In 2016, keeping your Ubuntu network secure is more important than ever. Despite what some people might think, there's much more to this than merely putting up a router to protect a network. You must also configure each of your PCs properly to ensure you're operating within a secure Ubuntu network. This article will show you how.
Absolute Ubuntu network security is a myth
Much like avoiding a break-in or a home invasion, absolute Ubuntu network security in most environments is a myth. The best we can hope for is to make it extremely difficult to have your network compromised. In my case, this means protecting an Ubuntu network with as much security as practical.
To be clear, the only way you can achieve 100% network security is to turn off your devices, put them into a safe and never use them again. Why is this? Simple – because most security issues come from our own mistakes. Human error is the number one issue you'll run into with network security in my opinion.
Trust but verify your Ubuntu network security
Placing blind trust in any firewall appliance, user "best practices," or "security through obscurity" is just asking for trouble. All it takes is a flash drive, phishing scheme or even a failure to successfully apply a patch and you could be putting your Ubuntu network in danger.
Because there is no silver bullet to keep your network safe, I recommend using all the tools at our disposal. In addition to that, it's also important to verify that everything is operating correctly on a schedule. For myself personally, I usually setup an "audit" day once a month to really drill down on everything. This means checking logs, verifying applied patches and looking for anything out of the ordinary.
Ubuntu network security starts with the PC
Many of you might believe that security for your network starts at your router. I disagree and instead recommend starting your security overhaul on each individual PC on your network. Ubuntu (and other distros), Windows and Mac PCs need to all be locked down as much as possible. In an era of laptops, it's just too easy to take a poorly locked down computer over to a secondary network and expose said laptop to who knows what type of network security.
Because of this, I recommend doing the following with all of your Ubuntu powered (and other distros) PCs.
- Run and install updates weekly. Installing these daily is also good, but by committing to a set day per week instead, it's less likely to be put off.
- On the same schedule as your updates, run sudo less /var/log/auth.log and lastlog to make sure everything looks right. You'll be looking out for users running unknown activity or otherwise odd user activity. For example, you might find a user you've never heard of before logging in or smbd access from a user who shouldn't be accessing samba shares.
- Double check your crontab for unusual cron schedules. By running crontab -l under each user on the system, you can look for cron tasks that you didn't authorize. While this is usually overkill, I've heard of instances where strange scripts that were not authorize have shown up. It's never happened to me, but I can see how it might happen to someone who blindly runs scripts as root.
- Enable ufw on your Ubuntu powered PCs and block all unnecessary ports. I also recommend using ufw to allow ports out only whenever possible. For example, I have one set of ports locked down so they only work on my tun0 interface (for VPN) and even then, are allowing outgoing packets only. Once this is setup with ufw, I recommend doing a weekly ufw status check to make sure nothing is "off" or that someone has opened ports that should be closed.
- For headless Ubuntu servers, disable root access and restricted SSH access to LAN users only. Going even further, you could restrict SSH access to only one trusted static LAN IP. I recommend disabling root from your headless SSH server's sshd_config file. In the same file, restrict the static LAN IP under AllowUsers. This approach is better than a LAN only restriction via ufw as the rule travels with the server. It's a bit over the top for most people, but I like keeping my SSH restrictions under one roof myself. Makes my weekly audits a lot faster and easier for me to spot any oddities.
- Encrypt your hard drive. Assuming you're using a strong root/sudo password, odds are the easiest way to access your data is to try and slave your drive to get local access to its data. If the drive is encrypted, the odds are much slimmer that you'll ever have to worry about a burglar accessing your data if they steal your Ubuntu PC.
If you want to dive deep into securing your system even further, you can also secure your tmp directory, shared memory and even limit the number of allowed services. I do not recommend doing any of these things without fully exploring what misconfiguring each of these things can do to your system. And since most of you are running workstations and not public facing servers, I'd suggest avoiding such things.
Locking down your Ubuntu network security
Now that we have the Ubuntu PCs locked down, the next step is to make sure all data in transit from these PCs is secure. To do this, I recommend using SSH for remote access to each PC and utilizing SSL whenever possible over the Internet. An example of this would be if you decided to setup a CCTV setup using ZoneMinder, but needed to access it remotely over the Internet. My recommendation would be to setup a user specific SSL certificate. This would allow you to remotely access it with apps such as zmNinja. All traffic between your ZoneMinder Ubuntu PC and the Android phone running zmNinja would be encrypted.
Speaking of accessing Ubuntu PCs over your network, let's talk about the right way to setup SSH. First off, use a SSH key rather than a password. From there, you'll want to then disable SSH password access on any SSH enabled server. As an added precaution, I'd also disable root SSH access altogether. If you find in your weekly log audits that you're seeing a lot of traffic trying to get into your system over SSH, you can install Fail2Ban to block malicious login attempts. Do not rely on odd ball ports as a solution – security through obscurity isn't the answer.
Finally, let's talk about securing samba/NFS and printer shares. To be frank, none of these things are all that secure by default. My recommendation is to use strong passwords for your network shares. In addition, make sure to use ufw to only allow access from within the LAN. If you feel you need addition security, you can research how to use groups and permissions to further lock down samba shares. My default recommendation is to limit write access to read only. And for goodness sake, never-ever samba share over the Internet. That's just asking for trouble.
Routers and firewalls for Ubuntu Network Security
The router or firewall you decide to run is a deeply personal choice. I happen to use pfSense for my home network. However, you might prefer a dd-wrt or similar instead to handle your Internet facing needs.
At the very minimum, here's what you shouldn't use: default router login credentials for your router. Additionally, please check for firmware updates for your router. Those two things alone can make all the difference. And finally, audit how exposed you are when running IoT devices. You'll have to Google around to find what works for the devices you own. But when in doubt, check for updates or don't use them. That's my genuine heartfelt advice on how to keep your network as secure as possible.
What say you? How confident that your Ubuntu network security is setup as well as possible? Perhaps you've found other distros to be more secure overall and thus providing you with better network security? Hit the Comments and tell me about it.