Perform vulnerability test
  • Nessus is a great tool designed to automate the testing and discovery of known security problems
  • Read #How to install Vulnerability Scanner (Nessus)

How to disable all interactive editing control for GRUB menu

• Read #General Notes

grub

grub> md5crypt
Password: ****** (ubuntu)
Encrypted: $1$ZWnke0$1fzDBVjUcT1Mpdd4u/T961 (encrypted password)
grub> quit

sudo cp /boot/grub/menu.lst /boot/grub/menu.lst_backup
sudo gedit /boot/grub/menu.lst

• Find this section

...
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
#   password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret
...

• Add the following line below it

password --md5 $1$ZWnke0$1fzDBVjUcT1Mpdd4u/T961 (encrypted password above)

• Find this section

...
title		Ubuntu, kernel 2.6.10-5-386 (recovery mode)
root		(hd0,1)
kernel		/boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
initrd		/boot/initrd.img-2.6.10-5-386
savedefault
boot
...

• Replace with the following lines

#title		Ubuntu, kernel 2.6.10-5-386 (recovery mode)
#root		(hd0,1)
#kernel		/boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
#initrd		/boot/initrd.img-2.6.10-5-386
#savedefault
#boot

• Save the edited file

How to disable history listing in Console mode

• Read #General Notes

rm -f $HOME/.bash_history
touch $HOME/.bash_history
chmod 000 $HOME/.bash_history

How to disable Ctrl+Alt+Del from restarting computer in Console mode

• Read #General Notes

sudo cp /etc/inittab /etc/inittab_backup
sudo gedit /etc/inittab

• Find this line

...
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
...

• Replace with the following line

#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

• Save the edited file

sudo telinit q

How to enable prompt before removal/overwritten of files/folders in Console mode

• Read #General Notes

sudo cp /etc/bash.bashrc /etc/bash.bashrc_backup
sudo gedit /etc/bash.bashrc

• Append the following lines at the end of file

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

• Save the edited file