

Security is an important issue in computing. Unfortunately, many computers allow a cracker to gain access to them and retrieve sensitive information, or just make life hard. This article will review the basics of general security and explain how to apply them to two Linux distributions--Ubuntu and Kubuntu.

Preliminaries

This article assumes that you know how to install programs on either Ubuntu or Kubuntu. It also assumes that you have some knowledge of basic computer networking principles. If you do not know how to install programs on Ubuntu, go to https://help.ubuntu.com/community/InstallingSoftware. If you do not know much about networking, go to http://www.faqs.org/docs/linux_network/x-087-2-intro.html. This article also assumes that you are using Ubuntu or Kubuntu 6.06 (Dapper Drake), but the Firewall section can be adapted for any recent Linux distribution.


Downloading Security Updates

A program is only secure if it has no vulnerabilities. Even the most popular software can have a hidden one. When someone fixes the vulnerability, a new version of the program is usually released. Both Ubuntu and Kubuntu have software repositories dedicated to security updates. When a vulnerability is fixed, a package of the program is released so that you can download it. Ubuntu and Kubuntu usually enable some of their security update repositories by default, but it is always a good idea to check to see if all of them are enabled. You may also want to specify how often you want your computer to look for security updates--and even install them--while you're at it (for Ubuntu 6.06 only).

If you are using Ubuntu, click on System -- Administration -- Software Properties and click on the Installation Media tab. Now scroll down until you see a repository with the word Security in it. Make sure that it is checked. If it is not, click on the check box to enable it.

On Kubuntu, click on Kmenu -- System -- Adept (Package Manager). Enter your password and then click on Adept and then on Manage Repositories. Find a line that contains the words deb http://security.ubuntu.com/ubuntu. Those are security repositories. If it is grayed out, right click on the entry, select Enable, and click Apply. It is important to enable every grayed-out security repository that you can find.

Now you can configure how often you want your computer to check for new updates. With Ubuntu, click on System -- Administration -- Software Properties and click on the Internet Updates tab. Check the box that is marked Check for updates automatically and from the drop down menu select how often you want your computer to look for updates. You can even configure Ubuntu to automatically download updates and install security updates. When there are new updates available, Ubuntu will alert you by starting Update-Manager. The Update-Manager's notification icon will appear in the system tray. Click on it to install new updates.

Kubuntu uses a program called adept_updater which appears in your system tray when new updates are available. You can click on the icon to install new updates. As of this writing, you cannot configure adept_updater to install security updates automatically.
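
The same check can be made from a terminal. The script below is an added example, not part of the original article; it assumes that a repository shown as grayed out or unchecked corresponds to a commented-out deb line in the APT sources file, and its sample file is constructed.

```shell
#!/bin/sh
# Added example: report security.ubuntu.com entries in an APT sources file.
# Assumption: a "grayed-out" repository is a commented-out "deb" line.

# Print every security entry, prefixed with ENABLED or DISABLED.
security_repo_status() {
    awk '
        /security\.ubuntu\.com/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#[# \t]*deb(-src)?[ \t]/) {
                sub(/^#[# \t]*/, "", line)
                print "DISABLED " line
            } else if (line ~ /^deb(-src)?[ \t]/) {
                print "ENABLED " line
            }
        }
    ' "$1"
}

# Succeed only if at least one binary ("deb") security entry is enabled
# and no binary security entry is disabled.
security_repos_ok() {
    status=$(security_repo_status "$1")
    echo "$status" | grep -q '^ENABLED deb ' || return 1
    if echo "$status" | grep -q '^DISABLED deb '; then return 1; fi
    return 0
}

# Constructed sample, modelled on a Dapper-era sources.list.
make_sample_sources() {
    cat > "$1" <<'EOF'
deb http://archive.ubuntu.com/ubuntu dapper main restricted
deb http://security.ubuntu.com/ubuntu dapper-security main restricted
# deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
# deb http://security.ubuntu.com/ubuntu dapper-security universe
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp) && make_sample_sources "$tmp" && security_repo_status "$tmp"; rm -f "$tmp"
```

On a real system, pass /etc/apt/sources.list to security_repo_status instead of the sample file.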


Securing the /home directories

There may be times when you want to protect your data from malicious users, but you don't want the hassle of encrypting that data. As long as no one else on your computer can log in as root (the super administrator account), your data will be hidden from other users' eyes. To make your data safer, go to Applications -- Accessories -- Terminal (on Ubuntu) or Kmenu -- System -- Konsole (on Kubuntu) and type: chmod 0700 /home/your-user-name (where your-user-name is the name you use to login to your computer). You can also use this command for individual files and folders if you want to keep other users from viewing any of your files. (For more information on securing your home directory, go to https://wiki.ubuntu.com/SecureHome.)
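
To see which home directories still need that chmod, the following added example (not from the original article) lists every directory under a base path that group or other users can access. The demo tree and the user names alice, bob and carol are constructed.

```shell
#!/bin/sh
# Added example: list home directories that group or other users can enter,
# read or write. Portable: parses the mode string printed by `ls -ld`.

# Print "<mode> <path>" for each directory directly under $1 whose
# group/other permission bits are not all cleared (i.e. not rwx------).
open_homes() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        [ -L "$dir" ] && continue            # skip symlinks
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            d???------) ;;                   # already private (e.g. 0700)
            *) printf '%s %s\n' "$mode" "$dir" ;;
        esac
    done
}

# Constructed demo tree: alice is world-readable, bob is private,
# carol is readable by her group.
make_demo_homes() {
    mkdir "$1/alice" "$1/bob" "$1/carol"
    chmod 0755 "$1/alice"
    chmod 0700 "$1/bob"
    chmod 0750 "$1/carol"
}

# Demo: audit the constructed tree, then clean up.
base=$(mktemp -d) && make_demo_homes "$base" && open_homes "$base"; rm -rf "$base"
```

Run open_homes /home on a real system; every path it prints is a candidate for chmod 0700.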

Firewalls

The best way to protect yourself from attackers on the Internet is to disconnect yourself from the Internet. The next best way is to install a firewall, which is like a lock on a door to a room inside of a building. It allows only authorized programs and protocols to open the door between your computer and the Internet. It also locks the door from the outside, keeping people and programs from opening the "door", walking in, and harming your computer. A firewall uses filters that either allow or prevent programs from sending or receiving data. If there is a protocol with a security hole in your computer, you can configure the firewall to block all incoming connections to that protocol until the hole is fixed.

Although both Ubuntu and Kubuntu are fairly secure--they do not leave any ports open by default--it is always a good idea to install a firewall. Since firewalls are important to making a computer more secure, two firewalls are evaluated in this article: Firestarter and Guarddog. Each has strengths and weaknesses, both in the GUIs (Graphical User Interface) and the way they run, so it is a matter of personal preference. Both of them work on any official Ubuntu distribution or other popular Linux distributions (such as SUSE or Fedora Core). The following instructions will show you how to set up Firestarter for Ubuntu and Guarddog for Kubuntu, but they work just fine vice versa.

Even though the firewalls are different, there are some firewall security principles that apply to any firewall and operating system. All firewalls either white-list or blacklist IP addresses (Internet Protocol address) and protocols. A white-list is an explicit list of protocols and IP addresses that the firewall lets pass through. A blacklist is the exact opposite of a white-list: it is an explicit list of protocols and IP addresses that the firewall will block.

There are some common protocols that you will either want to white-list or not want to blacklist. They are:

HTTP/HTTPS (Common web site protocol)

FTP (A file transfer protocol. Many web sites use this to upload and download files)

SMTP (An email sending protocol)

POP3 (An email receiving protocol)

(A list of more ports can be found at: http://www.chebucto.ns.ca/~rakerman/port-table.html)

Allow the firewall to permit only the few protocols and/or IP addresses that you will be using. If you don't recognize a protocol, block it. You can unblock any protocol later when you have a need for it.
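
Firestarter and Guarddog are both front-ends that generate iptables rules. As an added example (hand-written here, not output from either tool and not part of the original article), the script below turns a white-list of the protocol names above into a block-by-default ruleset in iptables-restore format; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build a default-deny ("restrictive") policy in
# iptables-restore format from a white-list of protocol names.

# Map the protocol names used in the article to their standard TCP ports.
port_for() {
    case $1 in
        http)  echo 80  ;;
        https) echo 443 ;;
        ftp)   echo 21  ;;   # control channel; data needs the FTP conntrack helper
        smtp)  echo 25  ;;
        pop3)  echo 110 ;;
        *)     return 1 ;;   # unrecognised protocol: stays blocked
    esac
}

# Print the ruleset for the white-listed protocols given as arguments.
emit_ruleset() {
    echo '*filter'
    # Anything not explicitly accepted below is dropped, in both directions.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections this host opened are let back in.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # DNS, or no white-listed host name would resolve.
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    for proto in "$@"; do
        if port=$(port_for "$proto"); then
            echo "-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        else
            echo "skipped unknown protocol: $proto" >&2
        fi
    done
    echo 'COMMIT'
}

# Demo: white-list web browsing and email only.
emit_ruleset http https pop3 smtp
```

Piping the output to iptables-restore --test as root parses the rules without loading them.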


Firestarter (For Ubuntu)

Firestarter (based on the GTK GUI toolkit) focuses on simplicity. Firestarter allows the white-listing of good connections; it blocks all connections from the start, both incoming and outgoing. After you have installed Firestarter, go to Applications -- System Tools -- Firestarter to start it. You should see a blue icon appear in your system tray. The first time you run Firestarter, a wizard is automatically launched. If you need to return to the wizard later, you can access it from the Firewall menu. All of the choices that you make in the wizard can be changed by going to Edit -- Preferences.

Click on the Policy tab to get started. You will see a drop down menu next to the word Editing. Click on it and select the Outbound traffic policy. Now make sure the radio button that says Restrictive by default is selected, causing the firewall to block all traffic that is not white-listed. This will make your computer very secure by only allowing a few programs to open the "door".

The next step is to tell Firestarter what protocols you don't want to lock down. Right click on the Allow Service Port and For tables. Click on Add Rule, select a name from the drop down menu, or enter your own protocol name and port. You have the option to allow any computer on the Internet or network, the firewall host (your computer), or IP address (a specific computer Internet Protocol address on the Internet or your network). Select the appropriate source and click Add. Do this for any protocol you want to use (such as email, web, etc). You can use this same process to allow incoming connections (click on Incoming traffic policy next to the word Editing instead of Outgoing traffic policy).

(Insert firestarter.jpg here)

When Firestarter blocks a connection, the icon in the system tray turns red. If you are having trouble with either connecting to another computer or browsing the web, click on the red icon and then click on the Events tab. This will show you what protocol(s) Firestarter has blocked and you can now white-list the protocol if you need to use it.

If you notice that Firestarter blocks a particular computer's IP and you recognize it (as it may be a family member or colleague's computer), add the IP to the Allow connections from host table under the appropriate outgoing or incoming policies.


Guarddog (For Kubuntu)

Guarddog (which uses Qt for its GUI toolkit) differs from Firestarter because it lets you configure a firewall for numerous networks such as the Internet, your local computer, and your Local Area Network. The advantage of using Guarddog is that you can configure a firewall for as many different networks as you want. To configure Guarddog, go to Kmenu -- System -- Guarddog. Enter your password to continue. After you enter your password, click on the Protocol tab and select the "zone" (what Guarddog calls the configurations for different networks) that you would like to configure. On the right you will notice the Zone Properties tree. Click on the tree category that you would like to configure (such as Chat) and it will expand, revealing several common protocols. Guarddog automatically blocks every protocol by default so you will have to white-list the protocols you'd like the firewall to accept, and blacklist the protocols you'd like the firewall to outright reject. You should click on the Network tree and enable DNS and ICMP Redirect if you cannot browse the web.

To add a protocol that is not in any of the trees, click on the Advanced tab and add a new protocol under User Defined Protocols to be able to enable or disable it in the Protocol tab. To block a certain IP address or domain, create a new zone and leave all the check boxes blank (to block all protocols).

If you use a router to connect to the Internet and/or are behind a NAT you should create a new zone for the Local Area Network that you belong to. You should enable the Internet and Local zones so that you will be able to connect to the Internet and the Local zones. Now click on the Protocol tab and check to see if the new zone you have created is selected under Protocols Served from Zone. Configure the firewall to allow the protocols you need to pass through it for the Local and Internet column. By selecting the check boxes in both columns you allow your computer to use the checked protocols on your local area network (which goes to your router which is connected to the Internet).

Now move over to the Protocol tab and make sure that Protocols Served from Zone is set to your newly created zone. Check the protocols you need to enable. By turning these on for the Local or Internet zones, you allow your computer to use the checked protocols in the new zone you created.

(Insert guarddog.png here)

When you are finished with configuring your changes, click Apply to change the settings. If your firewall keeps you from browsing the web, or starting certain system services, you can temporarily disable it until you find out what it's blocking; click on the Advanced tab, check Disable Firewall and click Apply.


Testing your firewall

To see if your firewall is doing what you want it to do you can test it at http://www.grc.com at the Gibson Research Center. Go to Shields Up or Leak Test to try out your firewall.


Summing it up

You now have a fairly secure system. It will be hard for a cracker to break into your computer, or for some other user on your computer to read sensitive data (you may want to encrypt that data to be even safer). Always remember that your computer will remain secure if you are careful and do not accidentally enable a protocol that you don't use, or copy sensitive data to a folder that anyone can read.

 
 
Comments about this article
encrypted disk
written by: _mind on 2006-12-05 02:14:09
It is so incredibly easy to set up encrypted root/swap partitions that demand a passphrase on boot. I hope the next installer will give you the choice to do it automatically, but until then, you have to jump through a few hoops (google and some linux experience will get you through). It definitely deserves a mention, laptop _or_ desktop
One particularly large problem
written by: Steve on 2006-12-05 08:02:08
One particularly large problem I recently noticed in Ubuntu is the fact that if you choose "Recovery Mode" from the Grub loader... you are booted into a command line terminal as root (NO PASS REQUIRED!) very insecure if you ask me.. any one know of any way to keep recovery mode on grub but fix this issue?
recovery mode
written by: Mark on 2006-12-05 08:06:18
Title
written by: Chris on 2006-12-05 16:52:26
Nevermind the fact that Ubuntu does not set a root password at install, you have to set one manually (the account is locked by default of course).
hiding your ip
written by: ping on 2006-12-05 19:18:54
I have been looking for a way to avoid broadcasting my ip. What would be available in linux?
Onion Routing
written by: imneat on 2006-12-05 21:31:56
root password
written by: Edward on 2006-12-06 12:47:02
written by: Anonymous on 2006-12-06 13:53:40
written by: Anonymous on 2006-12-06 15:40:49
./
written by: ./ on 2006-12-12 13:33:55
root password
written by: ste on 2007-02-02 15:35:57
I noticed this too and enabled root passwd #sudo passwd root It seems that disabling it afterwards the access without passwd is not possible anymore. But the only secure way is a BIOS password, not for grub. Anyone with a Linux live cd can hack in the system.
root password
written by: Mark featherston on 2007-02-21 23:50:36
mbr password, remote servers
written by: Graeme on 2007-02-22 08:16:56
encrypted disk
written by: mbanks on 2007-04-29 15:18:16
this is best left up to the chip/bios/hardware/DRIVE makers. will not matter what o.s. i am not convinced that the encryption is all that good. wait a few years until the drive people get all the kinks worked out.
Re: BIOS Passwords
written by: Dan on 2007-05-08 11:19:47
di
written by: anaconda on 2008-02-05 02:53:11
Mr
written by: Joel Merrick on 2008-06-11 08:33:21
RE:
written by: JohnD on 2008-11-14 18:04:28
written by: pmcoleman on 2009-01-25 20:40:39
linux
written by: ubuntu on 2009-04-13 12:36:38
good ubuntu blog http://my.opera.com/ubuntunerd1/blog/
can apps contain virus on ubuntu
written by: HNLhosting on 2010-11-16 07:09:19
i just got my brother to build me this awesome local network dataserver at my graphic design office in hawaii.

i put lots of cool multimedia software on it from the install new apps menu...

when I go to shut down it gives me a message that something is still running in the background... can I get keyloggers hidden in these apps??? how do I know what is running..... I think the name of the program said something like SPI, ... I am not sure if it could be spi ware or a keylogger...???

Is this possible on linux?

How can I find out what this app is and remove it.
weird skype behaviour after tests!
written by: Sciezyna on 2011-02-03 10:09:42
Hi,

I have Ubuntu 10.04

I did go to the site mentioned above. xhttp://www.grc.com (remove the x). Performed few tests, assured by the Gibson Research Corporation that they are ABSOLUTELY safe!

Well, right after the test I noticed problems with my Skype (Beta 2.1.0.81). Virtually right after the tests I started to receive some stupid spam from weird users not known to me Skype install. This never happened before because I had ticked the "Allow chats from..." only from person I know. It seems that this option had been changed.

Is there anyone who had a similar experience, that after those tests weird things started to happen?

I will copy this post to Ubuntu site to see if anything like that occurred.

Juliusz