Paranoid Penguin - Security Features in Ubuntu Server
Last month, I offered a survey of security features in Ubuntu Desktop 7.10, a single-CD Linux distribution that combines the flexibility of Debian with a very easy-to-use set of graphical setup/administration tools. Ubuntu also comes in a server version, which in some ways is just a re-configuration of Ubuntu Desktop, but nonetheless, it's a different distribution in its own right.
This month, I survey some of the major security features in Ubuntu Server 7.10. Unlike Ubuntu Desktop, Ubuntu Server is probably the wrong choice for complete Linux newcomers. It's extremely command-line-centric, and its documentation is not exactly encyclopedic. Accordingly, this month's column assumes you've got a basic understanding of how Linux works and some comfort with the command prompt.
There are several key differences between Ubuntu Server and Ubuntu Desktop. First, and most obvious, is the lack of any graphical tools. Ubuntu Server doesn't install the X Window System automatically. This has become an increasingly rare approach, even with server-oriented Linux distributions. But, as I explain shortly, omitting the X Window System improves system security and performance and decreases system complexity.
Second, Ubuntu Server installs a much smaller set of packages overall than Ubuntu Desktop. (In fact, there's ample room on the Ubuntu Server CD image to add things of your own—watch this column for a future series on customizing and building your own bootable CD images.) You might think this means that Ubuntu Server offers fewer choices in server applications, but as I show here, these aren't fewer choices than on other popular server-oriented distributions. And besides, you can install additional Ubuntu packages easily over the Internet.
The last major difference worth noting is that Ubuntu Server's default kernel is tuned for server performance, whereas Ubuntu Desktop's default kernel is tuned for maximum responsiveness. An article by Carla Schroder on these differences details some specifics as to how this is achieved (see Resources).
Yes, you read that right. By default, Ubuntu Server is a purely console-driven distribution. On Ubuntu Server, you do things the old-school way, with shell sessions, man page lookups and the vi editor.
Of course, there's nothing to stop you from installing the X Window System, complete with a fully packed KDE desktop environment, OpenOffice.org and Tux Racer. Ubuntu's download repositories don't distinguish between Server and Desktop, so you can install whatever you like. However, I very strongly suggest you resist the temptation to install the X Window System on your Ubuntu Server system.
When the first edition of my book Linux Server Security came out (which I try not to plug here, but this is after all an article on Linux server security), one reviewer complained bitterly about my advice to omit the X Window System from server installations. But, for years I've stood firm on this advice. The X Window System increases complexity. It has a history of “local privilege escalation” vulnerabilities (that can often be exploited remotely), and it always imposes a significant performance penalty.
“Keep it simple” is one of the most important tenets of good system security. If you don't need something, you should live without it. And, in most server scenarios, in which a system's primary function is to provide various network services and what little “interactive” access is necessary for administration can be done remotely, it's hard to justify the increased attack surface and overall complexity that come from running X.
Besides, even in Ubuntu Desktop, many if not most serious configuration and security tasks at some point require you to open a terminal and issue commands with sudo. If you want to be an Ubuntu system administrator (or more than a novice at Linux in general), there's no getting around needing to be able to cope with the command line. So I applaud the Ubuntu team's common sense (and courage) in keeping the X Window System out of the default installation of Ubuntu Server.
If you really need a GUI experience in administering your Ubuntu Server system, there are remote administration tools you can use (Webmin, for example—see Resources, and also see Federico Kereki's article “Graphic Administration with Webmin” on page 64) that provide this without requiring X on the server itself.
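One way to check that a server still follows the no-X advice above, as an added example that is not part of the original column: two filters that flag installed X server or display manager packages and any listener on the X11 TCP ports (6000 plus the display number). The package-name list and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit helper (added example): look for X Window System components on a
# Debian/Ubuntu server. Both filters read command output on stdin, so they
# work on live output or on saved copies from another host.
#
# Live use:
#   dpkg-query -W -f='${Package} ${Status}\n' | x_packages_installed
#   netstat -ltn | x11_tcp_listeners      # "ss -ltn" has the same column 4

# Print packages whose dpkg state is "installed" and whose name is an X
# server or display manager. The name list is an assumption; extend it to
# match local policy. Packages left in "config-files" state are ignored.
x_packages_installed() {
    awk '$4 == "installed" &&
         $1 ~ /^(xserver-xorg(-.*)?|xorg|xdm|gdm|kdm)$/ { print $1 }'
}

# Print local addresses listening on TCP 6000-6063, the range registered
# for X11. The port is taken after the last colon so that IPv6 forms such
# as ":::6001" or "[::]:6001" are parsed correctly.
x11_tcp_listeners() {
    awk '/LISTEN/ {
             n = split($4, a, ":"); port = a[n] + 0
             if (port >= 6000 && port <= 6063) print $4
         }'
}

# Constructed sample input (not captured from a real system).
SAMPLE_DPKG='openssh-server install ok installed
xserver-xorg-core install ok installed
xorg deinstall ok config-files
x11-common install ok installed
xdm install ok installed'

SAMPLE_LISTEN='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp6 0 0 :::6001 :::* LISTEN
tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN'

echo "Installed X server / display manager packages:"
printf '%s\n' "$SAMPLE_DPKG" | x_packages_installed
echo "Listeners on X11 TCP ports:"
printf '%s\n' "$SAMPLE_LISTEN" | x11_tcp_listeners
```

Empty output from both filters is the expected result on a server installed as the column recommends.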
Comments
Server Security
Hello,
I am in the process of re-vamping an NGO's IT setup and have a few questions. We want to configure a file server that will have shared folders and user backups. As data security is vital for this NGO, I was wondering if Ubuntu server (or perhaps eBox) would be secure enough to have open to the internet. Are Novell, Red Hat, or Microsoft any better? Or, would it be better to keep this server off the net, but have it be accessible through VPN? There will be around 40 LAN clients and only 1-2 remote clients.
Thank you very much for any help.
JJ