Setting up network security in Ubuntu. Configuring network interfaces (network cards) in Ubuntu

We can certainly say that Linux is safer (better protected) than Windows. Security in Linux is built in rather than bolted on somewhere on the side, as it is in Windows. Linux security mechanisms cover everything from the kernel to the desktop, but attackers still have a chance to harm your home directory (/home).

Your photos, home videos, documents, and credit card or wallet data are the most valuable information on a computer. Of course, Linux is not susceptible to Internet worms and Windows viruses. But attackers can still find a way to get at the data in your home directory.

When preparing an old computer or hard disk for sale, do you think formatting it is enough? There are plenty of modern data recovery tools. An attacker can easily recover your data from the hard disk, regardless of the OS you were using.

On this topic, I recall the experience of one company that buys up used computers and disks. In the course of its work it concluded that 90% of the previous owners of those computers had not properly wiped their storage media before the sale, and it was able to extract very detailed data from them. It is scary to imagine that somewhere on your old hard disk there is information that logs in to your Internet bank or online wallet.

Start with Linux security basics

Let's start with the basics, which will work for almost any Linux distribution.

Let's encrypt the file system in Linux for more complete Linux security

User passwords will not solve the problem if you really want nobody to be able to read your home directory (/home) or a particular file. You can arrange things so that even a user with root privileges cannot poke around in it.

Delete sensitive files so that no one else can restore them

If you decide to sell or donate your computer or storage medium, do not assume that simple formatting permanently deletes your files. You can install the secure-delete package on your Linux box, which includes the srm utility for securely deleting files.

Also, do not forget about the firewall available in the Linux kernel. All Linux distributions include iptables, which is part of the kernel. iptables lets you filter network packets. Of course, you can configure it in the terminal, but that method is beyond many people, including me. So I install and configure it as easily as if I were playing a game.

Like all operating systems, Linux tends to accumulate junk as various applications run. This is not Linux's fault: applications such as browsers, text editors and even video players do not work at the kernel level and accumulate temporary files. You can install the BleachBit utility for general-purpose cleanup.

Anonymous surfing and hiding your IP address are very important for protecting your identity under Linux

In conclusion, I want to tell you about anonymous web surfing. Sometimes it is necessary, as when I secretly visit sites with erotic content behind my wife's back. Of course, I am joking.

It will be difficult for attackers to reach you if they cannot determine your location. We cover our tracks with a simple configuration of two utilities working together: privoxy and tor.

In my opinion, following and configuring all these rules will protect you and your computer by 90%.

P.S. I use a cloud service called Dropbox. I store my old articles and my new, not yet published ones in it. It is convenient to have access to your files from anywhere in the world and on any computer. When writing articles for the site in a text editor, I save my text documents with a password and only then upload them to the Dropbox server. Never neglect extra security; it will only play into your hands.

No doubt a freshly installed Linux system is much more resistant to malware, spyware and hackers than a comparable Windows version. However, most Linux systems use default settings that are not entirely secure.

Some Linux distributions are designed to be as secure as possible out of the box, but they tend to be very difficult for newcomers, especially those who are not computer security experts.

Ubuntu is the most popular Linux distribution in use today. This is due to many factors, one of which is that it is the easiest for novice users. That has its positive sides, but for the same reason the developers left several weaknesses in the system when opting for user friendliness. In this article, we will look at how security configuration is performed on Ubuntu 16.04. These settings are not complicated, but they will help make the system more resistant to the most common attack methods.

The first thing you need to know is to keep your system constantly updated. New vulnerabilities in the kernel and software are discovered all the time; Dirty COW is one example. The developers fix these bugs very quickly, but to apply the fixes to your system you need to update it in a timely manner.

Another important point is the user's password. Do not use an account without a password. If you need to share your computer with other people, create a new account, e.g. a guest account, but always use passwords. The Linux operating system was originally built as a multi-user system with security in mind for all users, so this opportunity should not be missed. But these are tips you probably already know; let's look at some really useful ways to increase the security of Ubuntu.

1. Setting up shared memory

By default, the entire shared-memory volume /run/shm is mounted read/write with the ability to run programs. This is considered a security hole, and many exploits use /run/shm to attack running services. For most desktops, and especially for servers, it is recommended to mount this filesystem read-only. To do this, add the following line to /etc/fstab:

sudo vi /etc/fstab

none /run/shm tmpfs defaults,ro 0 0

Still, some programs will not work if /run/shm is read-only; one of them is Google Chrome. If you use Google Chrome, you must keep write access, but you can prevent the execution of programs there; to do this, add the following line instead of the one suggested above:

none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0

2. Deny the use of su for non-administrators

In addition to your account, Ubuntu also has a guest account, which you can use to share your laptop with a friend. The su utility lets you run programs as a different user. It is very useful in system administration and vital when applied correctly. Nevertheless, all Linux users can run this utility, and that invites abuse. To deny the guest account access to the su command, run:

sudo dpkg-statoverride --update --add root sudo 4750 /bin/su

3. Protect your home directory

By default your home directory is accessible to every user on the system. So if you have a guest account, the guest can have full access to all your personal files and documents. But you can make it available only to you. Open a terminal and run the following command:

chmod 0700 /home/username

This sets the permissions so that the owner of the folder, i.e. you, has access to everything, while other users cannot even see the contents. Alternatively, you can set permissions 0750, which grants read access to your folder for users in the same group as you:

chmod 0750 /home/username

Now the security of Ubuntu 16.04, and especially your personal data, will be slightly higher.
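A small audit script for the shared-memory mount options from step 1 and the home-directory permissions from step 3, added here as an example and not part of the original article. It assumes Ubuntu 16.04, where /run/shm is a symlink to /dev/shm (so /dev/shm is the name in /proc/mounts); the /proc/mounts excerpt below is constructed.

```python
import os
import stat

# Options the article recommends for /run/shm when it must stay writable.
SHM_HARDENING = {"noexec", "nosuid", "nodev"}

# Constructed /proc/mounts excerpt (not captured from a real machine).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=401884k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""


def mount_options(mounts_text, mount_point):
    """Return the option set of mount_point from /proc/mounts-style text,
    or None if it is not a mount point of its own."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mount_point:
            return set(fields[3].split(","))
    return None


def shm_findings(mounts_text, mount_point="/dev/shm"):
    """Findings for the shared-memory mount. On Ubuntu 16.04 /run/shm is a
    symlink to /dev/shm, so /dev/shm is the name that appears in /proc/mounts."""
    opts = mount_options(mounts_text, mount_point)
    if opts is None:
        return ["%s is not mounted as a separate tmpfs" % mount_point]
    if "ro" in opts:
        return []          # read-only: nothing can be written, let alone run
    return ["%s is writable and lacks %s" % (mount_point, opt)
            for opt in sorted(SHM_HARDENING - opts)]


def home_findings(mode):
    """Findings for a home directory given its st_mode. The article's
    targets are 0700 (owner only) or at most 0750 (group may read)."""
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & stat.S_IRWXO:
        findings.append("mode %04o lets other users in; use chmod 0700" % perm)
    if perm & stat.S_IWGRP:
        findings.append("mode %04o lets the group write; use at most 0750" % perm)
    return findings


def audit(mounts_path="/proc/mounts", home=os.path.expanduser("~")):
    """Run both checks against the live system and return all findings."""
    with open(mounts_path) as fh:
        findings = shm_findings(fh.read())
    return findings + home_findings(os.stat(home).st_mode)


if __name__ == "__main__":
    for finding in audit() or ["no findings"]:
        print(finding)
```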

4. Disable SSH login as root

By default, in Ubuntu, you can SSH into the system as the superuser. Although you set a password for the root user, this is potentially dangerous: if the password is very simple, an attacker can brute-force it and take full control of the computer. The sshd service may not be installed on your system. To check, try connecting to your own machine over SSH.

If you get a "connection refused" message, no SSH server is installed and you can skip this step. If it is installed, it needs to be configured via the configuration file /etc/ssh/sshd_config. Open this file and replace the line:

PermitRootLogin yes

with:

PermitRootLogin no

Done; now it will be harder to SSH into your system, but the security configuration of Ubuntu 16.04 is not complete yet.

5. Install the firewall

Perhaps you have not only an SSH server installed on your machine but also a database service and an Apache or Nginx web server. If this is a home computer, you most likely do not want someone else to be able to connect to your local site or database. To prevent this, you need to install a firewall. gufw is recommended on Ubuntu, as it is designed specifically for this system.

To install, run:

sudo apt install gufw

Then open the program, turn on protection and block all incoming connections. Allow only the ports needed by the browser and other well-known programs. Read more in the instructions.

6. Protection against MITM attacks

The essence of a MITM (man-in-the-middle) attack is that another party intercepts all the packets you send to the server and can thus obtain all your passwords and personal data. We cannot defend against every attack of this kind, but one variety of MITM attack, ARP spoofing, is quite popular on public local networks. Using features of the ARP protocol, the attacker pretends to be the router to your computer, and you send all your data packets to him. You can protect yourself from this very easily using the TuxCut utility.

The program is not in the official repositories, so to install it you need to download the package from GitHub:

wget https://github.com/a-atalla/tuxcut/releases/download/6.1/tuxcut_6.1_amd64.deb

Then install the resulting package:

sudo apt install ./tuxcut_6.1_amd64.deb

Before starting the program, start its service:

sudo systemctl start tuxcutd

The utility's main window looks like this:

The IP addresses of all users connected to the network are displayed here, along with the MAC address corresponding to each of them. If you check the Protection Mode checkbox, the program will protect against ARP attacks. You can use it on public networks, such as public Wi-Fi, where you fear for your safety.
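A passive check for the ARP spoofing described above, added here as an example that is not part of the original article or of TuxCut: if one MAC address answers for more than one IP, or the gateway's MAC differs from the one recorded when the network was trusted, something may be impersonating the router. The /proc/net/arp excerpt and the gateway address are constructed.

```python
# Constructed /proc/net/arp excerpt (not captured from a real machine).
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
192.168.1.37     0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def parse_arp_table(text):
    """Return {ip: mac} for complete entries (flag 0x2 = ATF_COM);
    incomplete entries with an all-zero MAC are skipped."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2:
            table[ip] = mac
    return table


def shared_macs(table):
    """MAC addresses that sit behind more than one IP -> sorted IP list.
    A legitimate multi-homed host can look like this too, so treat a hit
    as a prompt to investigate rather than proof of an attack."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_alerts(table, gateway_ip, known_gateway_mac=None):
    """Alerts about the default gateway: its MAC is also used by another
    host, or it differs from the MAC noted while the network was trusted."""
    mac = table.get(gateway_ip)
    if mac is None:
        return ["gateway %s has no complete ARP entry" % gateway_ip]
    alerts = []
    others = [ip for ip in shared_macs(table).get(mac, []) if ip != gateway_ip]
    if others:
        alerts.append("gateway MAC %s also claimed by %s" % (mac, ", ".join(others)))
    if known_gateway_mac and mac != known_gateway_mac.lower():
        alerts.append("gateway MAC changed from %s to %s" % (known_gateway_mac, mac))
    return alerts


if __name__ == "__main__":
    with open("/proc/net/arp") as fh:
        live = parse_arp_table(fh.read())
    # Replace with your own gateway address; 192.168.1.1 is a placeholder.
    for alert in gateway_alerts(live, "192.168.1.1") or ["no ARP anomalies"]:
        print(alert)
```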

Conclusions

Well, that's it; the security setup for Ubuntu 16.04 is now complete and your system is much more secure. We have blocked the most common attack vectors and methods of penetration used by hackers. If you know other useful ways to improve security in Ubuntu, write in the comments!

We all know that the Linux operating system is much safer than Windows due to its architecture and its system for distributing access between users. But programmers are people too, and whether we like it or not, they make mistakes. Because of these errors, holes appear in the system through which attackers can bypass its protection.

These errors are called vulnerabilities; they can be found in various programs and even in the very core of the system, undermining its security. In recent years Linux has grown in popularity, and security researchers are paying more attention to it. More and more vulnerabilities are discovered, and thanks to the open source code they can be eliminated very quickly. In this article, we will look at the most dangerous Linux vulnerabilities discovered over the past few years.

Before moving on to the list itself, it is important to understand what vulnerabilities are. As I said, a vulnerability is a bug in a program that allows a user to use the program in a way its developer did not intend.

This may be a missing check of the correctness of received data, of the data's source or, most interestingly, of its size. The most dangerous vulnerabilities are those that allow the execution of arbitrary code. In RAM, all data has a certain size, and a program is designed to write data of a certain size from the user into memory. If the user transmits more data, the program should raise an error.

But if the programmer makes a mistake, the data will overwrite program code and the processor will try to execute it; this is how buffer overflow vulnerabilities arise.

Also, all vulnerabilities can be divided into local ones, which work only if the attacker has access to the local computer, and remote ones, for which access via the Internet is enough. Now let's move on to the list of vulnerabilities.

1. Dirty COW

First on our list is a fresh vulnerability discovered this fall. The name Dirty COW stands for Copy On Write. The error occurs in the file system during copy-on-write. This is a local vulnerability that allows any unprivileged user to gain full access to the system.

In short, to exploit the vulnerability you need two files: one writable only by the superuser, the other by us. We start writing data to our file while reading the superuser's file many times; after a while a moment comes when the buffers of the two files get mixed, and the user is able to write data into a file he has no write permission for. In this way you can give yourself root rights on the system.

The vulnerability had been in the kernel for about 10 years, but after its discovery it was quickly eliminated, although there are still millions of Android devices whose kernel has not been updated and where this vulnerability can be exploited. The vulnerability received the code CVE-2016-5195.

2. Glibc vulnerability

The vulnerability received the code CVE-2015-7547. This was one of the most talked-about open source vulnerabilities. In February 2016 it was revealed that the Glibc library has a very serious vulnerability that allows an attacker to execute code on a remote system.

It is important to note that Glibc is an implementation of the standard C and C++ library, which is used by most Linux programs, including services and programming languages such as PHP, Python and Perl.

The error was in the code that parses responses from DNS servers. Thus the vulnerability could be exploited by attackers whose DNS server was queried by vulnerable machines, as well as via a MITM attack. The vulnerability gave full control over the system.

The vulnerability had been in the library since 2008, but after its detection patches were quickly released.

3. Heartbleed

In 2014 one of the most serious vulnerabilities, in both scale and consequences, was discovered. It was caused by a bug in the heartbeat extension of OpenSSL, hence the name Heartbleed. The vulnerability allowed attackers to read 64 kilobytes of the server's RAM directly, and the attack could be repeated until all of memory had been read.

Although the fix was released very quickly, many sites and applications were affected. In fact, all sites using HTTPS to protect traffic were vulnerable. Attackers could obtain user passwords, personal data and everything else that was in memory at the time of the attack. The vulnerability received the code CVE-2014-0160.

4. Stagefright

If a vulnerability has received a codename, that clearly means it deserves attention. The Stagefright vulnerability is no exception. Strictly speaking, it is not a Linux problem: Stagefright is a library for handling multimedia formats in Android.

It is implemented in C++, which means it bypasses all of Java's security mechanisms. In 2015 a whole group of vulnerabilities was discovered that allowed remote execution of arbitrary code on the system: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.

An attacker only had to send an MMS with a specially crafted media file to a vulnerable smartphone to gain full control over the device, including the ability to read and write data on the memory card. The vulnerability was patched by the Android developers, but millions of devices remain vulnerable.

5. Kernel zero-day vulnerability

This is a local vulnerability that allows the current user to escalate to root due to an error in the handling of kernel cryptographic data stored in memory. It was discovered in February 2016 and affected all kernels starting from 3.8, meaning the vulnerability had existed for 4 years.

The error could have been exploited by hackers or malware to escalate their privileges on the system, but it was fixed very quickly.

6. Vulnerability in MySQL

This vulnerability received the code CVE-2016-6662 and affected all available MySQL database server versions (5.7.15, 5.6.33 and 5.5.52), Oracle databases, and the MariaDB and PerconaDB forks.

Attackers could gain full access to the system: through an SQL query, code was passed that made it possible to replace my.cnf with their own version and restart the server. It was also possible to execute malicious code with superuser rights.

MariaDB and PerconaDB released patches quite quickly; Oracle also reacted, but much later.

7. Shellshock

This vulnerability was discovered in 2014, by which time it had existed for 22 years. It was assigned the code CVE-2014-6271 and the codename Shellshock. It is comparable in severity to Heartbleed. It is caused by a bug in the Bash command interpreter, which is the default shell for most Linux distributions.

Bash lets environment variables be declared without any authentication, and commands could be executed through them. This is especially dangerous in CGI scripts, which are supported by most sites. Not only servers are vulnerable, but also users' personal computers, routers and other devices. In effect, an attacker can remotely execute any command; this is full remote control without authentication.

All versions of Bash were affected, up to and including 4.3, although after the discovery of the problem the developers very quickly released a fix.

8. Quadrooter

This is a whole series of vulnerabilities in Android discovered in August 2016. They received the codes CVE-2016-5340, CVE-2016-2059, CVE-2016-2504 and CVE-2016-2503. More than 900 million Android devices are affected. All the vulnerabilities were found in Qualcomm's ARM processor drivers, and all of them can be exploited to gain root access to the device.

As with Dirty COW, no credentials are needed: it is enough to install a malicious application, and it will be able to obtain all your data and send it to the attacker.

9. Vulnerability in OpenJDK

This is a very serious 2016 Linux vulnerability in the OpenJDK Java virtual machine, with code CVE-2016-0636; it affects all users running Oracle Java SE 7 Update 97 and 8 Update 73 and 74 on Windows, Solaris, Linux and Mac OS X. It allows an attacker to execute arbitrary code outside the Java virtual machine if you open a specially crafted page in a browser with a vulnerable version of Java.

This allowed an attacker to gain access to your passwords and personal data and to run programs on your computer. The error, which had existed since 2013, was corrected very quickly in all versions of Java.

10. Vulnerability of the HTTP / 2 protocol

This is a whole series of vulnerabilities discovered in 2016 in the HTTP/2 protocol. They received the codes CVE-2015-8659, CVE-2016-0150, CVE-2016-1546, CVE-2016-2525 and CVE-2016-1544. All implementations of the protocol in Apache, Nginx, Microsoft, Jetty and nghttp2 were affected.

All of them allow an attacker to drastically slow down the web server and carry out a denial-of-service attack. For example, one of the bugs made it possible to send a small message that was decompressed into gigabytes on the server. The bugs were fixed very quickly and therefore did not generate much buzz in the community.

Are you safe?

In this article we have covered the most dangerous Linux vulnerabilities of 2016, 2015 and 2014. Most of them could cause serious damage to systems if not fixed in time. Thanks to the open source code, such Linux vulnerabilities are detected efficiently and fixed quickly. Just remember to update your system. The only remaining problem is Android: some devices no longer receive updates, and there is no solution to this problem yet.

There is a common misconception that Linux servers are the most secure and protected from outside intrusion. Unfortunately, this is not the case: the security of any server depends on a number of factors and on the measures taken to ensure it, and is practically independent of the operating system used.

We decided to start a series of articles on network security with Ubuntu Server, since solutions based on this platform are of great interest to our readers and since many people think Linux solutions are secure in themselves.

At the same time, a router with a dedicated IP address is the "gateway" to the local network, and only the administrator determines whether that gate will be a reliable barrier or turn out to be a garden gate held shut with a nail.

Another common misconception is reasoning in the style of "who needs our server, we have nothing interesting". Indeed, your local network may be of no interest to intruders, but they can use a compromised server to send spam, attack other servers or run an anonymous proxy; in short, as a starting point for their dark deeds.

And that is already unpleasant and can be a source of various problems, from your provider to law enforcement agencies. Nor should you forget about the spread of viruses and the theft or destruction of important information, or the fact that enterprise downtime leads to quite tangible losses.

Although this article is about Ubuntu Server, we will first look at general security issues that are equally relevant to any platform and form the basics without which it makes no sense to discuss the matter in more detail.

Where does security begin?

No, security does not begin with the firewall; it does not begin with hardware at all. Security begins with the user. After all, what use is the finest steel door installed by the best specialists if the owner leaves the key under the mat?

Therefore, the first thing you should do is a security audit. Do not be intimidated by the word; it is not that difficult: draw a schematic plan of the network on which you mark the safe zone, the potentially dangerous zone and the high-danger zone, and also make a list of the users who have (or should have) access to these zones.

The safe zone should include the internal resources of the network that cannot be reached from outside and for which a low level of security is acceptable. These can be workstations, file servers and other devices to which access is limited to the enterprise's local network.

The potentially dangerous zone includes servers and devices that have no direct access to the external network but whose individual services are accessible from outside, for example web and mail servers located behind the firewall that nevertheless serve requests from the external network.

The high-danger zone should include devices directly accessible from outside; ideally this is a single router.

If possible, the potentially dangerous zone should be moved to a separate subnet, the demilitarized zone (DMZ), which is separated from the main network by an additional firewall.

Devices on the local network should have access only to those services in the DMZ that they need, for example SMTP, POP3 and HTTP; other connections should be blocked. This reliably isolates an attacker or malware that has exploited a vulnerability in a particular service within the DMZ, denying it access to the main network.

Physically, the DMZ can be organized by installing a separate server or hardware firewall, or by adding another network card to the router, but in the latter case you will have to pay close attention to the router's security. In any case, securing a single server is much easier than securing a group of servers.

The next step should be to analyze the list of users: do they all need access to the DMZ and to the router (apart from public services)? Special attention should be paid to users connecting from outside.

This usually requires a very unpopular step: enforcing a password policy. All passwords of users who have access to critical services and who can connect from outside must be at least 6 characters long and contain, in addition to lowercase letters, characters from two of the following three categories: uppercase letters, digits, non-alphabetic characters.

In addition, the password must not include the username or part of it, must not contain dates or names that can be associated with the user and, preferably, must not be a dictionary word.

It is also a good idea to institute the practice of changing passwords every 30-40 days. Such a policy can obviously meet with resistance from users, but you should always remember that passwords like 123 or qwerty are equivalent to leaving the key under the mat.
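The password policy stated above, expressed as a check that reports every rule a candidate password breaks; this is an added example, not code from the original article. Two assumptions are made where the text leaves room: "part of the username" is taken to mean any run of three or more characters from it, "dates" are approximated as four-digit years, and the dictionary is a small constructed word list standing in for a real one.

```python
import re

MIN_LENGTH = 6
# The two-of-three categories required on top of lowercase letters.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphabetic": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = {"password", "qwerty", "letmein", "welcome", "ubuntu"}


def username_fragments(username, min_len=3):
    """All lower-cased substrings of the username of length >= min_len
    (assumption: this is what 'part of the username' means)."""
    name = username.lower()
    return {name[i:i + n] for n in range(min_len, len(name) + 1)
            for i in range(len(name) - n + 1)}


def check_password(password, username, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letters")
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < 2:
        problems.append("needs two of: uppercase, digit, non-alphabetic (has %s)"
                        % (", ".join(present) or "none"))
    lowered = password.lower()
    if any(frag in lowered for frag in username_fragments(username)):
        problems.append("contains part of the username")
    # Strip digits and symbols first so that "Password1!" is still caught.
    if re.sub(r"[^a-z]", "", lowered) in dictionary:
        problems.append("is a dictionary word")
    # Assumption: a four-digit year is the most common 'date' people use.
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains a year")
    return problems


if __name__ == "__main__":
    for candidate in ("123", "Ivanov2016!", "Password1!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "ivanov") or "OK")
```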

Server security

Now, having an idea of what we want to protect and from what, let's move on to the server itself. Make a list of all services and daemons, then think about whether they are all needed on this particular server or whether some can be moved elsewhere.

The fewer services, the easier it is to ensure security and the lower the chance of the server being compromised through a critical vulnerability in one of them.

Configure the services that serve the local area network (e.g. squid) so that they accept requests only on the local interface. The fewer services available externally, the better.

A good helper in security is a vulnerability scanner, which should be run against the front-end server. We used a demo version of one of the best-known products, XSpider 7.7.

The scanner shows open ports, tries to determine the type of service running and, if successful, the vulnerabilities for it. As you can see, a properly configured system is quite secure, but you should not leave the key under the mat: the presence of open ports 1723 (VPN) and 3389 (RDP, forwarded to a terminal server) on the router is a good reason to think about a password policy.

SSH security deserves separate mention: this service is usually used by administrators for remote control of the server and is of heightened interest to cybercriminals. SSH settings are stored in the file /etc/ssh/sshd_config, and all the changes described below are made there. First of all, you should disable logging in as the root user; to do this, add the option:

PermitRootLogin no

Now the attacker will have to guess not only the password but also the login, and he still will not know the superuser password (we hope it does not match your own). All administrative tasks when connecting from outside should be performed via sudo after logging in as an unprivileged user.

It is worth explicitly specifying the list of allowed users; here you can use entries of the form user@host, which allow the given user to connect only from the given host. For example, to allow the user ivanov to connect from home (IP 1.2.3.4), add the following entry:

AllowUsers ivanov@1.2.3.4

Also disallow the obsolete and less secure SSH1 protocol, permitting only version 2; to do this, make the following line read:

Protocol 2
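The three sshd_config changes above applied by a script rather than by hand, added here as an example that is not part of the original article. It relies on two properties of sshd_config: sshd uses the first value it finds for a keyword, and keywords after a Match line apply only inside that block, so the hardened directives go at the top and earlier global copies are commented out; the sample config is constructed.

```python
import re

# Constructed sshd_config excerpt (not a real server's file).
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes

Match User backup
    PermitRootLogin no
"""

HARDENED = {"PermitRootLogin": "no", "Protocol": "2"}


def _keyword(line):
    """Lower-cased keyword of a config line ('' for blank/comment lines)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    return re.split(r"[\s=]+", stripped, maxsplit=1)[0].lower()


def effective_value(text, keyword):
    """First active global value of keyword, as sshd resolves it (first
    match wins); lines after a Match block are conditional and ignored."""
    for line in text.splitlines():
        key = _keyword(line)
        if key == "match":
            break
        if key == keyword.lower():
            parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def harden_sshd_config(text, allowed_users):
    """Return the config with PermitRootLogin no, Protocol 2 and an
    AllowUsers line (entries such as user@host). Earlier global copies of
    those keywords are commented out; Match blocks are left alone."""
    wanted = dict(HARDENED, AllowUsers=" ".join(allowed_users))
    managed = {k.lower() for k in wanted}
    out, in_match = [], False
    for line in text.splitlines():
        key = _keyword(line)
        if key == "match":
            in_match = True
        if key in managed and not in_match:
            out.append("#" + line + "  # replaced by hardening")
        else:
            out.append(line)
    header = ["# --- hardening directives (first value wins in sshd) ---"]
    header += ["%s %s" % (k, v) for k, v in wanted.items()]
    return "\n".join(header + out) + "\n"


if __name__ == "__main__":
    # Write the result to a copy and review it before replacing the real
    # file; then restart sshd while keeping an existing session open.
    print(harden_sshd_config(SAMPLE_SSHD_CONFIG, ["ivanov@1.2.3.4"]))
```

OpenSSH 7.0 already disables protocol 1 in sshd by default and 7.4 removed server support for it, so on those versions the Protocol line is redundant but harmless.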

Despite all the measures taken, attempts to connect to SSH and other public services will continue. To prevent password guessing, use the fail2ban utility, which automatically bans a client after several unsuccessful login attempts. You can install it with the command:

sudo apt-get install fail2ban

The utility is ready to work immediately after installation, but we would advise changing some parameters right away by editing the file /etc/fail2ban/jail.conf. By default only SSH access is monitored and the ban time is 10 minutes (600 seconds); in our opinion it is worth increasing it by changing the following option:

bantime = 6000

Then scroll through the file and enable the sections for the services running on your system by setting the enabled parameter under the name of the corresponding section to true; for example, for the proftpd service it will look like this:

[proftpd]
enabled = true

Another important parameter is maxretry, which sets the maximum number of connection attempts. After changing the settings, don't forget to restart the service:

sudo /etc/init.d/fail2ban restart

You can look at the log of the utility in /var/log/fail2ban.log.
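How fail2ban combines its configuration files, shown with the bantime, maxretry and enabled settings discussed above; this is an added example, not code from the original article. fail2ban reads jail.conf first and then jail.local, so writing the overrides to jail.local keeps them across package upgrades; the jail.conf text below is a constructed excerpt, and the jail named sshd is an assumption about the distribution's default jail name.

```python
import configparser

# Constructed jail.conf excerpt (not the file shipped by the package).
SAMPLE_JAIL_CONF = """\
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port    = ssh
logpath = /var/log/auth.log

[proftpd]
enabled = false
port    = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/proftpd/proftpd.log
"""


def build_jail_local(bantime, maxretry, enable):
    """Render a jail.local that raises the global bantime/maxretry and
    switches on the listed jails, leaving jail.conf untouched."""
    lines = ["[DEFAULT]", "bantime  = %d" % bantime, "maxretry = %d" % maxretry]
    for jail in enable:
        lines += ["", "[%s]" % jail, "enabled = true"]
    return "\n".join(lines) + "\n"


def effective_jails(*config_texts):
    """Merge the files in the order fail2ban reads them (jail.conf, then
    jail.local) and return {jail: {"bantime": int, "maxretry": int}} for
    every enabled jail. Values missing from a section come from DEFAULT."""
    # jail.conf uses %(name)s-style references; interpolation=None keeps
    # configparser from trying to expand them.
    cfg = configparser.ConfigParser(interpolation=None)
    for text in config_texts:
        cfg.read_string(text)          # later files override earlier ones
    result = {}
    for jail in cfg.sections():
        if cfg.getboolean(jail, "enabled", fallback=False):
            result[jail] = {
                "bantime": cfg.getint(jail, "bantime"),
                "maxretry": cfg.getint(jail, "maxretry"),
            }
    return result


if __name__ == "__main__":
    local = build_jail_local(6000, 3, ["proftpd"])
    print(local)
    print(effective_jails(SAMPLE_JAIL_CONF, local))
```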

At the annual LinuxCon in 2015, Linux kernel creator Linus Torvalds shared his views on system security. He emphasized the need to mitigate the effect of the inevitable bugs with competent protection, so that if one component fails, the next layer covers the problem.

In this article, we will try to cover this topic from a practical point of view:

7. Install firewalls

Recently a new vulnerability was found that allows DDoS attacks on Linux servers. The bug appeared in the kernel with version 3.6 at the end of 2012. The vulnerability allows attackers to inject malicious code into downloaded files and web pages and to expose Tor connections, and the attack does not require much effort: IP spoofing will do.

The maximum harm for encrypted HTTPS or SSH connections is interruption of the connection, but an attacker can place new content, including malware, into unprotected traffic. A firewall is suitable for protecting against such attacks.

Block access with a firewall

A firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend allowing only the traffic you really need and denying everything else.

Most Linux distributions have iptables for packet filtering. It is usually used by experienced users; for simpler configuration you can use the UFW utility on Debian/Ubuntu or FirewallD on Fedora.

8. Disable unnecessary services

Experts at the University of Virginia recommend turning off all services you do not use. Some background processes are set to start automatically and run until the system is shut down. To configure these programs, you need to check the init scripts. Services can be started via inetd or xinetd.

If your system is configured via inetd, the /etc/inetd.conf file lets you edit the list of background "daemon" programs; to disable a service, just put a "#" at the beginning of its line, turning it from an active entry into a comment.

If the system uses xinetd, its configuration is in the /etc/xinetd.d directory. Each file in the directory defines a service, which can be disabled by specifying disable = yes, as in this example:

service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}

It is also worth checking for persistent processes that are not managed by inetd or xinetd. Startup scripts can be configured in the /etc/init.d directory or the /etc/inittab file. After making the changes, run the following command as root:

/etc/rc.d/init.d/inet restart
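A check for the inetd and xinetd edits described above that lists the services still set to start, added here as an example and not code from the original article. Both configuration texts are constructed samples; the xinetd parser treats a missing disable attribute as enabled, which is how xinetd behaves.

```python
import re

# Constructed /etc/inetd.conf excerpt: ftp already commented out.
SAMPLE_INETD_CONF = """\
#:STANDARD: These are standard services.
#ftp    stream  tcp nowait  root   /usr/sbin/tcpd  /usr/sbin/in.ftpd
telnet  stream  tcp nowait  root   /usr/sbin/tcpd  /usr/sbin/in.telnetd
#:INFO: Info services
finger  stream  tcp nowait  nobody /usr/sbin/tcpd  /usr/sbin/in.fingerd
"""

# Constructed contents of two files in /etc/xinetd.d, keyed by file name.
SAMPLE_XINETD_DIR = {
    "finger": """\
service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}
""",
    "daytime": """\
service daytime
{
    type        = INTERNAL
    id          = daytime-stream
    socket_type = stream
    wait        = no
}
""",
}

ATTRIBUTE = re.compile(r"\s*(\w+)\s*[+-]?=\s*(.*)")   # also matches +=, -=


def enabled_inetd_services(text):
    """Service names from inetd.conf lines that are not commented out."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        services.append(line.split()[0])
    return services


def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for each service block."""
    blocks = {}
    for match in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = match.group(1), match.group(2)
        attrs = {}
        for line in body.splitlines():
            hit = ATTRIBUTE.match(line)
            if hit:
                attrs[hit.group(1)] = hit.group(2).strip()
        blocks[name] = attrs
    return blocks


def enabled_xinetd_services(files):
    """Names of services whose block does not say disable = yes."""
    enabled = []
    for text in files.values():
        for name, attrs in parse_xinetd(text).items():
            if attrs.get("disable", "no").lower() != "yes":
                enabled.append(name)
    return sorted(enabled)


if __name__ == "__main__":
    print("inetd :", enabled_inetd_services(SAMPLE_INETD_CONF))
    print("xinetd:", enabled_xinetd_services(SAMPLE_XINETD_DIR))
```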

9. Protect the server physically

It is impossible to fully defend against an attacker with physical access to the server. Therefore, it is necessary to secure the room where your system is located. Data centers take security seriously: they restrict access to servers, install security cameras and post permanent guards.

To enter the data center, all visitors must go through certain stages of authentication. It is also highly recommended to use motion detectors in all areas of the center.

10. Protect the server from unauthorized access

An intrusion detection system, or IDS, collects data about the system configuration and files and then compares it with new changes to determine whether they are harmful to the system.

For example, the Tripwire and AIDE tools build a database of system files and protect it with a set of keys. Psad is used to track suspicious activity using firewall logs.

Bro is designed to monitor the network, track suspicious activity patterns, collect statistics, execute system commands and generate alerts. RKHunter can be used to protect against malware, most commonly rootkits. This utility checks your system for known vulnerabilities and can identify insecure settings in applications.

Conclusion

The tools and settings above will help you protect the system partially, but security depends on your behavior and understanding of the situation. Without attentiveness, caution and constant self-education, all protective measures may fail.