Page 1 of 3 (results 1 to 10 of 25)

Thread: Should I harden my Ubuntu 64 bit further?

  1. #1
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    665
    Distro
    Ubuntu 18.04 Bionic Beaver

    Should I harden my Ubuntu 64 bit further?

    Hi. I installed Ubuntu 11.10 64 bit using the alternative installation .ISO file which I burned to a CD-R disc. I set up a custom installation using full disk encryption using LUKS/LVM (AES-CBC mode 256 bits SHA-256 hash algorithm). I also set unique, strong, complex passwords for my home directory and LUKS/LVM at boot-up.

    I opened up the BASH terminal and I typed in chmod 700 $HOME this morning.

    I have not set up custom AppArmor profiles or HIDS / NIDS such as Snort yet. I am still reading the stickies to learn more information before I make that decision.

    Which gets me to my point: should I harden my Ubuntu 64 bit by carefully following the stickies?

    I have an ASUS N61JV-X2 notebook PC with Crucial 8 gigabytes of DDR3 PC-8500 SDRAM and an Intel 2nd Generation 2.5" 34nm MLC NAND FLASH X25-M 160 gigabyte Solid State Drive. I replaced my previous operating system which was Microsoft Windows 7 Ultimate 64 bit with Ubuntu 11.10 64 bit as my sole operating system of choice less than three weeks ago.

    I have an unencrypted /boot partition of 250 megabytes.
    I have an encrypted / root partition of 10 gigabytes.
    I have an encrypted /home partition of approximately 130.00 gigabytes and I set a unique, strong, complex password using eCryptfs because Ubuntu prompted me to set my password after I installed my operating system and I logged into my user account the first time.

    I use my computer and Ubuntu 64 bit to surf the Internet, read and write e-mail messages, chat with my online friends in real time, use social media including Facebook, Twitter, Google+, LinkedIn, YouTube, etc, copy and convert my 1,100+ CDs to .FLAC lossless audio files, rip and copy encrypted DVD-Videos that I purchased, watch movies, TV shows, videos, and listen to music. I also write documents using LibreOffice Writer quite heavily. I read documents such as digital magazines, e-books, Adobe .PDF files, etc.

    I don't use my computer or Ubuntu to hack into other people's servers or computers and I do not code my own software projects. I am teaching myself how to code in C++, but I just started a few weeks ago so I am a beginner.

    I use TrueCrypt to secure my data on removable storage devices such as my Seagate FreeAgent Desk 1.5 terabyte USB 2 external hard disk drive and my Kingston DataTraveler HyperX 128 gigabyte Super Speed USB 3 thumb drive using AES-XTS mode 256 bits with SHA-512 hash algorithm.

    Do I need to go further to harden my Ubuntu 64 bit?

    Should I install a HIDS and NIDS such as Snort?

    Should I create custom AppArmor profiles for frequently used software applications that can access the Internet such as Google Chrome and Mozilla Thunderbird?

    Do I need to install my own hardened kernel which requires me to update and patch it on my own?

    I feel a lot safer and more secure using Ubuntu 64 bit with full disk encryption even though I know that once I put in my passwords and mount my drives, I am open to attacks.

    I check my hardware firewall logs for suspicious activities and unknown users trying to connect to my home network daily. I use WPA2 AES-TKIP to secure my wireless network with MAC authentication for every wireless device.

    I also installed Bitdefender for Unices with a free 1 year license and I scan my computer and storage devices daily.

    I use Deja Dup to backup my data and I encrypt it using GPG and a unique, strong, complex password.

    How much farther should I go to harden my Ubuntu system? Is it really necessary given my usage scenarios?

    I rarely take my ASUS N61JV-X2 notebook PC outside of my home. I have Verizon FiOS fiber optic high speed Internet and TV at home.

    What do you recommend? Why?

  2. #2
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    665
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Should I harden my Ubuntu 64 bit further?

    I also set Ubuntu to lock my screen with my user password every 2 minutes or I manually lock it even when I leave my bedroom every time.

  3. #3
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    665
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Should I harden my Ubuntu 64 bit further?

    I use KeePass2 with a unique, strong, complex password to store my user IDs, passwords, and other login credentials. I have a LastPass Premium account and I store my online login credentials separately from KeePass2 which I use for offline stuff like local passwords. I use the two-factor Sesame authentication with LastPass Premium and my web browsers.

    I use Google Chrome all of the time as my primary web browser.

    I set up two-factor authentication for my Google account and Facebook account and HTTPS connections are enabled by default.

    I know how to select unique, complex, random, strong passwords. I never reuse old passwords. I never use the same IDs and passwords for multiple accounts or encrypted storage devices either.

  4. #4
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    665
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Should I harden my Ubuntu 64 bit further?

    I am reading the UFW firewall sticky and I plan to deny in and restrict out to essential ports for services later today.

  5. #5
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Should I harden my Ubuntu 64 bit further?

    Seems like you might benefit from reading the basic security wiki:

    https://wiki.ubuntu.com/BasicSecurity

    But to answer a couple of your questions, yes. The AppArmor, security & firewall stickies are good to follow.

  6. #6
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    665
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Should I harden my Ubuntu 64 bit further?

    I saved that wiki so that I can read it offline. I am following some of the recommendations on the wiki, but I have not worked on ufw firewall, Snort, or NIDS. I don't use Mozilla Firefox; I use Google Chrome so some of the add-ons do not exist yet. Accuvant Labs did a research paper looking into the anti-exploitation technologies for all three of the major web browsers using Microsoft Windows as one of their test operating systems and they concluded that Google Chrome scored the highest in terms of anti-exploitation technologies including JIT hardening and sandboxes.

    There is a discrepancy between the wiki and the stickies. The stickies seem to cover more advanced topics which are not included in the wiki like Snort.

    Thank you for providing a link to that wiki. I have a lot of reading and thinking to do before I decide to harden my Ubuntu 64 bit this weekend.

  7. #7
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    665
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Should I harden my Ubuntu 64 bit further?

    Ms Daisy,

    You are one of the authors of the wiki. Thank you.

  8. #8
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Should I harden my Ubuntu 64 bit further?

    Originally posted by Welly Wu:
    > There is a discrepancy between the wiki and the stickies. The stickies seem to cover more advanced topics which are not included in the wiki like Snort.

    The discrepancy is purposeful. The basic security wiki is aimed at first-time Linux users. And it wasn't meant to be redundant, so I'd recommend reading the stickies as well.

    I don't think it really matters which browser you use, but I would recommend that you try to limit scripts in any of them. I'm pretty sure the equivalent to NoScript in Chrome is called Notscript.

  9. #9
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Should I harden my Ubuntu 64 bit further?

    Google Chrome's sandbox was exploited a while ago now, though fixed after version 15.xxx or somit or other.

    And as Ms Daisy said, NotScript is the Chrome alternative to NoScript.

    Most of your security measures are valid, though some are locally based preventative measures for physical access.

    For remote security hardening then, as you mentioned, strong firewall rules both inbound and outbound (refer to the links on the basic security wiki for guides).

    UFW is an interface to the Linux firewall Netfilter, interacted with through IPTables directly, or UFW as a CLI alternative, or GUFW which is a GUI for UFW. There are also some others but they all use IPTables/Netfilter.

    AppArmor to control your applications, and/or SELinux.

    Most exploits these days on a Linux box are browser based, SSH or running weak services such as VNC (don't run VNC over the internet directly).

    Don't do things/log on as root and don't give authorisation for root/sudo actions unless you know you want to authorise them.

    Read the Wiki and its links and the stickies then come back with more specific questions to suit your services and such like.

    Peace
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  10. #10
    Join Date
    Nov 2009
    Location
    Nutley, NJ
    Beans
    665
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Should I harden my Ubuntu 64 bit further?

    I chose to install Firestarter as it is a bit easier than gufw. I configured it to deny all incoming traffic and I configured it to be restrictive by default to whitelist traffic set by my rules. I opened up some common ports such as 80 for http traffic and a couple of other ones that I know that I will need. I read through the firewall sticky and I have to re-read it again as it is kind of complex for a new Ubuntu user like myself.
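
Added example (not part of any post in this thread): a Python check for the policy the thread keeps returning to, default-deny inbound with outbound restricted to essential ports, run over `ufw status verbose` output. The sample output is constructed and abridged, and the `ESSENTIAL_OUT` port list is an assumption of this example.

```python
import re

# Constructed, abridged sample of `ufw status verbose` output (not from the thread).
SAMPLE = """\
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW OUT   Anywhere
6667/tcp                   ALLOW OUT   Anywhere
"""

# Assumption: the outbound ports this desktop needs (DNS, HTTP, HTTPS, NTP).
ESSENTIAL_OUT = {"53", "53/udp", "53/tcp", "80/tcp", "443/tcp", "123/udp"}
# Rule rows in verbose output: "<port> [(v6)]  <ACTION> <IN|OUT>  <peer>".
RULE = re.compile(
    r"^(\S+)(?: \(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(.+?)\s*$")

def audit(status_text, essential_out=ESSENTIAL_OUT):
    """Return findings where the ruleset departs from deny-in / restricted-out."""
    findings, defaults, active = [], {}, False
    for line in status_text.splitlines():
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
        elif line.startswith("Default:"):
            # "deny (incoming), allow (outgoing)" -> {"incoming": "deny", ...}
            for policy, direction in re.findall(r"(\w+) \((\w+)\)", line):
                defaults[direction] = policy
        else:
            m = RULE.match(line)
            if not m:
                continue  # table header, separator or blank line
            port, action, direction, peer = m.groups()
            if action == "ALLOW" and direction == "IN" and peer.startswith("Anywhere"):
                findings.append(f"inbound {port} open to any source")
            if action == "ALLOW" and direction == "OUT" and port not in essential_out:
                findings.append(f"outbound {port} allowed but not in essential list")
    if not active:
        findings.append("firewall is not active")
    if defaults.get("incoming") not in ("deny", "reject"):
        findings.append("default incoming policy is not deny")
    if defaults.get("outgoing") not in ("deny", "reject"):
        findings.append("default outgoing policy is not restrictive")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

On a live system the input would be the text printed by `sudo ufw status verbose`; an empty result means the rules match the deny-in, restricted-out policy.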
