
Thread: Should I harden my Ubuntu 64 bit further?

  1. #11
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,803

    Re: Should I harden my Ubuntu 64 bit further?

    Quote Originally Posted by Welly Wu View Post
    I chose to install Firestarter as it is a bit easier than gufw. I configured it to deny all incoming traffic and I configured it to be restrictive by default to whitelist traffic set by my rules. I opened up some common ports such as 80 for http traffic and a couple of other ones that I know that I will need. I read through the firewall sticky and I have to re-read it again as it is kind of complex for a new Ubuntu user like myself.
    Funnily enough, when I wrote my post I purposefully missed out Firestarter as it is out of date and buggy and not recommended, to be honest.

    Also it needs to be removed if you want to use UFW/GUFW as they conflict.

    When you say you opened up the ports such as port 80 because you know you will need it, you mean you will be running a web server?

    If not then you don't need to; only allow ports for services you know you will be running.

    Also read these, as they are easy to understand and cover everything you need to know at this point:

    Do you need a firewall

    Setting up a firewall in Ubuntu using 3 different methods

    Cheers
    Last edited by haqking; February 3rd, 2012 at 07:04 AM.
    Feel Free to Bitcoin Tip: 135Rp4pwwYTHEJ4u8bxKaDQiC91N9LUoV2

    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  2. #12
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I harden my Ubuntu 64 bit further?

    I removed Firestarter and I installed gufw. I set it up to deny all in and all out. I also set some specific traffic to be allowed to go out:
    Http 80
    https 443
    IMAP 143
    NTP 123
    POP3 110
    SMTP 25
    BitTorrent 6881:6889
    Pop3s 995
    Https 8080
    SSH 22
    FTP 20-21
    Google 587,993
    Irc 667:7000
    DNS 53
    DHCP 67-68

    How does it look now?

  3. #13
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,803

    Re: Should I harden my Ubuntu 64 bit further?

    Quote Originally Posted by Welly Wu View Post
    I removed Firestarter and I installed gufw. I set it up to deny all in and all out. I also set some specific traffic to be allowed to go out:
    Http 80
    https 443
    IMAP 143
    NTP 123
    POP3 110
    SMTP 25
    BitTorrent 6881:6889
    Pop3s 995
    Https 8080
    SSH 22
    FTP 20-21
    Google 587,993
    Irc 667:7000
    DNS 53
    DHCP 67-68

    How does it look now?
    If they are what you need then I guess so; I don't know what you need.

    Best to deny all and then allow as you find something not working, or you may be letting through things which don't necessarily need to be.

    Have you allowed UDP for DNS as well as TCP, and the same for DHCP?

    Do you need IMAP as well as POP?

    I mean, I don't know what services you require so can't really say.

  4. #14
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I harden my Ubuntu 64 bit further?

    I just added UDP for DNS right now and I reloaded my firewall rules. Thanks for the tip.

    It seems that my list of TCP and one UDP ports is correct because I am able to get access to the Internet through all of my usual software applications. I am not having any problems connecting to the Internet or remote networks that I frequently need access to so far.

    Thank you for your help so far.

    I will work on HIDS and NIDS and AppArmor this weekend. I am going to be out of my home for most of the day today so I don't have an opportunity to read wikis and stickies to harden my Ubuntu 64 bit.

  5. #15
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,803

    Re: Should I harden my Ubuntu 64 bit further?

    Quote Originally Posted by Welly Wu View Post
    I just added UDP for DNS right now and I reloaded my firewall rules. Thanks for the tip.

    It seems that my list of TCP and one UDP ports is correct because I am able to get access to the Internet through all of my usual software applications. I am not having any problems connecting to the Internet or remote networks that I frequently need access to so far.

    Thank you for your help so far.

    I will work on HIDS and NIDS and AppArmor this weekend. I am going to be out of my home for most of the day today so I don't have an opportunity to read wikis and stickies to harden my Ubuntu 64 bit.
    Cool, no worries.

    However, like I said, just because things work doesn't mean you need them all; only allow what you actually need.

    I mean you only need IMAP and POP if you access a POP account as well as an IMAP account, you only need FTP if you use it, you only need SSH if you use it and so on.

    Best of luck

    Peace
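The advice in posts #13 and #15 (deny by default, allow only the services you actually use, and remember UDP for DNS and DHCP), as an added example that is not part of the original thread: a shell script that prints the matching ufw commands without running them. The service names and the port/protocol table are assumptions built from the ports listed in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny ufw rule set
# from the list of services this machine actually uses.
# The table below is constructed for illustration; extend it as needed.

# service_rules NAME -> prints one "port/proto" per line
service_rules() {
    case "$1" in
        dns)   printf '%s\n' 53/udp 53/tcp ;;  # DNS needs UDP as well as TCP
        dhcp)  printf '%s\n' 67:68/udp ;;      # DHCP is UDP only
        ntp)   printf '%s\n' 123/udp ;;
        http)  printf '%s\n' 80/tcp ;;
        https) printf '%s\n' 443/tcp ;;
        imap)  printf '%s\n' 143/tcp ;;
        pop3)  printf '%s\n' 110/tcp ;;
        pop3s) printf '%s\n' 995/tcp ;;
        ssh)   printf '%s\n' 22/tcp ;;
        *)     echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# build_rules SERVICE... -> prints the ufw commands (dry run, nothing applied)
build_rules() {
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    for svc in "$@"; do
        # Refuse to emit a partial rule set for a service we cannot map.
        rules=$(service_rules "$svc") || return 1
        for r in $rules; do
            echo "ufw allow out $r"
        done
    done
}

# Example: a desktop that browses the web and reads mail over IMAP only.
# No pop3, ssh or ftp rules are emitted because they were not requested.
build_rules dns dhcp ntp http https imap
```

Review the printed commands first; to apply them, pipe the output to `sudo sh` and then run `sudo ufw status verbose` to confirm the result.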

  6. #16
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I harden my Ubuntu 64 bit further?

    I had to return to this thread to get more help.

    I replaced my ASUS N61JV-X2 notebook PC with a new System76 Lemur Ultra Thin (lemu4). I am using Ubuntu 12.10 64 bit Beta 2.

    I installed rkhunter, chkrootkit, tiger.

    Do I need to install ninja when the root account is disabled by default?

    I enabled ufw and I installed GUFW. This time, I am not running any type of host server like Samba Server. I have nothing listed in GUFW and I don't want to restrict outgoing traffic because I use a lot of software applications that depend upon different ports and protocols and it would be too difficult to keep updating my GUFW list on a daily basis. I use BitTorrent, Firefox, Thunderbird, WiTopia Personal VPN PRO using OpenVPN, CISCO IPSec, IRC, Empathy, etc.

    I minimized the number of PPAs that I added and use. I have the official System76 PPA for the device driver and that's it. I deleted BitDefender and I deleted the unofficial handbrake PPAs. I also deleted Handbrake. I am using the official and partner repositories by default. It's going to stay this way for years to come in the future.

    I am thinking about adding custom Novell AppArmor profiles for Mozilla Firefox and OpenJRE/JDK 7 and its associated programs like mplayer, etc:

    http://rookcifer.blogspot.com/2012/0...ofile-for.html

    http://rookcifer.blogspot.com/2012/1...untu-1204.html

    Otherwise, I wanted to know if this will be sufficient for a full-time Ubuntu user like myself. I am thinking that these additional steps are enough.

    I connect to WiTopia Personal VPN PRO most of the time: http://www.witopia.net even while I am at home on my Verizon FiOS Internet service.

    I have full-disk encryption using dm-crypt and LUKS.

    I think that this should be enough for my needs.

    Do I need to install a file integrity checker like aide or tripwire?

    Should I install and run Bastille?

    What do you recommend?

  7. #17
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I harden my Ubuntu 64 bit further?

    This time, I wanted to focus on security that makes sense to me. I don't want to go overboard by installing all of the security tools and configuring everything by hand.

    In light of this preference, what do you recommend that I consider to harden my Ubuntu 64 bit?

  8. #18
    Join Date
    Jan 2010
    Location
    Hyperborea
    Beans
    1,441
    Distro
    Ubuntu

    Re: Should I harden my Ubuntu 64 bit further?

    Not so much for security but more for privacy I run Firefox with AdBlockPlus, NoScript and Ghostery add-ons.
    If I go to a web-site and let NoScript "temporarily allow all" then Ghostery will pop up with lots of blocked trackers. Sometimes about 20 of them!
    Mozilla have an experimental add-on called "Collusion", if you run that you will soon do as I do.
    https://www.mozilla.org/en-US/collusion/
    Don't get paranoid but they are watching you

  9. #19
    Join Date
    Sep 2012
    Beans
    21

    Re: Should I harden my Ubuntu 64 bit further?

    I am currently working on a tutorial for setting up a fully encrypted Ubuntu setup. I see your method is close to mine -- the only difference is I have my boot partition on a flash drive around my neck at all times. Along with my YubiKey, I would recommend buying a YubiKey to use with your LastPass account. A YubiKey is a USB OTP generator; it has two configurable slots, so you could have one that sends a static password and another that sends an OTP.

    Here is a paper they have on using the static password with TrueCrypt:
    http://static.yubico.com/var/uploads...2011-03-23.pdf

    If you bought a YubiKey you could set it up to have a 64 digit random password that is unknown to you if you want and then change your password to use that as well -- think of it like a salt in a hashing function...
    Say your old password was cat...
    you change it to catfFEFHjhCjnmPEsTX5aLaJ3T8aWb9UOWF4YKXH5cY9TqSjhp CpiC35G7JDPxgWe8k

    As long as you have your /home partition encrypted and have your home folder encrypted with ecryptfs as well you should be set...

    Also every few months clean junk files with bleachbit, then migrate all your files to a new user account,
    sudo adduser username2 --encrypt-home
    then rsync your old files into the new user and shred the old ecryptfs password files...
    shred -fun1 /home/.ecryptfs/user1/.ecryptfs/*
    or something like that.

  10. #20
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I harden my Ubuntu 64 bit further?

    I have two Yubico Yubi keys with my LastPass Premium account.
