Important: community effort to harden Ubuntu

[Welly Wu]

I've made a ton of mistakes lately since I got my System76 Lemur Ultra Thin (lemu4) notebook PC back on July 5th, 2012. I have had to re-install Ubuntu, OpenSuSe from scratch repeatedly because I made too many mistakes that locked me out of my PC or made it impossible for me to log in to my PC. This time, I want to try a different approach. I admit that I don't know enough about how to harden and secure GNU/Linux and I am turning to the community for help.

I re-installed Ubuntu 12.10 64 bit from scratch this past Monday. I have done a minimal amount of effort to harden or secure it. 1. I have added, downloaded, installed, and updated BitDefender for Unices Free and it is fully licensed, 2. I have enabled my firewall and I installed GUFW to open up TCP ports 4242 for CrashPlan so my family members and friends can backup to my System76 PC plus I have enabled IPP Port 631 so that I can print to my Canon Pixma MX870 all-in-one printer, 3. I have downloaded and installed my LastPass extension for Mozilla Firefox and I downloaded and execute LastPass Pocket so that I can download my LastPass vault offline. That's it so far.

I have had problems with ninja locking me out of my administrator account when I used Ubuntu 12.10 64 bit Beta 2. I sent a private message to Bohdi Zazen seeking guidance on how to install and setup ninja properly so that this won't happen again. I have also asked if it is even necessary to use ninja when I would rather prefer to restrict access to su and passwd as an alternative. I don't want to install and setup ninja until I receive more feedback from him or other community members regarding Ubuntu 12.10 64 bit or any future versions that I plan to upgrade to every April and October of each year.

I read all of the security sticky threads. I need help choosing among AIDE, Tripwire, or integrit to monitor local folders and files for changes. Which one is easiest and simplest? It seems to be AIDE. However, I have had problems trying to get AIDE to work on Ubuntu 12.10 64 bit Beta 2 and I need more help when I am ready to tackle this mini project.

I need help with OpenVAS. I don't have enough experience to know how to make it work properly. At least I'm being open and honest with the community so I need help when I am ready to download and install and set it up later.

I am skittish about SNORT. I read all the warnings about how it can introduce more vulnerabilities and I have little knowledge about SNORT or postegr and Apache. When I am ready to deal with this, I will need lots of help and support.

I am comfortable with Novell AppArmor and I prefer to use Rookcifer's custom Novell AppArmor profiles for Mozilla Firefox and Google Chrome along with its related software packages. However, I will still need some help from Rookcifer because I use Ubuntu 12.10 64 bit and some of his custom Novell AppArmor profiles clearly indicate it is designed for Ubuntu 12.04. When I am ready, I will need to ask questions and get more help and support.

That should cover it for now. There will undoubtedly be more questions and more need for specific help.

I want help from the said community members in this thread. I want to open it up to the community to reply and contribute for others that may have similar or related questions. Basically, I don't want to repeat the same old mistakes all over again. I don't want to re-install any operating system from scratch all over again. This is why I need my own thread to focus on my issues and to offer help to others that may reply with their own problems, issues, and questions.

The community here is terrific for these kinds of things. Security is a process and staying alert is key. I don't know enough on how to obtain a reasonably safe and secure Ubuntu installation so I am asking for help and support. My GNU/Linux skills are moderate to advanced depending on the topics covered so far. I am strongest in my knowledge about anti-malware, firewalls, cryptography, Novell AppArmor and to a lesser degree file integrity tools. I have to get more help with NIDS and ninja in particular and I need lots of hand holding and support.

Thank you.

[Welly Wu]

Let me be clear: my goal with this thread of mine is to achieve a reasonably strong desktop security that covers most of the bases in the security sticky threads. I need to be told when I am crossing the line and I am going overboard based upon further replies that I make or others contribute in this thread. Thank you.

[Welly Wu]

I sent a PM to rookcifer and I created and enforced his custom Novell AppArmor profiles for Mozilla Firefox, X-Chat, Pidgin, etc. and I noticed that I can not customize my Firefox extensions or add-ons and the Ubuntu Unity web apps desktop integration is broken. Can you please reply with help to fix these problems? I am using Mozilla Firefox 17 and Ubuntu 12.10 64 bit. Thank you.

[Bucky Ball]

I sent a PM to rookcifer and I created and enforced his custom Novell AppArmor profiles for Mozilla Firefox, X-Chat, Pidgin, etc. and I noticed that I can not customize my Firefox extensions or add-ons and the Ubuntu Unity web apps desktop integration is broken. Can you please reply with help to fix these problems? I am using Mozilla Firefox 17 and Ubuntu 12.10 64 bit. Thank you.

This should be the subject of a new thread as it has little to do with the original post and description of this thread. I advise you post a new thread regarding this issue. You will broaden your chances of getting help with it.

[Welly Wu]

Okay. Will do soon.

[Ms. Daisy]

The OP has all been done already, the result was the Basic Security Wiki. IMO anything past that is overkill for a standard home user.

Honestly it seems like you're trying to tackle the most difficult concepts first. Start simple & start with the big obvious vulnerabilities (like the stuff covered in the basic security wiki). Once you've mastered that then try deploying apparmor. If you misconfigure security tools, you might be creating more vulnerabilities than you're fixing.

You could also watch this:
http://www.irongeek.com/i.php?page=v...stem-hardening

[Welly Wu]

I read it and I applied most of the guides. I'm looking for more advanced security topics and I need help.

I installed integrit, psacct, rkhunter, chkrootkit, and apparmor-profiles. I was messing around with Rookcifer's custom Novell AppArmor profiles for Mozilla Firefox, but those are for Ubuntu 12.04 LTS. I had some problems with them so I deleted his profiles and I created a new .mozilla folder to get Firefox to start anew again.

I still need help with Novell AppArmor profiles for Google Chromium and Mozilla Firefox that were written for Ubuntu 12.10 64 bit.

I also need guidance on ninja before I even think about trying to install and set it up again. This will be the last thing that I do. I am also thinking about failog, but I have not tried it yet. Basically, I am avoiding security packages and tools that can get me locked out if I make a mistake because I don't know what I'm doing for now. I want to leave that stuff for the very end when I gather enough help and support for failog and and ninja.

I got the basic security down pat. I'm more interested in the advanced security packages and tools that I mentioned earlier.

It's been slow going, but I have not made any terrible mistakes yet. I want to do this piecemeal in stages over a couple of days to test out how everything works under normal conditions.

I need more people to reply with answers and support.

[SeijiSensei]

I'll just say that I've run Linux servers that are exposed to the Internet day in and day out for over fifteen years and never did any of the things you seem to think are important. Other than a carefully-written set of iptables rules that allow only specific types of connections, there is nothing else running from a security perspective. I had one hacking incident a decade ago because I failed to keep Apache up to date. That's it.

Now desktop usage can be more dangerous if you visit dicey sites, but I don't. I did encounter the Javascript-based phony virus scanner ("Antivirus 2010") while reading an article at the New York Times, but it was pretty obviously a scam: the application claimed to be scanning my "C:" drive!

[Welly Wu]

Keep those replies coming because I am gaining valuable knowledge. I plan to work on GUFW and my iptables tomorrow afternoon. I already have a list of iptables connection rules that I need. I do keep my Ubuntu 12.10 64 bit desktop up to date to the second. I did read the basic security guide and I followed most of the recommendations and guidelines. So, I should be very safe and secure right now which I am. I just want to kick it up a notch or two. I want to deepen my knowledge of Ubuntu security packages and tools and I want to harden and lock down my Ubuntu desktop to make it reasonably safe and secure to use on a daily basis. I am willing to trade in convenience for security.

On Saturday, I plan to look for custom Novell AppArmor profiles for Mozilla Firefox and Google Chromium. I will create a new thread for them for Ubuntu 12.10 64 bit.

[Hungry Man]

I'd be willing to work with someone on an 'Advanced Security' wiki for users if that's what's being asked for.

Let me be clear: my goal with this thread of mine is to achieve a reasonably strong desktop security that covers most of the bases in the security sticky threads. I need to be told when I am crossing the line and I am going overboard based upon further replies that I make or others contribute in this thread. Thank you.

I would say anything beyond the basic security wiki is overboard for a typical user. The wiki explains AppArmor, which will make systems pretty secure with only a bit of effort.

Beyond that I think it ends up recompiling the kernel from source with PaX and Grsecurity. Using a minimal install and manually selecting packages to reduce attack surface. Creating user/group for applications and configuring IP tables to work with it, along with various other ACL functions.

Ninja sounds like a pain in the *** to deal with. I'd rather set up RBAC via Grsecurity as that patch will more completely prevent privilege escalation.

I'd be willing to work on an Advanced Security Wiki that goes in depth into more difficult and time consuming ways to secure a system if there's some demand for that.