Paranoid Penguin - Security Features in Ubuntu Server
Last month, I offered a survey of security features in Ubuntu Desktop 7.10, a single-CD Linux distribution that combines the flexibility of Debian with a very easy-to-use set of graphical setup/administration tools. Ubuntu also comes in a server version, which in some ways is just a re-configuration of Ubuntu Desktop, but nonetheless, it's a different distribution in its own right.
This month, I survey some of the major security features in Ubuntu Server 7.10. Unlike Ubuntu Desktop, Ubuntu Server is probably the wrong choice for complete Linux newcomers. It's extremely command-line-centric, and its documentation is not exactly encyclopedic. Accordingly, this month's column assumes you've got a basic understanding of how Linux works and some comfort with the command prompt.
There are several key differences between Ubuntu Server and Ubuntu Desktop. First, and most obvious, is the lack of any graphical tools. Ubuntu Server doesn't install the X Window System automatically. This has become an increasingly rare approach, even with server-oriented Linux distributions. But, as I explain shortly, omitting the X Window System improves system security and performance and decreases system complexity.
Second, Ubuntu Server installs a much smaller set of packages overall than Ubuntu Desktop. (In fact, there's ample room on the Ubuntu Server CD image to add things of your own—watch this column for a future series on customizing and building your own bootable CD images.) You might think this means that Ubuntu Server offers fewer choices in server applications, but as I show here, these aren't fewer choices than on other popular server-oriented distributions. And besides, you can install additional Ubuntu packages easily over the Internet.
The last major difference worth noting is that Ubuntu Server's default kernel is tuned for server performance, whereas Ubuntu Desktop's default kernel is tuned for maximum responsiveness. An article by Carla Schroder on these differences details some specifics as to how this is achieved (see Resources).
Yes, you read that right. By default, Ubuntu Server is a purely console-driven distribution. On Ubuntu Server, you do things the old-school way, with shell sessions, man page lookups and the vi editor.
Of course, there's nothing to stop you from installing the X Window System, complete with a fully packed KDE desktop environment, OpenOffice.org and Tux Racer. Ubuntu's download repositories don't distinguish between Server and Desktop, so you can install whatever you like. However, I very strongly suggest you resist the temptation to install the X Window System on your Ubuntu Server system.
When the first edition of my book Linux Server Security came out (which I try not to plug here, but this is after all an article on Linux server security), one reviewer complained bitterly about my advice to omit the X Window System from server installations. But, for years I've stood firm on this advice. The X Window System increases complexity. It has a history of “local privilege escalation” vulnerabilities (that can often be exploited remotely), and it always imposes a significant performance penalty.
“Keep it simple” is one of the most important tenets of good system security. If you don't need something, you should live without it. And, in most server scenarios, when a system's primary function is to provide various network services, and wherein what little “interactive” access necessary for administration can be done remotely, it's hard to justify the increased attack surface and overall complexity that come from running X.
Besides, even in Ubuntu Desktop, many if not most serious configuration and security tasks at some point require you to open a terminal and issue commands with sudo. If you want to be an Ubuntu system administrator (or more than a novice at Linux in general), there's no getting around needing to be able to cope with the command line. So I applaud the Ubuntu team's common sense (and courage) in keeping the X Window System out of the default installation of Ubuntu Server.
If you really need a GUI experience in administering your Ubuntu Server system, there are remote administration tools you can use (Webmin, for example—see Resources, and also see Federico Kereki's article “Graphic Administrationwiht Webmin” on page 64) that provide this without requiring X on the server itself.
|Speed Up Your Web Site with Varnish||Jun 19, 2013|
|Non-Linux FOSS: libnotify, OS X Style||Jun 18, 2013|
|Containers—Not Virtual Machines—Are the Future Cloud||Jun 17, 2013|
|Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer||Jun 12, 2013|
|Weechat, Irssi's Little Brother||Jun 11, 2013|
|One Tail Just Isn't Enough||Jun 07, 2013|
- Containers—Not Virtual Machines—Are the Future Cloud
- Non-Linux FOSS: libnotify, OS X Style
- Linux Systems Administrator
- Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer
- Technical Support Rep
- Validate an E-Mail Address with PHP, the Right Way
- Senior Perl Developer
- UX Designer
- Speed Up Your Web Site with Varnish
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?