Home > Articles > Operating Systems, Server > Linux/UNIX/Open Source

This chapter is from the book

Ubuntu Server Security

As a system administrator, one of your chief tasks is dealing with server security. If your server is connected to the Internet, for security purposes it's in a war zone. If it's only an internal server, you still need to deal with (accidentally) malicious users, disgruntled employees, and the guy in accounting who really wants to read the boss's secretary's e-mail.

In general, Ubuntu Server is a very secure platform. The Ubuntu Security Team, the team that produces all official security updates, has one of the best turnaround times in the industry. Ubuntu ships with a no open ports policy, meaning that after you install Ubuntu on your machine—be it an Ubuntu desktop or a server installation—no applications will be accepting connections from the Internet by default. Like Ubuntu desktops, Ubuntu Server uses the sudo mechanism for system administration, eschewing the root account. And finally, security updates are guaranteed for at least 18 months after each release (five years for some releases, like Dapper), and are free.

In this section, we want to take a look at user account administration, filesystem security, system resource limits, logs, and finally some network security. But Linux security is a difficult and expansive topic; remember that we're giving you a crash course here and leaving out a lot of things—to be a good administrator, you'll want to learn more.

User Account Administration

Many aspects of user administration on Linux systems are consistent across distributions. Debian provides some convenience tools, such as the useradd command, to make things easier for you. But since Ubuntu fully inherits Debian's user administration model, we won't go into detail about it here. Instead, let us refer you to www.oreilly.com/catalog/debian/chapter/book/ch07_01.html for the basics. After reading that page, you'll have full knowledge of the standard model, and we can briefly talk about the Ubuntu difference: sudo.

As we mentioned at the end of the installation section (You're Done—Now Watch Out for Root!), Ubuntu doesn't enable the root, or administrator, account by default. There is a great deal of security benefit to this approach and incredibly few downsides, all of which are documented at the man pages for sudo_root.

The user that you added during installation is the one who, by default, is placed into the admin group and may use sudo to perform system administration tasks. After adding new users to the system, you may add them to the admin group like this:

$ sudo adduser username admin

Simply use deluser in place of adduser in the above command to remove a user from the group. (Adding the --encrypt-home option to adduser will automatically set up home directory encryption for the new user.)

One thing to keep in mind is that sudo isn't just a workaround for giving people root access. sudo can also handle fine-grain permissions, such as saying, "Allow this user to execute only these three commands with super-user privileges."

Documentation about specifying these permissions is available in the sudoers man page, which can be a bit daunting—feel free to skip close to the end of it, until you reach the EXAMPLES section. It should take you maybe 10 or 15 minutes to grok it, and it covers a vast majority of the situations for which you'll want sudo. When you're ready to put your new knowledge to use, simply run:

$ visudo

Be careful here—the sudoers database, which lives in /etc/sudoers, is not meant to just be opened in an editor because an editor won't check the syntax for you! If you mess up the sudoer's database, you might find yourself with no way to become an administrator on the machine.

Filesystem Security

The security model for files is standardized across most UNIX-like operating systems and is called the POSIX model. The model calls for three broad types of access permissions for every file and directory: owner, group, and other. It works in exactly the same way on any Linux distribution, which is why we won't focus on it here. For a refresher, consult the man pages for chmod and chown, or browse around the Internet.

We want to actually look at securing partitions through mount options, an oft-neglected aspect of dealing with system security that's rather powerful when used appropriately. When explaining how to partition your system, we extolled the virtues of giving, at the very least, the /home, /tmp, and /var directories their own partitions, mentioning how it's possible to use special options when mounting these to the filesystem.

Many of the special mount options are filesystem-dependent, but the ones we want to consider are not. Here are the ones that interest us.

nodev

A filesystem mounted with the nodev option will not allow the use or creation of special "device" files. There's usually no good reason to allow most filesystems to allow interpretation of block or character special devices, and allowing them poses potential security risks.

nosuid

If you read up about UNIX file permissions, you know that certain files can be flagged in a way that lets anyone execute them with the permissions of another user or group, often that of the system administrator. This flag is called the setuid (suid) or the setgid bit, respectively, and allowing this behavior outside of the directories that hold the system binaries is often unnecessary and decreases security. If a user is able to, in any way, create or obtain a setuid binary of his or her own choosing, the user has effectively compromised the system.

noexec

If a filesystem is flagged as noexec, users will not be able to run any executables located on it.

noatime

This flag tells the filesystem not to keep a record of when files were last accessed. If used indiscriminately, it lessens security through limiting the amount of information available in the event of a security incident, particularly when computer forensics is to be performed. However, the flag does provide performance benefits for certain use patterns, so it's a good candidate to be used on partitions where security is an acceptable tradeoff for speed.

Deciding which mount options to use on which partition is another fuzzy science, and you'll often develop preferences as you become more accustomed to administering machines. Here's a basic proposal, though, that should be a good starting point:

  • /home: nosuid, nodev
  • /tmp: noatime, noexec, nodev, nosuid
  • /var: noexec, nodev, nosuid

System Resource Limits

By default, Linux will not impose any resource limits on user processes. This means any user is free to fill up all of the working memory on the machine, or spawn processes in an endless loop, rendering the system unusable in seconds. The solution is to set up some of your own resource limits by editing the /etc/security/limits.conf file:

$ sudoedit /etc/security/limits.conf

The possible settings are all explained in the comment within the file, and there are no silver bullet values to recommend, though we do recommend that you set up at least the nproc limit and possibly also the as/data/memlock/rss settings.

If you need to set up disk quotas for your users, install the quota package, and take a look at its man page.

System Log Files

As a system administrator, the system log files are some of your best friends. If you watch them carefully, you'll often know in advance when something is wrong with the system, and you'll be able to resolve most problems before they escalate.

Unfortunately, your ability to pay close attention to the log files dwindles with every server you're tasked with administering, so administrators often use log-processing software that can be configured to alert them on certain events, or they write their own tools in languages such as Perl and Python.

Logs usually live in /var/log, and after your server runs for a while, you'll notice there are a lot of increasingly older versions of the log files in that directory, many of them compressed with gzip (ending with the .gz filename extension).

Here are some log files of note:

  • /var/log/syslog: general system log
  • /var/log/auth.log: system authentication logs
  • /var/log/mail.log: system mail logs
  • /var/log/messages: general log messages
  • /var/log/dmesg: kernel ring buffer messages, usually since system bootup

Your Log Toolbox

When it comes to reviewing logs, you should become familiar with a few tools of choice. The tail utility prints, by default, the last ten lines of a file, which makes it a neat tool to get an idea of what's been happening last in a given log file:

$ tail /var/log/syslog

With the -f parameter, tail launches into follow mode, which means it'll open the file and keep showing you changes on the screen as they're happening. If you want to impress your friends with your new system administrator prowess, you can now easily recreate the Hollywood hacker movie staple: text furiously blazing across the screen.

Also invaluable are zgrep, zcat, and zless, which operate like their analogues that don't begin with a z, but on gzip-compressed files. For instance, to get a list of lines in all your compressed logs that contain the word "warthog" regardless of case, you would issue the following command:

$ zgrep -i warthog /var/log/*.gz

Your toolbox for dealing with logs will grow with experience and based on your preferences, but to get an idea of what's already out there, do an apt-cache search for "log files."

A Sprinkling of Network Security

Network security administration is another feature provided largely by the OS, so it's no different on Ubuntu than on any other modern Linux distribution. That means we won't cover it here but will leave you with a pointer.

The iptables command is the front end to the very powerful Linux firewall tables. Unfortunately, dealing with iptables can be rather difficult, particularly if you're trying to set up complex firewall policies. To whet your appetite, here's iptables in action, dropping all packets coming from a notorious time-sink domain:

$ sudo iptables -A INPUT -s www.slashdot.org -j DROP

Tutorials, how-tos, and articles about iptables are available on the Internet in large numbers, and the system man pages provide detailed information about all the possible options. Spending some time to learn iptables is well worth it because it'll let you set up network security on any Linux machine and will make it pretty easy for you to learn other operating systems' firewall systems if need be.

If you want to just manage a basic firewall on Ubuntu Server, you don't necessarily even need to venture into iptables. Ubuntu provides an excellent front-end called ufw that makes it very easy to add new firewall rules. For more information on ufw, check out the man page for that tool, or if you want a more complete reference, look at the security section of The Official Ubuntu Server Book.

Final Words on Security

We've barely even scratched the surface of system security in this subsection, though we've tried to give you good pointers on where to start and where to get the information you need to learn more. But let us give you some sage advice on security in general, since it's a painful truth to learn: There is no such thing as a fully secure system. Securing systems isn't about making it impossible for a breach to occur. It's about making the breach so difficult that it's not worth it to the attacker. This definition is pretty fluid because if your attacker is a bored 14-year-old sitting in a basement somewhere chewing on cold pizza, you can bet that kid will leave your system alone if it's even marginally secure. But if you're keeping around top-secret information, it's a lot more difficult to have the system be secure enough that breaking into it isn't worth it, from a cost/benefit point of view, to the attackers.

Security is also neat because, as a concept, it permeates the entire idea space of computer science. Getting really good at security requires an incredibly deep understanding of the inner workings of computer systems, which has the nonobvious advantage that if you're trying to get a deep understanding of computer systems but don't know where to start, you can start with security and simply follow the trail. Use this to your advantage! Good luck.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020