Page 2 of 6 FirstFirst 1234 ... LastLast
Results 11 to 20 of 58

Thread: Important: community effort to harden Ubuntu

  1. #11
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Important: community effort to harden Ubuntu

    I can't help you to author the advanced security guide for Ubuntu.

    I do agree that I am going overboard with security again, but this is my nature and I am going to proceed.

    I just modified my IP Tables using GUFW so I have all of the ports and protocols configured the way that I need them to work for my specific usage case. This should be the remaining steps that I need to take to harden and secure my Ubuntu 12.10 64 bit installation from the basic security guide. The next thing that I am going to work on is Novell AppArmor profiles on Friday afternoon. I plan to look at Bodhi Zazen's custom Novell AppArmor profiles along with yours and Rookcifer.

    Expect a lot of questions and I need lots of help and support.

    I know that my Ubuntu 12.10 64 bit installation is very secure right now. I am very safe from most attackers because well nobody is targeting me for an attack to my knowledge. I monitor my logs and my network traffic from my router to my Ubuntu.

    Indulge me by continuing to post replies and suggestions. Expect me to continue my hardening process over the next two weeks.

  2. #12
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Important: community effort to harden Ubuntu

    You'r doing great monitoring your system. Learn to interpret the outcomes.
    Do use Wireshark: enable networkname resolution via preferences. Learn to add rules via Wireshark into iptables. That can be done via Wireshark using netfilter/iptables.

  3. #13
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Important: community effort to harden Ubuntu

    Whose custom Novell AppArmor profiles should I go with for Google Chromium, Mozilla Firefox, MPLayer, X-Chat, Open Java, Pidgin, etc.? Rookcifer has the most comprehensive, but they work with Ubuntu 12.04. I have not tried Hungry Man's yet. Bodhi Zazen has some old profiles for Ubuntu 10.04. Who else should I consider? What about the default profiles provided in Ubuntu 12.10 64 bit?

    Can someone please tell me what works for Ubuntu 12.10 64 bit?

  4. #14
    Join Date
    Dec 2007
    Location
    Bombay
    Beans
    5,846
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Important: community effort to harden Ubuntu

    Quote Originally Posted by Welly Wu View Post
    Whose custom Novell AppArmor profiles should I go with ...
    Wouldn't the appropriate "custom" profile be the one you construct yourself, ab initio?
    de gustibus et coloribus non est disputandum -- Wiktionary

  5. #15
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Important: community effort to harden Ubuntu

    I'm going to wind up creating a custom Novell AppArmor profile that is too restrictive and it will break functionality with the said software applications. I've done this before with VM Ware Workstation 9.0.1 64 bit and my guest virtual machine got corrupted. I had to re-install it from scratch.

    I would rather look at someone else's custom Novell AppArmor profile and import it and enforce it. It's going to save me time and effort.

  6. #16
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Important: community effort to harden Ubuntu

    I see that Ubuntu 12.10 64 bit ships with basic Mozilla Firefox and Google Chromium Novell AppArmor profiles. I am having problems with the Google Chromium Novell AppArmor profile. Google Chromium won't launch after I enforce it. How do I modify it so that it will launch properly?

  7. #17
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Important: community effort to harden Ubuntu

    I imported and enforced StoneCold1995's Novell AppArmor profile:

    http://ubuntuforums.org/showthread.p...pparmor&page=2

    It works.

    I also installed apparmor-profiles and I enforced smbd, nmbd, evince, xchat, Mozilla Firefox, and StoneCold1995's Google chromium Novell AppArmor profiles.

    It works.

    I know that these provide only basic protection, but I am quite happy with that for now. I plan to learn more about Novell AppArmor next week so that I can create more custom and powerful AppArmor profiles myself.

  8. #18
    Join Date
    Oct 2004
    Beans
    12,944

    Re: Important: community effort to harden Ubuntu

    My opinion, if one goes to over kill mode with regards to a home PC you will ruin your computing experience to the point where you might as well turn it off put in a a box and read the newspaper and start playing sports.

    I would not recommend 90% of this stuff to home users and 50 % to a security dependant corporate.

    If one exercises common sense in "browsing habits" and computer practice you do not need this stuff, after for 95% of home users what is someone going to get, pics of the family and shoe size.
    This account is not active.

  9. #19
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Important: community effort to harden Ubuntu

    Welly Wu, if you're doing all of this strictly to learn, then go for it. But the whole point of learning is to go through the process. I'd encourage you to build your own profiles, you'll learn more about what apparmor is doing & how it's doing it that way.

    If you doing it because you feel you need this much security, then I encourage you to take a step back & identify the actual threats to your system. Once you identify your biggest risks then just defend against those things. There's no point in securing against an attack that will never come.

  10. #20
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    551
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Important: community effort to harden Ubuntu

    I got a lot of confidential and critical data on my drives that I can not share with anyone. Thus, I need extra high security. I think that I have mentioned this before in another thread. Basically, my System76 PC is my life and I live on the Internet.

    I want to work on fwSnort and PSAD tomorrow afternoon. I am new to these topics so I will do lot of reading and research and I will ask a lot of questions.

    I am reading the official Ubuntu Security guide: https://help.ubuntu.com/community/Security. It's pretty good and it covers a lot of the topics in the security sticky except the documentation is clearer to understand and to implement.

    I'll be reading it throughout today.

    I installed the libdvdread4 package and I executed the install.sh script. Now, I am able to copy my massive DVD-Video disc library and convert them into tiny compressed .M4V video files. This is good for me.

    I am going to finish my CrashPlan+ initial remote data backup by December 16th, 2012 at 11:30 PM EST or much sooner. I'm working on a 64.4 GB VMDK flat file right now and it's about 90 percent done. Hopefully, there won't be a ton of new data on my /home folder to backup and data de-duplication will kick in which will speed up my total backup time quite dramatically. I've been waiting for this to happen all week since I re-installed Ubuntu 12.10 64 bit from scratch this past Monday.

    So, I have a comprehensive data backup plan in place for emergencies and disasters.

    My Ubuntu 12.10 64 bit installation is quite secure now. I still need to add NIDS using fwSnort and PSAD tomorrow.

    I'm looking into Stricter Defaults, Bastille Linux, and MyDLP today. If I have questions, then I will post them here.

Page 2 of 6 FirstFirst 1234 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •