Ubuntu Security

The Windows Mindset

If you are coming from a Windows background you are used to terms like antivirus, spyware, and firewalls. Linux is different and these are not as important.

Viruses

The fact of the matter is: viruses/worms take advantage of flaws or holes in the code. There are no significant Linux viruses "in the wild". Linux boxes are no less targets than any other OS.

Do not believe the suggestion that the Linux community is complacent or "behind the times" in terms of viruses, or any other security issue. Linux developers have not "ignored" viruses, rather the OS is built to be highly resistant to them and since the code is "Open" there are literally thousands of eyes watching .

For the most part, Linux anti-virus programs scan for Windows viruses which do not run on Linux.


Reasons AGAINST antivirus on Ubuntu:

1. They scan primarily for Windows viruses.
2. There is a high rate of false positives.
3. Isolation/inoculation is poor.
4. And currently there are no known active Linux viruses (so there is essentially nothing to detect).

Reasons FOR antivirus on Ubuntu:

• You are running a file or mail server with Windows clients.
• You wish to scan files before transferring them, by email, flash drive, etc., to a Windows machine.

Running antivirus can make some sense if you are intending to "protect" Windows users, however, for a variety of reasons, it is best if Windows users learn to protect themselves.

Note: There have been many documented cases in Windows and Linux that a buffer overflow in an antivirus product has been an attack vector!

If you would like to run an antivirus program on Ubuntu you have several choices :

• Antivirus
• ClamAV
• http://www.avast.com/eng/avast-for-l...rkstation.html
• http://www.pandasoftware.com/download/linux.htm
• http://www.centralcommand.com/linux_server.html
• http://www.f-prot.com/products/home_use/linux/

Comments on wine

Discussions about running Windows viruses on wine crop up from time to time and it is possible to run some Windows viruses on wine.

See these links :

• McAfee Avert Labs Blog
• Running Windows viruses in wine

Take the same precautions with wine as you would with Windows. Do not install untrusted applications from untrusted sources.

Windows viruses will be confined to ~/.wine and they do not have permission to change system files. This means to remove them you simply:

Code:

rm -rf ~/.wine

Please take care, this command deletes everything in your wine directory including all data and all applications.

You then need to restore your wine directory from a known good backup (you do keep backups ?).


Firewall

GUFW (gui)

UFW - Desktops

UFW - Servers

Ubuntu includes a firewall, iptables, but by default nothing is engaged. This is reasonable as a default Ubuntu install opens zero ports to the outside world, so a firewall is redundant. However, installing "server software" will cause ports to open, so some people like to use a firewall as a catch-all layer to find mistakes in their configuration.

Another use for firewalls is for the administrator to forcibly impose network policies on the user.Also, a periodic audit of the system for open ports is a good practice. Running the "nmap" command from another machine, or using one of many online port scanners:

http://nmap-online.com/
https://www.grc.com/x/ne.dll?bh0bkyd2

Remember, what you care about are open ports. Closed ports and stealth ports are equally secure, in that they are inaccessible to the public.

Iptables references :

• bodhi's iptables primer
• https://www.redhat.com/docs/manuals/...-iptables.html

The "problem" with iptables is that it is not particularly friendly to new users. Fortunately, there are several more user friendly interfaces available to allow you to manipulate your firewall (UFW, Firestarter, and Guarddog) :

• UFW (Uncomplicated Firewall) is the newest tool. It is a command line tool and is, superior to the gui tools.
  
  
  • To Configure iptables , UFW uses both configuration files /etc/default/ufw and /etc/ufw/before.rules and the command line. Howto: Use, setup, and Take advantage of the New Ubuntu Uncomplicated Firewall UFW
  • If you prefer a GUI tool, gufw is a graphical front end for ufw.
  
  
  
• Firestarter is one of the most popular GUI front ends.
  
  

  How to Firestarter
  

  
  
  
• Guard dog uses the KDE libraries.
  
  

  Guarddog Online Guide
  

  
  
  

A source of confusion sometimes occurs when users feel the need to be running firestarter/Guarddog for their firewall to be active. This is untrue ! Keep in mind that these applications are not firewalls, but rather configuration tools for ip tables. These applications should be run only to configure your firewall. Once configured, IP tables (the actual firewall) is active (at boot) without having to run firestarter/guarddog. firestarter will monitor traffic, but it runs as root and there are better monitoring programs, so configure you firewall, shut down firestarter/grauddog, and let IP tables do the rest


Browser / Spyware : Java/Flash/Ad-ware/Trackers/Cookies

This is where most users will have the most risk.
We all want Java/Flash, but our Internet browser opens us to attacks.

1. Deny all cookies and add trusted sites, allowing only for session.
2. Install NoScript. Again block all and add trusted sites to a white list.
3. Install Safe History
4. Adblocking : I block with a hosts file rather then Adblock Plus or Adblock Filterset.G because a hosts file protects more then just firefox.
   
   
   • http://www.mvps.org/winhelp2002/hosts.htm
   • Linux script : http://hostsfile.mine.nu/downloads/updatehosts.sh.txt
   
   
   

See this link for additional information : How to Secure Firefox

The Ubuntu Mindset

Permissions and Encryption

The first layer of defense is file permissions. Permissions are used to set access and thus protect both system and user files.

Basic permissions
FilePermissions

See also umask at the bottom of that link. The umask value can be set in ~/.bashrc.

To set a "private home", as a user,

Code:

chmod 700 $HOME

How to's:

• Intrusion Detection
• http://www.howtoforge.com/intrusion_...ith_ossec_hids
• How to Snort

Running Server(s)

Common servers include NFS, Samba, FTP, SSH, VNC, RDP, and HTTP. Desktops become Servers if server software is installed.

Questions to ask yourself include:

1. What port(s) or services does this software provide?
2. Who will be able to connect to this? (i.e. is it restricted to a range of IP addresses Password protected?)
3. What level of access will the visitor have to the system? (i.e. does the server run under a restricted user, or the root account? What can this restricted user do in a worst case scenario?)
4. Does this service expose any additional information that's useful to a hacker? (i.e. does it allow users to transmit their passwords in cleartext? Does it have a 'statistics' view that reveals logged-in users, ip addresses, network configuration, or other potentially helpful information?)
5. What is the security history of this software? Does it have a history of vulnerability and patch after patch? Or has it had a relatively unmarred history?

Examples :

SSH
VNC
Apache

Forensics

What to do when you think you have been cracked :

1. Power off.
2. Disconnect/disable your Internet connectivity.
3. Now take a deep breath, re-boot, and read the logs. Ask for help if needed, but you really need to confirm that your system has been compromised.
4. If you have been compromised, and have the time and interest, boot a live CD and image your hard drive. This image can then be used for forensic analysis.
5. Re-install. Unfortunately, there is no way to trust a compromised system.
6. When you install, be sure to install off line, use a stronger password, and research intrusion detection.

Intrusion References
CERT® Coordination Center (CERT/CC)
CERT® Coordination Center ~ Intruder Detection Checklist


My goodness ...


Further Reading:

Ubuntu wiki ~ Security page

Ubuntu wiki ~ Installing Security Tools

UDSF Security Analysis Tools

The Big Ol' Ubuntu Security Resource

Locking Down Ubuntu

Ubuntu geek ~ Security category

Security references Topics include Basics, firewall, Intrusion detection, Chroot, Forensics/Recovery, and Securing networked services.


Changing poison into medicine,
Nam-myoho-renge-kyo
 Technicowl
A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999

President Obama tells Haiti

Video: You will not be forsaken

Haiti's Other Earthquake

Restavek and Child Slavery: Haiti's Other Earthquake

Haiti holds a romantic and tragic place in the historical imagination -- a nation birthed by a successful slave rebellion, it was the first to abolish slavery in the Western hemisphere and briefly served as a beacon of hope for American abolitionists. However, it never realized its promise, for reasons that scholars and analysts can debate ad infinitum.

Perhaps most egregiously, its grinding poverty is so pervasive that an estimated 300,000 children have been given up by their parents to become restavèks -- a creole term for children sent to become house servants to wealthier Haitians. According to human rights workers and survivors of the child-slavery system, these children are forced to work long hours, are often kept out of school, are barely fed and clothed, and are routinely abused physically, emotionally and sexually.


Now, professional recruiters have made the situation even worse by making a business out of the longstanding informal practice. Last June, a United Nations expert on contemporary forms of slavery, Gulnara Shahinian, visited Haiti at the invitation of the government and issued a report that included the recommendations summarized below:

Since it is still struggling to recover from devastating storms in 2008 and will now be focusing effort on earthquake rescue, relief and repair, it's not likely that Haiti will have the resources to enact the reforms advocated by the UN, so private efforts such as Cadet's take on greater significance. Other high-profile philanthropic efforts include Haitian American musician Wyclef Jean's Yele Foundation. In 2008, Jean spoke to Al Jazeerah about his efforts to combat Haiti's food crisis:
Jean also sprang into action about the earthquake via Twitter,tweeting a way to contribute to the relief effort via text message.

Jean's efforts to combat poverty in Haiti are complemented by the work of other philanthropists, including former Pres. Bill Clinton, who serves as the UN special envoy to Haiti. He toured the island in March, 2009 with UN Secretary Ban Ki-Moon to survey efforts by his foundation and other organizations to expand education and nutrition programs. Clinton has been upbeat about Haiti's future, saying it...
"...offers unique opportunities for public and private investment to improve health and education in ways that will be good for Haitians and all their partners in our interdependent world."

Now that the earthquake has delivered to the country what Mr. Ban has called "catastrophic" and Haitian President Rene Preval has called "unimaginable," considerably more effort will be required to ensure that those investments are made and the benefits trickle down to the poorest Haitians so that they will be able to feed and care for their own children. Ultimately, only economic development and sustained human rights activism will finally allow the island to realize the dream that its founders fought so desperately to achieve more than 200 years ago.

How to help - Haiti- Charitable Organizations

A list of charitable organizations active in the nation

msnbc.com

updated 11:11 p.m. CT, Tues., Jan. 12, 2010

• Action Against Hunger
• American Red Cross
• American Jewish World Service
• AmeriCares
• Beyond Borders
• CARE
• Catholic Relief Services
• Childcare Worldwide
• Direct Relief International
• Doctors Without Borders
• Feed My Starving Children
• Friends of WFP
• Haitian Health Foundation
• Hope for Haiti
• International Medical Corps
• International Relief Teams
• Medical Teams International
• Meds and Food for Kids
• Mercy Corps
• Operation USA
• Oxfam
• Partners in Health
• Samaritan's Purse
• Save the Children
• UNICEF
• World Concern
• World Vision
• Yele Haiti
  Wyclef Jean's grassroots org
  Text Yele to 501 501 to donate $5 via your cellphone

The U.S. State Department Operations Center said Americans seeking information about family members in Haiti should call 1-888-407-4747. Due to heavy volume, some callers may receive a recording. "Our embassy is still in the early stages of contacting American citizens through our Warden Network," the U.S. State Department said in a statement. "Communications are very difficult within Haiti at this time."

For those interesting in helping immediately, simply text "HAITI" to "90999" and a donation of $10 will be given automatically to the Red Cross to help with relief efforts, charged to your cell phone bill

Toshiba Satellite E205 with Intel 802.11n Wireless Display Technology

The E205 will be available for $999 on Best Buy’s site on January 12, (TODAY) and will appear in retail stores several days later.

The coolest feature of the E205? With the push of a button you can beem wirelessly whatever you're watching then stream 720p video from the notebook to (like Hulu) to your big-screen TV, courtesy of Intel’s new Wireless Display technology. The video is carried over 802.11n to the Netgear box, and is then converted to a wired HDMI signal. Best Buy bundles a special box from Netgear that acts as a wireless receiver and plugs into your HDTV via HDMI.

 

Wi-Fi Alliance

 The Wi-Fi Alliance is a global, non-profit industry trade association formed in 1999 to certify interoperability of Wireless Local Area Network products based on the IEEE 802.11 standard and amendments with more than 200 member companies devoted to promoting the growth of WLANs. Certification programs ensure the interoperability WLAN products from different manufacturers, with the objective of enhancing the wireless user experience.

Wi-Fi Alliance Certification Programs address: Wi-Fi products based on IEEE radio standards 802.11a/b/g/n Wi-Fi Protected Access certification , wireless network security(WPA, WPA2 and WPS for personal and enterprise deployments), authentication mechanisms used to validate the identity of network devices (EAP), and support for multimedia content over Wi-Fi networks (WMM and WMM Power Save. (WPS) Wi-Fi Protected Setup certification.

802.11n is Ratified - Cisco Celebrates with New Lower Prices

Tweet this

Cisco Celebrates with New Lower Prices!

The Industry's Favorite 802.11n AP Now at a Fraction of the Cost

Your users want a wireless network that can provide 7x more video and 9x the speed. Your business needs the investment protection that comes with the fastest-growing and most widely deployed 802.11n technology. You want the confidence that comes from deploying a ratified standard, but for a low price.

Cisco is leading the market transition toward 802.11n and for a limited time only, we're offering an exclusive deal that removes the barriers to adoption of the industry's most powerful wireless technology.
Take advantage of the 11n Acceleration Kit, which includes:

• The Cisco Aironet 1140 Series Access Point at a significantly reduced price
• Up to 10 percent trade-in credits for your existing wireless gear
• Attractive financing options including no payments or interest for three months*
• Try-before-you buy programs*
• Even greater savings when bundled with Cisco 5500 Series Wireless LAN controller, designed for 802.11n performance**
• Plus, you can get expert help with wireless migration services from Cisco and our partners.
  Set your ideas in motion with Cisco 802.11n and start saving today.
  https://sales.liveperson.net/hc/74453203/?cmd=file&file=visitorWantsToChat&site=74453203&forceOffline=true&SESSIONVAR!OfflineTrigger=OFFLINEOUTCOME&referrer=%28button%20dynamic-button:chat-wireless-sales-english-wireless_offer1-copy%28802.11n%20Is%20Ratified%20-%20Cisco%20Celebrates%20with%20New%20Lower%20Prices!%29%29%20http://www.cisco.com/web/offers/wireless/80211n/11naccelkit.html

» Learn more about Cisco 802.11n
» Learn more about Scalable Wireless Performance
Accelerate your adoption of 802.11n technology by taking advantage of this exclusive deal.

1-877-330-3409

When calling, use code:
"Celebrate"

Register for the
11n Acceleration Kit promotion.
https://apps.cisco.com/gdrp/coiga/showsurvey.do?surveyCode=5016&keyCode=184584_5