My Note on Basic Ubuntu Security

Somchai Saengamnatdej
April 17, 2010

As an end-user of Ubuntu (a beginner, not an expert!), I have read some articles
and tutorials on what could be done to strengthen Ubuntu security, and I made this
note for my future use. I am very grateful to all of the writers of the materials listed in
the references below.

1. Dos and Don'ts.

○ Do not change the default networking settings unless you understand them.
○ Use strong passwords.
○ Do not install software from untrusted sources.
○ Back up regularly. It's also possible to make an image disc for backup files
[1.].
○ Do not give your password away.
○ Do not click on links or open attachments in emails from people you do not
know.

2. Find a program for your browser to restrict JavaScript. This gives your computer
some protection against XSS (Cross-Site Scripting) attacks.
3. Get a firewall by installing Firestarter (for GNOME) or Guarddog (for KDE).
These are front ends for iptables, a powerful firewall.
4. Install rootkit detectors such as rkhunter and chkrootkit to check whether your
computer has been cracked or had a rootkit installed.
5. Configure your sudoers file with visudo to best suit your situation. See Ref. [3.].
An example configuration follows the references.
1. Learn how to use the vi editor (needed here, when you use visudo to edit the file).
2. Read the visudo manual by typing "info visudo" in your terminal, or by going to Ref.
[5.]. An important part of it is here: "visudo parses the sudoers file after the
edit and will not save the changes if there is a syntax error. Upon finding an
error, visudo will print a message stating the line number(s) where the error
occurred and the user will receive the "What now?" prompt. At this point the
user may enter "e" to re-edit the sudoers file, "x" to exit without saving the
changes, or "Q" to quit and save changes. The "Q" option should be used with
extreme care because if visudo believes there to be a parse error, so will sudo
and no one will be able to sudo again until the error is fixed. If "e" is typed to
edit the sudoers file after a parse error has been detected, the cursor will be
placed on the line where the error occurred (if the editor supports this
feature)."
3. As root, type "visudo". It opens the contents of the /etc/sudoers file in the vi
editor, lets you edit it, and then applies the changes. The vi session does not
edit the actual /etc/sudoers file, but a temporary copy of it created by
visudo. After you make the changes and exit vi, visudo runs its syntax
checks on the copy before replacing the actual /etc/sudoers file. [6.]
4. Using visudo is not very easy. The steps below follow [7.]. However, I
think that you had better spend some time studying the editor tutorial [8.].
1. # sudo visudo
2. Press "i" to enter edit mode in the vi editor, or press "a" (see the
difference in [8.]).
3. Go to the end of the sudoers file with the cursor keys.
4. Add your lines.
5. Press ESC to exit the edit mode.
6. Enter the command :wq (colon, then w and q, to save and exit the editor).
5. Some say that visudo is only a wrapper that provides locking and validation
for the sudoers file, so if you prefer, the nano editor may be used instead.
1. export EDITOR=nano
2. Use the down arrow key to move down to where you want to insert and
type it in. Then, hold down <Ctrl> and press x to save and exit. Press Y when it
asks if you want to save it.

6. For more details on the vi editor, see the tutorial for beginners in Ref. [8.]. Here is an
excerpt:
1. vi editor has two modes: command and insert. The command mode allows the
entry of commands to manipulate text. These commands are usually one or
two characters long, and can be entered with few keystrokes. The insert mode
puts anything typed on the keyboard into the current file.
2. VI starts out in command mode. There are several commands that put the VI
editor into insert mode. The most commonly used commands to get into insert
mode are a and i. These two commands are described below. Once you are in
insert mode, you get out of it by hitting the escape key. If your terminal does
not have an escape key, ^[ should work (control-[). You can hit escape two
times in a row and VI would definitely be in command mode. Hitting escape
while you are already in command mode doesn't take the editor out of
command mode. It may beep to tell you that you are already in that mode.
7. Reduce the timeout for sudo (the default is 15 min.).
8. Disallow remote logins. If you are the only user of a computer, you may configure
the host to restrict to your own computer only.
9. For further protection (these are more suitable for your computer in the workplace
or your server):
1. Set up a BIOS password.
2. Set up a Grub password; for details see Ref. [9.].
10. Configuring the sshd_config file is also advised [10.]. The file is at
/etc/ssh/sshd_config. There is no such file in my Ubuntu desktop version. It is
probably for the server edition.

For more details and useful links, see references.

References

[1.] Security on Ubuntu
http://www.psychocats.net/ubuntu/security
[2.] Basic sudo
http://aplawrence.com/Basics/sudo.html
[3.] HowTo: Sudoers Configuration (Well-written tutorial for beginners.
Recommended!) written by ibuclaw (last updated, April 22nd, 2009) at
http://ubuntuforums.org/showthread.php?t=1132821 accessed on April 17, 2010.
[4.] Sudoers manual
http://www.gratisoft.us/sudo/man/sudoers.html
[5.] Visudo manual
http://www.gratisoft.us/sudo/man/visudo.html
[6.] Visudo Tutorial
http://www.unixtutorial.org/2007/12/visudo-tutorial/
[7.] Editing Sudoers with Visudo
http://ubuntuforums.org/archive/index.php/t-143461.html
[8.] Mastering the VI editor (Recommended)
http://www.eng.hawaii.edu/Tutor/vi.html
[9.] Set Grub password
http://ubuntuforums.org/showthread.php?t=7353
[10.] Configuring sshd_config file
http://swiss.ubuntuforums.org

The example of configuration of the sudoers file.


This example was given by Ref. [3.].

Defaults env_reset, tty_tickets

# Host alias specification
Host_Alias HOST = jaunty
Host_Alias LAN = 192.168.1.0/255.255.255.0
Host_Alias HOME = HOST,LAN

# User alias specification

# Cmnd alias specification
Cmnd_Alias CRYPT = /usr/bin/truecrypt
Cmnd_Alias USBDEV = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin HOME=(root) ALL
%admin HOME=(root) NOEXEC:/usr/bin/vim
iain HOME=(root) NOPASSWD:MYPROGS
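
Items 5 and 7 above can be combined into one script. The following is an added example, not taken from the references: it writes a fragment that shortens the sudo timeout, checks it with visudo -cf in the same way visudo checks an edit, and installs it only if the check passes. It assumes the main sudoers file includes /etc/sudoers.d; the VISUDO variable and the file name "timeout" are hypothetical.

```shell
#!/bin/sh
# Added example: stage a sudoers drop-in, check it, then install it.
# VISUDO is a hypothetical override so the checker can be swapped out;
# by default the real visudo is used.
VISUDO="${VISUDO:-visudo}"

# Write a fragment that shortens the sudo password timeout.
# $1 = minutes (0 means ask every time), $2 = output file
write_timeout_fragment() {
    case "$1" in
        ''|*[!0-9]*) echo "minutes must be a whole number" >&2; return 2 ;;
    esac
    printf 'Defaults timestamp_timeout=%s\n' "$1" > "$2"
}

# Install $1 as $2 only if the syntax check passes.
# A file that fails the check never reaches the sudoers directory.
install_sudoers_dropin() {
    src=$1
    dest=$2
    # sudo skips drop-in names that contain '.' or end in '~'
    case "$(basename "$dest")" in
        *.*|*~) echo "sudo would ignore this file name" >&2; return 3 ;;
    esac
    if ! "$VISUDO" -cf "$src" >/dev/null 2>&1; then
        echo "syntax check failed, $dest left untouched" >&2
        return 1
    fi
    # sudoers files are expected to be read-only (mode 0440)
    install -m 0440 "$src" "$dest"
}

# Typical use, run as root (paths are examples):
#   tmp=$(mktemp)
#   write_timeout_fragment 5 "$tmp"
#   install_sudoers_dropin "$tmp" /etc/sudoers.d/timeout
#   rm -f "$tmp"
```

Because the check runs on the staged copy, a typing mistake cannot lock everyone out of sudo, which is the risk the visudo manual excerpt in item 5 warns about.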
