Without a doubt, a freshly installed Linux system is less susceptible to malware, spyware and hacking than a freshly installed Windows system. However, most Linux systems are configured with some default settings that are inherently insecure. Some Linux distros are designed to be installed with very secure defaults, but this results in systems that are significantly harder for new users to work with, especially those who are not computer security professionals.
Ubuntu is arguably the most popular Linux distro today, and this is due to a large number of factors, one of which is its friendliness to new users. Many of Ubuntu’s default settings are geared towards allowing users to use their systems immediately after installation with as little disruption as possible. While this has its positives, it also results in a system with a few weaknesses that are accepted in exchange for user convenience. This article walks you through some basic but powerful configuration changes that secure your newly installed Ubuntu against many of the common attack methods.
Most of these security changes require editing configuration files, and these files are usually editable only with root (super user) access. Configuration files can be opened with root access in many ways, but three common ways are outlined below, assuming the file we want to open is “/file/config”.
To open via a terminal:
Or if using Gnome, press “Alt + F2” and type:
gksudo gedit /file/config
Or if using KDE, press “Alt + F2” and type:
kdesu kate /file/config
Note: in the screenshots below, all the editing is done using the terminal, so all the configuration files are opened using
The Basic Stuff
These are configuration steps that depend on how you intend to use your system. The first basic change is to set a password for your user. Even if you are the only user on the system, it is important to password protect your computer. If you are likely to give other users access to your system, create a Guest account (also password protected) for your guests to use. Linux was built as a multi-user system from inception, so switching between users and having multiple users on the same system are an integral part of how Linux is used.
Reconfigure shared memory
By default, the shared memory space (/run/shm) is mounted read/write, with the ability to execute programs. The security community has flagged this as a weakness, with many exploits available that use “/run/shm” while attacking running services. For most desktop and server configurations, it is advisable to mount this as read-only by adding the following line to the file “/etc/fstab”.
Open the “/etc/fstab” file:
Add the following line to the end of the file:
none /run/shm tmpfs defaults,ro 0 0
However, a few programs, such as Google Chrome, do not work if “/run/shm” is mounted read-only. If you use Chrome as your browser (or intend to use Chrome), then “/run/shm” should be mounted read/write but with the noexec, nosuid and nodev options, which block program execution, setuid binaries and device files on that mount. Add the following line instead:
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
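To confirm which of the two recommended lines an fstab actually carries, the following added example (not part of the original article) classifies the options of a shared-memory entry. The function names and the sample fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: classify the mount options of a
# shared-memory entry against the two fstab lines recommended above.

# shm_opts FILE MOUNTPOINT -> options field (4th column) of the last
# non-comment entry for MOUNTPOINT; empty output if there is none.
shm_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { o = $4 } END { print o }' "$1"
}

# shm_verdict OPTIONS -> no-entry | read-only | rw-hardened | missing:<list>
shm_verdict() {
    [ -n "$1" ] || { echo "no-entry"; return 0; }
    opts=",$1,"
    case "$opts" in *",ro,"*) echo "read-only"; return 0 ;; esac
    missing=""
    for want in noexec nosuid nodev; do
        case "$opts" in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    if [ -z "$missing" ]; then echo "rw-hardened"; else echo "missing:$missing"; fi
}

# Constructed sample fstab (hypothetical contents) to exercise the check.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <device> <mountpoint> <type> <options> <dump> <pass>
UUID=0000-constructed / ext4 errors=remount-ro 0 1
none /run/shm tmpfs rw,noexec 0 0
EOF
echo "/run/shm: $(shm_verdict "$(shm_opts "$sample" /run/shm)")"
rm -f "$sample"
```

To check the live mount rather than the file, pass the output of `findmnt -no OPTIONS /run/shm` to `shm_verdict`.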
Deny “su” program to non-admins
Other than your own personal account, Ubuntu also comes with a Guest account, so you can quickly switch to it and lend your laptop to your friend. “su” is a program that enables a user to execute a program as another user on the machine. This is very useful when used correctly and is a vital part of Linux’s famed security system. However, it can be abused on a default Ubuntu system. To deny the Guest account access to the “su” program, restrict it to root and members of the “sudo” group by typing the following in a terminal:
sudo dpkg-statoverride --update --add root sudo 4750 /bin/su
Secure your home directory
Your home directory, by default, can be accessed by every other user on the system. So if you have a guest account, your guest user can open your home directory and browse through all your personal files and documents. With this step, your home directory will be unreadable by other users. Open a terminal and enter the following command (Note: replace “username” with your user account name).
chmod 0700 /home/username
Alternatively, you can set a permission of 0750 to grant access to users in the same group as you.
chmod 0750 /home/username
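To verify the two permission changes above (the restricted “su” binary and the private home directory), this added example, which is not part of the original article, reports what users outside the owner and group can do with a path. The function names and the demo directory names are constructed; it relies on GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the article: report what users outside the owner
# and group can do with a path. Relies on GNU stat, as shipped on Ubuntu.

# others_access PATH -> "none", or a subset of "rwx" granted to other users
others_access() {
    mode=$(stat -c '%a' "$1") || return 1
    bits=$(( 0$mode & 7 ))      # last octal digit = permissions for "others"
    acc=""
    if [ $(( bits & 4 )) -ne 0 ]; then acc="${acc}r"; fi
    if [ $(( bits & 2 )) -ne 0 ]; then acc="${acc}w"; fi
    if [ $(( bits & 1 )) -ne 0 ]; then acc="${acc}x"; fi
    echo "${acc:-none}"
}

# audit_homes BASE -> one line per directory under BASE: "<mode> <name> <access>"
audit_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        echo "$(stat -c '%a' "$d") ${d##*/} $(others_access "$d")"
    done
}

# Constructed demo tree standing in for /home (directory names are hypothetical).
demo=$(mktemp -d)
mkdir "$demo/alice" "$demo/guest"
chmod 0755 "$demo/alice"    # world-readable: everyone can list and enter
chmod 0700 "$demo/guest"    # private: owner only
audit_homes "$demo"
rm -rf "$demo"
```

After the dpkg-statoverride step, `others_access /bin/su` should print `none`; `audit_homes /home` reviews the real accounts.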
Disable SSH Root Login
By default, Ubuntu doesn’t allow direct SSH access to the root user. However, if you set a password for your root account, this can be a potentially huge security risk. You might not have sshd installed on your system. To confirm if you have an SSH Server installed, type in a terminal
You will get a “Connection refused” error message if you don’t have an SSH Server installed, which means you can safely ignore the rest of this tip.
If you have an SSH Server installed, it can be configured via the configuration file located at “/etc/ssh/sshd_config.” Open this file and replace the following line
with this line
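The check below is an added example, not part of the original article. It assumes the directive in question is OpenSSH's PermitRootLogin and reads the value set in the global section of an sshd_config-style file, where the first uncommented occurrence of a keyword is the one sshd uses. The function names and sample file are constructed.

```shell
#!/bin/sh
# Added example, not from the article: find the PermitRootLogin value that
# the global section of an sshd_config-style file sets.

# root_login_setting FILE -> the value, or "unset" if the global section has none
root_login_setting() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            sub(/=/, " ")                   # accept the "Keyword=value" form
            key = tolower($1)               # keywords are case-insensitive
            if (key == "match") exit        # conditional blocks start: stop
            if (key == "permitrootlogin") { val = $2; exit }   # first one wins
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# root_login_verdict FILE -> blocked | key-only | password-allowed | unset | unknown
root_login_verdict() {
    case "$(root_login_setting "$1")" in
        no) echo "blocked" ;;
        prohibit-password|without-password|forced-commands-only) echo "key-only" ;;
        yes) echo "password-allowed" ;;
        unset) echo "unset" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample: "no" was appended at the end, but the earlier
# uncommented "yes" is the value that takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
EOF
echo "PermitRootLogin: $(root_login_setting "$sample") ($(root_login_verdict "$sample"))"
rm -f "$sample"
```

This parser does not follow Include directives; on a host with sshd installed, `sudo sshd -T | grep -i permitrootlogin` prints the value the daemon will actually use.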
Congratulations. You have a measurably secure Ubuntu system. With the above configuration changes, we have blocked some of the most common attack vectors and penetration methods used to exploit Ubuntu systems. For more Ubuntu security tips, tricks and in-depth information, visit the Ubuntu Wiki.