Paranoid Penguin - Security Features in Ubuntu

Securing Ubuntu is as straightforward as installing it.
Notable Ubuntu Packages

Ubuntu Desktop 7.10 automatically installs with a number of important security-related software packages. Table 1 lists some of my favorites.

Table 1. Security-Related Packages Installed by Default

Package NameDescription
apparmor, apparmor-utils Novell AppArmor, type-enforcement controls for selected applications.
fping (!)Flood Ping, for probing ranges of IP addresses.
gnupgGNU Privacy Guard, a free OpenPGP implementation.
libselinux1, libsepol1SELinux libraries (require user-space tools from the universe repository).
libwrap0, tcpdTCP Wrappers, simple IP filtering for dæmons.
netcatNetcat, a general-purpose port-forwarder.
openssh-clientA free SSH client. Note that ssh-server isn't installed by default.
tcpdumpClassic protocol analyzer (sniffer).
update-managerGUI-based tool for automatic notifications and installing software updates.
wpasupplicantWPA client for 802.11 wireless networks.

I've mixed security-auditing tools (fping and tcpdump) alongside defense tools (gnupg, SELinux and TCP Wrappers). Obviously, you need to give some thought as to whether a given system is going to have an “offensive” role versus a “defensive” role with respect to security; security scanners can be dangerous!

The main repository contains a wealth of additional security software packages. Table 2 lists more of my favorites.

Table 2. More Security Packages in the Ubuntu Main Repository

Package NameDescription
aideIntegrity checker similar to Tripwire.
auth-config-clientPAM (Pluggable Authentication Module) configurator.
checksecuritycron jobs for security checking.
chkrootkitRootkit detection toolkit (though this is best run from read-only media).
cryptsetupTool for creating encrypted filesystems.
dovecot-imapd, dovecot-pop3dSecure IMAP and POP3 dæmons.
exim4-daemon-heavySMTP dæmon with extended features.
gpgsmGnuPG for S/MIME.
ipsec-toolsUser-space tools for configuring IPsec tunnels.
kwalletmanagerPassword vault for KDE.
libkrb53, krb5-docKerberos runtime libraries.
logcheckScans log files for anomalies and sends admin e-mail notifications.
nessus, nessusdNessus security scanner.
opie-client, opie-server, libpam-opieOPIE one-time password system (based on S/KEY).
shorewallSystem for generating iptables firewall rules.
slapdOpenLDAP server dæmon.
squid, squid-commonWeb proxy with caching and security features.
vsftpdThe Very Secure FTP Dæmon.

But wait, there's more! We've actually scratched only the surface. The universe and multiverse repositories contain many, many more security software packages. Table 3 lists a very small subset of these. Remember, the Ubuntu team offers no guarantee of timely security patches for these packages.

Table 3. Security Software in the Universe and Multiverse Repositories

Package NameRepositoryDescription
aircrack-nguniverseWEP/WPA wireless network shared-secret auditor.
amavisd-newuniverseAntivirus/spam-filter helper dæmon.
avscanuniverseGUI for ClamAV antivirus system.
bastilleuniverseComprehensive system-hardening scripts.
chntpwmultiverseChanges passwords on Windows NT/2K/XP systems.
clamavuniverseClamAV, a free virus scanner.
djbdns-installermultiverseSecure domain name service dæmon.
firestarteruniverseAn iptables GUI (GNOME).
flawfinderuniverseSource code security analyzer.
freeradiusuniverseRADIUS server for remote access and WLAN/WPA authentication.
perditionuniverseAn IMAP4/POP3 proxy.
spikeproxyuniverseWeb client proxy for Web site probing/analysis.
tigeruniverseSecurity audit scripts.
tripwireuniverseThe classic file/directory integrity checker.
uml-utilitiesuniverseUser Mode Linux virtualization engine tools.
wiresharkuniverseGraphical network packet sniffer/analyzer.
zorpuniverseApplication-layer proxy firewall.

As you can see, Ubuntu Desktop is an extremely versatile distribution. It contains a wide variety of security tools, representing many different ways to secure your system (and the network on which it resides).

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Thanks for a great article.

Mike Roberts's picture

Thanks for a great article. Although I have installed many distros, I don't consider myself a system administrator or security expert. Linux installation has become friendly enough that I haven't had to dig very deep to get it to work. I have been test driving *Ubuntu distros for less than a year. Your article clarified many things for me, some not security specific. Your straightforward article should be required reading for anyone about to plunge into *Ubuntu.

Mike Roberts is a bewildered Linux Journal Reader Advisory Panelist.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix