Announcement

Collapse
No announcement yet.

Discuss: article on Ubuntu security

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Discuss: article on Ubuntu security

    Users of Ubuntu and, by extension, Kubuntu should be aware of system security.
    I found this article which gives a good general description of configuration for
    higher security against malware, phishing etc. These go beyond simple anti-virus
    software.

    http://www.datamation.com/open-sourc...-security.html

    I'm not completely sure that I accept the authors view on the lack-of-need for
    antivirus software on Ubuntu systems. In the past, the Linux universe represented a
    smaller percent of installed systems, which made it less attractive to malware
    writers. With today's increased usage of Linux servers in the banking and finance
    worlds, the opportunity for mal-writers is much greater. But read his analysis and
    make your own decision.

    I also note the lack of a forum, here, specifically addressing security issues as a case in point.
    Kubuntu 24.11 64bit under Kernel 6.12.3, Hp Pavilion, 6MB ram. Stay away from all things Google...

    #2
    Originally posted by Teunis
    One little problem with any antivirus software for Linux is the absence of fingerprints for Linux targeted malware.
    So it consumes resources without offering any measurable security.
    Seems like there is a market space there for someone to fill. Considering that it is the banks and financials that are a target and who has the money to support maintenance on the fingerprint db...
    Kubuntu 24.11 64bit under Kernel 6.12.3, Hp Pavilion, 6MB ram. Stay away from all things Google...

    Comment


      #3
      Linux, when set up and managed with security in mind (not running the system "as root"), is very secure. Viri and malware targeted at Linux systems, while not non-existent, is rare. Effective Linux viri or malware is even rarer.
      Windows no longer obstructs my view.
      Using Kubuntu Linux since March 23, 2007.
      "It is a capital mistake to theorize before one has data." - Sherlock Holmes

      Comment


        #4
        While using common sense and only using software from trusted sources are generally sound advice, the author seems to have only rudimentary understanding of security concepts.

        The Firewall section just hurts my head in more ways than one...and "If you're seeing an increase in brute forced attacks, I'd also recommend increasing your key strength just to be safe." Really? Who an earth would be brute forcing host keys at random?

        He probably means "password" instead of "key", but still, if you're using/allowing password authentication with SSH you're most likely already doing it wrong if you're a regular desktop user.
        Last edited by kubicle; Mar 26, 2015, 01:32 AM.

        Comment


          #5
          Originally posted by kubicle View Post
          Who an earth would be brute forcing host keys at random?
          No one. Attackers rarely grind against password prompts or attempt other forms of brute force intrusion methods these days. Instead, the common technique is to social engineer someone who already has a degree of access. The amount of work is less, and the reward is greater. From there, the attacker can more easily spread across the network. Perhaps a privileged user once logged onto normal workstation and failed to clear the cached credential. An attacker can discover this and use it to impersonate a privileged user, thus gaining access to many more resources on the network.

          I'm going to deconstruct that article momentarily.

          Comment


            #6
            Anti-virus software isn't needed
            True until bad guys start writing more malware for Linux. The likelihood of this is slim, though. Attackers and criminals are opportunistic -- they seek target-rich environments. You see lots of malware on Android for the same reason you see lots of malware on earlier versions of Windows: unsafe defaults, zillions of clueless users. Kitkat and Lollipop are much more resilient against attack than prior versions, just like Windows 7/8/8.1 are more resilient than prior versions. But there is still so much Gingerbread, Ice Cream Sandwich, Jellybean to target; there is still so much XP to target. Don't forget about Java, Flash, Acrobat, Quicktime, and every major browser -- these are even richer targets. Attackers won't waste their time on the sliver of a minority of us who take the time to learn Linux and also care about safe computing.

            However: Linux powers most of the server infrastructure on the Internet. I do worry about zero-days a lot: exploits targeting undiscovered vulnerabilities. Anti-malware tools are powerless against these, of course. Monitoring for anomalous behavior becomes your best defense.

            Use your firewall
            Ridiculous. The notion of "open ports" on a host doesn't make sense. A host will establish a listening socket on a port when it needs to accept inbound connections. A host will establish a transmitting socket on a port when it needs to create an outbound connection. What are you going to block on a host? The author instructs us "to block any ports that aren't being used on a regular basis." News flash: the only time a port is available for an inbound connection is when you run some software designed to listen on that port. Otherwise, there's nothing to block.

            The advice about SSH is goofy. If you don't need to permit inbound SSH, don't run the daemon. If you do need SSH, and if your password is a good one or you're using keys for authentication, then it doesn't matter what port you run it on. The default is fine. You'll see a lot of "knocks" from scanners across the Internet, but this is nothing new, really.

            As for -- "The idea behind setting up your firewall to block unwanted connections is simple commonsense. If an application or protocol doesn't have a good reason to be connected, then it's best to play it safe and block that connection." -- what is this I don't even. If an application doesn't have a good reason to be connected, then it's best not to run that application. (In the same way that languages don't speak, people do, know that protocols don't connect, applications do. Does this author really understand the topic?)

            Finally, a NAT-based router with stateful packet inspection is perfectly adequate for protecting machines behind it in a typical home or small office scenario. Extra layers, especially ones that are completely ineffective, are unnecessary.

            Patch your installation
            The first section that actually contains good advice. Do this.

            Except...the author returns to "securing your ports" as a necessary defense against a malicious user or script "testing the waters." LOLWUT? Let's consider how such a thing might happen. If you're running a listening service because you need to answer incoming connections, a host firewall will have a rule permitting those. Good and bad traffic can and will make connections. A firewall can't distinguish between good and bad. Thus, "port security" is meaningless here. If you aren't running any listening services, then there is nothing for a firewall to do, so you don't need one. Why is this writer so obsessed with ports ports ports? Ugh!

            Browser extensions
            Good advice. More generally, be wary of random code that comes in any form, not just browser extensions.

            Java
            "These days Java isn't really a threat to anyone using a desktop operating system." This is so wrong. HotSpot, Oracle's Java virtual machine, is routinely updated to fix major security flaws that permit malicious software to escape the sandbox. But these updates are often not timely and exploits can run wild for quite a while. OpenJDK, the Java VM present in most Linux distributions, is much better here.

            Also: a lot of enterprise applications are written so poorly that they require specific versions of Java. Java upgrades will break these applications, so millions of computers in medium and large organizations contain flawed JVMs.

            Phishing
            Um, phishing is an attack against people, not computers. Software can't help you here.

            Comment


              #7
              umm if SR said it you should maybe do it.

              woodjustsayinbecauseIvolunteeredatCastleCopssmoke

              Comment


                #8
                Good analysis Steve

                Originally posted by SteveRiley View Post
                OpenJDK, the Java VM present in most Linux distributions, is much better here.
                Vulnerabilities fixed more quickly? Or fewer vulnerabilities in the first place?
                I'd rather be locked out than locked in.

                Comment


                  #9
                  Well, I'm not sure whether I feel embarrassed or proud to have started this thread. I learned something, which is a point in favor...
                  Kubuntu 24.11 64bit under Kernel 6.12.3, Hp Pavilion, 6MB ram. Stay away from all things Google...

                  Comment


                    #10
                    I agree with Teunis on the not feeling embarrassed part. Especially when it comes to security, there is a lot of information out there that is just silly but not harmful, a lot that is outdated and usually not harmful, and some that just makes you cringe.

                    To help others in the future, I suggest changing the name of the thread (if possible), and/or edit your original post to add something like "The article I linked to has been mostly debunked by people smarter than the article's author. See comment X in this thread."

                    Comment


                      #11
                      ... and this discussion continues, huh?

                      OK, my contribution will be embarrassingly to the point:
                      I can't figure out why anyone would feel embarrassed about anything around here.
                      An intellectual says a simple thing in a hard way. An artist says a hard thing in a simple way. Charles Bukowski

                      Comment


                        #12
                        Many thanks for everyone's kind words

                        Originally posted by SecretCode View Post
                        Vulnerabilities fixed more quickly? Or fewer vulnerabilities in the first place?
                        Many, many fewer in the first place.

                        Originally posted by TWPonKubuntu View Post
                        Well, I'm not sure whether I feel embarrassed or proud to have started this thread. I learned something, which is a point in favor...
                        As others have said, dicussions like these are valuable. No reason to feel embarrassed.

                        Originally posted by ronw View Post
                        I suggest changing the name of the thread
                        Good idea; will do.

                        Comment

                        Working...
                        X