Paranoid Penguin - Security Features in Ubuntu Server
Last month, I offered a survey of security features in Ubuntu Desktop 7.10, a single-CD Linux distribution that combines the flexibility of Debian with a very easy-to-use set of graphical setup/administration tools. Ubuntu also comes in a server version, which in some ways is just a re-configuration of Ubuntu Desktop, but nonetheless, it's a different distribution in its own right.
This month, I survey some of the major security features in Ubuntu Server 7.10. Unlike Ubuntu Desktop, Ubuntu Server is probably the wrong choice for complete Linux newcomers. It's extremely command-line-centric, and its documentation is not exactly encyclopedic. Accordingly, this month's column assumes you've got a basic understanding of how Linux works and some comfort with the command prompt.
There are several key differences between Ubuntu Server and Ubuntu Desktop. First, and most obvious, is the lack of any graphical tools. Ubuntu Server doesn't install the X Window System automatically. This has become an increasingly rare approach, even with server-oriented Linux distributions. But, as I explain shortly, omitting the X Window System improves system security and performance and decreases system complexity.
Second, Ubuntu Server installs a much smaller set of packages overall than Ubuntu Desktop. (In fact, there's ample room on the Ubuntu Server CD image to add things of your own—watch this column for a future series on customizing and building your own bootable CD images.) You might think this means that Ubuntu Server offers fewer choices in server applications, but as I show here, these aren't fewer choices than on other popular server-oriented distributions. And besides, you can install additional Ubuntu packages easily over the Internet.
The last major difference worth noting is that Ubuntu Server's default kernel is tuned for server performance, whereas Ubuntu Desktop's default kernel is tuned for maximum responsiveness. An article by Carla Schroder on these differences details some specifics as to how this is achieved (see Resources).
Yes, you read that right. By default, Ubuntu Server is a purely console-driven distribution. On Ubuntu Server, you do things the old-school way, with shell sessions, man page lookups and the vi editor.
Of course, there's nothing to stop you from installing the X Window System, complete with a fully packed KDE desktop environment, OpenOffice.org and Tux Racer. Ubuntu's download repositories don't distinguish between Server and Desktop, so you can install whatever you like. However, I very strongly suggest you resist the temptation to install the X Window System on your Ubuntu Server system.
When the first edition of my book Linux Server Security came out (which I try not to plug here, but this is after all an article on Linux server security), one reviewer complained bitterly about my advice to omit the X Window System from server installations. But, for years I've stood firm on this advice. The X Window System increases complexity. It has a history of “local privilege escalation” vulnerabilities (that can often be exploited remotely), and it always imposes a significant performance penalty.
“Keep it simple” is one of the most important tenets of good system security. If you don't need something, you should live without it. And, in most server scenarios, when a system's primary function is to provide various network services, and wherein what little “interactive” access necessary for administration can be done remotely, it's hard to justify the increased attack surface and overall complexity that come from running X.
Besides, even in Ubuntu Desktop, many if not most serious configuration and security tasks at some point require you to open a terminal and issue commands with sudo. If you want to be an Ubuntu system administrator (or more than a novice at Linux in general), there's no getting around needing to be able to cope with the command line. So I applaud the Ubuntu team's common sense (and courage) in keeping the X Window System out of the default installation of Ubuntu Server.
If you really need a GUI experience in administering your Ubuntu Server system, there are remote administration tools you can use (Webmin, for example—see Resources, and also see Federico Kereki's article “Graphic Administrationwiht Webmin” on page 64) that provide this without requiring X on the server itself.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- SUSE LLC's SUSE Manager
- My +1 Sword of Productivity
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- Non-Linux FOSS: Caffeine!
- Managing Linux Using Puppet
- SuperTuxKart 0.9.2 Released
- Doing for User Space What We Did for Kernel Space
- Google's SwiftShader Released
- Parsing an RSS News Feed with a Bash Script
- Rogue Wave Software's Zend Server