Fortified Ubuntu
Fortified Ubuntu is a site for hardening the security of Ubuntu Desktop 24. Ubuntu is a great platform, easy to use, secure and intuitive, perfect for people considering alternatives to insecure and virus-prone Windows. Ubuntu provides sensible default security but it can be improved upon.
Symptoms of Compromise
- Sudden slowness, although on a newer machine you may not feel it.
- Security settings disabled or downgraded.
- A stalker seeing your every move, across different accounts.
- WiFi connects but you can't go online.
- Downloads constantly arriving with malware.
The main idea is not to try and unravel what the hacker did. There are a million ways to name files so they look legitimate and stay hidden, and you can't possibly know every part of the OS.
You can use chkrootkit, rkhunter, clamav and the Kaspersky virus removal tool (a non-realtime remover meant to be used as a second-opinion scanner). But if they are unable to find anything, then it is best to back up your data using Déjà Dup (GNOME Backups) and re-install Ubuntu. Then harden it so he can't get in again.
Re-installing the OS is a standard way of recovering from compromise except when the machine is a server that cannot tolerate any downtime. The risk of not being able to completely root out the attacker is not an option you want to live with. Once you have made a drive image, it can be done in 10 minutes; the drive image will save you time and time again for a long time to come.
Hardening Ubuntu with multiple security layers is as proactive as you can get. To go beyond that, you would need to be doing it full time as a security professional, take on an 'assume compromised' stance, do active threat hunting and comb through threat intelligence.
Let's continue with protection. In particular, the protection offered by the Ubuntu 24.04 Firefox browser does not specifically protect your private documents, pictures and videos, and it doesn't come with an antivirus. Nor does it protect against rootkits by default, which hackers install onto systems to hide themselves. We will proceed to fix those items.
Version 24.10 adds a Security app that prompts you when Firefox attempts to access any home directory like Documents, and you can deny it access. So the Documents, Pictures etc. folders are somewhat protected.
Also, apart from syslog, there is very little logging of important events like sudo commands. It does not let you easily see which packages were installed, by you or by the attacker.
If you think you have been the victim of hacking or stalking, it is very likely that the perpetrator is a technical person. However, there are skill levels when it comes to hacking. It is easy to just buy hacking kits on the dark web, and our hardening will make it difficult for that kind of hacker. The more difficult problem is when the hacker can code and can modify the attacks to bypass defenses.
That is where security monitoring comes in. You cannot expect your security to be install-and-forget. Security requires (daily) monitoring. Attackers will target places that are less well defended.
Thanks to the modular nature of Linux, there are usually several replaceable alternatives for each piece of functionality. If you spot suspicious errors from your Firefox browser or its libraries, you can replace it with Chromium, just to give an obvious example. But you have to do the monitoring. Use the SIEM (Security Information and Event Management) that the PDF suggests; it is good.
Hacking is part of stalking. To counter stalking you have to severely cut down on your social network activity, start new social media and maybe email accounts, watch what you say online, and maybe even replace your SIM card and/or cell phone, especially if your cell phone no longer receives security patches and updates. Legal parental control software is often used as a stalking tool.
All open source security tools are free. So let's dig in. The how-to document is a PDF file which you can view with your browser and download.
Fortified Ubuntu desktop hardening 24.04.pdf - updated 2025-01-04
Support me a little: $2. https://buymeacoffee.com/fortifiedubuntu.org
Offensive Security and Penetration Testing
There is a category of security termed 'offensive security'. It is the use of hacking tools for defensive purposes. And there is the practice of hiring white hat hackers to do penetration testing. The company pays them to hack their site, and if the hackers discover some attack vector, they inform the company on how to mitigate that attack before someone else exploits it.
Now, automation has come to pen testing and it has become cheaper. It used to be that you had to hire a pen testing company and the process could take several days. There are companies that will now do it for the price of a pair of expensive basketball shoes.
Intruder.io offers a 7 day free trial of their services. We are not affiliated with them. But we recommend you give it a test. You can always cancel the free trial within 7 days.
Note that it is important that your defenses are tested and verified. In our setup, we have a firewall, and you can test your firewall with the 'nmap' tool. Install nmap using 'sudo apt install nmap'. Then issue the command 'nmap 192.168.0.0/16'. This tells nmap to scan the entire 192.168.x.x address space. It will report all live machines and any open ports. If no open ports are found, then all is good. Run the scan from a second machine on the same network: packets sent to your own address from the same host travel over the loopback interface, which ufw allows, so scanning yourself from the same machine does not exercise the firewall.
You can also verify that firejail is working while Firefox is open. You do that with 'firejail --list'.
2024-10-11
Use a VPN, even at home
A VPN encrypts your traffic between you and their servers. (The leg of the journey between their servers and the destination web site is not encrypted by the VPN.) But you gain protection from someone monitoring your PC's traffic. This is essential if you suspect that your modem/router is hacked.
ProtonVPN has a FREE VPN service with a good privacy policy, and it is ad free. They are a Swiss company, and Swiss privacy protection laws cover all nationalities that Swiss companies deal with. Proton has 3 geographic centers for their free servers: America (in the US), Europe (in the Netherlands) and Asia (in Japan). Each center has something like 30+ servers. I find their servers fast.
What you do is register for the free ProtonVPN service. Go to the Account section and copy the OpenVPN/IKEv2 username and password. Then go to the Downloads section and select Platform and Protocol (TCP is better because it has error correction, but is slower than UDP because of the error detection overhead). Then scroll down to your geographic region and download as many server configurations as you want.
Then in Ubuntu, go to Settings > Network, click the + for VPN and choose 'Import from file'. Fill in the Identity tab username and password with what you copied above, and click Disable on the IPv6 tab. Then all your VPN servers are ready for use at the top right of the screen.
2024-10-20
Modem/Router Attacks
Modem and router attacks are common. If your modem/router has a security vulnerability/bug, it is easy to get attacked. Once the attacker succeeds, he can set up a man-in-the-middle (MITM) position, acting as a middle man between you and your web destination. Then he can read all the web sites you visit. Another example is that he can set up a fake Chrome Web Store page, intercept your request, and you will be installing his malware extensions instead of the real extension. They could also selectively refuse to forward your traffic, essentially blocking you from accessing the internet.
So go to the National Vulnerability Database, which is a vulnerability search engine, and search for your router model. If something shows up, go to your router's web page and do an update.
Here is a good site that discusses router security - Router Security.
The National Vulnerability Database can search for any kind of security vulnerability, including software vulnerabilities, so you can also search for Ubuntu vulnerabilities.
last modified 2024-11-28
Security Principles
Now let's go over some Security Principles. These should guide you when implementing security on your systems.
Least Privilege
Everybody's account should only be able to run things that are required for their role/job. For example, Mary the accountant should only be able to run her accounting software and not be able to install programs, setup security, access the Research & Development department, etc.
So in Ubuntu, Mary should not have sudo rights; then she wouldn't be able to install programs using apt or apt-get, nor modify configurations in /etc. She also does not need to run curl or wget.
Minimization
If you only have the absolute necessary programs and libraries installed, then you will reduce your attack surface. A system with lots of programs and daemons (services) gives the attacker an increased chance of success because if he knows how to exploit one of them then he will be able to set foot on the system. Minimization lessens that chance.
Minimization also gives you a clearer picture of your attack surface. If there are only 3 things that talk to the network, let's say time synchronization (systemd-timesyncd), DNS resolution (systemd-resolved) and your browser, then when compromised you only have to figure out which of the 3 was attacked. And you know which 3 things you can swap out to eliminate the threat after restoring from your backup image.
In the PDF we only eliminated the printing system daemon cups, because of its long history of vulnerabilities; there are more things that you can remove. Things ending with a 'd' are usually daemons in the Linux naming convention. A daemon/service is a program which is always running and talking either to the net or to other programs. You can uninstall the unneeded ones that talk to the network. Use the command 'ps aux | less' to see what programs and daemons are running. Use the command 'man <programName>' to see what each does. Use the command 'sudo netstat -tunp' to see what programs are currently active on the net. Finally use 'sudo apt remove <programName>' to uninstall it.
Complexity is at odds with security. With a system that has many knobs and switches you won't necessarily know which combination of settings is secure, because of the complex way things interact. A wrong configuration setting here and there can lead to a compromise. An attacker can perform an attack sequence: first gaining low privileges on a network-facing daemon, followed by an attack on a non-networking daemon which has powerful root permissions. Then he will be able to do anything. So minimization reduces your attack surface and lowers complexity.
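The inventory step above can be turned into a repeatable check, so that anything listening on the network that you have not explicitly decided to keep stands out. This is an added example, not from the site's PDF; it parses the output of 'sudo ss -tulnp' (ss ships with Ubuntu by default, whereas netstat needs the net-tools package) and compares the program names against an allow-list. The sample output and the allow-list are constructed for the example; edit ALLOWED to match the daemons you decided to keep.

```shell
#!/bin/sh
# Constructed sample of 'sudo ss -tulnp' output (not captured from a real machine).
# Note: ss shows the kernel's 15-character comm name, so systemd-timesyncd
# appears as "systemd-timesyn" and systemd-resolved as "systemd-resolve".
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=812,fd=12))
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("systemd-timesyn",pid=901,fd=18))
tcp   LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=734,fd=16))
tcp   LISTEN 0      128    0.0.0.0:631         0.0.0.0:*         users:(("cupsd",pid=1044,fd=7))'

# Programs you have decided are allowed to talk to the network (constructed list;
# edit it to match your own minimized system).
ALLOWED="systemd-resolve systemd-timesyn"

# Reads 'ss -tulnp' output on stdin and prints "proto port program pid" for every
# socket whose program is not in $ALLOWED. Empty output means nothing unexpected
# is listening; each printed line is a candidate for 'man' and 'sudo apt remove'.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && match($0, /users:\(\("[^"]*",pid=[0-9]+/) {
            s = substr($0, RSTART, RLENGTH)
            prog = s; sub(/^users:\(\("/, "", prog); sub(/".*/, "", prog)
            pid = s; sub(/.*pid=/, "", pid)
            port = $5; sub(/.*:/, "", port)      # strip address, keep the port
            if (!(prog in ok)) printf "%s %s %s %s\n", $1, port, prog, pid
        }'
}

# Example run over the constructed sample; on a real system use:
#   sudo ss -tulnp | unexpected_listeners
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
```

Once a program is confirmed as unneeded, 'dpkg -S "$(command -v avahi-daemon)"' tells you which package to remove.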
Default Deny & Whitelisting
Default Deny means that if no rules are provided for a security control, the default action is to deny whatever is being controlled. An example is your AppArmor profiles. The rules provide a list of allowed actions, and whatever is not stated is denied. You can take a look at your AppArmor profiles in /etc/apparmor.d. The rules are a whitelist, which spells out what is allowed. When looking for a security solution, it is best to find those that use default deny.
For example, most antivirus solutions are blacklists. They define what is not allowed, and anything else not stated is allowed to pass. So they are looking for specific things to quarantine. Blacklists do serve a purpose sometimes, as in this example, but they are not as safe, because you risk missing something that should be blocked, and antiviruses are known to miss new viruses. AppArmor would not miss: if the rules are not complete and do not allow everything that an application needs, the whole application will not start, and then you will know that something is wrong with your rules. When a hacker exploits a weakness in an application, he is trying to inject something extra into the program space. That will cause AppArmor to block, because it is default deny and will not allow non-whitelisted things to run.
Some security controls use both blacklists and whitelists, like firewalls. One can specify what to block, and also specify what to allow. In this case, one needs to make a Block Everything rule as the bottom most rule, so as to implement the default deny concept. This is the general practice for writing firewall rules. Not all firewalls behave the same way. For example, Ubuntu's firewall, ufw, has a policy setting that enables default deny; but one has to specify it.
Default deny security controls are easier to manage: you will know if the whitelist is not complete, and they will block anything that has not been pre-allowed.
Defense in Depth
Defense in Depth means you should have multiple 'layers' of security controls; if one fails, you still have another control that might stop or detect the attack. So your attacker tries to exploit a standard component that exists in a default install, but finds that you have removed it (hardening is one layer), so he tries another. This time the exploit is aimed at a daemon that does exist and is running. However, the default systemd protection stops him (that's another layer). So he has to try yet another attack, let's say aimed at your timesyncd daemon. This time your protection fails. When protection fails, you fall back to detection. So let's say your SIEM or EDR detects it, or you find something out of the ordinary in your logs (another few layers). Now you are aware of an attack and proceed to investigate, then re-image from your golden image. Then you replace the clock daemon with something else not so vulnerable; or you find a CVE documenting the vulnerability and decide to disable the daemon temporarily and wait for the patch; or you decide to temporarily switch to the distro's beta stream and get an update right away.
There are 3 classes of security controls: administrative, technical and physical.
Administrative or procedural. Examples: 1) Always disconnect from the internet when connecting your backup drive to do backups or restores. 2) Checking for CVE vulnerabilities regularly. 3) Security audits where you check your security controls to see if they are configured properly and running.
Technical. Examples: 1) Antivirus 2) Rootkit remover 3) Intrusion Prevention System (IPS) like Snort or Suricata.
Physical. Examples: 1) Locked office door 2) Security guard 3) Burglar alarm.
Last modified 2024-12-30
I determined that the riskiest things for me (and most people) are always-running networking daemons and processes (the browser). The daemons systemd-timesyncd and systemd-resolved seem the riskiest. But both are already well protected, as seen by their .service specifications in /usr/lib/systemd/system; see all the possible settings in "man systemd.exec". So the remaining one is the browser, which we protected with firejail.
Then we look at risks involving vulnerabilities, and cups has a high historical risk. Then we look at other daemons to further reduce our attack surface, even if they don't have a history of being attacked but pose a risk because they are always actively listening to the internet, like Avahi. ('sudo netstat -tulnp' reveals those.) Avahi belongs to the Apple ecosystem, so it doesn't fulfill a business need for me, so it is a candidate for elimination.
Then we look at problematic things elsewhere which can be exploited in Ubuntu as well. One problem particular to Windows is that it calls home with various undocumented services. Attackers who know the IP addresses that these services connect to can use a spoofing attack if the service is vulnerable. In my experience using EDR, Windows services have been coerced to start PowerShell. To reduce our attack surface we have to stop this call-home traffic if doing so has no ill effect. As defenders we have to be proactive, and if a service does not fulfill a business need then we should eliminate it. We don't sit there and wait until the day an exploit sequence is coded. So Ubuntu's whoopsie is eliminated. Perhaps borrowing the Windows case is not very sound reasoning if we look into the specifics, but the general idea of exploiting things that call home is. And thirdly, such traffic does not fulfill a business need. The whole premise is that attack methods and opportunities can be reused across different situations.
You may have additional risks. E.g. if you run your chat app all day while online gaming, then both should be deemed high risk because they are acting like daemons: anyone can send them network packets and they are always running. What you might want to do is employ AppArmor: make an AppArmor profile for the app, put it in /etc/apparmor.d, then register it with "apparmor_parser -r <profile>". ChatGPT can sometimes make AppArmor profiles that work, but it may take several rounds of modifications because it misses minimum requirements for an app to run properly. When a profile doesn't work, look for the word 'DENIED' in /var/log/syslog.
Encryption is usually the answer to privacy or confidentiality concerns. For example, if you value the confidentiality of your documents, then you should consider zuluCrypt encrypted folders. (Hint: create 'VeraCrypt' type folders.) It creates an encrypted folder where you can store your documents. If you need to send a file to someone, then create another encrypted folder, put the confidential file inside, and send that encrypted folder file. Inform the other party of the password using out-of-band communication like a phone call. The rule is that confidential things need to be encrypted in storage as well as in transit.
So think about your risk tolerance for the different things you do or care about. Always address the highest risks first. You can then either protect it, replace it, offload the risk to somebody (like a managed security service provider or a cyber-risk insurance company), or simply stop doing that thing. Remember that no mitigation is 100% complete; you will always have some residual risk, and things do fail. So implement security layers (technical, administrative or physical) and manage them so that the residual risk is acceptable.
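The 'DENIED' lines mentioned above are also the practical side of the Default Deny section: an incomplete profile blocks what the app needs, and the log tells you exactly what. Here is an added shell example, not from the site's PDF, that reads such lines and prints one candidate file rule per denied path for a given profile, so you can review them before adding them. It assumes a hypothetical profile named chatapp and uses constructed log lines; the aa-logprof tool from the apparmor-utils package does the same job interactively.

```shell
#!/bin/sh
# Constructed sample of AppArmor audit lines as they appear in /var/log/syslog
# (not real log data; "chatapp" is a hypothetical profile name).
SAMPLE_LOG='Dec 30 10:15:01 host kernel: audit: type=1400 audit(1735553701.123:45): apparmor="DENIED" operation="open" class="file" profile="chatapp" name="/home/mary/.config/chatapp/settings.json" pid=2345 comm="chatapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Dec 30 10:15:02 host kernel: audit: type=1400 audit(1735553702.456:46): apparmor="DENIED" operation="open" class="file" profile="chatapp" name="/home/mary/.cache/chatapp/log.txt" pid=2345 comm="chatapp" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Dec 30 10:15:03 host kernel: audit: type=1400 audit(1735553703.789:47): apparmor="ALLOWED" operation="open" class="file" profile="chatapp" name="/usr/share/zoneinfo/UTC" pid=2345 comm="chatapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Dec 30 10:15:04 host kernel: audit: type=1400 audit(1735553704.012:48): apparmor="DENIED" operation="open" class="file" profile="chatapp" name="/home/mary/.config/chatapp/settings.json" pid=2345 comm="chatapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# Reads syslog text on stdin and prints, for the profile named in $1, one
# candidate rule per denied path ("  <path> <modes>,"), merging the denied_mask
# letters seen for that path. ALLOWED (complain-mode) lines are ignored.
denied_rules() {
    awk -v want="$1" '
        /apparmor="DENIED"/ {
            p = ""; n = ""; m = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "="); if (eq == 0) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1); gsub(/"/, "", v)
                if (k == "profile") p = v
                else if (k == "name") n = v
                else if (k == "denied_mask") m = v
            }
            if (p == want && n != "") modes[n] = modes[n] m
        }
        END {
            for (n in modes) {
                out = ""                       # de-duplicate mode letters
                for (j = 1; j <= length(modes[n]); j++) {
                    c = substr(modes[n], j, 1)
                    if (index(out, c) == 0) out = out c
                }
                printf "  %s %s,\n", n, out
            }
        }' | LC_ALL=C sort
}

# Example run over the constructed sample; on a real system use:
#   grep 'apparmor="DENIED"' /var/log/syslog | denied_rules chatapp
printf '%s\n' "$SAMPLE_LOG" | denied_rules chatapp
```

Only add a printed rule to the profile if the access makes sense for the app; an unexpected path in this list is exactly the kind of thing default deny is meant to stop.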
Support me a little: $2 https://buymeacoffee.com/fortifiedubuntu.org
Bookmark this site if you find the information useful. We cannot afford to run never ending Google ads.
Ensure your security is Risk based