AIR FORCE ASSOCIATION’S
NATIONAL YOUTH CYBER EDUCATION PROGRAM
CYBERPATRIOT
www.uscyberpatriot.org
UNIT EIGHT
Ubuntu Security
SECTION ONE
Basic GUI Security
© Air Force Association
Basic Linux Security
• This unit will show you how to make many of the same security settings you made in Unit 5
‐ Linux has many of the same vulnerabilities, so the fixes are similar
• Linux does not have a Control Panel like in Windows
• The System Settings menu offers limited security tools
• Click the System Settings button in the menu bar

User Accounts
• Click User Accounts in the System Settings window
• As in Windows, it is important to restrict root (Admin) privileges and password protect all accounts
A. To make account management changes, you must enact root permissions by clicking Unlock and authenticating yourself by entering your password
B. Switch users from Administrator to Standard User by clicking next to Account Type
C. Change passwords by clicking the asterisks next to the Password option

Installing and Automating Updates
• The open-source community regularly develops improvements and patches for Ubuntu
• You should install these updates regularly
1. Click the Ubuntu button in the menu bar and search for Update Manager
2. Click Settings on the Update Manager Screen
3. To set automatic updates, go to the Updates Tab and make sure “Automatically check for updates” is set to “Daily”
4. After applying the changes, install any available updates from the main Update Manager window

Enabling the Firewall
• Enable the Ubuntu Built-in Firewall (UFW) to prevent unauthorized access to the computer
‐ The UFW is deactivated by default
• By default, UFW is only accessible by command line
• You can download Gufw, a graphical firewall interface, from the Software Center and use it to make changes to the UFW in the GUI
‐ You might need to install Ubuntu updates before installing Gufw
Source: https://help.ubuntu.com/community/UFW

Using Gufw
• After downloading Gufw from the Software Center, click the Ubuntu button in your menu bar → Search → Firewall Configuration
• Click the Unlock button on the Gufw window → Enact root permissions by authenticating → Turn Firewall Status On
• The default (and recommended) rules governing traffic are to Deny all incoming traffic and Allow all outgoing traffic
• The Reject option is the same as Deny, but also sends a notification to the sender that the connection has been blocked
• The Preconfigured rule panel allows incoming and/or outgoing traffic to be controlled for certain applications or services
‐ Similar to the Windows Firewall Exceptions list
‐ Open entire ports by clicking the Simple or Advanced tabs
Source: https://help.ubuntu.com/community/Gufw
SECTION TWO
Basic Command Line Security

The gedit Command
• Gedit is one of many text editor commands in Ubuntu
‐ Syntax: gedit [filepath]
‐ Unlike with other text editors, using gedit will cause a second window to pop up where you can easily change the text of a file
‐ This command will allow you to edit security policy files
• You need to enact root permissions before using gedit to edit files that cannot be accessed by standard users (e.g. system and security files)
• When using gedit for the first time, go to Edit → Preferences → Uncheck “Create a backup copy of files” to avoid saving issues
• Try using gedit by opening Terminal and entering gedit hello2.txt
‐ You will not be prompted to authenticate because this is a public file

Using gedit to Turn off the Guest Account
• As in Windows, the Ubuntu guest account is turned on by default
‐ You should disable it so people can’t access the computer anonymously
• The guest account is controlled by LightDM, the display manager controlling the Ubuntu login screen
• To turn off the guest account, edit the LightDM file:
‐ After root authenticating, type gedit /etc/lightdm/lightdm.conf
‐ Add the line allow-guest=false to the end of the LightDM file that pops up and click Save
‐ Restart your system and click your username button in the top-right corner of your desktop. The guest account should be disabled.
Sources: https://help.ubuntu.com/8.04/serverguide/C/user-management.html,
http://askubuntu.com/questions/451526/removing-guest-session-at-login-in-ubuntu-14-04

PAM Files
• Pluggable Authentication Modules (PAM) are used for logon and applications
• They simplify user authentication
‐ They do not govern authorization (i.e., granting privileges to users)
• Four types of PAM files:
‐ Account – control account conditions (e.g. not expired, etc.)
‐ Authentication – verify user identities
‐ Password – control some password policies
‐ Session – define actions performed at the beginning and end of user sessions
Source: http://i.walmartimages.com/i/p/00/06/41/44/03/0006414403031_500X500.jpg
Source: http://www.linux-mag.com/id/7887/

Editing the PAM Password File
• Type gedit /etc/pam.d/common-password
• Lines in the file starting with “#” are comments to help the user understand the file. They do not enforce any policies.
• After making changes, save the file and close it.
1. To enforce a password history of 5:
Add “remember=5” to the end of the line that has “pam_unix.so” in it.
2. To enforce a password length of 8:
Add “minlen=8” to the end of the line that has “pam_unix.so” in it.
3. To enforce password complexity with one of each type of character:*
Add “ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1” to the end of the line with “pam_cracklib.so” in it.**
*ucredit = upper case, lcredit = lower case, dcredit = number and ocredit = symbol
**cracklib may need to be installed before enforcing password complexity
Source: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

Using gedit to Edit Password History
• Type gedit /etc/login.defs
• This is a much longer file. To easily find the section to edit, type Ctrl+F and then “PASS_MAX_DAYS”
• Modify the following variables to the same recommended settings used in Windows:
‐ Maximum Password Duration: PASS_MAX_DAYS 90
‐ Minimum Password Duration: PASS_MIN_DAYS 10
‐ Days Before Expiration to Warn Users to Change Their Password: PASS_WARN_AGE 7
• Save the file and close it
Sources: http://xmodulo.com/2013/12/set-password-policy-linux.html,

Using gedit to Set Account Policy
• Type gedit /etc/pam.d/common-auth
• This file allows you to set an account lockout policy
• Add this line to the end of the file:
auth required pam_tally2.so deny=5 onerr=fail unlock_time=1800
‐ deny=5: Sets the number of allowed failed login attempts (in this case 5)
‐ unlock_time=1800: Sets the account lockout duration in seconds (in this case, 30 minutes)
• Save the file and close it
Source: http://linux.die.net/man/8/pam_tally
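
A way to confirm the edits from the last four slides (guest account, PAM password file, login.defs, account lockout) actually took effect. This is an added example, not part of the CyberPatriot material. The function names and the sample files it builds in a temporary directory are constructed for illustration; the checks match the exact values given on the slides.

```sh
#!/bin/sh
# Added example: audit the settings from the slides above. Paths hang off a root
# prefix so the demo runs on constructed sample files; pass "" for the live system.

# has_setting FILE REGEX: true if a non-comment line of FILE matches REGEX.
has_setting() {
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -Eq -- "$2"
}

# check ROOT LABEL FILE REGEX: print one PASS or FAIL line.
check() {
    if has_setting "$1$3" "$4"; then echo "PASS  $2"; else echo "FAIL  $2 ($3)"; fi
}

# audit_root ROOT: one result line per setting taught in this section.
audit_root() {
    r=$1
    e='([[:space:]]|$)'   # an option must end at whitespace or end of line
    check "$r" "guest account disabled" /etc/lightdm/lightdm.conf \
        '^[[:space:]]*allow-guest=false[[:space:]]*$'
    check "$r" "password history of 5" /etc/pam.d/common-password \
        "pam_unix\.so.*[[:space:]]remember=5$e"
    check "$r" "password length of 8" /etc/pam.d/common-password \
        "pam_unix\.so.*[[:space:]]minlen=8$e"
    for c in ucredit lcredit dcredit ocredit; do
        check "$r" "complexity $c=-1" /etc/pam.d/common-password \
            "pam_cracklib\.so.*[[:space:]]$c=-1$e"
    done
    for kv in PASS_MAX_DAYS:90 PASS_MIN_DAYS:10 PASS_WARN_AGE:7; do
        check "$r" "${kv%%:*} is ${kv##*:}" /etc/login.defs \
            "^[[:space:]]*${kv%%:*}[[:space:]]+${kv##*:}[[:space:]]*\$"
    done
    check "$r" "lockout after 5 failures" /etc/pam.d/common-auth \
        "pam_tally2\.so.*[[:space:]]deny=5$e"
    check "$r" "lockout lasts 1800 seconds" /etc/pam.d/common-auth \
        "pam_tally2\.so.*[[:space:]]unlock_time=1800$e"
}

# count_failures ROOT: print the number of FAIL lines (grep -c exits 1 on zero).
count_failures() { audit_root "$1" | grep -c '^FAIL' || true; }

# make_sample ROOT MODE: write constructed sample files; MODE is default or hardened.
make_sample() {
    mkdir -p "$1/etc/pam.d" "$1/etc/lightdm"
    if [ "$2" = hardened ]; then
        printf '[SeatDefaults]\nuser-session=ubuntu\nallow-guest=false\n' \
            > "$1/etc/lightdm/lightdm.conf"
        cat > "$1/etc/pam.d/common-password" <<'EOF'
password requisite pam_cracklib.so retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512 remember=5 minlen=8
EOF
        printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 10\nPASS_WARN_AGE 7\n' > "$1/etc/login.defs"
        echo 'auth required pam_tally2.so deny=5 onerr=fail unlock_time=1800' \
            > "$1/etc/pam.d/common-auth"
    else
        printf '[SeatDefaults]\nuser-session=ubuntu\n' > "$1/etc/lightdm/lightdm.conf"
        # The commented-out line below must not count: comments enforce nothing.
        cat > "$1/etc/pam.d/common-password" <<'EOF'
# password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 minlen=8
password [success=1 default=ignore] pam_unix.so obscure sha512
EOF
        printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_WARN_AGE 7\n' > "$1/etc/login.defs"
        echo 'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
            > "$1/etc/pam.d/common-auth"
    fi
}

demo=$(mktemp -d)
make_sample "$demo/default" default
make_sample "$demo/hardened" hardened
echo "== default-style sample: $(count_failures "$demo/default") failures =="
audit_root "$demo/default"
echo "== hardened sample: $(count_failures "$demo/hardened") failures =="
audit_root "$demo/hardened"
rm -rf "$demo"
```

To audit a real machine, run audit_root "" with root permissions so the files under /etc can be read.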
SECTION THREE
Advanced Ubuntu security

The ls Command
• The ls command (lower case “L”) lists the contents and properties of a file or directory
• Syntax: ls [option] [filepath]
‐ -l is a common option (lower case “L”), which provides the user with more details about the file or directory
• Example: ls -l hello2.txt will yield a description similar to the one below (exact details may differ)
• Fields labelled in the example output for hello2.txt:
‐ Links (refers to how many files, folders, and shortcuts link to this file)
‐ Owner (user who created the file)
‐ Group (user’s group when file was created)
‐ Size (kb)
‐ Date Modified
‐ File

Viewing File Permissions with the ls Command
• File permissions are the first items noted when using the ls command with the -l option
• File permissions are split into the 10 fields outlined below
• If any fields are blank (shown as a dash), the users in that section cannot do that action with the file
1. Type: if this says “d,” the item in question is a directory. A blank means it is a file.
2-4. Owner File Permissions: what the user can do with the file or directory
(Blank 2) Read - r
(Blank 3) Write/modify - w
(Blank 4) Execute - x
5-7. Group File Permissions
(Blank 5) Read - r
(Blank 6) Write/modify - w
(Blank 7) Execute - x
8-10. Other File Permissions
(Blank 8) Read - r
(Blank 9) Write/modify - w
(Blank 10) Execute - x
Example: -rw-rw-r--
‐ File (1.)
‐ The owner can read and write (2-4.)
‐ Group members can read and write (5-7.)
‐ Other users can read (8-10.)

The chmod Command
• Chmod allows you to change file permissions
• Syntax: chmod [u,g or o][+ or -][r,w, or x] [filepath]
‐ [u,g or o]: Change permissions for the user, group, or others
‐ [+ or -]: Add or subtract permissions
‐ [r,w, or x]: Specify whether read, write, or execute privileges are being changed
‐ Do not put spaces between the three fields after “chmod”
• Example:
1. Type chmod o-r hello2.txt
2. Type ls -l hello2.txt
3. If your permissions originally matched those on the last slide, you should see hello2.txt’s new file permissions, with read removed for other users
Sources: http://condor.depaul.edu/dpowebpg/support/chmod.html,
https://help.ubuntu.com/community/FilePermissions
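
The 10-field permission string and the chmod o-r example, worked through in a script. This is an added example, not part of the CyberPatriot material, and the function names are made up for illustration. It goes one step past the slides with world_writable, which uses find (not covered in this unit) to list files whose "other" write field is set.

```sh
#!/bin/sh
# Added example: read an ls -l permission string and watch chmod change it.

# explain_perms STRING: spell out the 10 fields of a permission string.
explain_perms() {
    case $1 in
        d*) echo "type: directory" ;;
        -*) echo "type: file" ;;
        *)  echo "type: other" ;;
    esac
    rest=${1#?}                       # fields 2-10
    for who in owner group other; do
        trio=$(printf '%s' "$rest" | cut -c1-3)
        rest=${rest#???}
        can=""
        case $trio in r??) can="$can read" ;; esac
        case $trio in ?w?) can="$can write" ;; esac
        case $trio in ??x) can="$can execute" ;; esac
        echo "$who:${can:- nothing}"
    done
}

# perms_after OCTAL CLAUSE: create a scratch file with mode OCTAL, apply the
# symbolic chmod CLAUSE (for example o-r) and print the new permission string.
perms_after() {
    f=$(mktemp)
    chmod "$1" "$f"
    chmod "$2" "$f"
    ls -l "$f" | cut -c1-10
    rm -f "$f"
}

# world_writable DIR: list regular files under DIR that other users can write
# (field 9 is "w"). Such files are the first candidates for chmod o-w.
world_writable() {
    find "$1" -type f -perm -0002
}

# Demo: the slide's example, starting from -rw-rw-r-- (octal 664).
start=-rw-rw-r--
echo "before: $start"
explain_perms "$start"
after=$(perms_after 664 o-r)
echo "after chmod o-r: $after"
explain_perms "$after"
```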

System Logs
• Similar to Windows Event Viewer
• From the Search field in the Ubuntu menu on the left of the desktop, type System Log to view available logs
• Four types of logs
‐ auth.log: Tracks authentication events that prompt for user passwords (e.g., uses of PAM files and sudo)
‐ dpkg.log: Tracks software events (e.g., installations and updates)
‐ syslog: Tracks operating system events (e.g., error messages)
‐ Xorg.0.log: Tracks desktop events (e.g., service changes and graphic card errors)
• Can add different types of logs
Sources: http://debian-handbook.info/browse/stable/sect.manipulating-packages-with-dpkg.html,
http://ubuntuforums.org/showthread.php?t=900245

Setting Audit Policies
• Unlike Windows, auditing is not set up by default in Ubuntu
• Three-step process for setting up audits:
1. Install the auditing program by typing apt-get install auditd
2. Enable audits by typing auditctl -e 1
3. View and modify policies by typing gedit /etc/audit/auditd.conf

Groups
• Work very similarly to Windows
‐ Root permissions are required
1. To list all groups:
cat /etc/group
2. To add a group:
addgroup [groupname]
3. To add a user to a group:
adduser [username] [groupname]

Services
• Can be viewed and managed in the GUI
• To install, type apt-get install bum in Terminal
• After installing, type bum to run
• To enable a service, check the box next to it
• To start a service, right-click it and select “Start”
• When a service is started, the light bulb will light up. When stopped, the light bulb will be dark.
