Paranoid Penguin - Security Features in Ubuntu Server

Use old-school administration skills to benefit from modern tools on Ubuntu Server.
Installing Optional Software

It's no coincidence that I used the aptitude command in the above examples. Chances are, one of the first things you'll do after installing Ubuntu Server is install some additional software, and aptitude is Ubuntu Server's best tool for this job.

Perhaps surprisingly, given that the Ubuntu Server distribution doesn't even fill a 650MB CD-ROM, there are many useful packages from which to choose on the CD in its /pool directory. When you install Ubuntu Server, the installer also automatically configures the Advanced Package Tool (apt) system, for which aptitude is a front end, with the locations of some download repositories.

In last month's column, I described the Ubuntu repository structure in detail. In case you missed that, here's a quick review:

  • Main contains Ubuntu's fully supported, fully patched, free software packages.

  • Restricted contains Ubuntu's fully supported, nonfree (copyrighted) software packages.

  • Universe contains Ubuntu's free but not fully supported/patched packages.

  • Multiverse contains packages that are neither fully free nor fully supported/patched.

You might think that on a server system, universe and multiverse packages should be avoided, as they lack any guarantee of timely security patches or bug fixes. And, as a general rule, I think you'd be right.

But, there are some notable packages in universe and multiverse that may be worth installing and sustaining whatever risk is entailed. One such package is Bastille (in universe), a comprehensive system-hardening tool you can uninstall after it does its thing. Another might be Tripwire (in multiverse), which is the classic file integrity checker, though the main repository's aide packages provide the same functionality and are fully supported by the Ubuntu security team.
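To see whether a server's apt configuration pulls from the components without guaranteed security patches, the sketch below scans sources.list-format text for active lines that enable universe or multiverse. It is an added example, not part of the original column; the function names and the sample lines (with the placeholder release name `example`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report apt sources that enable universe or multiverse.

# Read sources.list-format text on stdin. For each active "deb" or "deb-src"
# line that enables universe or multiverse, print:
#   <line number> <suite> <unsupported components, comma-separated>
unsupported_sources() {
    awk '{
        sub(/#.*/, "")                 # drop comments, whole-line or trailing
        sub(/\[[^]]*\]/, "")           # drop an optional [ key=value ] block
        if ($1 != "deb" && $1 != "deb-src") next
        hits = ""
        for (i = 4; i <= NF; i++)      # fields: type uri suite component...
            if ($i == "universe" || $i == "multiverse")
                hits = hits (hits == "" ? "" : ",") $i
        if (hits != "") print NR, $3, hits
    }'
}

# Constructed sample input ("example" is a placeholder release name).
sample_sources() {
    cat <<'EOF'
deb http://archive.ubuntu.com/ubuntu example main restricted
# deb http://archive.ubuntu.com/ubuntu example universe
deb http://archive.ubuntu.com/ubuntu example-updates main universe multiverse
deb [ arch=amd64 ] http://archive.ubuntu.com/ubuntu example universe
deb http://security.ubuntu.com/ubuntu example-security main restricted
EOF
}

# On a real server: unsupported_sources < /etc/apt/sources.list
sample_sources | unsupported_sources
```

Each reported line is a source to either comment out or accept deliberately, for instance while Bastille is installed.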

All of these packages are part of the main repository. Unlike with Ubuntu Desktop, however, these can be installed from the Ubuntu Server CD.

Notable Ubuntu Server Packages

Space does not permit me to include lengthy charts of security-related packages like those I provided in the Ubuntu Desktop column last month. If I did, they would be very similar except for two things.

First, I would omit security auditing tools, such as Nessus and tcpdump (though both are on the Ubuntu Server CD). You shouldn't install anything on any Internet server, or other multiuser system, that can be used by an attacker against the system itself or other systems on your network. Instead, you should run such tools from an administrative system, where they're less likely to be abused.

Second, you would see that many packages that on Ubuntu Desktop must be downloaded from a main repository Web site are, in fact, provided on the Ubuntu Server CD under /pool. These include the following:

  • aide

  • auth-client-config

  • apparmor

  • chkrootkit

  • cryptsetup

  • dovecot-imapd

  • exim4-daemon-heavy

  • gnupg

  • ipsec-tools

  • libkrb53

  • sasl2-bin

  • libselinux1

  • libwrap0, tcpd

  • openssh-server

  • libpam-opie

  • shorewall

  • slapd, ldap-utils

  • squid

  • vlan

  • vsftpd

I'll leave it to you to explore the many other security-related packages available in the Ubuntu repositories. One of the best ways to do this is to look them up on packages.ubuntu.com.

No Automatic Updates in Ubuntu Server

Given the importance of patching to maintain system security, you might be surprised to learn that Ubuntu Server doesn't have any specific mechanism for automatically downloading and installing security updates. I can explain why in two words: change control.

On a production server that does real work, it's a bad idea to apply any patches, even security updates, until after you've tested them on a similar server in a lab to make sure they don't break anything. Sure, you can run the commands aptitude -y update, aptitude -y upgrade, aptitude -y dist-upgrade and aptitude -y autoclean from a cron job each night. But that -y option, which allows aptitude to run unattended, also might cause a package update to overwrite some custom configuration file with a default configuration.

On a server, you're better off running these commands manually as needed, without the -y option (after first doing so on a test system if you run in a change-controlled environment). That way, you'll be prompted before any configuration files are overwritten, and you'll be able to observe firsthand the changes aptitude makes to your system as they happen. Subscribe to the ubuntu-security-announce mailing list (via www.ubuntu.com/support/community/mailinglists) to receive e-mail notifications of security patches as they're made available.
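Before a manual upgrade, it helps to know which pending packages are security fixes and which locally edited configuration files an update could touch. The helpers below are an added example, not part of the original column: they assume apt-get's simulate mode (`apt-get -s upgrade`) and dpkg's conffile checksums as input, and the function names, package versions and release name in the sample are constructed.

```shell
#!/bin/sh
# Added example: pre-upgrade review helpers for a change-controlled server.

# Read `apt-get -s upgrade` output on stdin and print, per pending upgrade:
#   <security|other> <package> <installed> -> <candidate>
classify_pending() {
    awk '$1 == "Inst" {
        old = "(none)"; new = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^\(/) { new = substr($i, 2); break }
            old = $i; gsub(/\[/, "", old); gsub(/\]/, "", old)
        }
        origin = substr($0, index($0, "("))   # "(version origin...)" part
        kind = (origin ~ /-security/) ? "security" : "other"
        print kind, $2, old, "->", new
    }'
}

# Read dpkg conffile records ("<path> <md5sum>") on stdin and print each path
# whose file on disk no longer matches the packaged checksum, i.e. a local
# edit that a package update could replace.
modified_conffiles() {
    while read -r path sum rest; do
        [ -f "$path" ] || continue
        now=$(md5sum "$path" | cut -d' ' -f1)
        [ "$now" = "$sum" ] || printf '%s\n' "$path"
    done
}

# Constructed sample of simulated-upgrade output (not captured from a host).
sample_simulation() {
    cat <<'EOF'
Inst openssh-server [1.0-1ubuntu1] (1.0-1ubuntu1.1 Ubuntu:0.00/example-security)
Inst vsftpd [2.0-1ubuntu1] (2.0-1ubuntu2 Ubuntu:0.00/example-updates)
Conf openssh-server (1.0-1ubuntu1.1 Ubuntu:0.00/example-security)
EOF
}

# On a real server (assumes apt-get and dpkg-query are installed):
#   apt-get -s upgrade | classify_pending
#   dpkg-query -W -f='${Conffiles}\n' vsftpd | modified_conffiles
sample_simulation | classify_pending
```

Run both on the lab system first; any path printed by `modified_conffiles` is a file to back up and diff after the upgrade.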

______________________

Comments


Server Security

Hello,

I am in the process of re-vamping an NGO's IT setup and have a few questions. We want to configure a file server that will have shared folders and user backups. As data security is vital for this NGO, I was wondering if Ubuntu server (or perhaps eBox) would be secure enough to have open to the internet. Are Novell, Red Hat, or Microsoft any better? Or, would it be better to keep this server off the net, but have it be accessible through VPN? There will be around 40 LAN clients and only 1-2 remote clients.

Thank you very much for any help.
JJ
