How to Secure Your Newly Installed Ubuntu

Without a doubt, a freshly installed Linux system is less susceptible to malware, spyware and hacking than a freshly installed Windows system. However, most Linux systems are configured with some default settings that are inherently insecure. Some Linux distros are designed to be installed with very secure defaults, but this makes them significantly harder to use for new users, especially those who are not computer security professionals.

Ubuntu is arguably the most popular Linux distro today, and this is due to a large number of factors, one of which is its friendliness to new users. Many of Ubuntu’s default settings are geared towards allowing users to use their systems immediately after installation with as little disruption as possible. While this has its positives, it also leaves the system with a few weaknesses, accepted in exchange for user convenience. This article walks you through some basic but powerful configuration changes that secure your newly installed Ubuntu against many of the common attack methods.

Most of these security changes require editing configuration files, and these files are usually editable only with root (super user) access. Configuration files can be opened with root access in many ways, but three common ways are outlined below. Assume the file we want to open is “/file/config”.

To open via a terminal:

Or if using Gnome, press “Alt + F2” and type:

Or if using KDE, press “Alt + F2” and type:

Note: in the screenshots below, all the editing is done using the terminal, so all the configuration files are opened using sudoedit.

These configuration steps depend on how you intend to use your system. The first basic change is to set a password for your user. Even if you are the only user on the system, it is important to password protect your computer. If you are likely to give other users access to your system, create a Guest account (also password protected) to give to your guests. Linux was built as a multi-user system from inception, so switching between users and having multiple users on the same system is an integral part of how Linux is used.

By default, the shared memory space (/run/shm) is mounted read/write, with the ability to execute programs. This has been noted in the security community as vulnerable, with many exploits available where “/run/shm” is used while attacking running services. For most desktop and server configurations, it is advisable to mount this as read-only by adding the following line to the file “/etc/fstab.”

Open the “/etc/fstab” file:

Add the following line to the end of the file:

However, there are a few programs that would not work if “/run/shm” is mounted read only, such as Google Chrome. If you use Chrome as your browser (or intend to use Chrome), then “/run/shm” should be mounted read/write, and you should add the following line instead:

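One way to check which of the two /run/shm variants described above an fstab file actually contains, as an added example that is not part of the original article. The helper name `shm_fstab_status` and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example. shm_fstab_status is a hypothetical helper, not an Ubuntu tool.
# Reads an fstab-format file and prints, for the given mount point:
#   missing  - no entry (the distribution's default mount options apply)
#   readonly - the entry carries "ro"
#   hardened - read/write, with noexec, nosuid and nodev all present
#   weak     - an entry exists but lacks one or more of those options
shm_fstab_status() {
    awk -v mp="${2:-/run/shm}" '
        $1 ~ /^#/ || NF < 4 { next }      # skip comments and malformed lines
        $2 == mp {                        # if listed twice, the last entry is reported
            found = 1; ro = 0; noexec = 0; nosuid = 0; nodev = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "ro")     ro = 1
                if (opt[i] == "noexec") noexec = 1
                if (opt[i] == "nosuid") nosuid = 1
                if (opt[i] == "nodev")  nodev = 1
            }
        }
        END {
            if (!found)                         print "missing"
            else if (ro)                        print "readonly"
            else if (noexec && nosuid && nodev) print "hardened"
            else                                print "weak"
        }
    ' "$1"
}

# Constructed sample fstab; the /run/shm line is the read/write variant
# quoted in the comments on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=CONSTRUCTED-0000 / ext4 errors=remount-ro 0 1
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
EOF
shm_fstab_status "$sample"
rm -f "$sample"
```

On a running system, `findmnt -no OPTIONS /run/shm` shows the mount options actually in effect, which is what matters after a reboot.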

Other than your own personal account, Ubuntu also comes with a Guest account, so you can quickly switch to it and lend your laptop to a friend. “su” is a program that enables a user to execute a program as another user on the machine. This is very useful when used correctly and is a vital part of Linux’s famed security system. However, it can be abused on a default Ubuntu system. To deny the Guest account access to the “su” program, type the following in a terminal:

Your home directory, by default, can be accessed by every other user on the system. So if you have a guest account, your guest user can open your home directory and browse through all your personal files and documents. With this step, your home directory will be unreadable by other users. Open a terminal and enter the following command (Note: replace “username” with your user account name).

Alternatively, you can set a permission of 0750 (read here to find out more about file permissions in Linux) to grant access to users in the same group as you.
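To verify the result of the home directory step, the following added example (not from the original article) reports which directories under a base path are still open to the group or to all users. The helper names `home_exposure` and `audit_homes` and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. home_exposure and audit_homes are hypothetical helper names.
# home_exposure classifies a directory by its group/other permission bits:
#   private - nothing for group or others (for example 0700)
#   group   - group has some access, others have none (for example 0750)
#   world   - others have some access
home_exposure() {
    # Characters 5-10 of the ls mode string are the group and other triplets;
    # setgid/sticky letters are folded back to plain x or -.
    bits=$(ls -ld "$1" | cut -c5-10 | sed 'y/stST/xx--/')
    case $bits in
        ------) echo private ;;
        ???---) echo group ;;
        *)      echo world ;;
    esac
}

# Print every directory directly under a base (default /home) that is not private.
audit_homes() {
    for d in "${1:-/home}"/*/; do
        [ -d "$d" ] || continue
        state=$(home_exposure "$d")
        [ "$state" = private ] || printf '%s %s\n' "$state" "${d%/}"
    done
}

# Constructed demo tree standing in for /home.
demo=$(mktemp -d)
mkdir "$demo/alice" "$demo/guest"
chmod 0700 "$demo/alice"
chmod 0755 "$demo/guest"
audit_homes "$demo"
rm -rf "$demo"
```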

By default, Ubuntu doesn’t allow direct SSH access to the root user. However, if you set a password for your root account, this can be a potentially huge security risk. You might not have sshd installed on your system. To confirm whether you have an SSH server installed, type in a terminal:

You will get a “Connection refused” error message if you don’t have an SSH Server installed, which means you can safely ignore the rest of this tip.

If you have an SSH Server installed, it can be configured via the configuration file located at “/etc/ssh/sshd_config.” Open this file and replace the following line

with this line
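The check below is an added example, not part of the original article: it reads an sshd_config-format file and reports the value of `PermitRootLogin`, the OpenSSH directive that controls root login over SSH. The helper names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example. root_login_setting and root_login_disabled are hypothetical
# helper names. The first prints the PermitRootLogin value a config file sets
# globally: the keyword is matched case-insensitively, whitespace or "="
# between keyword and value is handled, the first occurrence wins, and lines
# inside a Match block are conditional and therefore ignored here. Prints
# "unset" if the file never sets it, in which case sshd uses its built-in default.
root_login_setting() {
    awk '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ { next }                          # commented-out directive
        tolower($1) == "match" { exit }        # end of the global section
        tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1; exit # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeeds only when root login over SSH is explicitly disabled.
root_login_disabled() {
    [ "$(root_login_setting "$1")" = "no" ]
}

# Constructed sample sshd_config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
Port 22
permitrootlogin yes
PermitRootLogin no
EOF
if root_login_disabled "$sample"; then
    echo "root login disabled"
else
    echo "root login setting: $(root_login_setting "$sample")"
fi
rm -f "$sample"
```

The sample shows why a second `PermitRootLogin no` further down the file does not help: the earlier line has already been taken. On a live server, `sudo sshd -T` prints the effective configuration after all files are merged.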

Congratulations. You have a measurably secure Ubuntu system. With the above configuration changes, we have blocked some of the most common attack vectors and penetration methods used to exploit Ubuntu systems. For more Ubuntu security tips, tricks and in-depth information visit Ubuntu Wiki.

10 comments

  1. Another excellent article, thanks.
    Could anybody tell me how to secure a hard drive in my system? I only use this drive for back-up. This is not my / or /home.
    I want to limit the access to myself, like the example of /home in the article.
    Thanks

  2. You could edit your /etc/fstab so that the drive is mounted for your user only.
    Example
    /dev/sdb1 /media/backup ext4 umask=0022,gid=1000,uid=1000 0 0

    where /dev/sdb1 = your hard drive
    /media/backup = your mount point
    gid=1000 = your user group id
    uid=1000 = your user id

  3. Please don’t use octal numbers on chmod; the symbolic form is much easier for beginners and makes it harder to make mistakes.
    And it tells you what you really want to do, like remove write rights for group and others.

    chmod go-w /home/username

    And changes could be combined, like this.

    chmod g-w,o-rwx /home/username

    or

    chmod u=rwx,g=rx,o-rwx /home/username

    or
    chmod ug=rwx,o-rwx /home/username

    or to mark something executable

    chmod +x /home/username

    There are more ways to combine this with ugo (user, group, other) and =+- (absolute, add, remove) and rwx (read, write, execute).

    • Interesting observation Anders Jackson.
      We have an excellent article (linked above) that describes the octal notation in full, but I also see how the verbose method can seem easier for beginners.

  4. Great article. I have two questions. If by default, the shared memory space (/run/shm) is mounted read/write, with the ability to execute programs, why do I need to add “none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0” to the fstab file?

    I installed Xubuntu 14.04 LTS on my laptop. I would never need to SSH into my laptop. Can I disable (or uninstall) SSH so no SSH session can be made to my laptop?

    Thanks.

    • The option “noexec” basically ensures that programs cannot be executed from the /run/shm.

      For ssh, first confirm that ssh is installed by running “ssh localhost”. If you get a “Connection refused”, ssh sessions cannot be made to your laptop.

      However, if you get anything else, you have to figure out which ssh server is installed and then uninstall it. Most likely OpenSSH, which can be uninstalled by

      sudo apt-get remove openssh-server

  5. On a default Ubuntu install, what programs require /run/shm read/write? Chrome is not a default program.
