Hardening new ubuntu installation

Kent Borg kentborg at borg.org
Mon May 18 19:30:07 UTC 2009 

Knute Johnson wrote :
> The first an simplest thing you can do is to turn on the firewall.

If you have done a default install, there will be no software listening
for any inbound network connections, so blocking things with a firewall,
though it won't specifically hurt, won't help you either; it isn't
necessary.  In fact, there is one way a firewall can hurt: if it makes
you think it does offer some sweeping security features which it does
not, it can lead to complacency.  Also, a firewall can be confusing to
setup (iptables are confusing...) and if you get it wrong it can be
useless, break things, etc.

My security suggestions are 6:

 1. Be smug that you are not running MS Windows, you are already sooooo
much safer.  In fact, you are nearly done.

 2. The default Ubuntu install is quite secure (remember, by installing
Ubuntu you are nearly done), but if you start installing new stuff or
changing the configuration of the system, you might change that. 
Understand what you install.  If it is an application that is part of
Ubuntu and one that only runs when you run it, and if it doesn't
otherwise change the operation of the system, you are pretty safe. 
However, if you install some server software or if you install software
you download from some random web site (run by...?), you might get into
trouble.  Stick with the software you install with Synaptic, and try to
understand what you install.

 3. Keep you computer up to date.  Ubuntu will want to install software
updates, let it do so.  When they stop releasing security updates
(regular releases get updates for 18-months), upgrade to a newer version
of Ubuntu.

 4. Be afraid of Javascript.  Every web site seems to want to use it,
but most Firefox security holes that are discovered require Javascript. 

  Do you really want any hacker who can put up a web site or buy an ad
to be allowed run *his* software on *your* computer?  That's what
Javascript let's him do.  Yes, there are restrictions to what Javascript
can do, but there always seems to be another vulnerability to be fixed. 
Also, Firefox lets you open up a bunch of windows and tabs at once, if
they are all busily running Javascript your computer can slowdown.

  I recommend you install the Firefox extension "NoScript", it lets you
decide whether to let a website run Javascript (a little menu in the
bottom corner of the browser window makes it easy), by default most web
sites are not allowed.  Turn on Javascript for your bank, turn it on for
favorite sites you trust, but mostly keep it off.  You will be much
safer and your computer will run faster.

 5. Be suspicious of e-mailed attachments.  Is it from someone you
know?  Is it expected?  (In other words, really from the claimed
sender?  It could be a forgery.)  Mostly the evil software you receive
will only work on Windows, but this will change as Linux becomes more
popular, so start being wary now.

 6. Do NOT recycle passwords between different web sites and accounts. 
This is more general advice and it is the most radical, I know. 

 Most people have just one or a small number of passwords they use all
over the place.  This is dangerous, it is like having one (or several)
master key(s) to your life and then giving copies to everyone you ever
do business with!  Do I want the restaurant or convenience store I stop
at to have a key to my house?  Recycling passwords is like that, giving
lots of people copies of just a couple passwords is bad.

 Instead use different passwords for different purposes.  If you want to
be fancy and find a way to keep the list encrypted somehow, cool.  But
if that is too complicated and frightening (lose the master password or
have a technical malfunction...), get a piece of paper and write down
your passwords there, all in one long list. 

 People like to repeat old advice about never writing down a password,
but if writing them down is what it takes to not recycle passwords, then
it is a good idea.  A nasty hacker half way around the world isn't going
to be able to read the passwords you have written down in your wallet,
but if that hacker breaks into (or runs!) a website that you give your
password to...

  Yes, choose good passwords.  And if you want to somehow obscure the
passwords you write down (some regular transposition maybe) that will
make you safer if you lose your wallet.  If you make a photocopy
periodically and keep it separate you will be able to change all your
passwords the day you might lose your wallet.


Forget about the firewall--or turn on a firewall--but either way please
consider the advice above.


-kb, the Kent who knows people will disagree with him.

More information about the ubuntu-users mailing list