Insecure authentication x window ubuntu. Security in Linux is a relative concept. Let's encrypt the file system in Linux for more complete Linux security

Many users consider Ubuntu pop, and Ubuntu Server not serious. Many people forget that Ubuntu Server has been supported for 5 years, and Debian 5.0 was on the market for 3 years - from 2009 to 2012.

At support prices - Ubuntu Server compared to Red Hat, one can and should say - you got it for free, even if you order 24/7 support 24x7x365.

See what security solutions are implemented in all versions of Ubuntu and make it safe and reliable.

Possibilities

Security Capability Matrix

No open ports

The default Ubuntu installation does not have any open ports accessible from outside the network. The only exception to this rule is for network infrastructure services, such as DHCP client and mDNS (Avahi/ZeroConf).

When Ubuntu Server is installed, the administrator can install additional network services, such as the Apache web server. But by default, on a newly installed system, if you do netstat -an --inet | grep LISTEN | grep -v 127.0.0.1 , then you can easily make sure that Ubuntu does not unnecessarily open ports for access from networks to the system.

Password hash

The system password used to log into Ubuntu is stored in /etc/shadow. Once upon a time, a DES password hash was stored in /etc/passwd. But modern Linux has been storing hashes in /etc/shadow for a long time, and at first a hash based on MD5 with salt was used (salted MD5-based hashes crypt id 1). Since the same passwords had the same hashes without the use of a salt, the introduction of a salt made it possible to improve security and make it more difficult to crack the passwords of many users of the system.

Now MD5 is considered unreliable and with the increase in the computing capabilities of computers, with Ubuntu 8.10 the SHA-512 hash with salt is used (salted SHA-512 based password hashes crypt id 6). This does the hack brute force by going through all the options - incredibly complex and time-consuming.

More details about man crypt.

Use test-glibc-security.py for tests.

SYN cookies

When the system is flooded with new network connections, the SYN cookie mechanism helps reduce the damage from SYN flood attacks.

File system capabilities

The need for setuid applications that run with higher permissions than the person running them can be reduced by using file system capabilities such as xattrs. Such features reduce the risk of abuse of potentially dangerous setuid applications.

The Linux kernel provides support and tooling libcap2-bin for using xattrs-type file capabilities to enhance the security of setuid applications.

Use test-kernel-security.py for tests.

Configurable firewall

ufw is a frontend for iptables, which is installed and used in Ubuntu, but the user must enable it independently. UFW is designed to provide an easy-to-use interface for people not familiar with the concepts of the iptables firewall, with its chains and tables.

At the same time, UFW simplifies complex iptables commands to help the administrator who knows what he's doing.

UFW is an assistant and the basis for graphical frontends.

Use ufw tests for tests.

PR_SET_SECCOMP

AppArmor

SELinux

SELinux is a mandatory access control system based on the concept of inode - a file system index descriptor.

Installing the selinux package will make the necessary changes and adjustments while the PC boots.

Use test-kernel-security.py for tests.

SMACK

SMACK is a flexible mandatory access control system based on the concept of inode - a file system index descriptor.

Use test-kernel-security.py for tests.

File system encryption

LVM encryption

Users using the Alternate installer can install Ubuntu on an encrypted LVM (Logical Volume Manage), which will encrypt all partitions, including the swap partition.

eCryptfs

Encrypted folders were first implemented in Ubuntu 8.10 as a secure place to store important user information.

The Alternate and Server disk installer allows you to set up encrypted folders for the first user.

In Ubuntu 9.04, support for folder encryption was expanded and the user could encrypt the entire home folder. Home folder encryption is supported in the Alternate installer and Desktop installer via the user-setup/encrypt-home=true parameter.

Strengthening User Space Security

Many security features are implemented through compilation flags when building software packages and the kernel.

Stack protection

The gcc -fstack-protector flag provides stack overflow protection by placing a small random number as a marker. This method makes stack overflows more difficult for various exploits.

Not a large number of programs do not work well if compiled with this parameter and -fstack-protector is disabled for them.

Use test-gcc-security.py for tests.

Heap protection

GNU C Library heap protection (automatically by ptmalloc and manually) provides corrupted-list/unlink/double-free/overflow protection in the glibc memory manager.

This prevents the possibility of executing arbitrary code through a heap memory overflow, thereby corrupting the structure of the heap region.

This defense has evolved over time, adding more and more defense options. IN current state glibc 2.10 successfully resists even subtle attack conditions.

Obfuscated pointer

Some glibc pointers are obfuscated via PTR_MANGLE/PTR_UNMANGLE macros internally in glibc, preventing the pointers from being overwritten at runtime.

Use test-glibc-security.py tests.

Random placement in the address space. Address Space Layout Randomisation (ASLR)

ASLR is implemented in the kernel and the ELF loader places the most important structures in random addresses: stack, heap, shared libraries, etc.

This makes it difficult to predict addresses when an attacker tries to use exploits.

ASLR is changed globally via /proc/sys/kernel/randomize_va_space. Before Ubuntu 8.10 the value was "1" (enabled). In later releases that include brk ASLR, the value is set to "2" (enabled with brk ASLR).

ASLR stack

The results of each program execution are placed in different parts of the stack. It is difficult to find in memory and attack the program by adding malicious payload.

Libs/mmap ASLR

Libraries are loaded dynamically into different memory locations, making it difficult for an attacker to find a return point.

Protection is available from kernel 2.6.15 (Ubuntu 6.06).

Exec ASLR

Programs built with the "-fPIE -pie" option are loaded into different memory locations. This makes it difficult to attack or jump to an address to perform a memory modification attack.

Protection is available from kernel 2.6.25 (Ubuntu 8.04 LTS).

brk ASLR

Like exec ASLR, brk ASLR regulates memory addresses between exec and brk for small memory allocation requests. Randomization brk exec memory offset was added in kernel 2.6.26 (Ubuntu 8.10).

VDSO ASLR

Each time the program is run, the results are placed in a different vdso. First appeared in kernel 2.6.18 (x86, PPC) and 2.6.22 (x86_64), but was not included in Ubuntu 6.10 due to COMPAT_VDSO, which was removed in Ubuntu 8.04 LTS.

Protects against jump-into-syscall attacks.

Only x86 was supported by glibc 2.6. glibc 2.7 (Ubuntu 8.04 LTS) already supported x86_64 ASLR vdso.

Those who need the ancient static pre-libc6 vdso can use "vdso=2" as a kernel parameter and get COMPAT_VDSO again.

Building with PIE

All programs that are compiled with Position Independent Executables (PIE) with the "-fPIE -pie" option can take advantage of exec ASLR protection.

This protects against "return-to-text" attacks and makes conventional memory modification attacks useless.

Due to PIE, there is a large performance drop (5-10%) on architectures with a small number of general purpose registers (such as x86).

Therefore, PIE is used for a small number of security-critical packets.

PIE for x86_64 has no performance issues and is used for all packages, but needs better testing.

Build with Fortify Source

Programs built with "-D_FORTIFY_SOURCE=2" (and -O1 or higher) enable several compilation and runtime protections in glibc:

• calls "sprintf", "strcpy" with their undefined boundaries are replaced with related functions with limited N, when the buffer size is known in advance. This protects against memory overflows.
• stopping an attack via string format "%n" when the string is in a memory segment with write access.
• require checking the return codes of the most important functions and arguments (for example, for system, write, open).
• require an explicit indication of the mask when creating the file.

Assembly with RELRO

Tightening of ELF programs to combat bootloader memory overwriting. Reduces the likelihood of a GOT-overwrite-style attack.

Use test-gcc-security.py tests.

Building with BIND_NOW

Marks ELF programs to resolve dynamic characters at startup instead of on-demand, also known as "immediate binding".

This makes the GOT completely read-only, in combination with the RELRO parameter.

Use test-built-binaries.py tests.

Non-Executable Memory

Modern processors protect data memory areas (heap, stack) from code execution.

This technology is known as Non-eXecute (NX) or eXecute-Disable (XD). Protection reduces the ability of an attacker to place arbitrary code.

Protection requires "PAE", which also allows addressing above 3 GB of RAM. 64bit and 32bit -server and -generic-pae kernels are already built with PAE.

Starting with Ubuntu 9.10, protection is partially emulated on 32-bit cores for processors that do not support NX hardware.

After downloading, you can see the level of NX protection support:

• Hardware: [ 0.000000] NX (Execute Disable) protection: active
• Emulation:
  [ 0.000000] Using x86 segment limits to approximate NX protection

If you don't see any mention of NX, check your BIOS settings. As of Ubuntu 11.04, BIOS settings for NX are ignored by the kernel.

Use test-kernel-security.py tests.

Protect /proc/$pid/maps

When ASLR is running, the current memory maps of the processes become very valuable to the attacker. The map file is readable only by the process itself and the process owner.

Available since kernel 2.6.22.

Use test-kernel-security.py tests.

Limitations of symbolic links

The most common way to exploit this defect is to force root to use a symbolic link created by an attacker in order to perform a malicious action with root privileges.

As of Ubuntu 10.10, symbolic links in directories like /tmp cannot be followed unless the "follower" and the owner of the directory are the same as the owner of the symlink.

This mechanism is controlled by the Yama mechanism /proc/sys/kernel/yama/protected_sticky_symlinks. Yama was developed by Canonical.

Use test-kernel-security.py tests.

Limitations of Hard Links

If the /etc/ and /home/ directories are located on the same partition, a normal user can create a hard link to the /etc/shadow file with password hashes in their home folder. Of course, if a certain file is not readable or writable by any user, a hard link to this file will have the same rights and therefore will also not be available to this user. However, using hard links, an attacker can “slip” such a file to an application that has rights to access it.

Yama allows you to block this attack by preventing users who do not have permission to access the source files from creating hard links.

The behavior is controlled by /proc/sys/kernel/yama/protected_nonaccess_hardlinks Yama.

ptrace scope

Without appropriate Yama protection, any process with the CAP_SYS_PTRACE privilege can access the memory of all processes with the same UID. When using Yama, you can limit the scope of access to only the memory owned by the descendants of that process.

On Ubuntu 10.10 and older, users cannot debug processes using ptrace unless they are descendants of it.

The behavior is controlled by /proc/sys/kernel/yama/ptrace_scope Yama.

Use test-kernel-security.py tests.

Strengthening kernel protection

Enabled kernel defense mechanisms to make attacks more difficult.

0-address protection

Since the kernel and user space share virtual memory addresses, "NULL" memory must be protected and "user" memory cannot start at address 0, thereby preventing kernel address dereference - a "NULL dereference" attack.

Protection is available from kernel 2.6.22 via the sysctl parameter "mmap_min_addr". As of Ubuntu 9.04, mmap_min_addr is built into the kernel - address 64k for x86, 32k for ARM.

Use test-kernel-security.py tests.

Protect /dev/mem

Some applications, such as Xorg, require direct access to physical memory in user space. The special file /dev/mem provides such access.

In the past, it was possible to view and modify kernel memory through this file if the attacker gained root access.

The CONFIG_STRICT_DEVMEM option was introduced to block such attempts (the option was originally called CONFIG_NONPROMISC_DEVMEM).

Use test-kernel-security.py tests.

/dev/kmem disabled

For the modern user, /dev/kmem is not relevant, since it was mostly used by attackers to download rootkits.

CONFIG_DEVKMEM is now set to "n".

The /dev/kmem file exists in releases from Ubuntu 8.04 LTS to Ubuntu 9.04, but was not associated with anything in the kernel and is not used.

Use test-kernel-security.py tests.

Blocking module loading

In Ubuntu 8.04 LTS and earlier, it was possible to remove the CAP_SYS_MODULES feature and thereby prevent the loading of new kernel modules.

This was another level of protection to avoid downloading rootkits when a compromised system starts.

In kernel 2.6.25 (Ubuntu 8.10), this functionality disappeared. As of Ubuntu 9.10, it is now possible to disable modules again by setting /proc/sys/kernel/modules_disabled to "1".

Use test-kernel-security.py tests.

Read-only data section

Marking the kernel data section as read-only ensures that changes are blocked. This helps protect against some rootkits. Enabled via the CONFIG_DEBUG_RODATA option.

Use test-kernel-security.py tests.

Kernel stack protection

Like protecting ELF programs in user space, the kernel can protect its internal stack through the CONFIG_CC_STACKPROTECTOR option.

Use test-kernel-security.py tests.

RO/NX module

This feature extends CONFIG_DEBUG_RODATA to include restrictions on loaded kernel modules. This helps prevent exploits. Enabled via the CONFIG_DEBUG_MODULE_RONX parameter.

Use test-kernel-security.py tests.

Kernel Address Display Restriction

When attackers try to develop a anywhere exploit using kernel vulnerabilities, they need to know the location of the internal kernel structures.

Kernel addresses, as important information, are not available to ordinary users.

Starting with Ubuntu 11.04, /proc/sys/kernel/kptr_restrict is set to "1" and blocks leaks of kernel address information.

Besides, various files and directories are made read only by root
/boot/vmlinuz*, /boot/System.map*, /sys/kernel/debug/, /proc/slabinfo

Use test-kernel-security.py tests.

Black list of rare protocols

Typically the kernel allows all network protocols to be automatically loaded on demand via the MODULE_ALIAS_NETPROTO(PF_...) macros.

Since many of these protocols are outdated, rare, and even of little use for regular user Ubuntu and may contain unknown vulnerabilities, they are blacklisted starting from Ubuntu 11.04.

Blacklisted: ax25, netrom, x25, rose, decnet, econet, rds and af_802154.

If any of these protocols are needed, they can be loaded via modprobe or by editing /etc/modprobe.d/blacklist-rare-network.conf.

Use test-kernel-security.py tests.

System call filtering

Programs can filter kernel calls using seccomp_filter.

This is done in containers or sandboxes to further limit potentially untrustworthy software.

Use test-kernel-security.py tests.

Bottom line

After reading, it is clear that in Canonical takes Ubuntu security seriously. Two projects, AppArmor and Yama, have long been associated with Ubuntu and help improve security. Ubuntu by default does not open unnecessary ports-doors on the network and does not wait for connections-adventures to come its way. AppArmor profiles have been created for key programs that work with the network, which keep programs in check.

Your computer will be safe with Ubuntu!

At the annual LinuxCon conference in 2015, the creator of the GNU/Linux kernel, Linus Torvalds, shared his views on system security. He emphasized the need to mitigate the effect of certain bugs with competent protection, so that if one component malfunctions, the next layer covers the problem.

In this material we will try to cover this topic from a practical point of view:

7. Install firewalls

The maximum harm for encrypted HTTPS or SSH connections is interruption of the connection, but an attacker can insert new content, including malware, into unprotected traffic. A firewall is suitable to protect against such attacks.

Block access using Firewall

Firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend allowing only really necessary traffic and completely blocking all others.

For packet filtering, most Linux distributions have an iptables controller. It is usually used by advanced users, and for simplified setup you can use the UFW utilities in Debian/Ubuntu or FirewallD in Fedora.

8. Disable unnecessary services

If your system is configured via inetd, then in the /etc/inetd.conf file you can edit the list background programs“demons”, to disable the loading of the service, just put a “#” sign at the beginning of the line, turning it from executable into a comment.

If the system uses xinetd, then its configuration will be in the /etc/xinetd.d directory. Each directory file defines a service that can be disabled by specifying disable = yes, as in this example:

Service finger ( socket_type = stream wait = no user = nobody server = /usr/sbin/in.fingerd disable = yes )
It's also worth checking for persistent processes that are not managed by inetd or xinetd. You can configure startup scripts in the /etc/init.d or /etc/inittab directories. After the changes have been made, run the command under the root account.

/etc/rc.d/init.d/inet restart

9. Protect the server physically

To enter the data center, all visitors must go through certain authentication steps. It is also strongly recommended to use motion sensors in all areas of the center.

10. Protect the server from unauthorized access

For example, the tools Tripwire and Aide collect a database of system files and protect them with a set of keys. Psad is used for tracking suspicious activity using firewall reports.

Bro is designed to monitor the network, track suspicious activity patterns, collect statistics, execute system commands and generate alerts. RKHunter can be used to protect against viruses, most often rootkits. This utility checks your system against a database of known vulnerabilities and can identify unsafe settings in applications.

Conclusion

Hello everyone... All novice administrators under Ubuntu have the task of setting up network interfaces (network, network cards). In this article I will show you how to do this... It is done very simply...

If somehow you missed setting up the network or saw difficulty in installing the distribution, then now we will do it manually. And so we have the distribution installed and is waiting for us in the assault... We need to configure 2 network cards..... One of us faces the provider and the other faces the local network. Let’s agree right away and designate our interfaces and addresses.

eth0— 192.168.0.1 (let’s say this is the address issued by the provider) Interface that looks at the Internet (provider)
eth1— 10.0.0.1 (the address that we want to give to this interface) The interface facing the local network

First of all, let's check which interfaces we have already launched with the command ifconfig You will see something like this (only with your data instead of xxxxx)

Eth0 Link encap:Ethernet HWaddr хх:хх:хх:хх:хх:хх inet addr:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxxx.xxx Mask:255.255.255.252 inet6 addr: xxx::xxx:xxx :xxx:xxxx/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:31694097 errors:0 dropped:0 overruns:0 frame:0 TX packets:15166512 errors:0 dropped:0 overruns:0 carrier: 0 collisions:0 txqueuelen:100 RX bytes:2215593127 (2.2 GB) TX bytes:1577680249 (1.5 GB) Memory:b8820000-b8840000 eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx inet addr:10.0. 0.1 Bcast:10.0.0.255 Mask:255.255.255.0 inet6 xxxx: xxxx::xxxx:xxxf:xxx:xxx/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:11352041 errors:0 dropped:0 overruns :0 frame:0 TX packets:21539638 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1262641422 (1.2 GB) TX bytes:1922838889 (1.9 GB) Memory:b8800000-b8820000 lo Link encap:Local loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:3823 errors:0 dropped:0 overruns: 0 frame:0 TX packets:3823 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:717663 (717.6 KB) TX bytes:717663 (717.6 KB)

If one of the interfaces does not display, then it’s okay. It's just disabled, let's turn it on with the command sudo ifconfig eth1 up(instead of eth1, type your interface, if you have 2 network cards, then there are only 2 interfaces: eth0 and eth1) And so we enable our interface:

And so let's start setting up.

Let's assign the eth0 interface the IP address issued by the provider with the following command:

And specify the network mask:

Settings made in this way are reset after the server is rebooted.
To prevent this from happening, you need to change the settings in configuration file network interfaces. For this you need Root rights. Let's get the rights Root with the following command:

The network interfaces configuration file is located at /etc/network/interfaces To edit it we use the Nano editor (you can use your own editor) I like it Nano

We see the following:

It is necessary to reduce it to the following form

Save the changes by pressing Ctrl + O and exit by pressing Ctrl + X

Addresses DNS servers can be set in the /etc/network/interfaces file, but DNS server addresses in Ubuntu are managed through the /etc/resolv.conf file; for me it looks like this:

Let's configure DNS; to do this, enter the following command in the line:

Sudo nano /etc/resolv.conf # IP addresses of your provider's DNS servers nameserver хх.ххх.ххх.ххх nameserver ххх.ххх.хх.ххх

Let's save Ctrl+O and we go out Ctrl +x you also need to reboot the network with the following command.

None of us wants personal information to fall into the wrong hands. But how to protect your system from attacks and data theft? Do you really have to read kilometer-long manuals on setup and encryption algorithms? Not at all necessary. In this article, I will tell you how to make a Linux system secure in literally 30 minutes.

Introduction

We live in an age mobile devices and permanent online. We go to a cafe with a laptop and run web servers exposed to the Internet on our home machines. We register on hundreds of sites and use the same passwords for web services. We always have a smartphone in our pockets, with dozens of passwords stuffed into it, and keys to several SSH servers. We are so accustomed to third-party services taking care of our privacy that we have stopped paying attention to it.

When I lost my smartphone, I was very lucky that the anti-theft installed on it turned out to be functional and allowed me to remotely erase all data from the device’s memory. When I inadvertently opened an SSH port on a home machine with a user without a password (!) to the outside world (!!), I was very lucky that script kids got onto the machine and, apart from a funny shell history, did not leave any serious traces of their presence in system. When I accidentally posted a listing on the Internet with my Gmail password, I was very lucky that there was a kind person who warned me about it.

Maybe I’m a goofball, but I’m firmly convinced that similar incidents have happened to many who read these lines. And it’s good if these people, unlike me, took serious care of protecting their car. After all, the anti-theft might not have worked, and instead of a script kiddy, serious people might have gotten into the car, and I might have lost not a smartphone, but a laptop, which had no other protection besides the user password. No, you definitely shouldn’t rely on Google two-factor authentication and stupid passwords in this day and age, you need something more serious.

This article is a guide for a paranoid Unixoid, dedicated to the total protection of a Linux machine from anything and everything. I hesitate to say that everything described here is mandatory for use. Quite the contrary, this is a collection of recipes, information from which you can use to protect yourself and your data at those levels where it is needed in your specific situation.

Password!

It all starts with passwords. They are everywhere: in the login window in a Linux distribution, in registration forms on Internet sites, on FTP and SSH servers and on the lock screen of a smartphone. The standard for passwords today is 8–12 characters in mixed case and including numbers. Generating such passwords with your own mind is quite tedious, but there is an easy way to do it automatically:

$ openssl rand -base64 6

None external applications, no extensions for web browsers, OpenSSL is available on any machine. Although, if it is more convenient for someone, they can install and use pwgen for these purposes (they say the password will be more strong):

$ pwgen -Bs 8 1

Where to store passwords? Today, every user has so many of them that it is simply impossible to store everything in his head. Trust your browser's autosave system? It’s possible, but who knows how Google or Mozilla will treat them. Snowden said that it was not very good. Therefore, passwords must be stored on the machine itself in an encrypted container. The Founding Fathers recommend using KeePassX for this. The thing is graphical, which the founding fathers themselves don’t really like, but it works everywhere, including the famous Android Google probe (KeePassDroid). All that remains is to transfer the database with passwords to where needed.

Let's encrypt

Encryption - there is so much in this word... Today encryption is everywhere and nowhere at the same time. We are forced to use HTTPS versions of websites, but we don’t care. They tell us: “Encrypt your home directory,” and we say: “Then I’ll set it up.” They tell us: “The favorite pastime of Dropbox employees is laughing at users’ personal photos,” and we: “Let them laugh.” Meanwhile, encryption is the only absolute means of protection today. It is also very affordable and smoothes out wrinkles.

Linux has tons of encryption options for everything from hard drive partitions to single files. The three most well-known and time-tested tools are dm-crypt/LUKS, ecryptfs and encfs. The first encrypts entire disks and partitions, the second and third encrypt directories with important information, each file separately, which is very convenient if you need to make incremental backups or use it in conjunction with Dropbox. There are also several lesser-known tools, including TrueCrypt for example.

Let me make a reservation right away that encrypting the entire disk is a difficult task and, most importantly, useless. There is nothing particularly confidential in the root directory and there cannot be, but the home directory and swap are simply a treasure trove of information. Moreover, the second one is even larger than the first one, since data and passwords can get there already in decrypted form (normal programmers prohibit the system from throwing such data into a swap, but such people are in the minority). Setting up encryption for both is very simple, just install the ecrypts tools:

$ sudo apt-get install ecryptfs-utils

And, in fact, enable encryption:

$ sudo ecryptfs-setup-swap $ ecryptfs-setup-private

Next, just enter your password used for login and re-login to the system. Yes, it's really that simple. The first command will encrypt and remount the swap, changing required lines in /etc/fstab. The second will create the ~/.Private and ~/Private directories, in which encrypted and decrypted files will be stored, respectively. When you log in, the PAM module pam_ecryptfs.so will be triggered, which will mount the first directory to the second with transparent data encryption. After unmounting, ~/Private will be empty, and ~/.Private will contain all files in encrypted form.

It is not forbidden to encrypt the entire home directory. In this case, performance will not drop much, but all files, including the same one, will be protected network directory~/Dropbox. This is done like this:

# ecryptfs-migrate-home -u vasya

By the way, there should be 2.5 times more disk space than vasya’s data, so I recommend cleaning it up in advance. After completing the operation, you should immediately log in as the user vasya and check the functionality:

$mount | grep Private /home/vasya/.Private on /home/vasya type ecryptfs ...

If everything is ok, you can overwrite the unencrypted copy of the data:

$ sudo rm -r /home/vasya.*

Covering our tracks

OK, passwords are in a safe place, personal files too, what now? And now we must take care that some pieces of our personal data do not fall into the wrong hands. It's no secret that when a file is deleted, its current content remains on the media even if formatting is done afterwards. Our encrypted data will be safe even after erasing, but what about flash drives and other memory cards? Here we need the srm utility, which not only deletes the file, but also fills the remaining data blocks with garbage:

$ sudo apt-get install secure-delete $ srm secret-file.txt home-video.mpg

# dd if=/dev/zero of=/dev/sdb

This command will erase all data on the sdb flash drive. Next, all that remains is to create a partition table (with one partition) and format it into the desired file system. It is recommended to use fdisk and mkfs.vfat for this, but you can also get by with graphical gparted.

Preventing BruteForce attacks

Fail2ban is a daemon that scans logs for attempts to guess passwords for network services. If such attempts are found, the suspicious IP address is blocked using iptables or TCP Wrappers. The service is able to notify the host owner about an incident via email and reset the blocking after a specified time. Fail2ban was originally developed to protect SSH; today ready-made examples are offered for Apache, lighttpd, Postfix, Exim, Cyrus IMAP, named, and so on. Moreover, one Fail2ban process can protect several services at once.

In Ubuntu/Debian, to install we type:

# apt-get install fail2ban

The configs are located in the /etc/fail2ban directory. After changing the configuration, you should restart fail2ban with the command:

# /etc/init.d/fail2ban restart

Threat from outside

Now let's take care of the threats emanating from the depths world wide web. This is where I should start talking about iptables and pf running on a dedicated machine running OpenBSD, but all this is redundant when there is ipkungfu. What it is? This is a script that will do all the dirty work of configuring the firewall for us, without having to write kilometer-long lists of rules. Install:

$ sudo apt-get install ipkungfu

Editing the config:

$ sudo vi /etc/ipkungfu/ipkungfu.conf # The local network, if there is, write the network address along with the mask, if not, write the loopback address LOCAL_NET="127.0.0.1" # Our machine is not a gateway GATEWAY=0 # Close the necessary ports FORBIDDEN_PORTS="135 137 139" # Block pings, 90% kiddies will fall off at this stage BLOCK_PINGS=1 # Dropping suspicious packets (various types of flood) SUSPECT="DROP" # Dropping "wrong" packets (some types of DoS) KNOWN_BAD="DROP" # Scanning ports? Thrash! PORT_SCAN="DROP"

To enable ipkungfu, open the file /etc/default/ipkungfu and change the line IPKFSTART = 0 to IPKFSTART = 1. Run:

$sudo ipkungfu

Additionally, let's make changes to /etc/sysctl.conf:

$ sudo vi /etc/systcl.conf # Drop ICMP redirects (against MITM attacks) net.ipv4.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 # Enable the TCP syncookies mechanism net.ipv4 .tcp_syncookies=1 # Various tweaks (anti-spoofing, increasing the queue of “half-open” TCP connections, etc.) net.ipv4.tcp_timestamps=0 net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_max_syn_backlog=1280 kernel .core_uses_pid=1

Activate the changes:

$ sudo sysctl -p

Detecting intrusions

Snort is one of the favorite tools of admins and a main figure in all security guides. A thing with a long history and enormous capabilities, to which entire books are devoted. What does it do in our guide to quick setup secure system? And this is where it belongs; Snort doesn’t need to be configured:

$ sudo apt-get install snort $ snort -D

All! I am not kidding, standard settings Snort is more than enough to protect typical network services, if, of course, you have them. You just need to look at the log from time to time. And in it you can find lines like these:

[**] MS-SQL probe response overflow attempt [**] http://www.securityfocus.com/bid/9407]

Oops. Someone tried to cause a buffer overflow in MySQL. There is also a link to a page with a detailed description of the problem. Beauty.

Someone inherited...

Someone especially smart was able to bypass our firewall, get past Snort, get root rights in the system and now logs into the system regularly using an installed backdoor. Not good, the backdoor needs to be found, removed, and the system updated. To search for rootkits and backdoors we use rkhunter:

$ sudo apt-get install rkhunter

Let's launch:

$ sudo rkhunter -c --sk

The software will check the entire system for the presence of rootkits and display the results on the screen. If the malware is still found, rkhunter will point to the location and it can be erased. A more detailed log is located here: /var/log/rkhunter.log. It is better to run rkhunter as a cron job daily:

$ sudo vi /etc/cron.daily/rkhunter.sh #!/bin/bash /usr/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Results" [email protected]

We replace Vasya’s email address with ours and make the script executable:

$ sudo chmod +x /etc/cron.daily/rkhunter.sh

$ sudo rkhunter --update

By the way, you can add it before the check command in the cron script. Two more rootkit search tools:

$ sudo apt-get install tiger $ sudo tiger $ sudo apt-get install lynis $ sudo lynis -c

Essentially, they are the same Faberge eggs from a bird's eye view, but they have different bases. Perhaps with their help it will be possible to identify what rkhunter missed. And for starters, debsums is a reconciliation tool. checksums files, installed packages with the standard. We put:

$ sudo apt-get install debsums

Let's run the check:

$ sudo debsums -ac

As always? the launch can be added to cron jobs.

Outside

Now let's talk about how to maintain your anonymity on the Internet and gain access to sites and pages blocked at the request of various copyright holder organizations and other Mizulins. The easiest way to do this is to use one of the thousands of proxy servers around the world. Many of them are free, but often cut the channel to the speed of an ancient analog modem.

To easily browse websites and only turn on a proxy when necessary, you can use one of the many extensions for Chrome and Firefox, which can easily be found in the directory at the request of proxy switcher. We install, enter the list of required proxies and switch to the required one, seeing instead of the page the sign “Access to the page is limited at the request of Mr. Skumbrievich.”

In situations where the entire site came under the filter and its address was blacklisted on the side of the providers' DNS servers, you can use free DNS servers whose addresses are published. Just take any two addresses you like and add them to /etc/resolv.conf:

Nameserver 156.154.70.22 nameserver 156.154.71.22

To prevent various DHCP clients and NetworkManagers from overwriting the file with addresses received from the provider or router, we make the file non-rewriteable using extended attributes:

$ sudo chattr +i /etc/resolv.conf

After this, the file will become write-protected for everyone, including root.

To further anonymize your browsing experience, you can also use the dnscrypt daemon, which will encrypt all requests to the DNS server in addition to the proxy server used to connect to the site itself. Install:

$ wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.2.tar.bz2 $ bunzip2 -cd dnscrypt-proxy-*.tar.bz2 | tar xvf - $ cd dnscrypt-proxy-* $ sudo apt-get install build-essential $ ./configure && make -j2 $ sudo make install

Specify the loopback address in /etc/resolv.conf:

$ vi /etc/resolv.conf nameserver 127.0.0.1

Let's start the daemon:

$ sudo dnscrypt-proxy --daemonize

By the way, there are versions of dnscrypt for Windows, iOS and Android.

Onion routing

What is onion routing? This is Tor. And Tor, in turn, is a system that allows you to create a completely anonymous network with Internet access. The term “onion” is used here in relation to the operating model in which any network packet will be “wrapped” in three layers of encryption and will pass through three nodes on the way to the recipient, each of which will remove its own layer and transmit the result further. Everything, of course, is more complicated, but the only important thing for us is that this is one of the few types of network organization that allows you to maintain complete anonymity.

However, where there is anonymity, there are also connection problems. And Tor has at least three of them: it is monstrously slow (thanks to encryption and transmission through a chain of nodes), it will create a load on your network (because you yourself will be one of the nodes), and it is vulnerable to traffic interception. The latter is a natural consequence of the ability to access the Internet from the Tor network: the last node (output) will remove the last layer of encryption and can gain access to the data.

However, Tor is very easy to install and use:

$ sudo apt-get install tor

That's it, now the local machine will have a proxy server leading to Tor network. Address: 127.0.0.1:9050, you can enter it into the browser using the same extension, or add it through the settings. Keep in mind that this is a SOCKS, not an HTTP proxy.

INFO

To entered into command line the password was not saved in history, you can use a clever trick called “add a space at the beginning of the command.”

It is ecryptfs that is used to encrypt the home directory in Ubuntu.

Fight against flooding

I will give a few commands that can help with flooding your host.

Counting the number of connections per specific port:

$ netstat -na | grep ":port\ " | wc -l

Counting the number of "half-open" TCP connections:

$ netstat -na | grep ":port\ " | grep SYN_RCVD | wc -l

View the list of IP addresses from which connection requests come:

$ netstat -na | grep ":port\ " | sort | uniq -c | sort -nr | less

Analyzing suspicious packets using tcpdump:

# tcpdump -n -i eth0 -s 0 -w output.txt dst port port and host of the IP server

We drop the attacker's connections:

# iptables -A INPUT -s attacker's IP -p tcp --destination-port port -j DROP

We limit the maximum number of “half-open” connections from one IP to a specific port:

# iptables -I INPUT -p tcp --syn --dport port -m iplimit --iplimit-above 10 -j DROP

Disable responses to ICMP ECHO requests:

# iptables -A INPUT -p icmp -j DROP --icmp-type 8

conclusions

That's all. Without going into details and without the need to study manuals, we created a Linux-box that is protected from external intrusion, from rootkits and other infections, from direct human intervention, from traffic interception and surveillance. All that remains is to regularly update the system, prohibit password login via SSH, remove unnecessary services and avoid configuration errors.

At the annual LinuxCon conference in 2015, the creator of the GNU/Linux kernel, Linus Torvalds, shared his views on system security. He emphasized the need to mitigate the effect of certain bugs with competent protection, so that if one component malfunctions, the next layer covers the problem.

In this material we will try to cover this topic from a practical point of view:

7. Install firewalls

The maximum harm for encrypted HTTPS or SSH connections is interruption of the connection, but an attacker can insert new content, including malware, into unprotected traffic. A firewall is suitable to protect against such attacks.

Block access using Firewall

Firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend allowing only really necessary traffic and completely blocking all others.

For packet filtering, most Linux distributions have an iptables controller. It is usually used by advanced users, and for simplified setup you can use the UFW utilities in Debian/Ubuntu or FirewallD in Fedora.

8. Disable unnecessary services

If your system is configured via inetd, then in the /etc/inetd.conf file you can edit the list of background “daemon” programs; to disable loading the service, just put a “#” sign at the beginning of the line, turning it from executable to a comment.

If the system uses xinetd, then its configuration will be in the /etc/xinetd.d directory. Each directory file defines a service that can be disabled by specifying disable = yes, as in this example:

Service finger ( socket_type = stream wait = no user = nobody server = /usr/sbin/in.fingerd disable = yes )
It's also worth checking for persistent processes that are not managed by inetd or xinetd. You can configure startup scripts in the /etc/init.d or /etc/inittab directories. After the changes have been made, run the command under the root account.

/etc/rc.d/init.d/inet restart

9. Protect the server physically

To enter the data center, all visitors must go through certain authentication steps. It is also strongly recommended to use motion sensors in all areas of the center.

10. Protect the server from unauthorized access

For example, the Tripwire and Aide tools collect a database of system files and protect them using a set of keys. Psad is used to monitor suspicious activity using firewall reports.

Bro is designed to monitor the network, track suspicious activity patterns, collect statistics, execute system commands and generate alerts. RKHunter can be used to protect against viruses, most often rootkits. This utility checks your system against a database of known vulnerabilities and can identify unsafe settings in applications.

Conclusion