Paranoid Penguin - Security Features in Ubuntu

Securing Ubuntu is as straightforward as installing it.
Notable Ubuntu Packages

Ubuntu Desktop 7.10 automatically installs with a number of important security-related software packages. Table 1 lists some of my favorites.

Table 1. Security-Related Packages Installed by Default

Package NameDescription
apparmor, apparmor-utils Novell AppArmor, type-enforcement controls for selected applications.
fping (!)Flood Ping, for probing ranges of IP addresses.
gnupgGNU Privacy Guard, a free OpenPGP implementation.
libselinux1, libsepol1SELinux libraries (require user-space tools from the universe repository).
libwrap0, tcpdTCP Wrappers, simple IP filtering for dæmons.
netcatNetcat, a general-purpose port-forwarder.
openssh-clientA free SSH client. Note that ssh-server isn't installed by default.
tcpdumpClassic protocol analyzer (sniffer).
update-managerGUI-based tool for automatic notifications and installing software updates.
wpasupplicantWPA client for 802.11 wireless networks.

I've mixed security-auditing tools (fping and tcpdump) alongside defense tools (gnupg, SELinux and TCP Wrappers). Obviously, you need to give some thought as to whether a given system is going to have an “offensive” role versus a “defensive” role with respect to security; security scanners can be dangerous!

The main repository contains a wealth of additional security software packages. Table 2 lists more of my favorites.

Table 2. More Security Packages in the Ubuntu Main Repository

Package NameDescription
aideIntegrity checker similar to Tripwire.
auth-config-clientPAM (Pluggable Authentication Module) configurator.
checksecuritycron jobs for security checking.
chkrootkitRootkit detection toolkit (though this is best run from read-only media).
cryptsetupTool for creating encrypted filesystems.
dovecot-imapd, dovecot-pop3dSecure IMAP and POP3 dæmons.
exim4-daemon-heavySMTP dæmon with extended features.
gpgsmGnuPG for S/MIME.
ipsec-toolsUser-space tools for configuring IPsec tunnels.
kwalletmanagerPassword vault for KDE.
libkrb53, krb5-docKerberos runtime libraries.
logcheckScans log files for anomalies and sends admin e-mail notifications.
nessus, nessusdNessus security scanner.
opie-client, opie-server, libpam-opieOPIE one-time password system (based on S/KEY).
shorewallSystem for generating iptables firewall rules.
slapdOpenLDAP server dæmon.
squid, squid-commonWeb proxy with caching and security features.
vsftpdThe Very Secure FTP Dæmon.

But wait, there's more! We've actually scratched only the surface. The universe and multiverse repositories contain many, many more security software packages. Table 3 lists a very small subset of these. Remember, the Ubuntu team offers no guarantee of timely security patches for these packages.

Table 3. Security Software in the Universe and Multiverse Repositories

Package NameRepositoryDescription
aircrack-nguniverseWEP/WPA wireless network shared-secret auditor.
amavisd-newuniverseAntivirus/spam-filter helper dæmon.
avscanuniverseGUI for ClamAV antivirus system.
bastilleuniverseComprehensive system-hardening scripts.
chntpwmultiverseChanges passwords on Windows NT/2K/XP systems.
clamavuniverseClamAV, a free virus scanner.
djbdns-installermultiverseSecure domain name service dæmon.
firestarteruniverseAn iptables GUI (GNOME).
flawfinderuniverseSource code security analyzer.
freeradiusuniverseRADIUS server for remote access and WLAN/WPA authentication.
perditionuniverseAn IMAP4/POP3 proxy.
spikeproxyuniverseWeb client proxy for Web site probing/analysis.
tigeruniverseSecurity audit scripts.
tripwireuniverseThe classic file/directory integrity checker.
uml-utilitiesuniverseUser Mode Linux virtualization engine tools.
wiresharkuniverseGraphical network packet sniffer/analyzer.
zorpuniverseApplication-layer proxy firewall.

As you can see, Ubuntu Desktop is an extremely versatile distribution. It contains a wide variety of security tools, representing many different ways to secure your system (and the network on which it resides).

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Thanks for a great article.

Mike Roberts's picture

Thanks for a great article. Although I have installed many distros, I don't consider myself a system administrator or security expert. Linux installation has become friendly enough that I haven't had to dig very deep to get it to work. I have been test driving *Ubuntu distros for less than a year. Your article clarified many things for me, some not security specific. Your straightforward article should be required reading for anyone about to plunge into *Ubuntu.

Mike Roberts is a bewildered Linux Journal Reader Advisory Panelist.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState