Paranoid Penguin - Security Features in Ubuntu Server
It's no coincidence that I used the aptitude command in the above examples. Chances are, one of the first things you'll do after installing Ubuntu Server is install some additional software, and aptitude is Ubuntu Server's best tool for this job.
Perhaps surprisingly, given that the Ubuntu Server distribution doesn't even fill a 650MB CD-ROM, there are many useful packages from which to choose on the CD in its /pool directory. When you install Ubuntu Server, the installer also automatically configures the Advanced Package Tool (apt) system, for which aptitude is a front end, with the locations of some download repositories.
In last month's column, I described the Ubuntu repository structure in detail. In case you missed that, here's a quick review:
Main contains Ubuntu's fully supported, fully patched, free software packages.
Restricted contains Ubuntu's fully supported, nonfree (copyrighted) software packages.
Universe contains Ubuntu's free but not fully supported/patched packages.
Multiverse contains packages that are neither fully free nor fully supported/patched.
You might think that on a server system, universe and multiverse packages should be avoided, as they lack any guarantee of timely security patches or bug fixes. And, as a general rule, I think you'd be right.
But, there are some notable packages in universe and multiverse that may be worth installing and sustaining whatever risk is entailed. One such package is Bastille (in universe), a comprehensive system-hardening tool you can uninstall after it does its thing. Another might be Tripwire (in multiverse), which is the classic file integrity checker, though the main repository's aide packages provide the same functionality and are fully supported by the Ubuntu security team.
All of these packages are part of the main repository. Unlike with Ubuntu Desktop, however, these can be installed from the Ubuntu Server CD.
Space does not permit me to include lengthy charts of security-related packages like those I provided in the Ubuntu Desktop column last month. If I did, they would be very similar except for two things.
First, I would omit security auditing tools, such as Nessus and tcpdump (though both are on the Ubuntu Server CD). You shouldn't install anything on any Internet server, or other multiuser system, that can be used by an attacker against the system itself or other systems on your network. Instead, you should run such tools from an administrative system, where they're less likely to be abused.
Second, you would see that many packages on Ubuntu Desktop must be downloaded from a main repository Web site. These are, in fact, provided on the Ubuntu Server CD under /pool. These include the following:
I'll leave it to you to explore the many other security-related packages available in the Ubuntu repositories. One of the best ways to do this is to look them up on packages.ubuntu.com.
Given the importance of patching to maintain system security, you might be surprised to learn that Ubuntu Server doesn't have any specific mechanism for automatically downloading and installing security updates. I can explain why in two words: change control.
On a production server that does real work, it's a bad idea to apply any patches, even security updates, until after you've tested them on a similar server in a lab to make sure they don't break anything. Sure, you can run the commands aptitude -y update, aptitude -y upgrade, aptitude -y dist-upgrade and aptitude -y autoclean from a cron job each night. But that -y option, which allows aptitude to run unattended, also might cause a package update to overwrite some custom configuration file with a default configuration.
On a server, you're better off running these commands manually as needed, without the -y option (after first doing so on a test system if you run in a change-controlled environment). That way, you'll be prompted before any configuration files are overwritten, and you'll be able to observe firsthand the changes aptitude makes to your system as they happen. Subscribe to the ubuntu-security-announce mailing list (via www.ubuntu.com/support/community/mailinglists) to receive e-mail notifications of security patches as they're made available.