Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: How to fully secure and harden a Ubuntu 20.04 laptop?

  1. #1
    Join Date
    Mar 2019
    Beans
    246

    How to fully secure and harden a Ubuntu 20.04 laptop?

    Hi,
    I am trying to secure my Ubuntu 20.04 laptop to make sure it does not connect to the internet, either by accident or through an attack. (I use another computer for research on the internet).

    So far I have done the following:
    -I have disabled ethernet, wifi, Bluetooth in the bios and only have the USB port enabled for my USB sticks
    -I have activated the uncomplicated firewall using the command sudo ufw enable
    -I thought it might be a good idea to generate logs, using sudo ufw logging on
    -I don't want any ports to be open and wonder if I need to execute any particular commands to ensure no port can be accessed?
    -I encrypted the hard drive when I installed Ubuntu 20.04
    -What kind of passwords do I definitely need to set up?
    -Is there anything else I need to adjust in the bios?

    Thanks for the tips.
    Last edited by bhubunt; December 7th, 2021 at 10:15 PM.

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Don't want to connect to the internet?
    a) Don't plug in any ethernet cable.
    b) Disable wifi in the BIOS.
    c) Disable bluetooth in the BIOS.
    d) Don't connect any USB devices of any sort, since they might have extra network features.

    Enabling ufw only enables the default rules ... which is typically "deny incoming". It does nothing for outbound traffic.

    netstat -tun will show ports. There are other commands - like ss. Don't worry about 127.x.x.x/8 ports/listeners. That's just the lo device and Unix systems use it to talk to themselves.

    Stay patched.
    Have daily, automatic, versioned, backups - that are "taken when off-line.

    But this doesn't guarantee security. Someone with physical access and 5 seconds could change many of those settings.

    There is no absolutes when it comes to computer security. It is about risk mitigation based on the attack surface. A 16 yr old trying to protect his laptop from a 7 yr old little brother has a vastly different attack surface than someone helping an organization with billions of USD on the line ... or lives on the line. The probable attackers matter.

    You didn't mention 2FA for the encrypted HDD. Do you take security serious?

  3. #3
    Join Date
    Jun 2010
    Location
    London, England
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Have you set a password for the UEFI/BIOS settings utility? How easy is it to reset the machine back the manufacturer's hardware defaults? Open the case; remove a lithium coin battery; wait a few minutes and replace the coin battery? Is it that easy? Are you going to glue the case parts together?

    Regards
    It is a machine. It is more stupid than we are. It will not stop us from doing stupid things.
    Ubuntu user #33,200. Linux user #530,530


  4. #4
    Join Date
    Aug 2021
    Location
    Carson City, Nv
    Beans
    97
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Code:
     sudo ufw default deny outgoing
    then restart the firewall
    Code:
     sudo ufw disable && sudo ufw enable
    Last edited by psychohermit; December 8th, 2021 at 06:31 AM.

  5. #5
    Join Date
    Aug 2011
    Location
    52.5° N 6.4° E
    Beans
    6,849
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Only slightly joking, but does your laptop have microphone and speakers? Those could be set up to create a com link to a different device, even from inside a Faraday cage, with a range of several meters and completely bypassing all bluetooth security or firewalls.

  6. #6
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Quote Originally Posted by Impavidus View Post
    Only slightly joking, but does your laptop have microphone and speakers? Those could be set up to create a com link to a different device, even from inside a Faraday cage, with a range of several meters and completely bypassing all bluetooth security or firewalls.
    That's true. Remember reading about a printer being forced to make specific noises so a fax machine in the same room could dial out reproducing the saved pages at a remote spying location. Both the printer and fax were hacked.

    There have been proof of concept demonstrations of wired keyboards and mice events (keypresses) being captured 50m away from the keyboard. With wireless versions, the range is much farther. https://www.theatlantic.com/technolo...t-away/492962/ Some POC demonstrations were with smartphones "listening" to the typing. After a short time of listening, heuristics can be applied to figure out the sound of each key.

    Be careful using USB: https://www.reuters.com/article/us-c...0G00K420140731 This has been a known issue for years. USB devices can contain their own driver and self-install that driver with root privileges and no user knowledge.

    But we're off in super-secret-squirrel-spy land now.
    Last edited by TheFu; December 8th, 2021 at 03:33 PM.

  7. #7
    Join Date
    Mar 2019
    Beans
    246

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Quote Originally Posted by TheFu View Post
    1 -Don't connect any USB devices of any sort, since they might have extra network features.


    2 - Stay patched.
    Have daily, automatic, versioned, backups - that are "taken when off-line.

    3 - But this doesn't guarantee security. Someone with physical access and 5 seconds could change many of those settings.

    4 - You didn't mention 2FA for the encrypted HDD. Do you take security serious?

    Thanks so much for these great comments. I have numbered the points I'll reply to, with more questions. The computer, just to clarify, is always off-line.

    1 - I had a feeling that USBs might be a problem as I read somewhere that they could also function as antenna's? So I won't be using USBs anymore but then how do I save my LibreOffice docs? They're on the hard drive but I'd like to have separate backups on another device, as well. How to do this since I do not want to go online? Would an external hard drive not offer a similar security risk?

    2- Pardon my newbie status, but I am not sure what staying patched means and how I would activate those backups off-line.

    3- I carry my lightweight computer in my backpack and never leave it at home or out of sight.

    4- How do I install 2FA on a computer that is always offline?

    Regards

  8. #8
    Join Date
    Mar 2019
    Beans
    246

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Quote Originally Posted by grahammechanical View Post
    Have you set a password for the UEFI/BIOS settings utility? How easy is it to reset the machine back the manufacturer's hardware defaults? Open the case; remove a lithium coin battery; wait a few minutes and replace the coin battery? Is it that easy? Are you going to glue the case parts together?

    Regards
    Thanks so very much for the reply. Yes, I have set a password for a UEFI/BIOS settings utility. I always carry the laptop with me, never leave it out of sight, but thanks for letting me know about the battery replacement loophole...

    Regards

  9. #9
    Join Date
    Mar 2019
    Beans
    246

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Quote Originally Posted by psychohermit View Post
    Code:
     sudo ufw default deny outgoing
    then restart the firewall
    Code:
     sudo ufw disable && sudo ufw enable
    Super! I will definitely block all outgoing traffic as well. Thanks so much.

  10. #10
    Join Date
    Mar 2019
    Beans
    246

    Re: How to fully secure and harden a Ubuntu 20.04 laptop?

    Quote Originally Posted by Impavidus View Post
    Only slightly joking, but does your laptop have microphone and speakers? Those could be set up to create a com link to a different device, even from inside a Faraday cage, with a range of several meters and completely bypassing all bluetooth security or firewalls.
    Yes, the laptop has microphone and speakers. Are you suggesting it's best to have those removed if you want a totally secure off-line laptop?

    Thanks so much for the reply.

Page 1 of 3 123 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •