the psycho cat on an HP Mini with Ubuntu
* Off-site link
You may also want to consider donating directly to the Ubuntu project.
Security on Ubuntu
DisclaimerI am not a security expert at all. This is written strictly from the standpoint of an end-user who has had spyware and adware in Windows and who has read other users' advice (those users may or may not be security experts) about security practices in general.
This is not intended to be a comprehensive guide to what will absolutely provide you the best security or what theoretical ways your security can be breached. The point of this document is explain some basic, practical measures you can take to be relatively secure.
This is targeted at home desktop users. I know a very little about that, but I know nothing about securing servers.
Many of these principles can be applied to other Linux distributions as well, but the content is focused mainly on Ubuntu.
What are some security best practices?
So, do I need a firewall, anti-virus, anti-spyware tools?By default, Ubuntu ships with no open ports on public interfaces. In other words, a "port scan" would show all closed ports, nothing open. As a result, putting up a firewall would provide no more security than not putting one up. Remember that open ports provide services that hackers can connect to, and only if they can connect to these services can they be potentially abused and exploited.
A firewall, however, adds the benefit of peace-of-mind from accidentally installing a server program that opens up a port by default. Also, it satisfies curiosity by logging potential "hits." Linux comes with a very strong, secure, and powerful firewall called iptables, but it is relatively difficult to use from a new user's standpoint. As a result, there are many graphical tools that give you a simple user interface for configuring iptables, such as Firestarter for GNOME or Guarddog for KDE. There are many more in the repository, too. Remember—these all use iptables in the background, so find your favorite interface—they all offer the same great protection. [These last two paragraphs contributed by jdong from the Ubuntu Forums. Thanks, jdong!]
Conventional wisdom in the Linux community says that there are either no or very few Linux viruses out in "the wild," and that most are just proof-of-concept theoretical viruses. Some people recommend installing a virus scanner like ClamAV in order to protect your Windows-using friends from Windows viruses you might accidentally send them. I don't really see how that's an issue, though. If you have an attachment you created in Linux, why would it have a Windows virus in it? If your computer has been compromised in such a way that you don't have control over what you send other people, then you have a lot more to worry about than spreading viruses to your Windows-using friends!
I've never heard of any self-propagating viruses in Linux... ever. Still, if you're super-paranoid, stick to software in the repositories. And if you don't trust even the software in the repositories, why are you installing Ubuntu at all? The operating system and the software are packaged by the same people.
Some real dangers out there are rootkits and cracking. It doesn't happen often that a Ubuntu user gets a rootkit installed or has her computer cracked, but both have happened, and I've seen threads about them in the Ubuntu Forums. There are rootkit detectors in the repositories—rkhunter and chkrootkit, for example. I'm not sure what to do about cracking except some of the advice I gave before—stick with the default network settings unless you know what you're doing, and use strong passwords.
Windows XP allows you to make it more secure by creating limited user accounts and using the Run As... option to run only particular tasks or programs as administrator (similar to the su feature in most Linux distributions). Run As... is crippled in its implementation, though. If you use Run As... to install Windows Updates, the updates do not install properly. Also, you have to find the particular launcher files (extension of *.cpl) for Control Panel applications in order to use the Run As... option on them. The way to run Explorer (the file browser) as administrator from within a limited user account isn't simple.
Unfortunately, in addition to Run As... being crippled, many third-party (not Microsoft) software companies design their applications to be run as administrator (since that is the Windows default, which is Microsoft's fault).
This has improved greatly in Windows 7. Even though it is not the default setup in Windows, you can use a limited user account as your main account, and you will automatically be prompted for an administrator account password authentication if you try to install software or do any other action that requires modifying system folders.
Contrary to what some Linux advocates keep repeating, it is not that difficult to secure Windows. I've outlined here the steps to do that.
Ubuntu's default user operates as a limited user most of the time but has the ability (since she belongs to the admin group) to temporarily assume administrator (also known as root) privileges for particular tasks, and this setup is not only the default setup, but it is also fully functional.
While that's somewhat true, personal files are usually more important to a user than system files. After all, I can reinstall Ubuntu in half an hour and have it running again the way I want it to within two hours. If I lost all my personal files, it would take me months to recreate a lot of them, and some I would not be able to recreate at all.
This is why it's really important to back up whatever files are important to you.
When you run as an admin in Ubuntu, you're almost always a limited user. If you preface a terminal command with the word sudo or preface a graphical command with gksudo or kdesudo, you allow yourself (and only with password authentication) to temporarily assume root privileges for that one task. This would be like having your belongings in a safe with a combination lock or keeping all your money in a bank, where you can access your account through an ATM card and PIN code.
There is a fifteen-minute "timeout" for sudo. If you launch one command with sudo, you'll be prompted for a password, and within the same shell, you won't be prompted again for other sudo commands for the next fifteen minutes. If you want, you can change the sudo timeout to something lower so that you'll always be prompted for a password on every sudo command.
As an illustration, take a look at this excerpt from the Seinfeld episode "The Robbery," in which Jerry buys a secure "operating system," and Kramer plays the "dumb user."
ELAINE: [from the bathroom] JERRY! [enters the living-room] Jerry, oh, hi, welcome back. How were the shows?
JERRY: Great, I had fun, where's the TV, where's the VCR. [Elaine looks guilty] What?
ELAINE: They were stolen.
JERRY: Stolen? When?
ELAINE: A couple a hours ago, the police are coming right over.
ELAINE: [Kramer enters the apartment] Someone left the door open. [it's clear that she means Kramer; she walks to the bathroom]
JERRY: [to Kramer] You left the door open?!
KRAMER: Uh, Jer, well ya know, I was cookin' and I, I uh, I came in to get this spatula...and I left the door open, 'cause I was gonna bring the spatula right back!
JERRY: Wait, you left the lock open or the door open?
KRAMER: [bobs his head guiltily] The door.
JERRY: The door? You left the door open?
KRAMER: Yeah, well, I was gonna bring the spatula right back.
JERRY: Yeah, and?
KRAMER: Well, I got caught up... watching a soap opera...[with a broken voice] The Bold and the Beautiful
JERRY: So the door was wide open?
KRAMER: Wide open!
JERRY: [Elaine enters the living-room] And where were you?
ELAINE: I was at Bloomingdale's...waiting for the shower to heat up.
KRAMER: Look, Jerry, I'm sorry, I'm uh, you have insurance, right buddy?
KRAMER: [looks shocked] How can you not have insurance?
JERRY: Because...I spent my money on the Clapgo D. 29, it's the most impenetrable lock on the market today...it has only one design flaw: the door...[shuts the door] must be CLOSED.
Text transcription from SeinfeldScripts.com
Further ReadingSome more advice/explanation on security in Ubuntu
HOWTO: Password protect your GRUB entries
Ubuntu Forums Security Sticky
Does Ubuntu need antivirus?
Last updated 04/29/11 11:31
I will not give help to people posting in the above places. If you require technical support, start a support thread on the Ubuntu Forums. That is the appropriate place to ask for help.