Ubuntu Server Security
As a system administrator, one of your chief tasks is dealing with server security. If your server is connected to the Internet, for security purposes, it's in a war zone. If it's only an internal server, you still need to deal with (accidentally) malicious users, disgruntled employees, and the guy in accounting who really wants to read the boss's secretary's e-mail.
In general, Ubuntu Server is a very secure platform. The Ubuntu Security Team, the team that produces all official security updates, has one of the best turnaround times in the industry. Ubuntu ships with a no open ports policy, meaning that after you install the machine—be it an Ubuntu desktop or a server—no applications will be accepting connections from the Internet by default. Like Ubuntu desktops, Ubuntu Server uses the sudo mechanism for system administration, eschewing the root account. And finally, security updates are guaranteed for at least 18 months after each release (five years for some releases, like Dapper), and are free.
In this section, we want to take a look at filesystem security, system resource limits, dealing with logs, and finally some network security. But Linux security is a difficult and expansive topic; remember that we're giving you a crash course here, and leaving a lot of things out—to be a good administrator, you'll want to learn more.
User Account Administration
Many aspects of user administration on Linux systems are consistent across distributions. Debian provides some convenience tools, such as the useradd command, to make things easier for you. But since Ubuntu fully inherits Debian's user administration model, we won't go into detail about it here. Instead, let us refer you to www.oreilly.com/catalog/debian/chapter/book/ch07_01.html for the basics. After reading that page, you'll have full knowledge of the standard model, and we can briefly talk about the Ubuntu difference: sudo.
As we mentioned at the end of the installation section (You're done—Now Watch Out for Root!), Ubuntu doesn't enable the root, or administrator, account by default. There is a great deal of security benefit to this approach and incredibly few downsides, all of which are documented at the man pages for sudo_root.
The user that you added during installation is the one who, by default, is placed into the admin group and may use sudo to perform system administration tasks. After adding new users to the system, you may add them to the admin group like this:
$ sudo adduser username admin
Simply use deluser in place of adduser in the above command to remove a user from the group.
One thing to keep in mind is that sudo isn't just a workaround for giving people root access. It can also handle fine-grain permissions, such as saying, "allow this user to execute only these three commands with superuser privileges."
Documentation about specifying these permissions is available in the "sudoers" man page, which can be a bit daunting—feel free to skip close to the end of it, until you reach the EXAMPLES section. It should take you maybe 10 or 15 minutes to grok it, and it covers a vast majority of the situations for which you'll want sudo. When you're ready to put your new knowledge to use, simply run:
Be careful here—the sudoers database, which lives in /etc/sudoers, is not meant to just be opened in an editor, because an editor won't check the syntax for you! If you mess up the sudoers database, you might find yourself with no way to become an administrator on the machine.
The security model for files is standardized across most Unix-like OS, and is called the POSIX model. The model calls for three broad types of access permissions for every file and directory: owner, group, and other. It works in exactly the same way on any Linux distribution, which is why we won't focus on it here. For a refresher, consult the man pages for chmod and chown, or browse around the Internet.
We want to actually look at securing partitions through mount options, an oft-neglected aspect of dealing with system security that's rather powerful when used appropriately. When explaining how to partition your system, we extolled the virtues of giving, at the very least, the /home, /tmp, and /var directories their own partitions, mentioning how it's possible to use special options when mounting these to the filesystem.
Many of the special mount options are filesystem-dependent, but the ones we want to consider are not. Here are the ones that interest us:
A filesystem mounted with the nodev option will not allow the use or creation of special "device" files. There's usually no good reason to allow most filesystems to allow interpretation of block or character special devices, and allowing them poses potential security risks.
If you read up about Unix file permissions, you know that certain files can be flagged in a way that lets anyone execute them with the permissions of another user or group, often that of the system administrator. This flag is called the setuid (suid) or the setgid bit, respectively, and allowing this behavior outside of the directories that hold the system binaries is often unnecessary and decreases security. If a user is able to, in any way, create or obtain a suid binary of his own choosing, he has effectively compromised the system.
If a filesystem is flagged as noexec, users will not be able to run any executables located on it.
This flag tells the filesystem not to keep a record of when files were last accessed. If used indiscriminately, it lessens security through limiting the amount of information available in the event of a security incident, particularly when computer forensics is to be performed. However, the flag does provide performance benefits for certain use patterns, so it's a good candidate to be used on partitions where security is an acceptable trade-off for speed.
Deciding which mount options to use on which partition is another fuzzy science, and you'll often develop preferences as you become more accustomed to administering machines. Here's a basic proposal, though, that should be a good starting point:
- /home—nosuid, nodev
- /tmp—noatime, noexec, nodev, nosuid
- /var—noexec, nodev, nosuid
System Resource Limits
By default, Linux will not impose any resource limits on user processes. This means any user is free to fill up all of the working memory on the machine, or spawn processes in an endless loop, rendering the system unusable in seconds. The solution is to set up some of your own resource limits by editing the /etc/security/limits.conf file:
$ sudoedit /etc/security/limits.conf
The possible settings are all explained in the comment within the file, and there are no silver bullet values to recommend, though we do recommend that you set up at least the nproc limit, and possibly also the as/data/memlock/rss settings.
If you need to set up disk quotas for your users, install the quota package, and take a look at its man page.
System Log Files
As a system administrator, the system log files are some of your best friends. If you watch them carefully, you'll often know in advance when something is wrong with the system, and you'll be able to resolve most problems before they escalate.
Unfortunately, your ability to pay close attention to the log files dwindles with every server you're tasked with administering, so administrators often use log processing software that can be configured to alert them on certain events, or write their own tools in languages such as Perl and Python.
Logs usually live in /var/log, and after your server runs for a while, you'll notice there are a lot of increasingly older versions of the log files in that directory, many of them compressed with gzip (ending with the .gz filename extension).
Here are some log files of note:
- /var/log/syslog—general system log
- /var/log/auth.log—system authentication logs
- /var/log/mail.log—system mail logs
- /var/log/messages—general log messages
- /var/log/dmesg—kernel ring buffer messages, usually since system bootup
Your Log Toolbox
When it comes to reviewing logs, there are a few tools of choice that you should become familiar with. The tail utility prints, by default, the last ten lines of a file, which makes it a neat tool to get an idea of what's been happening last in a given log file:
$ tail /var/log/syslog
With the -f parameter, tail launches into follow mode, which means it'll open the file and keep showing you changes on the screen as they're happening. If you want to impress your friends with your new system administrator prowess, you can now easily recreate the Hollywood hacker movie staple: text furiously blazing across the screen.
Also invaluable are zgrep, zcat, and zless, which operate like their analogues that don't begin with a "z" but on gzip-compressed files. For instance, to get a list of lines in all your compressed logs that contain the word "warthog" regardless of case you would issue the following command:
$ zgrep -i warthog /var/log/*.gz
Your toolbox for dealing with logs will grow with experience and based on your preferences, but to get an idea of what's already out there, do an apt-cache search for "log files."
A Sprinkling of Network Security
Network security administration is another feature provided largely by the OS, so it's no different on Ubuntu than on any other modern Linux distribution. That means we won't cover it here but will leave you with a pointer.
The iptables command is the front end to the very powerful Linux firewall tables. Unfortunately, dealing with iptables can be rather difficult, particularly if you're trying to set up complex firewall policies. To whet your appetite, here's iptables in action, dropping all packets coming from a notorious time-sink domain:
$ sudo iptables -A INPUT -s www.slashdot.org -j DROP
Tutorials, how-tos, and articles about iptables are available on the Internet in large numbers, and the system man pages provide detailed information about all the possible options. Spending some time to learn iptables is well worth it, because it'll let you set up network security on any Linux machine, and will make it pretty easy for you to learn other OS firewall systems if need be.
Final Words on Security
We've barely even scratched the surface of system security in this subsection, though we've tried to give you good pointers on where to start and where to get the information you need to learn more. But let us give you some sage advice on security in general, since it's a painful truth to learn: There is no such thing as a fully secure system. Securing systems isn't about making it impossible for a breach to occur. It's about making the breach so difficult that it's not worth it to the attacker. This definition is pretty fluid, because if your attacker is a bored 14-year-old sitting in a basement somewhere chewing on cold pizza, you can bet that he'll leave your system alone if it's even marginally secure. But if you're keeping around top secret information, then it's a lot more difficult to have the system be secure enough that breaking into it isn't worth it, from a cost/benefit point of view, to the attackers.
Security is also neat because, as a concept, it permeates the entire idea space of computer science. Getting really good at security requires incredibly deep understanding of the inner workings of computer systems, which has the nonobvious advantage that if you're trying to get a deep understanding of computer systems but don't know where to start, you can start with security and simply follow the trail. Use this to your advantage! Good luck.