General :: Basic Security Practices For Desktop Ubuntu - Use A Limited Account

Apr 30, 2010

Most of us know the basic security practices on Windows:

Use a limited account
Set a password
Disable unused services
Uninstall bloatware
Antivirus / Antimalware
etc.

I haven't run Linux as my main desktop computer before, so I don't know how to properly secure it. I have heard Linux is supposed to be more secure than Windows, but I know that the default settings of anything are rarely secure. What are some things I should do as a new Linux user to secure my desktop system from attack?


Ubuntu :: Create A Limited User Account?

Jul 19, 2011

Can we create a limited user account in Ubuntu like XP where the user is not able to change its networking settings (like changing IPs / enabling & disabling a network interface)?


Ubuntu Security :: Remotely Creating A Desktop Account On Another System?

Mar 25, 2010

I am at my own desktop and I have root access on my own desktop.

I also have root access on a Desktop Ubuntu system (192.168.5.10) on the LAN. I need to create another desktop user account on that 192.168.5.10 system.

So I logged into that system with: ssh -Y myself@192.168.5.10
Then I did: sudo users-admin

This brings up the Users Settings but the Add User and Unlock buttons are disabled. How do I enable these buttons?


Ubuntu Security :: Guidance On Installing Basic Security Software?

May 29, 2010

I just installed Ubuntu on a desktop. Can anyone give me some guidance on installing basic security software? In particular, I'm looking for a firewall, antivirus, and anti-spyware/malware utilities.


Ubuntu :: Virtual Desktop Limited To 16?

Jul 22, 2010

I am using Ubuntu 10.04 LTS and can only use 16 virtual desktops. And when I open the preference menu it will not let me name the desktops. How do you put a different background on the desktops?


Ubuntu Security :: Making New User With Limited Access?

Sep 19, 2010

Is there any way to make a user with command text, just with the accessibility to change the network IP address?


Ubuntu Security :: User (in Jail) With Very Limited Permissions

Nov 21, 2010

I want to have an account (beta user), on which: I can use the Internet and other programs, without administrative rights, without the right to install programs, with a kind of sandbox for everything that is connected to the Internet, which means: everything that is associated with the web browser's processes and files that I save to hard disk I want to be separated from the rest of the system, so that whatever can catch up on this account will be locked in it, for example any (if at all) possible malicious scripts from the Internet or whatever may be dangerous now or invented in the future. Sometimes, for example, I save a web page to disk with all its content.

And in case someone cracked into this account I want make it in that way that he could not do any tricks to read or change passwords, or make any other changes to the system. The best would be if a password for that user might serve only to log in without having any other powers, and I would give that user an automatic login. For now I created a beta user without administrative rights. I understand that the limiting rights of the user are associated with limiting rights to their home directory. There are also groups, and a user may be included or excluded. I excluded that user from admin group but I don't know what else I can limit and how. When I give chmod 0644 for /home of this user he cannot run Firefox. When I give him 0740 he can run applications, so I assume the x attribute must be preserved.

This is a user without sudo rights, so when I type sudo apt-get update a message shows up correctly that this user doesn't belong to the sudoers group. But still it's not what I wanted. When the user runs Gufw and wants to change the settings to disable the firewall, a message shows up asking to type in a password of alpha user = primary user, which is that belonging to the sudoers group, the first / main user that I created during system installation. I wish that there was only the message that the beta user has no power to change anything, which means even completely remove the possibility of asking for sudo.

In addition, I wish that this beta couldn't be able to change the permissions to its home directory, or go to see what is above. Because so far beta can change the file permissions for its /home, even without a sudo password. How can I do it? Do I need to create a kind of chroot jail for this user? I would like any changes to that user account to be made only after the user logs off from the beta account and logs in on the alpha account, and that beta could run only programs that were installed by alpha. And that beta could read and write, but alpha could also read and write or remove, alter files on the beta account. Basically, the alpha account should be superior to the beta account. Can do that?


Ubuntu Security :: PHP Is Not Running Under Apache 2 And Limited By The Www-data Filesystem Access?

Jun 30, 2010

I'm about to have a web server at home for the first time. I've always missed having full control and not having to contact my hosting company when I need to do some specific changes - and some changes they won't do for you at all.

I've chosen the non-GUI Ubuntu Server with LAMP, and nothing more is installed really except for a couple of command line tools from the repository. The LAMP software has been locked down as good as I can by following some guides on the net and using common sense. Like Apache 2 doesn't have access to the file system except for the www folder, and setting the headers to Prod. MySQL has skip-networking and I've commented out the listen string to localhost. PHP has a truckload of functions that I've disabled in the php.ini, also by following some guides on the net, among some other security enhancing php.ini editing.

The only thing the server will serve is a well known PHP forum and some html docs, and that's all. Nothing advanced or complicated stuff, and I'm definitely not programming PHP myself or letting anyone do it for me.

But I do want to sleep well at night knowing that my server is always on and sitting on the edge of my home network! And can I do that? I've heard that you don't need to be worried about getting your Linux server box hacked, but you should be worried about anyone getting root access to it. But is it really that simple? Ubuntu is shipped without a root account and you must have the sudo password, right? What are the odds for anyone to get full access to my system?

An issue: I've heard that Apache never must run as root. When I do a ps -ef, I see that there are several www-data processes running apache, but there's one root process running apache too. Is this normal and is it safe?

An issue: I've heard that PHP can fail pretty easily. But isn't PHP running under apache 2 and limited by the www-data filesystem access?

An issue: MySQL is running as a MySQL user, and I guess that's an unprivileged user, right?


General :: Security - Change OpenSSH Account Password

Feb 15, 2011

I suppose that my main Linux user account password serves as my SSH password as well. Is there a way I can modify this? As it turns out, I'd like to have a REALLY secure SSH password for obvious reasons, but a less secure local password, as it makes typing in passwords a heck of a lot easier on a machine. Is there a way I can change my account password in SSH without changing my Linux user password?


Security :: Forgot LUKS Password - Possible To Crack With Limited Charset?

May 22, 2011

I've encrypted my root partition with LUKS and cannot remember my password. My main question is this: is it possible to extract the hash (or key; not sure on the correct terminology here) from the LUKS header and run it through a cracker? The hash type is SHA1 and I can remember the characters I used for the password, just not in the correct order (lots of special characters). That being said, given such a small charset, it should be crackable within a reasonable time, correct? Especially if I used a GPU accelerated cracker. What I don't know how to do is go about getting the hash from the LUKS header. Is any of this possible, or am I SOL? Of course, I have physical access to the system so I can boot it into any utilities I may need to.


Security :: How To Rate Limited IPTABLEs Treat A Screen Session On Ssh After Disconnection

Nov 3, 2010

Take this scenario: I have rate limited the connections to 4 (i.e. if you attempt a 4th connection you won't be able to log in for some time). If in a minute I get disconnected 3 times while I was already logged in on the server with a screen session, will I be able to log in or do I need to keep quiet for a minute?

Quote:

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource


Security :: Get A List Of Basic Things

Mar 29, 2010

I am looking for a basic guide to Linux security. I am assessing a multi-server farm and have very limited experience with Linux. Where can I get a list of basic things I should be looking at from a security standpoint, i.e. ports, vulnerabilities, users, etc? Looking for a checklist I can run through. We are running CentOS Linux 5.0.


Security :: Created A .htaccess File In The Folder And Added AuthType Basic?

Jan 26, 2010

I have a folder on my server I want to protect with HTTP authentication, but I have a problem. I created a password: htpasswd -c .htpasswd razzera

Then I created a .htaccess file in the folder and added
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /.htpasswd
Require user razzera

But when I go to the folder it won't request any login details. Why?


Debian Multimedia :: Using Basic Functions Freezes Nautilus And Desktop

Jul 10, 2015

By pressing 'properties' on a folder it freezes and I have to do killall nautilus && nautilus to get it working again. I have found no fix when googling (saying some packages that aren't installed are the problem).

It just takes a really long time to load based on the CPU usage.


Ubuntu :: Server Or Desktop Installation For Limited Server Use?

Aug 1, 2010

My present system consists of 4 computers all running Ubuntu (just upgraded to 10.04) and all have a virtual Windows installation to run applications for which there are no Linux substitutes. The "server" is a NAS that is merely a file repository. I want to replace the NAS with a new computer that acts as both a server and a local workstation. It would act as a repository for common files and would run a mail, calendar, contacts server for the LAN (no outside connections).

What are the pros and cons of installing the server version of Ubuntu (or Kubuntu) then adding the appropriate desktop versus installing the desktop and adding some server functions?


Ubuntu :: Best Practices For Multi Purpose Usb Boot

May 15, 2011

I am in the process of creating a USB multi boot with a variety of utilities for working on PCs as well as multiple distributions for testing via live use and for installation. From what I've found YUMI is the tool to use to create this. Is that right or does anyone have a better tool to use? As long as YUMI is the best tool, does anyone have any best practices to pass on? I'm thinking of relating to casper-rw, preventing any fragmentation issues, etc. Anything else to be thinking of as I create this would be very much welcomed. I'm planning to start with a 16GB stick but I'm curious about how much space others are finding they need. I don't know if 16GB is way high or low.

Anyway, what all can you pass on to me and others in the forums about planning for and using a multi boot USB?


Red Hat / Fedora :: File System Best Practices

May 7, 2010

I have a script that is tar'ing a directory for backup purposes. I am wondering what the best practices are in Linux for where to move the tar file to. I read the 'Linux File System Hierarchy' pdf, but I didn't find any clear direction on where I should write the tar file to in the local file system. Is it taboo to create a /backups folder because some other location is where best practices say to write a tar file that is being kept for backup purposes?

I am writing the files to the local file system, but then backing the entire server up to tape. So I know that I need to keep the backups on a long term media in case the server goes belly up. Again, I'm just looking for best practices for where to write the back to the local file system for local retention.


CentOS 5 :: Best Practices: Where To Put Source Code

Nov 25, 2009

Where do people generally put third-party source code that must be configured and compiled? For years I've been using my home directory for that, but there must be a better way. Are there general standards, or best practices, or guidelines on where to put the software? /usr/local? /usr/src? Is there a document that discusses this?


Ubuntu Security :: Setting Up A New Account On System

Sep 6, 2010

Basically, in addition to the first installation account on my system (my account), I've also set up another user alongside my own. It's not an admin account but a 'desktop user' account, but in the group ID section this account comes as '1001'. What does this 1001 mean? Furthermore, are there any risks I should know about arising from setting up another account on my PC?


Ubuntu Security :: Set Two Password For 1 User Account?

Dec 27, 2010

I use Ubuntu 10.04. Is there a way to set two passwords for 1 user account?


Ubuntu Security :: Unknown User Account 'dtc'?

Mar 12, 2011

I started up my computer and suddenly, I saw that there was a new user account. I didn't create it and no one else uses my computer (let alone has access to user account creations). It was called dtc. It didn't seem to have any privileges and the only file in its home folder was called Examples. Should I worry that I might have some kind of malware? I deleted the user and the folder (and it came back after a while). Its main group is dtcgrp. The User ID is 1004.


Security :: What The Bottom Account Is. No Name

Mar 31, 2010

Here is what I ran:

Code:
lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5
5 fauz
1 btmp
1

What is the bottom account? No name?


OpenSUSE Hardware :: How About Best Practices To Assist In Power Management

Jan 19, 2011

I am trying to reduce the uptime of my servers. I would like to have a way to bring the systems down during off hours, and come back online during first use. I know about WOL (wake on LAN) found in the BIOS, but it seems as if the OS is missing something to complete the configuration. Are there any good docs (of which I haven't found any yet, which is why I ask) on this topic? How about best practices to assist in power management?


CentOS 5 Server :: Best Practices LDAP Root Domain Name?

Jun 10, 2010

Regarding domain names for LDAP root, you should use something like dc = domain, dc = country eg ar, cl, is br. or better use some other domain? That is, suppose the root domain is dominio.es. Is it advisable to do so? I ask because I have seen many implementations (especially Microsoft AD), which states rather dominio.local or dominio.int.


Ubuntu Security :: Running Wine Under A Different User Account?

Jan 2, 2010

I've written an article on my site which lays out steps for installing Wine and running it under its own, separate user account, so that Windows applications cannot access personal files (particularly those in your home directory). [URL]... I'm hoping that there are people on this forum who know Ubuntu inside-out, as I'd like to know how effective the described method is at trapping Windows applications so that they cannot read or write personal files or directories.

The way I understand it, once the process is running under user account wine, it's stuck with the access privileges of user wine. But are there ways in which a rogue application could break out of this prison and gain access to whatever it wishes? I'm guessing that such behaviour would mean someone customising Windows software to recognise Linux, and that such a thing is very unlikely, but I'm still interested to hear what gurus of the Ubuntu internals think of this method.


Ubuntu Security :: Spam Received From Own Hotmail Account

May 3, 2010

After reading everything that says you don't need an anti-virus for Linux. OR Linux doesn't get viruses. Guess what I have a Virus. I don't know which one, but it is sending out spam emails from my webmail, MSN, account. I do not have a local client installed. I am guessing it is linking into MSN through Pidgin, getting the addresses there, and sending the spam, somehow, through MSN. Actually one MSN and one Hotmail account. I also have not been able to find an anti-virus program for Ubuntu. There do not seem to be any listed in the software repositories that Ubuntu links into. How do I get rid of it? My contacts are starting to get upset.


Ubuntu Security :: SSH Keys - Can I Create With Root Account

Aug 25, 2010

Can I log in to my server using my root account and create a public+private key for one of my users and then manually paste it into his authorized_keys file and give him the private key?

The user I'm giving it to has a chrooted FTP account...

Is it still OK that I used the root account to create it? He is not going to have root access or nothing, is he? This is not a security breach in any way, is it?

The user doesn't have shell access to create their own so this is the only way I can think of doing it...

Also what access should the user have to their .ssh folder + the authorized_keys file...?

Are they allowed to read the key? What about write?


Ubuntu Security :: Break In Through Disabled Root Account?

Nov 11, 2010

If root is disabled by default, how is it possible that someone managed to SSH into my computer using root? I never enable/set a password for root, it's always left as the default as per a fresh install and I always use sudo for any admin tasks.

Auth.log

First there are a whole load of failed attempts then...

Code:
Nov 8 11:07:32 Morris-Desktop sshd[3601]: Failed password for root from 94.243.50.53 port 4360 ssh2

[code]...


Ubuntu Security :: Add Users Other Than Initial Account I Created?

Mar 10, 2011

I set up a linux 10.10 desktop to run as a "server" for me. I then loaded Xrdp so that we can remote connect to the machine. My issue now is, I need to add users other than the initial account I created, but when I log into the desktop remotely, it will not let me add a new user. I can't seem to use any of the boxes in the User Settings command box. Does anyone have any suggestions?


Ubuntu Security :: Guest Account Able To Authenticate As Root

Jun 25, 2011

I am trying to use a guest account in Ubuntu 10.10, however I am unable to stop the guest account from authenticating as a superuser and gaining root permissions despite removing all permissions from the user-group control panel. The new guest account I created is not part of the admin group. However, with my new guest account I am unable to start a guest session from the panel, AND if I use the guest session from the panel I don't have the problem with the guest session being able to authenticate. How do I prevent super user authentication from an account in this situation? It seems that any account can authenticate and my /etc/sudoers file looks like this:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

Copyrights 2005-15 www.BigResource.com, All rights reserved