
xairy / Ubuntu Hardening

Random tips improving security of Ubuntu Desktop

ubuntu-hardening

Some random simple tips on how to improve the security of an Ubuntu Desktop installation. The instructions are based on Ubuntu 16.04.2 (and Linux Mint 18.1). I definitely recommend reading up on each step yourself instead of just blindly following them.

Set BIOS/UEFI password

Enable and set a BIOS/UEFI password. The exact steps for this depend on the particular hardware and firmware that you have. Google it.

Enable full disk encryption

During installation select the "Encrypt the new Ubuntu installation for security" checkbox.

Update packages

sudo apt-get update && sudo apt-get dist-upgrade

Set Grub password

Generate password hash:

$ grub-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.06FF[...]

Add the following lines to /etc/grub.d/40_custom:

$ cat /etc/grub.d/40_custom
...
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.06FF[...]

Regenerate grub config:

sudo update-grub2

Now reboot.

Disable unneeded services

By default Ubuntu enables and starts a few services that listen on external network interfaces:

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      856/cupsd       
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1050/dnsmasq    
tcp6       0      0 ::1:631                 :::*                    LISTEN      856/cupsd       
udp        0      0 0.0.0.0:47622           0.0.0.0:*                           1050/dnsmasq    
udp        0      0 0.0.0.0:33349           0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 0.0.0.0:631             0.0.0.0:*                           993/cups-browsed
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1050/dnsmasq    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1038/dhclient   
udp6       0      0 :::39773                :::*                                855/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                855/avahi-daemon: r

Disable cupsd:

sudo systemctl disable cups.socket cups.path cups.service
sudo systemctl kill --signal=SIGKILL cups.service
sudo systemctl stop cups.socket cups.path

Disable cups-browsed:

sudo systemctl disable cups-browsed
sudo systemctl stop cups-browsed

Disable avahi-daemon:

sudo systemctl disable avahi-daemon.socket avahi-daemon.service
sudo systemctl stop avahi-daemon.socket avahi-daemon.service

For Linux Mint disable ntp:

sudo systemctl stop ntp
sudo systemctl disable ntp

Now reboot and make sure these services are not running.
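
As an added example (not code from the ubuntu-hardening project), a small POSIX sh script that triages a netstat -tulpn listing like the one above and keeps only the sockets reachable from the network, skipping everything bound to 127.0.0.0/8 or ::1; the SAMPLE variable is a constructed copy of that listing. After the reboot, pipe live `sudo netstat -tulpn` output into exposed_programs to confirm that only what you still need (dhclient, which has to listen on UDP 68 to get a lease) is left.

```shell
#!/bin/sh
# Added triage helper, not part of the ubuntu-hardening project. It reads
# `netstat -tulpn` output and keeps only sockets bound to a non-loopback
# address, i.e. the ones reachable from the network. SAMPLE is the listing
# shown above (constructed copy, with the "Active Internet connections" line
# dropped); on a live system pipe `sudo netstat -tulpn` in instead.
SAMPLE='tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      856/cupsd
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1050/dnsmasq
tcp6       0      0 ::1:631                 :::*                    LISTEN      856/cupsd
udp        0      0 0.0.0.0:47622           0.0.0.0:*                           1050/dnsmasq
udp        0      0 0.0.0.0:33349           0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 0.0.0.0:631             0.0.0.0:*                           993/cups-browsed
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1050/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1038/dhclient
udp6       0      0 :::39773                :::*                                855/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                855/avahi-daemon: r'

# external_listeners: stdin = netstat -tulpn output; prints
# "proto local-address program" for every socket not bound to 127.0.0.0/8
# or ::1. Header lines are skipped because they do not start with tcp/udp.
external_listeners() {
    awk '/^(tcp|udp)/ {
        addr = $4
        sub(/:[0-9]+$/, "", addr)            # drop the port ("::1:631" -> "::1")
        if (addr ~ /^127\./ || addr == "::1") next
        # program column is "PID/name" and may contain spaces ("avahi-daemon: r")
        if (match($0, /[0-9]+\/[^ ]+/)) {
            prog = substr($0, RSTART, RLENGTH)
            sub(/^[0-9]+\//, "", prog)       # "855/avahi-daemon:" -> "avahi-daemon:"
            sub(/:$/, "", prog)              # netstat truncation leaves a trailing ":"
        } else {
            prog = "?"                       # no PID shown (netstat run without sudo)
        }
        print $1, $4, prog
    }'
}

# exposed_programs: the distinct program names behind those sockets, one per
# line; for the sample this is avahi-daemon, cups-browsed, dhclient, dnsmasq.
exposed_programs() {
    external_listeners | awk '{ print $3 }' | LC_ALL=C sort -u
}

printf '%s\n' "$SAMPLE" | exposed_programs
```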

Restrict information exposed by the kernel

Add the following lines to /etc/sysctl.conf.

Prevent unprivileged users from reading the kernel log:

kernel.dmesg_restrict=1

Run sudo sysctl -p after adding settings to /etc/sysctl.conf here and below.

Check:

$ dmesg
dmesg: read kernel buffer failed: Operation not permitted

Hide kernel pointers (with the value 2 they are printed as zeros even for root):

kernel.kptr_restrict=2

Check:

$ sudo cat /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A espfix_waddr
0000000000000000 A espfix_stack
...

Disable unprivileged user namespaces

This significantly reduces the kernel's attack surface exposed to unprivileged users.

Add this line to /etc/sysctl.conf:

kernel.unprivileged_userns_clone=0

Check:

$ unshare -U
unshare: unshare failed: Operation not permitted

Disable unprivileged BPF

Add this line to /etc/sysctl.conf:

kernel.unprivileged_bpf_disabled=1

Enable firewall

Drop unsolicited incoming packets:

sudo ufw enable
sudo ufw default deny incoming

Disable IPv6

Add these lines to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

Change /etc/default/grub as:

...
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
...

Update Grub config:

sudo update-grub2

Now reboot.

Make sure that you don't see any inet6 addresses in ifconfig output:

ifconfig | grep inet6
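
The kernel settings from the sysctl steps above (dmesg_restrict, kptr_restrict, unprivileged_userns_clone, unprivileged_bpf_disabled and the three IPv6 switches) can be re-checked after a reboot with this added audit script, which is not part of the ubuntu-hardening project; the script name audit.sh and the snapshot path in the comment are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the ubuntu-hardening project: checks the
# sysctl settings recommended above against a saved snapshot, e.g.
#   sysctl -a 2>/dev/null > /tmp/sysctl.txt && sh audit.sh /tmp/sysctl.txt
# Keys and values below are exactly the ones this page tells you to set.
EXPECTED='kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.unprivileged_userns_clone=0
kernel.unprivileged_bpf_disabled=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1'

# audit_sysctl FILE
# FILE holds "key = value" lines as printed by `sysctl -a` (or the
# "key=value" lines of /etc/sysctl.conf; commented-out lines are ignored).
# Prints one line per setting that is missing or has the wrong value and
# returns that count, so 0 means every recommended setting is in place.
audit_sysctl() {
    file=$1
    bad=0
    for want in $EXPECTED; do
        key=${want%%=*}
        val=${want#*=}
        # strip blanks so "key = value" and "key=value" compare the same way
        got=$(awk -F= -v k="$key" \
            '{ gsub(/[ \t]/, ""); if ($1 == k) { print $2; exit } }' "$file")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $val)"
            bad=$((bad + 1))
        elif [ "$got" != "$val" ]; then
            echo "WRONG   $key=$got (want $val)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

if [ "$#" -eq 1 ]; then
    audit_sysctl "$1"
fi
```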

Disable LightDM guest sessions

Not required on Linux Mint.

Create /etc/lightdm/lightdm.conf.d/50-no-guest.conf file with the following content:

$ cat /etc/lightdm/lightdm.conf.d/50-no-guest.conf
[Seat:*]
allow-guest=false

Now reboot.

Make sure that guest login is no longer offered on the login screen.

More

Other things you can do.

  • Whitelist kernel modules
  • Whitelist USB devices
  • Custom kernel / grsecurity
  • AppArmor / SELinux