Security in Ubuntu

Discussion in 'all things UNIX' started by The Red Moon, Jun 6, 2012.

Thread Status:
Not open for further replies.
  1. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    Hi,
    I'm new to Ubuntu OS and I'm currently running it in Oracle VirtualBox.
    What security measures do I need, if any? AV, firewall, etc.?
    Kind regards. o_O
     
  2. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Here is a guide to help you in your quest:

    https://help.ubuntu.com/community/Security
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    By default Ubuntu is more secure than Windows. If you configure it to use AppArmor you'll be in very good shape.
     
  4. guest

    guest Guest

    Technically? How so? I think Windows (latest) is more secure by default, unless you take into account security through obscurity/minority.
     
  5. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Obscurity + minority + security on my wallet. Updates to the OS are free.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    You question someone's statement by a counter-opinion "I think"?

    And you're more focused on what you want to say than on reading.

    It says - by default - so yes, Linux with the normal user mode vs. Windows admin mode is more secure. And I don't want to talk about code portability, market share, services, mitigation technologies, etc., as they are truly irrelevant.

    By default, the Linux configuration allows for fewer non-deliberate mistakes by users, hence, it has more non-deterministic security.

    Mrk
     
  7. guest

    guest Guest

    "fewer non-deliberate mistakes"? Elaborate please.
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    It's a known fact that Linux is more secure by default. Windows is configured for ease-of-use by default, on purpose. Microsoft will take advantage of security wherever possible when it doesn't affect ease-of-use in a big way, for example, anti-exploit technologies like ASLR.

    There are many tools, settings, and tweaks that admins take advantage of when locking down Windows. These changes can arguably make it as secure as Linux, but publishing the desktop OS by default to consumers like that would not make sense.

    You honestly cannot argue that out-of-the-box Windows is as secure as Linux by default; if it were, it would not have the market share it has today. (Just look at the uproar UAC originally caused, and that didn't even require a password like Linux elevation does.)
     
  9. guest

    guest Guest

    Of course guys, but this is taking into account security through obscurity/minority. Because Linux is less used, its default settings don't need to be user friendly.

    This wasn't the "security" I was thinking about when I questioned Hungry Man's post. I was thinking about vulnerabilities, bugs etc. Linux has (arguably) more of those.
     
  10. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Which Linux OS are you using? If you are using both Windows and some or other Linux distro you will be in a position to evaluate, and will surely be better qualified in making the assertions you seem to be hardwired to.
    Linux is more secure than Windows out of the box. Amen.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Delete system32 without admin password, for example ... seen it happen as an accident! Drag & drop system files to oblivion. Seen it happen. Accidentally click yes on some installer. Seen it happen. And suchlike.
    Mrk
     
  12. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Thank you!
    Mrk
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    PeterPan you can see this link here for my views on it.

    Like I say there, there's more to it than that, but for a quick summary:
    1) Better MAC, which works well with the DAC
    2) OS handles the updates entirely on its own

    Those are the two big points.

    The fact is that once you give a Windows program Admin it's unrestrained. Services that run with root are entirely unrestrained so each one you have running (*cough* printer spooler *cough*) has way more access than required. That means every single service is a really nice piece of attack surface.

    On Linux this isn't the case. Even root can be contained by kernel-level LSM. By default Ubuntu already runs a few more dangerous services this way.

    Once you start moving away from default configs it isn't even fair to compare anymore. The things you can do with pax and grsec are beyond what slapping third party software will ever be able to do for Windows.

    I won't go into Windows 8 yet. There isn't enough known about AppContainer, which is really what I see as potentially the game changer for Windows security. But even with AppContainer Ubuntu 12.04 just got SysCall filters, which isn't nearly as big a step as finally having a decent MAC but once there's mainstream support (not long, I'd say we'll start seeing many applications with it in the next 6 months) it'll be great.
     
    Last edited: Jun 7, 2012
  15. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677

    You're welcome, Mrk :))

    Did you test Mageia or ROSA Linux? We're waiting to see your reviews on them :))
     
  16. For security stuff on Ubuntu:

    - I set timestamp_timeout=0 for sudo. The no-password timestamp makes social engineering easier, and you can get a root shell with 'sudo -i', so why bother with it?

    - I enable the UFW firewall ('ufw enable'), in case some stupid application I run wants to open a port

    - I install apparmor-utils and enable Firefox's AppArmor profile, since that gains me security and loses me nothing.

    You can also enable or create AppArmor profiles for other things fairly easily, IIRC Hungry Man has posted instructions on that.

    BTW, you should understand that security on Linux is highly dependent on how your system is configured. Security updates, limited user account, and no unnecessary services running = decent security. That plus mandatory access control and iptables = strong security. No updates, root account, and vulnerable services running = worse security than Windows. Some distros (e.g. Puppy) are a casebook example of bad security.

    (Really the same is true on Windows, but Windows gives you fewer options when it comes to configuration; so I would say the upper and lower limits are less extreme.)
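
An added example, not part of the original post: a small audit of the three settings listed above (sudo `timestamp_timeout=0`, UFW active, Firefox AppArmor profile in enforce mode). The sample sudoers text, `ufw status` output and `aa-status` output are constructed so the script runs offline; on a real system you would feed it the actual file and command output.

```shell
#!/bin/sh
# Added example: checks for the three settings in the post above.
# All inputs are constructed samples, so it runs without root or a real system.

# True if a sudoers Defaults line sets timestamp_timeout=0 (prompt every time).
sudo_timeout_zero() {
    grep -Eq '^[[:space:]]*Defaults[^#]*timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)' "$1"
}

# True if `ufw status` output on stdin reports the firewall as active.
ufw_active() {
    grep -q '^Status: active'
}

# True if `aa-status` output on stdin lists a profile containing $1
# under the "profiles are in enforce mode" heading (not complain mode).
profile_enforced() {
    awk -v want="$1" '
        /profiles are in .* mode\./ { sect = ($0 ~ /enforce mode/); next }
        /processes /                { sect = 0 }
        sect && index($0, want)     { found = 1 }
        END { exit !found }'
}

# Constructed sample data standing in for the real file and command output.
SAMPLE_SUDOERS='Defaults env_reset
Defaults timestamp_timeout=0
%admin ALL=(ALL) ALL'
SAMPLE_UFW='Status: active'
SAMPLE_AA='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/sbin/tcpdump
2 processes have profiles defined.'

audit() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
    fails=0
    sudo_timeout_zero "$tmp" || { echo "sudo: timestamp_timeout is not 0"; fails=$((fails+1)); }
    printf '%s\n' "$SAMPLE_UFW" | ufw_active || { echo "ufw: not active"; fails=$((fails+1)); }
    printf '%s\n' "$SAMPLE_AA" | profile_enforced firefox || { echo "apparmor: firefox not enforced"; fails=$((fails+1)); }
    rm -f "$tmp"
    echo "failed checks: $fails"
    return "$fails"
}
audit
```

The matching changes on Ubuntu are a `Defaults timestamp_timeout=0` line added with `sudo visudo`, `sudo ufw enable`, and `sudo aa-enforce /etc/apparmor.d/usr.bin.firefox` after installing apparmor-utils.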
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think one of my big problems with Windows security is root/admin applications running with the ability to basically destroy the system. A compromise in one of those means the system belongs to the attacker. That's just not the case on Linux, a lot of them aren't running as root and some are even chrooted, at least a few have AppArmor profiles, and you can use suid as well.
     
  18. Hmm. CUPS runs as root on Ubuntu, though it does have an AppArmor profile. I wonder if there are any distros that run it suid as a limited user. Given its network capabilities that's probably a good idea.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It might not be possible. But there's not much point, it already has an AppArmor profile, which is pretty strong. You could try putting it in a new SUID.
     
  20. BrandiCandi

    BrandiCandi Guest

    /facepalm

    Since you are asking, I recommend this link to understand some simple, beginner security steps for Ubuntu. It explains where a typical desktop user could be vulnerable.
    https://wiki.ubuntu.com/BasicSecurity
     
  21. BrandiCandi

    BrandiCandi Guest

    Do you have a source for this? I can't find anything that says it's running as root.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Pretty sure it's running as root. Check the task manager. I think I've removed it but Top would show it as 0.
     
  23. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Care to elaborate on how that statement justifies that response?
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's not much of a fact, just a widely held opinion. Brandi dislikes the generalization lol though I still think that it isn't much of an argument between Ubuntu 12.04 and Windows 7.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Any service that listens on ports < 1024 must start as root in order to open the socket and then it can switch to another user, e.g. apache. Since cups listens on 631 by default, it must start as root. That's the basics.
    Mrk
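
An added example, not part of the original post: listing which listening TCP sockets sit on ports below 1024 and which uid created them, by parsing the `/proc/net/tcp` table format. The sample table is constructed (a CUPS-style listener on 631, a web server on 80, an unprivileged listener on 8080, and one established connection) so the script runs offline.

```shell
#!/bin/sh
# Added example: find LISTEN sockets on privileged ports in /proc/net/tcp format.
# Columns used: $2 = local "HEXIP:HEXPORT", $4 = state (0A = LISTEN), $8 = uid.
# The uid is the one that owned the socket when it was created, so a daemon
# that binds as root and then switches user still shows uid 0 here.

privileged_listeners() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2], $8 }' "$1" |
    while read -r hexport uid; do
        port=$(printf '%d' "0x$hexport")      # hex port -> decimal
        if [ "$port" -lt 1024 ]; then echo "$port $uid"; fi
    done | sort -n
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11003
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 11004'

demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_PROC_NET_TCP" > "$tmp"
    echo "port uid"
    privileged_listeners "$tmp"   # on a real system: privileged_listeners /proc/net/tcp
    rm -f "$tmp"
}
demo
```

The same function works on `/proc/net/tcp6`, since the port is still the field after the colon; to see which user the daemon's processes currently run as, compare with `ps` output for the service.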
     