Secure Ubuntu System - Introduction

This document describes the process of installing an Ultra Secure Ubuntu Server.

The information provided is biased towards the fairly recent release of Ubuntu, but should work with other versions too - perhaps with a few tweaks.

Additional steps should then be taken to harden the server. This hardening will also ensure compatibility with various security standards such as PCI-DSS Compliance.

Ubuntu server is well designed, regularly updated and relatively secure. The Ubuntu Security Team manifests an ongoing effort to keep Ubuntu secure. Regular security updates are available and easy to implement.

By default, Ubuntu Servers are secured as follows:

• No open ports.
• Role-based administration.
• No X server.
• Security updates.
• Kernel and compiler hardening.

Securing Ubuntu is not very different from securing any other system; In order to do it properly, you must first decide what you intend to do with it. After this, you will have to consider that the following tasks need to be taken care of if you want a really secure system.

The tasks can also be thought of as:

• Decide which services you need and limit your system to those. This includes deactivating / uninstalling unneeded services, and adding firewall-like filters, or tcp-wrappers.
• Limit users and permissions in your system.
• Harden offered services so that, in the event of a service compromise, the impact to your system is minimized.
• Use appropriate tools to guarantee that unauthorized use is detected so that you can take appropriate measures.

The Basic Security Tenet is:

• Deny all except that which is specifically permitted.

Hardening is a process which aims at securing a system; absolute security is impossible to reach but reducing the surface attack and reaching an equilibrium between security and cost (where with cost we refer to implementation, maintenance and usability costs) is possible.

Hardening a server means, at the practical level, reducing as much as possible the attack surface, and monitoring what is exposed to detect intrusion.

Hardening a system is much easier if you start from a minimalistic system and then add only the needed services. Hardening a complex system is possible but has a higher cost and is much more complicated, since it is easy to forget some (apparently) harmfulness piece of software somewhere in the machine. Even with modern packet managers, handling installed packages isn't an easy task.

To achieve a state of security:

• Identify the assets you want to protect.
• Identify the risks to those assets.
• Identify who & how assets are accessed.
• Establish checks and balances.
• Develop enforceable security policies.
• Use a layered approach.
• Plan for disasters.
• Get management's sign-off.

The system will include: system analysis, changing settings for additional hardening against attack, installing a firewall maintenance system, scanning for rootkits, and offering a regular maintenance regimen.

• Change settings for increased security.
• Implement firewall settings.
• Automatically blacklist attackers.
• Scan the system for vulnerabilities.
• Detect attempted intrusions.
• Scan the system for open ports.
• Check the system for rootkits.
• Monitor logs.

To install such a system you will need the following:

• A recent version of Ubuntu Server from http://releases.ubuntu.com/releases.
• A hard disk with a minimum of 20G capacity.
• A fast Internet connection.
• A server with at least a single Ethernet card.

Continue to Decisions to Make