Ubuntu 7.10 actually comes with some pretty good security practices already set up for you. For example, the root account is locked and no network services are enabled by default. If you’re planning on making your Ubuntu system publicly accessible, here are some things to consider before you forward a port or public IP address.
- If a bad guy has physical access to your system, it’s not your system anymore.
One could boot from a CD, floppy or USB and replace your trusted programs with altered ones.
- If a bad guy can persuade you to run his program on your system, it’s not your system anymore.
Though not a major problem for Linux users (yet), this is a huge issue for Windows users.
- Encrypted data is only as secure as the decryption key.
If the magic word that unlocks your encrypted, sensitive information is ‘password’ or ‘secret’ or some other such word, then why bother?
- Weak passwords trump strong security.
Story time: Two years ago, I added a Fedora Core workstation to an Active Directory domain. Domain users could log in at the FC workstation, and everything was great. I only did it to learn how, so the machine wasn’t used much at all. About 10 days later, I went snooping the log files — just to see who had been using the Linux machine. I noticed that a username ‘temp’ had logged in a few times over ssh. I hadn’t created a local user with that name, and knew that the receptionist who came from the employment agency hadn’t logged in, so I immediately unplugged the cat5 cable. Come to find out, the machine had had an external IP forwarded to it. Not only that, but the password for the temp username was locked by the administrator to temp123. Nothing bad happened to any of our servers, but it could’ve. There were actually a couple of mistakes made here: The password for the temp account was weak, and was locked by the admin, and the external IP mapping should have been removed from the firewall when the workstation no longer needed it. This event is what led me to discover DenyHosts.
- Nobody believes anything bad can happen to them, until it does.
See above. We really dodged a bullet on that one.
- Security only works if the secure way also happens to be the easy way.
A good place to see this in action is your nearest Fedora install guide. Most have you disable SELinux because it’s difficult to work with.
- If you don’t keep up with security fixes, your system won’t be yours for long.
This should be a no-brainer. Unfortunately, it’s not.
- Eternal vigilance is the price of security.
You can’t lock down your box, stick it out on the Interweb, and just hope for the best. You have to babysit it a little. You have to know what packages you have installed and make sure that they are updated when necessary. You have to make sure that your firewall is configured properly. You have to make sure that only the necessary services are installed. You have to keep an eye on your system!
- There really is someone out there trying to guess your passwords.
Just because you’re not paranoid doesn’t mean they’re not out to get you.
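
The log review from the story above, and the point about password guessing, can be turned into a routine check. The following Python script is an added example, not part of the original post: it scans sshd log lines for successful logins by accounts you do not expect and for sources with repeated failed passwords. The sample log lines, the account name `alice` and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# OpenSSH sshd messages as written to /var/log/auth.log (Ubuntu) or /var/log/secure (Fedora).
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample lines using documentation IP ranges, not taken from a real system.
SAMPLE_LOG = """\
Nov  3 09:12:01 ws1 sshd[2211]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Nov  3 22:40:17 ws1 sshd[2307]: Failed password for invalid user admin from 203.0.113.7 port 41811 ssh2
Nov  3 22:40:21 ws1 sshd[2309]: Failed password for root from 203.0.113.7 port 41830 ssh2
Nov  3 22:40:26 ws1 sshd[2311]: Failed password for temp from 203.0.113.7 port 41852 ssh2
Nov  3 22:40:31 ws1 sshd[2313]: Accepted password for temp from 203.0.113.7 port 41877 ssh2
Nov  4 08:03:55 ws1 sshd[2590]: Failed password for alice from 198.51.100.23 port 50311 ssh2
""".splitlines()

def review_auth_log(lines, expected_users, fail_threshold=3):
    """Return (unexpected_logins, guessing_sources).

    unexpected_logins: [(user, source_ip, method)] for successful logins
                       by accounts that are not in expected_users.
    guessing_sources:  {source_ip: failed_count} for sources with at least
                       fail_threshold failed password attempts.
    """
    unexpected = []
    failures = Counter()
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if user not in expected_users:
                unexpected.append((user, ip, method))
            continue
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1  # count per source address
    guessing = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return unexpected, guessing

if __name__ == "__main__":
    logins, guessers = review_auth_log(SAMPLE_LOG, expected_users={"alice"})
    for user, ip, method in logins:
        print(f"unexpected login: {user} from {ip} via {method}")
    for ip, n in sorted(guessers.items()):
        print(f"{n} failed passwords from {ip}")
```

To run it against a real system, pass the lines of your own auth log and the set of accounts that are supposed to log in over ssh.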