Fortified Ubuntu
Fortified Ubuntu is a site for
hardening the security of Ubuntu Desktop 24. Ubuntu is a great platform: easy to use, secure and intuitive, and a good choice for people considering alternatives to insecure and virus-prone Windows. Ubuntu ships with sensible default security, but it can be improved upon.
Symptoms of Compromise
.Sudden slowness, although on a newer machine you may not notice it.
.Security settings disabled/downgraded.
.A stalker seeing your every move, across different accounts.
.WiFi connects but can't go online.
.Downloads that constantly arrive with malware.
The main idea is not to try to unravel what the hacker did. There are a million ways to name files so that they look legitimate and stay hidden, and you cannot possibly know every part of the OS.
You can use chkrootkit, rkhunter, ClamAV and the Kaspersky Virus Removal Tool (a non-realtime remover meant to be used as a second-opinion scanner). But if they are unable to find anything, it is best to back up your data using Deja Dup (GNOME Backup) and re-install Ubuntu. Then harden it so the attacker cannot get in again.
Re-installing the OS is the standard way of recovering from a compromise, except when the machine is a server that cannot tolerate any downtime. The risk of not completely rooting out the attacker is not one you want to live with. Once you have made a drive image, a re-install can be done in 10 minutes, and the image will save you time again and again for a long time to come.
Hardening Ubuntu with multiple security layers is as proactive as you can get. To go beyond that, you would need to do it full time as a security professional: take on an assume-compromised stance, do active threat hunting and comb through threat intelligence.
Let's continue with protection. In particular, the Ubuntu 24.04 Firefox browser does not specifically protect your private documents, pictures and videos, and Ubuntu does not come with an antivirus. Nor does it protect against rootkits by default, which hackers install onto systems to hide themselves. We will proceed to fix those items.
Version 24.10 adds a Security app that prompts you when Firefox attempts to access home directories like Documents, and you can deny it access. So the Documents, Pictures and similar folders are somewhat protected.
Also, apart from syslog, there is very little logging of important events like sudo commands. Ubuntu does not let you easily see which packages were installed, whether by you or by the attacker.
If you think you have been the victim of hacking or stalking, it is very likely that the perpetrator is a technical person. However, there are skill levels when it comes to hacking. It is easy to just buy hacking kits on the dark web, and our hardening will make life difficult for that kind of hacker. The more difficult problem is a hacker who can code and can modify the attacks to bypass defenses.
That is where security monitoring comes in. You cannot expect your security to be install-and-forget; security requires (daily) monitoring. Attackers will target places that are less well defended.
Thanks to the modular nature of Linux, there are usually several replaceable alternatives for each piece of functionality. If you spot suspicious errors from your Firefox browser or its libraries, you can replace it with Chromium, to give an obvious example. But you have to do the monitoring. Use the SIEM (Security Information and Event Management) that the tutorial suggests; it is good.
Hacking is part of stalking. To counter stalking you have to severely cut down on your social network activity, start new social media and maybe email accounts, watch what you say online, and maybe even replace your SIM card and/or cell phone, especially if your cell phone no longer receives security patches and updates. Legal parental-control software is often used as a stalking tool.
So let's dig in.
Support me a little: $2, buy me a coffee: https://buymeacoffee.com/fortifiedubuntu.org
Offensive Security and Penetration Testing
There is a category of security termed 'offensive security'. It is the use of hacking tools for defensive purposes. And there is the practice of hiring white-hat hackers to do penetration testing. The company pays them to hack its site, and if the hackers discover some attack vector, they inform the company how to mitigate it before someone else exploits it.
Now automation has come to pen testing and it has become cheaper. It used to be that you had to hire a pen-testing company and the process could take several days. There are companies that will now do it for the price of a pair of expensive basketball shoes.
Intruder.io offers a 7-day free trial of their services. We are not affiliated with them, but we recommend you give it a test. You can always cancel the free trial within 7 days.
Note that it is important that your defenses are tested and verified. In our setup, we have a firewall, and you can test your firewall with the 'nmap' tool. Install nmap using 'sudo apt install nmap'. Then issue the command 'nmap 192.168.0.0/16'. This tells nmap to scan the entire 192.168.x.x address space. It will report all live machines and any open ports. If no open ports are found, then all is good. Run the scan from a second machine on your LAN: a scan of a host from itself travels over the loopback interface, which the firewall normally allows, so it does not exercise the rules.
You can also verify that your Firejail sandbox is active while Firefox is open by running 'firejail --list'.
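As an added example (not code from this site), a small POSIX shell helper that turns nmap's greppable output into a list of open ports per host, plus a yes/no check for the machine you are protecting. It assumes you ran the scan from a second LAN host with 'nmap -oG scan.txt 192.168.0.0/16'; the scan data embedded below is a constructed sample, not a real scan.

```shell
#!/bin/sh
# Added example, not from the Fortified Ubuntu site. Parses nmap greppable
# output (nmap -oG FILE ...) and reports open ports, so the firewall check
# can be scripted instead of read by eye.

# Write a constructed sample of nmap -oG output (not real scan data) to $1.
write_sample() {
    printf '# Nmap scan (constructed sample)\n' > "$1"
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 631/open/tcp//ipp///\tIgnored State: closed (998)\n' >> "$1"
    printf 'Host: 192.168.1.20 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 192.168.1.20 ()\tPorts: 80/closed/tcp//http///\tIgnored State: filtered (999)\n' >> "$1"
}

# Print "host port/proto" for every port nmap reported as open in file $1.
# Fields in -oG lines are tab-separated; each port entry looks like
# "22/open/tcp//ssh///" (port/state/proto/...).
open_ports_from() {
    awk -F'\t' '/^Host:/ && /Ports:/ {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, ports, ",")
            for (j = 1; j <= n; j++) {
                split(ports[j], f, "/")
                gsub(/^ +/, "", f[1])
                if (f[2] == "open") print host " " f[1] "/" f[3]
            }
        }
    }' "$1"
}

# Return 0 if host $1 shows no open ports in scan file $2, 1 otherwise.
host_is_closed() {
    if open_ports_from "$2" | grep -qF "$1 "; then
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample; point it at a real -oG file instead.
tmp=$(mktemp)
write_sample "$tmp"
open_ports_from "$tmp"
if host_is_closed 192.168.1.10 "$tmp"; then echo "192.168.1.10: no open ports"; else echo "192.168.1.10: open ports found, review the firewall rules"; fi
rm -f "$tmp"
```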
2024-10-11
Use a VPN, even at home
A VPN encrypts your traffic between you and the VPN provider's servers. (The leg of the journey between their servers and the destination web site is not encrypted by the VPN.) But you gain protection from someone monitoring your PC's traffic. This is essential if you suspect that your modem/router is hacked.
ProtonVPN has a FREE VPN service with a good privacy policy and no ads. They are a Swiss company, and Swiss privacy laws cover all nationalities that Swiss companies deal with. Proton has 3 geographic centers for their free servers: America (in the US), Europe (in the Netherlands) and Asia (in Japan). Each center has something like 30+ servers. I find their servers fast.
What you do is register for the free ProtonVPN service. Go to the Account section and copy the OpenVPN / IKEv2 username and password. Then go to the Downloads section and select the platform and protocol (TCP is better because it recovers from lost packets, but it is slower than UDP because of that overhead). Then scroll down to your geo region and download as many server configurations as you want.
Then in Ubuntu, go to Settings > Network, click the + next to VPN and choose 'Import from file'. Fill in the username and password on the Identity tab with what you copied above, and click Disable on the IPv6 tab. Then all your VPN servers are ready for use from the menu at the top right of the screen.
2024-10-20
Modem/Router Attacks
Modem and router attacks are common. If your modem/router has a security vulnerability, it is easy to get attacked. Once the attacker succeeds, he can set up a man-in-the-middle (MITM) position and act as a middleman between you and your web destination. Then he can read all the web sites you visit. Another example: he can set up a fake Chrome Web Store page, intercept your request, and you end up installing his malware extensions instead of the real extension. He could also selectively refuse to forward your traffic, essentially blocking you from accessing the internet.
So go to the National Vulnerability Database (NVD), which is a vulnerability search engine, and search for your router model. If something shows up, go to your router's admin page and apply the firmware update.
Here is a good site that discusses router security: Router Security.
The National Vulnerability Database can be searched for any kind of security vulnerability, including software vulnerabilities, so you can also search for Ubuntu vulnerabilities.
Last modified 2024-12-30
Ensure your security is Risk based
I determined that the riskiest things for me (and most people) are always-running networking daemons and processes (the browser). The daemons systemd-timesyncd and systemd-resolved seem the riskiest. But both are already well protected, as seen from their .service specifications in /usr/lib/systemd/system; see all the possible settings in 'man systemd.exec'. So the remaining one is the browser, which we protected with Firejail.
Then we look at risks involving vulnerabilities; CUPS has a high historical risk. Then we look at other daemons to further reduce our attack surface, even if they have no history of being attacked, because they pose a risk by always actively listening on the network, like Avahi. ('sudo netstat -tulnp' reveals those; netstat comes from the net-tools package, and 'ss -tulnp' from the default iproute2 package shows the same information.) Avahi belongs to the Apple ecosystem, so it does not fulfill a business need for me, making it a candidate for elimination.
Then we look at problematic things elsewhere that can also be exploited on Ubuntu. One problem particular to Windows is that it calls home through various undocumented services. Attackers who know the IP addresses that these services connect to can use a spoofing attack if the service is vulnerable. In my experience using EDR, Windows services have been coerced into starting PowerShell. To reduce our attack surface we have to stop this call-home traffic where doing so has no ill effect. As defenders we have to be proactive, and if a service does not fulfill a business need we should eliminate it. We do not sit there and wait until the day an exploit sequence is coded. So Ubuntu's whoopsie (the crash reporter) is eliminated. Perhaps borrowing the Windows case is not very sound reasoning if we look into the specifics, but the general idea of exploiting things that call home is. And thirdly, such traffic does not fulfill a business need. The whole premise is that attack methods and opportunities can be reused across different situations.
You may have additional risks. For example, if you run your chat app all day while online gaming, then both should be deemed high risk because they act like a daemon: they are always running and anyone can send them network packets. What you might want to do is employ AppArmor: make an AppArmor profile for the app, put it in /etc/apparmor.d, then load it with 'apparmor_parser -r <profile>'. ChatGPT can sometimes make AppArmor profiles that work, but it may take several rounds of modification because it misses the minimum requirements for an app to run properly. When a profile does not work, look for the word 'DENIED' in /var/log/syslog.
Encryption is usually the answer to privacy or confidentiality concerns. For example, if you value the confidentiality of your documents, consider zuluCrypt encrypted folders. (Hint: create 'VeraCrypt' type volumes.) It creates an encrypted folder where you can store your documents. If you need to send a file to someone, create another encrypted folder, put the confidential file inside, and send that encrypted folder-file. Inform the other party of the password using out-of-band communication like a phone call. The rule is that confidential things need to be encrypted in storage as well as in transit.
So think about your risk tolerance for the different things you do or care about. Always address the highest risks first. You can then protect the asset, replace it, offload the risk to somebody else (a managed security service provider or a cyber-risk insurance company), or simply stop doing that thing. Remember that no mitigation is 100% effective; you will always have some residual risk, and things do fail. So implement security layers (technical, administrative or physical) and manage them so that the residual risk is acceptable.
Last modified 2024-03-13
Flatpak and flatseal
Flatpak is a container format like snap, and many apps are deployed as flatpaks. If you like flatpaks, there is an app called Flatseal which can help minimize your apps' links to your main system. It is at https://flathub.org/apps/com.github.tchx84.Flatseal . When you run it, it displays each app's mappings to the outside. You can selectively turn things off and delete mappings. If you get it wrong, there is a reset button that lets you start afresh. Worth a look.
last modified 2025-03-21
WiFi Attacks (particular to Apartment Dwellers)
There are several WiFi attacks that apartment dwellers are subject to; here are some that I have experienced.
A compensating control is to switch to Ethernet. You can buy a $15 USB Ethernet dongle if your laptop does not have an Ethernet jack, and $25 will get you a 100-foot cable. Yes, it might mean unsightly wires across your living room if you, your partner or your parents are concerned about appearance, but they can be routed along the foot of walls with clips.
Another compensating control is to use your cell phone's USB hotspot and a USB cable. Your computer will recognize it as a USB Ethernet device. But if you plan to use it full time, you might need a bigger cellular data plan. You can also use this at coffee shops, which might justify the cost. But this is a recurring cost.
Another compensating control is to pre-encrypt the files you send out and communicate the password to your partner by phone. But this only covers a small segment of the many risks.
You should consider the above compensating controls if the primary control is not suitable or available to you. ProtonVPN Free currently only has 4 country server centers (Netherlands, Romania, Japan and USA). My locale has a speedy connection, but yours may not, so look around. And you must always remember to turn on the VPN. For the deauthentication attack, the control involves a sizable investment if your equipment does not support WiFi 6. If your modem+router does not support it, you will have to place an additional WiFi 6 router between the modem and your laptop, or maybe switch to another ISP that supplies WiFi 6 modem+routers. If you have experienced deauthentication attacks, that means a hacker is nearby and will probably try again, so reconsider investing IF you must use WiFi, or switch to Ethernet, which stops all the WiFi problems. Or you can consider moving, which solves many future hacking problems in the long run.
I have listed the major WiFi attacks and mitigating security controls.