
There is a common misconception that servers running Linux are the most secure and protected from outside intrusion. Unfortunately, this is not the case: the security of any server depends on a number of factors and on the measures taken to ensure it, and hardly at all on the operating system used.

We decided to start a series of articles on network security with Ubuntu Server, because solutions on this platform are of great interest to our readers and because many believe that Linux solutions are secure in themselves.

At the same time, a router with a dedicated IP address is the "gate" to the local network, and it depends only on the administrator whether that gate will be a reliable barrier or turn out to be a village gate latched with a nail.

Another common misconception is reasoning in the style of "who needs our server, we have nothing interesting". Indeed, your local network may be of no interest to attackers, but they can use a compromised server to send spam, to attack other servers, as an anonymous proxy, in short, as a launching point for their dark deeds.

And that is already unpleasant and can become a source of various problems, from your provider up to law enforcement agencies. Nor should you forget about the spread of viruses, the theft and destruction of important information, and the fact that downtime of an enterprise leads to quite tangible losses.

Although the article is dedicated to Ubuntu Server, we will first consider general security issues that apply equally to any platform and are the basics without which there is no sense in discussing the subject in more detail.

Where does security start?

No, security doesn't start with a firewall; it doesn't start with technical means at all. Security starts with the user. After all, what's the point of the coolest metal door installed by the best specialists if the owner leaves the key under the rug?

Therefore, the first thing you should do is conduct a security audit. Do not be afraid of this word, everything is not so difficult: draw a schematic network plan on which you mark a safe zone, a zone of potential danger and a zone of increased danger, and also make a list of users who have (should have) access to these zones.

The safe zone should include internal network resources to which there is no access from outside and for which a low level of security is acceptable. These can be workstations, file servers and so on: devices to which access is limited to the enterprise's local network.

The zone of potential danger should include servers and devices that do not have direct access to the external network, but some of whose services are accessible from the outside, for example, web and mail servers located behind the firewall, but at the same time serving requests from the external network.

The danger zone should include devices directly accessible from outside; ideally this is a single router.

If possible, a potentially dangerous zone should be moved to a separate subnet - a demilitarized zone (DMZ), which is separated from the main network by an additional firewall.

LAN devices should only be able to reach the services in the DMZ that they need, such as SMTP, POP3 or HTTP; all other connections should be blocked. This reliably confines an attacker or malware that has exploited a vulnerability in one service to the demilitarized zone, denying them access to the main network.

Physically, a DMZ can be set up by installing a separate server or hardware firewall, or by adding another network card to the router; in the latter case you will have to pay close attention to the security of the router itself. In any case, it is much easier to secure a single server than a group of servers.

The next step is to analyze the list of users: do all of them need access to the DMZ and to the router (public services excepted)? Special attention should be paid to users connecting from outside.

This usually requires the very unpopular step of enforcing a password policy. All passwords of users with access to critical services and with the ability to connect from outside must be at least 6 characters long and, in addition to lowercase letters, contain characters from two of the three categories: uppercase letters, digits, non-alphabetic characters.

In addition, the password should not include the user's login or part of it, should not contain dates and names that can be associated with the user, and, preferably, should not be a dictionary word.

It's a good idea to get into the habit of changing passwords every 30-40 days. It is clear that such a policy can cause rejection on the part of users, but you should always remember that passwords like 123 or qwerty are equivalent to the key left under the mat.
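As an added example that is not part of the original article, the policy above expressed as a shell check that can be run against a candidate password before it is accepted. Two assumptions are made: "part of the login" is checked as the whole login string (case-insensitively), and dates and names are not checked because they depend on the individual user. The dictionary test only runs when a system word list is present.

```shell
#!/bin/sh
# Added example, not from the original article: check a candidate password
# against the article's policy. Usage: check_password LOGIN PASSWORD
# Returns 0 if the password is accepted, 1 otherwise (reason on stderr).
check_password() {
    login=$1
    pw=$2
    # rule 1: at least 6 characters
    if [ "${#pw}" -lt 6 ]; then
        echo "rejected: shorter than 6 characters" >&2
        return 1
    fi
    # rule 2: lowercase letters are mandatory
    if ! printf '%s' "$pw" | grep -q '[a-z]'; then
        echo "rejected: no lowercase letters" >&2
        return 1
    fi
    # rule 3: at least two of the three extra categories
    cats=0
    printf '%s' "$pw" | grep -q '[A-Z]' && cats=$((cats + 1))
    printf '%s' "$pw" | grep -q '[0-9]' && cats=$((cats + 1))
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' && cats=$((cats + 1))
    if [ "$cats" -lt 2 ]; then
        echo "rejected: need two of uppercase, digits, other symbols" >&2
        return 1
    fi
    # rule 4 (assumed interpretation): must not contain the whole login, any case
    lower_pw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    lower_login=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
    case "$lower_pw" in
        *"$lower_login"*)
            echo "rejected: contains the login" >&2
            return 1 ;;
    esac
    # rule 5: reject a plain dictionary word when a word list is available
    if [ -r /usr/share/dict/words ] && grep -qixF -- "$pw" /usr/share/dict/words; then
        echo "rejected: dictionary word" >&2
        return 1
    fi
    return 0
}

# constructed demonstration inputs for the user "ivanov"
for candidate in 'qwerty' 'Ivanov9!' 'Tr7kpz'; do
    if check_password ivanov "$candidate" 2>/dev/null; then
        echo "$candidate: accepted"
    else
        echo "$candidate: rejected"
    fi
done
```

Run it as `check_password ivanov 'Tr7kpz'` and test the exit status; the loop at the bottom shows a lowercase-only password, one containing the login, and one that passes.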

Server security: nothing superfluous

Now, having an idea of what we want to protect and from what, let's move on to the server itself. Make a list of all services and daemons, then consider whether every one of them is needed on this particular server or whether some can be moved elsewhere.

The fewer services, the easier it is to ensure security, the less chance of a server being compromised through a critical vulnerability in one of them.

Configure local network services (such as squid) to only accept requests from the local interface. The fewer services available externally, the better.

A useful helper here is a vulnerability scanner, which should be run against the server's external interface. We used the demo version of one of the best-known products, XSpider 7.7.

The scanner shows open ports, tries to determine the type of service running on each and, if successful, lists known vulnerabilities for it. As you can see, a properly configured system is quite safe, but you should still not leave the key under the mat: the presence of open ports 1723 (VPN) and 3389 (RDP, forwarded to the terminal server) on the router is a good reason to think about password policy.

SSH security deserves a separate discussion: this service is commonly used by administrators for remote control of the server and is therefore of particular interest to intruders. SSH settings are stored in the file /etc/ssh/sshd_config; all the changes described below are made there. First of all, disable logging in as root by adding the option:

PermitRootLogin no

Now the attacker will have to guess not only the password but also the login, and even then will not know the superuser password (we hope it does not match your own). All administrative tasks when connecting from outside should be performed via sudo after logging in as an unprivileged user.

It is worth explicitly specifying the list of allowed users; entries of the form user@host are accepted, which allows the given user to connect only from the given host. For example, to allow the user ivanov to connect from home (IP 1.2.3.4), add the following entry:

AllowUsers ivanov@1.2.3.4

Also disable the outdated and less secure SSH1 protocol, allowing only the second version; to do this, change the corresponding line to:

Protocol 2
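As an added example that is not part of the original article, a small audit that reads the three settings above out of an sshd_config and reports which are missing. It relies on two documented sshd_config rules: keywords are case-insensitive, and the first uncommented occurrence of a keyword wins, so a hardened line appended at the bottom of the file is silently overridden by an earlier one. SSHD_SAMPLE is a constructed file, not a real host's configuration.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed sshd_config sample:
SSHD_SAMPLE='# constructed sample
Port 22
permitrootlogin no
Protocol 2
AllowUsers ivanov@1.2.3.4 petrov
PasswordAuthentication yes'

# sshd_value KEY: config on stdin; prints the effective value of KEY, or nothing.
# First uncommented occurrence wins, keyword matched case-insensitively.
sshd_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword, keep the rest
            print; exit
        }'
}

# audit_sshd CONFIG_TEXT: returns 0 when all three hardening settings are present,
# otherwise prints what is wrong and returns 1
audit_sshd() {
    cfg=$1
    rc=0
    [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(printf '%s\n' "$cfg" | sshd_value Protocol)" = "2" ] \
        || { echo "Protocol 2 is not set"; rc=1; }
    [ -n "$(printf '%s\n' "$cfg" | sshd_value AllowUsers)" ] \
        || { echo "AllowUsers is empty: any valid account may log in"; rc=1; }
    return $rc
}

audit_sshd "$SSHD_SAMPLE" && echo "sample config: all three settings present"
# check the live file when the script runs on a real host
if [ -r /etc/ssh/sshd_config ]; then
    audit_sshd "$(cat /etc/ssh/sshd_config)" || echo "live sshd_config needs attention"
fi
```

Two caveats for current systems: OpenSSH 7.6 and later removed SSH1 entirely, so the Protocol keyword no longer exists there and the audit should skip that check, and recent Ubuntu releases pull in /etc/ssh/sshd_config.d/*.conf via an Include line, so the effective configuration is best read from `sshd -T` rather than from a single file (and `sshd -t` validates the file before a restart).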

Despite all the measures taken, there will still be attempts to connect to SSH and other public services. To prevent password guessing, use the fail2ban utility, which automatically bans a client after several unsuccessful authorization attempts. Install it with the command:

sudo apt-get install fail2ban

The utility is ready to work immediately after installation, but we would advise changing some parameters right away by editing the file /etc/fail2ban/jail.conf. By default only SSH access is monitored and the ban time is 10 minutes (600 seconds); in our opinion it is worth increasing it by changing the following option:

bantime = 6000

Then scroll through the file and enable the sections for the services running on your system by setting the enabled parameter under the corresponding section name to true; for example, for the proftpd service it will look like this:

[proftpd]
enabled = true

Another important parameter is maxretry, which sets the maximum number of failed attempts before a ban. After changing the settings, don't forget to restart the service:

sudo /etc/init.d/fail2ban restart

You can see the log of the utility in /var/log/fail2ban.log.

None of us want personal information to fall into the wrong hands. But how to protect the system from attacks and data theft? Do you really have to read kilometer-long manuals on setting up and encryption algorithms? Not at all necessary. In this article, I will show you how to make a Linux system secure in just 30 minutes.

Introduction

We live in an age of mobile devices and of being permanently online. We go to a cafe with a laptop and run web servers on home machines exposed to the Internet. We register on hundreds of sites and use the same passwords for web services. We always have a smartphone in our pocket, stuffed with dozens of passwords and holding the keys to several SSH servers. We have become so accustomed to third-party services taking care of our privacy that we have stopped paying attention to it.

When I lost my smartphone, I was very lucky that the anti-theft software installed on it turned out to work and allowed me to remotely erase all data from the device's memory. When I inadvertently opened an SSH port on my home machine, with a user without a password (!), to the outside world (!!), I was very lucky that it was script kiddies who got onto the machine and, apart from a funny shell history, left no serious traces of their stay in the system. When I accidentally posted a listing on the Internet with my Gmail password in it, I was very lucky that a kind person warned me about it.

Maybe I'm exaggerating, but I firmly believe that such incidents have happened to many who read these lines. And it's good if those people, unlike me, took the protection of their machine seriously. After all, the anti-theft might not have worked, and instead of a script kiddie serious people could have got onto the machine, and I could have lost not a smartphone but a laptop on which, apart from the user's password, there was no other protection. No, relying on Google's two-factor authentication alone and on stupid passwords is definitely not worth it in our age; something more serious is needed.

This article is a paranoid unixoid's guide dedicated to the total protection of a Linux machine from anything and everything. I do not dare to say that everything described here is mandatory for use. Quite the contrary, it is a collection of recipes, the information from which can be used to protect yourself and data at those frontiers where it is needed in your particular situation.

Password!

It all starts with passwords. They are everywhere: in the login window of a Linux distribution, in registration forms on Internet sites, on FTP and SSH servers, and on the lock screen of a smartphone. The standard for passwords today is 8–12 mixed-case characters with digits included. Generating such passwords in your head is quite tedious, but there is an easy way to do it automatically:

$ openssl rand -base64 6

No external applications, no browser extensions: OpenSSL is available on any machine. Although, if someone finds it more convenient, they can install and use pwgen for this purpose (they say the password will be more resistant):

$ pwgen -Bs 8 1

Where to store passwords? Today each user has so many of them that it is simply impossible to keep everything in your head. Trust the browser's autosave? You can, but who knows how Google or Mozilla treat them; Snowden said that it was not very good. Therefore passwords must be stored on the machine itself in an encrypted container. The founding fathers recommend KeePassX for this. It is a graphical thing, which the founding fathers themselves do not much like, but it works everywhere, including Android (KeePassDroid). All that remains is to copy the password database to the right place.

We encrypt

Encryption - how much there is in this word... Today, encryption is everywhere and nowhere at the same time. We are forced to use HTTPS versions of sites, but we don't care. They tell us: "Encrypt your home directory", and we say: "I'll set it up later." They tell us: “The favorite pastime of Dropbox employees is to laugh at the personal photos of users,” and we: “Let them laugh.” Meanwhile, encryption is the only absolute means of protection today. And it is very affordable and smoothes wrinkles.

In Linux, you can find tons of encryption tools for everything and everything, from hard disk partitions to single files. The three most well known and time tested tools are dm-crypt/LUKS, ecryptfs and encfs. The first encrypts entire disks and partitions, the second and third - directories with important information, each file separately, which is very convenient if you need to make incremental backups or use it in conjunction with Dropbox. There are also several lesser known tools, including TrueCrypt for example.

I will say right away that encrypting the entire disk is a difficult task and, most importantly, a useless one. There is and can be nothing particularly confidential in the root directory, whereas the home directory and the swap are a real storehouse of information. Moreover, the second one matters even more than the first, since already decrypted data and passwords can end up there (decent programmers forbid the system from swapping out such data, but such programmers are a minority). Setting up encryption for both is very simple; just install the ecryptfs tools:

$ sudo apt-get install ecryptfs-utils

And, in fact, enable encryption:

$ sudo ecryptfs-setup-swap
$ ecryptfs-setup-private

Next, just enter your password used for login and log in to the system. Yes, it's really that simple. The first command will encrypt and remount the swap by changing the necessary lines in /etc/fstab. The second one will create the ~/.Private and ~/Private directories, which will store the encrypted and decrypted files, respectively. When you log in, the PAM module pam_ecryptfs.so will be triggered, which will mount the first directory on the second with transparent data encryption. After unmounting, ~/Private will be empty, and ~/.Private will contain all files in encrypted form.

It is not forbidden to encrypt the entire home directory as a whole. Performance will not drop much, but all files will be protected, including the same ~/Dropbox network directory. It is done like this:

# ecryptfs-migrate-home -u vasya

By the way, there should be 2.5 times more free disk space than vasya has data, so I recommend cleaning up in advance. After the operation is completed, you should immediately log in as the user vasya and check that it works:

$ mount | grep Private
/home/vasya/.Private on /home/vasya type ecryptfs ...

If everything is OK, the unencrypted copy of the data can be overwritten:

$ sudo rm -r /home/vasya.*

We cover our tracks

OK, passwords are in a safe place, personal files too; now what? Now we have to make sure that fragments of our personal data do not fall into the wrong hands. It is no secret that when a file is deleted, its actual contents remain on the media, even if the disk is formatted afterwards. Our encrypted data will be safe even after erasing, but what about flash drives and other memory cards? This is where the srm utility comes in handy: it not only deletes the file but also fills the data blocks it occupied with garbage:

$ sudo apt-get install secure-delete
$ srm secret-file.txt home-video.mpg

# dd if=/dev/zero of=/dev/sdb

This command will erase all data on the sdb stick. It then remains to create a partition table (with one partition) and format it with the desired file system. fdisk and mkfs.vfat are recommended for this, but you can also get by with the graphical gparted.

Preventing BruteForce Attacks

Fail2ban is a daemon that scans logs for attempts to guess passwords for network services. If such attempts are found, then the suspicious IP address is blocked by iptables or TCP Wrappers. The service is able to notify the host owner about the incident by email and reset the block after a specified time. Fail2ban was originally developed to protect SSH, today there are ready-made examples for Apache, lighttpd, Postfix, exim, Cyrus IMAP, named and so on. Moreover, one Fail2ban process can protect several services at once.

In Ubuntu or Debian, install it with:

# apt-get install fail2ban

The configs are located in the /etc/fail2ban directory. After changing the configuration, restart fail2ban with the command:

# /etc/init.d/fail2ban restart
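Both fail2ban passages on this page (the one that sets bantime and maxretry in jail.conf, and the overview above) describe the same mechanism: count failed authentication attempts per source address in the log and block the addresses that exceed a threshold. As an added example that is not part of either article, here is that core logic as a shell filter over constructed auth.log lines, so the counting that maxretry controls is visible. It assumes the standard sshd "Failed password ... from IP port N" message format and IPv4 addresses.

```shell
#!/bin/sh
# Added example, not from the original articles. Constructed auth.log sample:
AUTH_LOG_SAMPLE='Mar  3 10:01:02 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:07 gw sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:11 gw sshd[2210]: Failed password for ivanov from 198.51.100.7 port 40010 ssh2
Mar  3 10:02:30 gw sshd[2212]: Accepted password for ivanov from 198.51.100.7 port 40011 ssh2
Mar  3 10:03:00 gw sshd[2215]: Failed password for invalid user test from 192.0.2.44 port 33000 ssh2'

# offending_ips THRESHOLD: auth log on stdin; prints every source IP with at
# least THRESHOLD failed password attempts (THRESHOLD plays the role of maxretry)
offending_ips() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$1" '$1 >= t { print $2 }'
}

# failures_for IP: auth log on stdin; how many failed attempts one peer made
failures_for() {
    grep -c "Failed password .* from $1 port "
}

# demonstration: with maxretry-style threshold 3, only 203.0.113.5 is banned.
# fail2ban's default action would then run roughly
#   iptables -I INPUT -s 203.0.113.5 -j DROP   (shown, not executed here)
printf '%s\n' "$AUTH_LOG_SAMPLE" | offending_ips 3
```

Two things fail2ban adds that this filter does not: the failures are only counted inside a sliding window (findtime), and the block is lifted after bantime. Also, local changes are better placed in /etc/fail2ban/jail.local, which overrides jail.conf and survives package upgrades that replace jail.conf.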

Threat from outside

Now let's take care of the threats coming from the depths of the World Wide Web. This is where I should start talking about iptables and pf running on a dedicated OpenBSD machine, but all of that is redundant when there is ipkungfu. What is it? A script that does all the dirty work of configuring the firewall for us, without having to write kilometer-long lists of rules. Install:

$ sudo apt-get install ipkungfu

Edit config:

$ sudo vi /etc/ipkungfu/ipkungfu.conf
# The local network: if there is one, write the network address with its mask; if not, the loopback address
LOCAL_NET="127.0.0.1"
# Our machine is not a gateway
GATEWAY=0
# Close the listed ports
FORBIDDEN_PORTS="135 137 139"
# Block pings; 90% of the kiddies will drop off at this stage
BLOCK_PINGS=1
# Drop suspicious packets (flooding of various kinds)
SUSPECT="DROP"
# Drop "wrong" packets (some types of DoS)
KNOWN_BAD="DROP"
# Port scanning? Trash!
PORT_SCAN="DROP"

To enable ipkungfu, open the /etc/default/ipkungfu file and change the line IPKFSTART=0 to IPKFSTART=1. Run:

$ sudo ipkungfu

Additionally, we will make changes to /etc/sysctl.conf:

$ sudo vi /etc/sysctl.conf
# Drop ICMP redirects (against MITM attacks)
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
# Enable the TCP syncookies mechanism
net.ipv4.tcp_syncookies=1
# Various tweaks (anti-spoofing, a larger queue of "half-open" TCP connections, and so on)
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_max_syn_backlog=1280
kernel.core_uses_pid=1

Activate changes:

$ sudo sysctl -p
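After `sysctl -p` it is worth verifying that the kernel actually reports the values you wrote, and checking again later, because another package or a later edit to /etc/sysctl.conf or /etc/sysctl.d can quietly change them. As an added example that is not part of the original article, the function below compares the settings listed above with `sysctl -a` output ("key = value" lines) and prints each key that differs or is absent. The SYSCTL_WANTED list is the article's; the comparison logic and function name are my own.

```shell
#!/bin/sh
# Added example, not from the original article.
# The article's hardening settings, one key=value per line:
SYSCTL_WANTED='net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_max_syn_backlog=1280
kernel.core_uses_pid=1'

# sysctl_drift WANTED CURRENT: WANTED is "key=value" lines, CURRENT is the
# text printed by `sysctl -a`. Prints "key wanted actual" for every mismatch
# ("(missing)" when the kernel does not expose the key) and returns 1 if any.
sysctl_drift() {
    printf '%s\n' "$1" | awk -F= -v cur="$2" '
        BEGIN {
            # index the current values: "key = value" -> have[key] = value
            n = split(cur, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (split(lines[i], kv, "=") < 2) continue
                gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2])
                have[kv[1]] = kv[2]
            }
        }
        NF >= 2 {
            gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2)
            if (!($1 in have))       { print $1, $2, "(missing)"; bad++ }
            else if (have[$1] != $2) { print $1, $2, have[$1]; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# live check; skipped where sysctl is unavailable (e.g. a minimal container)
if command -v sysctl >/dev/null 2>&1; then
    sysctl_drift "$SYSCTL_WANTED" "$(sysctl -a 2>/dev/null)" && echo "no drift"
fi
```

An empty result with exit status 0 means every listed key is set as intended; anything printed is a key to fix, either by re-running `sysctl -p` or by finding the later file under /etc/sysctl.d that overrides it.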

Detecting intrusions

Snort is one of the favorite tools of admins and a mainstay of every security guide. A thing with a long history and colossal capabilities, to which entire books are devoted. What is it doing in our guide to quickly setting up a secure system? It has its place here, because Snort does not need to be configured:

$ sudo apt-get install snort
$ snort -D

That's it! I am not kidding: Snort's default settings are more than enough to protect typical network services, if you have them, of course. You just need to look at the log from time to time, where you may find lines like this:

[**] MS-SQL probe response overflow attempt [**] http://www.securityfocus.com/bid/9407]

Oops. Someone tried to cause a buffer overflow in MySQL. There is also a link to a page with a detailed description of the problem. Beauty.

Someone left traces...

Someone particularly clever has managed to bypass our firewall, slip past Snort, gain root access to the system, and now logs in regularly through an installed backdoor. Not good: the backdoor needs to be found and removed, and the system updated. To search for rootkits and backdoors, use rkhunter:

$ sudo apt-get install rkhunter

We launch:

$ sudo rkhunter -c --sk

The program will check the entire system for rootkits and display the results. If malware is found, rkhunter will point to its location so it can be removed. A more detailed log is kept in /var/log/rkhunter.log. It is better to run rkhunter as a daily cron job:

$ sudo vi /etc/cron.daily/rkhunter.sh
#!/bin/bash
/usr/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Results" vasya@example.com

We replace Vasya's email address with our own and make the script executable:

$ sudo chmod +x /etc/cron.daily/rkhunter.sh

The rkhunter signature database also needs to be updated from time to time:

$ sudo rkhunter --update

By the way, this command can be added before the check command in the cron script. Two more rootkit search tools:

$ sudo apt-get install tiger
$ sudo tiger
$ sudo apt-get install lynis
$ sudo lynis -c

In essence, the same thing seen from a different angle, but they use different databases, so they may reveal what rkhunter missed. And to round things off, debsums is a tool for verifying the checksums of installed package files against the package's own manifest. Install:

$ sudo apt-get install debsums

We start the check:

$ sudo debsums -ac

As always, the run can be added to the cron jobs.



Outside

Now let's talk about how to maintain your anonymity on the Web and reach sites and pages blocked at the request of various copyright organizations and other Mizulins. The easiest way is to use one of the thousands of proxy servers around the world. Many of them are free, but they often cut the channel down to the speed of an ancient analog modem.

To browse normally and turn the proxy on only when necessary, you can use one of the many extensions for Chrome and Firefox, easily found by searching for "proxy switcher" in the extension catalog. Install one, enter the list of required proxies and switch to the one you need when, instead of the page, you see the sign "Access to the page is limited at the request of Mr. Skumbrievich".

In situations where a whole site has fallen under the filter and its address is blacklisted on the providers' DNS servers, you can use free DNS servers whose addresses are publicly published. Just take any two addresses you like and add them to /etc/resolv.conf:

nameserver 156.154.70.22
nameserver 156.154.71.22

To prevent various kinds of DHCP clients and NetworkManagers from overwriting the file with addresses received from the provider or router, we make the file unwritable using extended attributes:

$ sudo chattr +i /etc/resolv.conf

After that, the file will become write-protected for everyone, including root.

To anonymize your browsing further, you can also use the dnscrypt daemon, which encrypts all requests to the DNS server, in addition to the proxy server used to connect to the site itself. Install:

$ wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.2.tar.bz2
$ bunzip2 -cd dnscrypt-proxy-*.tar.bz2 | tar xvf -
$ cd dnscrypt-proxy-*
$ sudo apt-get install build-essential
$ ./configure && make -j2
$ sudo make install

Specify the loopback address in /etc/resolv.conf:

$ sudo vi /etc/resolv.conf
nameserver 127.0.0.1

Let's start the daemon:

$ sudo dnscrypt-proxy --daemonize

By the way, there are versions of dnscrypt for Windows, iOS and Android.

Onion Routing

What is onion routing? This is Tor. And Tor, in turn, is a system that allows you to create a completely anonymous network with Internet access. The term "onion" is used here in relation to the work model, in which any network packet will be "wrapped" in three layers of encryption and will pass through three nodes on the way to the addressee, each of which will remove its own layer and transmit the result further. Everything, of course, is more complicated, but for us the only important thing is that this is one of the few types of networking that allows you to maintain complete anonymity.

However, where there is anonymity, there are connection problems. And Tor has at least three of them: it's horrendously slow (thanks to encryption and passing through a chain of nodes), it will create a load on your network (because you yourself will be one of the nodes), and it is vulnerable to traffic interception. The latter is a natural consequence of the ability to access the Internet from the Tor network: the last node (the exit) will remove the last layer of encryption and can access the data.

However, Tor is very easy to install and use:

$ sudo apt-get install tor

That's it: the local machine now has a proxy server leading into the Tor network. Its address is 127.0.0.1:9050; you can enter it in the browser using the same extension, or add it through the settings. Keep in mind that this is a SOCKS proxy, not an HTTP one.


INFO

The Android version of Tor is called Orbot.

To keep a password typed on the command line out of the shell history, use a simple trick: put a space at the beginning of the command (in bash this works when HISTCONTROL includes ignorespace or ignoreboth, which Ubuntu's default .bashrc sets).

It is ecryptfs that is used to encrypt the home directory in Ubuntu.

The fight against flood

Here are a few commands that can help when your host is being flooded (replace port with the port number in question).

Counting the number of connections on a specific port:

$ netstat -na | grep ":port " | wc -l

Counting the number of "half-open" TCP connections:

$ netstat -na | grep ":port " | grep SYN_RCVD | wc -l

Viewing the list of IP addresses from which connection requests are made:

$ netstat -na | grep ":port " | sort | uniq -c | sort -nr | less

Analyzing suspicious packets with tcpdump:

# tcpdump -n -i eth0 -s 0 -w output.txt dst port port and host server-ip

We drop the attacker's connections:

# iptables -A INPUT -s attacker-ip -p tcp --destination-port port -j DROP

We limit the maximum number of "half-open" connections from one IP to a specific port:

# iptables -I INPUT -p tcp --syn --dport port -m iplimit --iplimit-above 10 -j DROP

Disable responses to ICMP ECHO requests:

# iptables -A INPUT -p icmp --icmp-type 8 -j DROP
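As an added example that is not part of the original article, the counting done by the netstat one-liners above written as functions that take `netstat -na` output on stdin, so the same logic can be run against a saved capture as well as the live system. Two assumptions: peers are IPv4 (an IPv6 peer address contains colons and would need a different split), and the netstat is the Linux one, which prints the half-open state as SYN_RECV (the article writes SYN_RCVD, which is the BSD name). The NETSTAT_SAMPLE text is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed `netstat -na` output:
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:51001       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# connections_on_port PORT: every TCP socket whose local side is PORT, any state
connections_on_port() {
    awk -v port="$1" '$1 == "tcp" && $4 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# half_open_on_port PORT: only the SYN_RECV ones (this is where a SYN flood shows up)
half_open_on_port() {
    awk -v port="$1" '$1 == "tcp" && $4 ~ (":" port "$") && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# peers_over_limit PORT LIMIT: peer IPs holding at least LIMIT half-open
# connections to PORT, printed as "count ip"; these are the addresses you would
# put into the iptables DROP rule shown above
peers_over_limit() {
    awk -v port="$1" -v limit="$2" '
        $1 == "tcp" && $4 ~ (":" port "$") && $6 == "SYN_RECV" {
            split($5, peer, ":"); count[peer[1]]++
        }
        END { for (ip in count) if (count[ip] >= limit) print count[ip], ip }'
}

# live run; netstat may be absent on newer systems (ss -tan gives the same
# information, with State as the first column)
if command -v netstat >/dev/null 2>&1; then
    netstat -na 2>/dev/null | peers_over_limit 80 10
fi
```

On the sample, port 80 has four connections, three of them half-open and all three from 198.51.100.7. Note also that the iplimit match used in the rate-limiting rule above is an old patch-o-matic module; current kernels provide the same limit through connlimit (`-m connlimit --connlimit-above 10`).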

Conclusions

That's all. Without going into details and without the need to study manuals, we have created a Linux-box that is protected from outside intrusion, from rootkits and other infections, from direct human intervention, from traffic interception and surveillance. All that remains is to regularly update the system, disable password login via SSH, remove unnecessary services and avoid configuration errors.

Many users run into problems when trying to set up an Internet connection in Ubuntu. Most often this is due to inexperience, but there may be other reasons. This article provides instructions for setting up several types of connection, with a detailed analysis of the complications that may arise along the way.

There are many types of Internet connections, but this article will cover the most popular ones: wired network, PPPoE and DIAL-UP. It will also talk about a separate setting of the DNS server.

Preparatory activities

Before you start establishing a connection, make sure your system is ready for it. It should be clarified right away that the commands executed in the "Terminal" are of two kinds: those requiring ordinary user rights (preceded by the symbol $) and those requiring superuser rights (preceded by the symbol #). Pay attention to this, because without the necessary rights most commands will simply refuse to run. It is also worth clarifying that these symbols themselves do not need to be entered in the "Terminal".

You will need to complete a number of steps:


Among other things, you must know the name of your network adapter. To find it out, enter this line in the "Terminal":

$ sudo lshw -C network

As a result, you will see something like this:

The name of your network adapter is shown opposite the words "logical name". In this case it is "enp3s0". This is the name that will be used throughout the article; yours may be different.

Note: if your computer has more than one network adapter, they will be numbered accordingly (enp3s0, enp3s1, enp3s2, and so on). Decide which one you will work with and use it in the subsequent settings.

Method 1: Terminal

The "Terminal" is the universal tool for configuring anything in Ubuntu. With its help you can establish an Internet connection of any of the types discussed below.

Wired network setup

A wired network in Ubuntu is set up by adding new settings to the configuration file "interfaces". So first you need to open that file:

$ sudo gedit /etc/network/interfaces

Note: the Gedit text editor is used in the command to open the configuration file, but you can write any other editor in the corresponding part, for example, vi.

Now you need to find out what type of IP address your provider gives you. There are two kinds: static and dynamic. If you do not know for sure, call your provider's technical support and ask the operator.

First, let's deal with a dynamic IP, whose configuration is simpler. After running the previous command, specify the following lines in the file that opens:

iface [interface name] inet dhcp
auto [interface name]

  • iface [interface name] inet dhcp - refers to the selected interface and states that it gets a dynamic IP address (dhcp);
  • auto [interface name] - on system startup, the specified interface is brought up automatically with all the specified parameters.

After entering, you should end up with something like this:

A static IP is somewhat harder to set up; the main thing is to know all the values. Enter the following lines in the configuration file:

iface [interface name] inet static
address [address]
netmask [address]
gateway [address]
dns-nameservers [address]
auto [interface name]


After entering all the parameters, you will see something like this:

Don't forget to save any settings you've made before closing the text editor.
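As an added example that is not part of the original article, a shell helper that builds the static-IP stanza shown above from its values, validating each address first so that a typo (a fifth octet, a value above 255) is caught before the "interfaces" file is touched. The interface name enp3s0 comes from the article; the addresses in the demonstration call are constructed (the host address is the one the article uses for the temporary setup), and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original article.

# is_ipv4 ADDR: true when ADDR is four decimal octets, each in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# static_stanza IFACE ADDRESS NETMASK GATEWAY DNS...: prints the stanza for
# /etc/network/interfaces, or prints an error and returns 1 on a bad address
static_stanza() {
    iface=$1; addr=$2; mask=$3; gw=$4
    shift 4
    [ $# -ge 1 ] || { echo "at least one DNS server is required" >&2; return 1; }
    for ip in "$addr" "$mask" "$gw" "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    printf 'auto %s\niface %s inet static\n' "$iface" "$iface"
    printf '    address %s\n    netmask %s\n    gateway %s\n' "$addr" "$mask" "$gw"
    printf '    dns-nameservers %s\n' "$*"
}

# demonstration with constructed values for the 10.2.119.116/24 host used in the article;
# to apply it for real, append the output to /etc/network/interfaces as root
static_stanza enp3s0 10.2.119.116 255.255.255.0 10.2.119.1 156.154.70.22 156.154.71.22
```

The netmask is written in dotted form because that is what the "interfaces" file expects; the "/24" prefix notation belongs to the temporary `ip addr add` command described next, not to this file.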

Besides this, Ubuntu lets you set up an Internet connection temporarily. The difference is that the values you enter do not change the configuration files in any way, and after the PC restarts all the settings are reset. If this is your first time setting up a wired connection in Ubuntu, this is the recommended way to start.

All parameters are set using one command:

$ sudo ip addr add 10.2.119.116/24 dev enp3s0

  • 10.2.119.116 - the IP address of the network card (yours may be different);
  • /24 - the number of bits in the prefix part of the address;
  • enp3s0 - the network interface to which the provider's cable is connected.

After entering all the necessary data and executing the command in the "Terminal", you can check that the values are correct: if the Internet works on the PC, all the values are right and can be entered into the configuration file.

DNS setup

DNS is configured differently in different versions of Ubuntu: one way in versions from 12.04 onwards, another in earlier versions. We will consider only the static configuration, since the dynamic one implies automatic discovery of DNS servers.

In versions from 12.04 onwards, the configuration is done in the already familiar "interfaces" file. You must enter the line "dns-nameservers" and list the values separated by spaces.

So first open the "interfaces" configuration file via the "Terminal":

$ sudo gedit /etc/network/interfaces

and add the line:

dns-nameservers [address]

As a result, you should get something like this, only the values may be different:

If you want to set up DNS on an older version of Ubuntu, then the configuration file will be different. Let's open it with "Terminal":

$ sudo gedit /etc/resolv.conf

After that, you can set the necessary DNS addresses in it. Note that, unlike the "interfaces" file, in "resolv.conf" each address is written on its own line, prefixed with the word "nameserver" (without quotes).

Setting up a PPPoE connection

Setting up PPPoE via the "Terminal" does not involve entering many parameters into various configuration files on the computer. On the contrary, only one command is used.

So, to make a point-to-point (PPPoE) connection, you need to do the following:


After all the steps taken, your computer will establish an Internet connection if you did everything right.

Note that by default the pppoeconf utility names the created connection dsl-provider. If you need to terminate the connection, execute the following command in the "Terminal":

$ sudo poff dsl-provider

To re-establish the connection, enter:

$ sudo pon dsl-provider

Note: once you have connected using pppoeconf, Network Manager can no longer manage the network, because of the settings pppoeconf wrote into the interfaces file. To reset them and hand control back to Network Manager, open the interfaces file and replace its entire contents with the text shown below. Save the changes and restart the network with "$ sudo /etc/init.d/networking restart" (without quotes), then restart Network Manager with "$ sudo /etc/init.d/NetworkManager restart" (without quotes). On systemd-based releases the equivalent is "$ sudo systemctl restart networking NetworkManager".
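The hand-over described above, written as a small shell script so it can be repeated safely. This is an added example, not part of the original article: the replacement content is the stock loopback-only interfaces file Ubuntu ships, the file path is a parameter so the functions can be tried on a copy first, and a timestamped backup is kept because pppoeconf's stanza is the only record of the provider settings.

```shell
#!/bin/sh
# Added example (not from the original article): give interface management
# back to Network Manager after pppoeconf has written a dsl-provider stanza
# into /etc/network/interfaces.

# Replace $1 (default /etc/network/interfaces) with the stock loopback-only
# file, keeping a timestamped backup next to it.
reset_interfaces() {
    f="${1:-/etc/network/interfaces}"
    [ -f "$f" ] && cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    cat > "$f" <<'EOF'
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
EOF
}

# Exit 0 when the file contains nothing but comments and the loopback stanza,
# i.e. no pppoeconf leftovers such as "auto dsl-provider".
interfaces_is_default() {
    ! grep -Ev '^(#|$|auto lo$|iface lo inet loopback$)' \
        "${1:-/etc/network/interfaces}" >/dev/null
}

# Restart the services so the change takes effect: the page's init.d
# commands on Upstart/SysV releases, systemctl on systemd-based ones.
restart_networking() {
    if command -v systemctl >/dev/null 2>&1; then
        sudo systemctl restart networking NetworkManager
    else
        sudo /etc/init.d/networking restart
        sudo /etc/init.d/NetworkManager restart
    fi
}

# Usage on a real system (needs root for the file and the services):
#   sudo sh -c '. ./reset-nm.sh; reset_interfaces && restart_networking'
```

Run interfaces_is_default first to see whether the file actually needs resetting; if it reports a non-default file, the backup written by reset_interfaces is where the provider settings end up should you need pppoeconf again.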

Setting up a DIAL-UP connection

To configure a DIAL-UP connection you can use one of two console utilities: pppconfig and wvdial.

Setting up a connection with pppconfig is simple enough. The procedure is very similar to pppoeconf described above: you are asked a series of questions and, having answered them, you end up with a working connection. First run the utility itself:

$ sudo pppconfig

Then follow the prompts. If you do not know some of the answers, contact your ISP's technical support and ask. Once all the settings are complete, the connection is established.

Setting up with wvdial is a little more complicated. First install the package from the Terminal with the following command:

$ sudo apt install wvdial

The package includes a utility that detects the modem and writes the basic parameters automatically, wvdialconf. Run it:

$ sudo wvdialconf

It prints a lot of parameters and characteristics in the Terminal; you do not need to understand them. What matters is that it has created the file wvdial.conf and filled in the parameters it read from the modem. Next you need to edit that file; open it from the Terminal:

$ sudo gedit /etc/wvdial.conf

As you can see, most of the settings are already written, but the last three entries still need to be completed: the phone number, the username and the password. Do not close the file yet; for more convenient use it is recommended to add a few more parameters:

  • Idle Seconds = 0 - the connection is not dropped no matter how long the computer stays idle;
  • Dial Attempts = 0 - the connection is retried endlessly;
  • Dial Command = ATDP - the number is dialed using pulse dialing.

As a result, the configuration file will look like this:

Note that the settings are split into two blocks, each headed by a name in square brackets. This gives two sets of parameters: those under [Dialer Defaults] are always applied, those under [Dialer pulse] only when that name is given on the command line. Since the file holds your password in clear text, make sure it is readable by root only (chmod 600 /etc/wvdial.conf).
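A complete wvdial.conf of this shape, as an added example standing in for the article's missing screenshot. The Modem, Baud and Init lines are what wvdialconf typically writes; the device path, phone number and credentials are placeholders you must replace:

```ini
; /etc/wvdial.conf (added example; device, number and credentials are placeholders)
[Dialer Defaults]
Modem = /dev/ttyS0
Baud = 115200
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Phone = 5551234
Username = your_login
Password = your_password
Idle Seconds = 0
Dial Attempts = 0

[Dialer pulse]
Dial Command = ATDP
```

Running wvdial alone uses only [Dialer Defaults] (tone dialing); wvdial pulse merges in the [Dialer pulse] section and dials with ATDP.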

After completing all the settings, to establish a DIAL-UP connection run:

$ sudo wvdial

If you want to dial in pulse mode, write the following instead:

$ sudo wvdial pulse

To terminate an established connection, press Ctrl+C in the Terminal.

Method 2: Network Manager

Ubuntu has a dedicated utility that can establish most kinds of connection, and it has a graphical interface: Network Manager, opened by clicking its icon on the right of the top panel.

Wired network setup

We start again with the wired network. First open the utility: click its icon and choose "Edit Connections" in the context menu. Then, in the window that appears, do the following:


After these steps the wired Internet connection should be established. If it is not, check all the entered parameters; you may have made a mistake somewhere. Also make sure that "Enable Networking" is ticked in the utility's drop-down menu.

DNS setup

To establish a connection you may need to set the DNS servers manually. To do this:


PPPoE setup

Setting up a PPPoE connection in Network Manager is as easy as in the Terminal. In fact, you only need to enter the login and password received from the provider. Let us look at it more closely.


A new DSL connection now appears in the Network Manager menu; select it to get Internet access. Remember that sometimes a reboot is needed for the changes to take effect.

Conclusion

In summary, Ubuntu has plenty of tools for setting up the required Internet connection. Network Manager has a graphical interface, which greatly simplifies the work, especially for beginners, while the Terminal allows more flexible configuration and lets you set parameters the graphical utility does not expose.

According to cvedetails.com, 1305 vulnerabilities have been found in the Linux kernel since 1999, 68 of them in 2015. Most do not pose serious problems: they are marked Local and Low, and some are reachable only through particular applications or OS settings. The numbers are modest, but the kernel is not the whole OS. Vulnerabilities are also found in GNU Coreutils, Binutils, glibc and, of course, in user applications. Let us look at the most interesting ones.

VULNERABILITIES IN THE LINUX KERNEL

OS: Linux
Level: Medium, Low
Vector: Remote
CVE: CVE-2015-3331, CVE-2015-4001, CVE-2015-4002, CVE-2015-4003
Exploit: proof of concept, https://lkml.org/lkml/2015/5/13/740 , https://lkml.org/lkml/2015/5/13/744

A vulnerability in Linux kernels before 3.19.3, in the __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c, comes from the fact that the RFC 4106 (AES-GCM) implementation for x86 processors with the AES-NI instruction set extension (Intel Advanced Encryption Standard New Instructions) miscalculates buffer addresses in some cases. If an IPsec tunnel is configured to use this mode (the AES-NI driver, CONFIG_CRYPTO_AES_NI_INTEL), the bug can lead to memory corruption, crashes and potentially remote code execution in kernel context through the CryptoAPI. Most interesting of all, the problem can be triggered by perfectly legitimate traffic, with no attacker involved. At the time of publication the issue had been fixed.

Five vulnerabilities were found in the ozwpan driver in Linux 4.0.5, which has experimental (staging) status; four of them allow a DoS through a kernel crash by sending specially crafted packets. The problem is a buffer overflow caused by mishandling of signed integers: the length computed for memcpy, required_size minus offset, could come out negative, so data was copied beyond the heap buffer.

The flaws are in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c and in the oz_usb_rx and oz_usb_handle_ep_data functions in drivers/staging/ozwpan/ozusbsvc1.c. The remaining issues were a possible division by zero, an infinite loop and reads beyond the bounds of the allocated buffer.

The ozwpan driver, one of the newer Linux drivers, pairs with wireless devices compatible with Ozmo Devices technology (Wi-Fi Direct). It implements a USB host controller, but instead of a physical connection the peripheral communicates over Wi-Fi. The driver accepts network packets with ethertype 0x892e, parses them and translates them into USB functionality. Since it is rarely used, it can simply be disabled by unloading the ozwpan.ko module and blacklisting it in /etc/modprobe.d so it is not loaded again (the driver was later removed from the kernel tree altogether).

Linux Ubuntu

OS: Linux Ubuntu 12.04–15.04 (kernels before 15 June 2015)
Level: Critical
Vector: Local
CVE: CVE-2015-1328
Exploit: https://www.exploit-db.com/exploits/37292/

A critical vulnerability in the OverlayFS file system gives root access on Ubuntu systems that allow OverlayFS to be mounted by an unprivileged user. The default settings needed to exploit it are present in every Ubuntu branch from 12.04 to 15.04. OverlayFS entered the mainline kernel relatively recently, in 3.18-rc2 (2014), although Ubuntu had shipped it out of tree since 12.04; it is a SUSE development intended to replace UnionFS and AUFS, and it builds a virtual multi-layer file system that combines parts of other file systems.

The file system is built from a lower and an upper layer, each attached to a separate directory. The lower layer is read-only and may live on any file system Linux supports, including network ones. The upper layer is normally writable and overrides the lower layer's data where files are duplicated. OverlayFS is widely used in live distributions, container virtualization and for the containers of some desktop applications. User namespaces let containers have their own sets of user and group identifiers. The vulnerability is caused by an incorrect permission check when new files are created in a directory of the underlying file system.

If the kernel is built with CONFIG_USER_NS=y (user namespaces enabled) and the file system is flagged FS_USERNS_MOUNT, OverlayFS can be mounted by an ordinary user inside a new namespace in which that user appears as root. File operations performed with root rights in such a namespace were carried through to the underlying file system with the same privileges, so any partition could be mounted as a layer and any file or directory viewed or modified.

At the time of publication Ubuntu had already shipped a kernel update with the patched OverlayFS module, so an up-to-date system is not affected. Where updating is not possible, stop using OverlayFS as a temporary measure by unloading the overlayfs.ko module and blacklisting it; disabling unprivileged user namespaces also closes the path described above.
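As an added example, not from the original article, the following shell functions check the two conditions the text names (OverlayFS registered with the kernel, and unprivileged user namespaces allowed) and write the modprobe blacklist that implements the temporary measure. They read /proc/filesystems and the Ubuntu-specific sysctl kernel.unprivileged_userns_clone (assumed to exist on Ubuntu kernels of that period; if it is absent the check assumes the upstream default, enabled), but take the paths as arguments so they can be exercised on copies:

```shell
#!/bin/sh
# Added example (not from the original article): exposure check and
# temporary mitigation for the unprivileged-OverlayFS-mount condition
# behind CVE-2015-1328.

# Exit 0 if OverlayFS is registered with the kernel, according to a
# /proc/filesystems-style listing ($1). Ubuntu's out-of-tree module is
# called "overlayfs"; the mainline 3.18+ one is "overlay".
overlay_registered() {
    grep -Eq '^(nodev[[:space:]]+)?overlay(fs)?$' "$1"
}

# Exit 0 if unprivileged user namespaces are enabled. $1 is the sysctl file
# (/proc/sys/kernel/unprivileged_userns_clone on Ubuntu kernels); if it does
# not exist, assume the upstream default, which is "enabled" with CONFIG_USER_NS=y.
userns_unprivileged() {
    f="$1"
    [ -r "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# Verdict for the two inputs above: exit 1 and say so when both hold.
overlay_exposure() {
    if overlay_registered "$1" && userns_unprivileged "$2"; then
        echo "exposed: unprivileged overlayfs mounts are possible, update the kernel"
        return 1
    fi
    echo "not exposed"
}

# Temporary mitigation: keep the module from being (auto)loaded by mount.
# $1 is the modprobe.d file to write, normally
# /etc/modprobe.d/blacklist-overlayfs.conf. Has no effect if OverlayFS is
# compiled into the kernel rather than built as a module; in that case
# disable unprivileged user namespaces instead:
#   sysctl -w kernel.unprivileged_userns_clone=0
blacklist_overlay() {
    printf 'install overlayfs /bin/true\ninstall overlay /bin/true\n' > "$1"
}

# Usage on a live system (assumed real paths):
#   overlay_exposure /proc/filesystems /proc/sys/kernel/unprivileged_userns_clone \
#       || { sudo modprobe -r overlayfs; sudo sh -c '. ./ovl.sh; blacklist_overlay /etc/modprobe.d/blacklist-overlayfs.conf'; }
```

The blacklist only stops future loads; the page's rmmod/modprobe -r of the running module is still needed, and it fails if an overlay mount (a container, a live session) is in use, which is exactly when the kernel update is the only real fix.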

VULNERABILITIES IN MAIN APPS

OS: Linux
Level: Critical
Vector: Local, Remote
CVE: CVE-2015-0235
Exploit: https://www.qualys.com/research/security-advisories/exim_ghost_bof.rb

A dangerous vulnerability in the GNU glibc standard library, the core of any Linux system, and also in some versions of Oracle Communications Applications and Oracle Pillar Axiom, was found during a code audit by researchers at Qualys and given the name GHOST. It is a buffer overflow in the internal function __nss_hostname_digits_dots(), which is used by glibc functions such as gethostbyname() and gethostbyname2() (hence GetHOST) to resolve host names. To exploit it, an attacker passes a specially formed hostname argument (one consisting only of digits and dots, long enough to overflow the buffer) to an application that performs name resolution; in theory any application that uses the network in some way is affected. It can be triggered locally or remotely and allows arbitrary code execution.

Most interesting of all, the bug had been fixed back in May 2013, by a patch submitted between glibc 2.17 and 2.18, but it was not classified as a security fix, so nobody paid attention to it and many distributions remained vulnerable. It was initially reported that the first vulnerable version was 2.2 of 10 November 2000, although the bug may go back to 2.0. Among others, RHEL/CentOS 5.x–7.x, Debian 7 and Ubuntu 12.04 LTS were affected. Fixes are now available. The researchers also published a small program that demonstrates the essence of the bug and lets you check your system. On an updated Ubuntu 12.04.4 LTS everything is fine:

$ wget https://goo.gl/RuunlE
$ gcc gistfile1.c -o CVE-2015-0235
$ ./CVE-2015-0235
not vulnerable

Checking the system for GHOST

Almost immediately a Metasploit module was released that allows remote code execution on x86 and x86_64 Linux running the Exim mail server (with the helo_try_verify_hosts or helo_verify_hosts option enabled). Other implementations followed, such as a Metasploit module for checking WordPress blogs.

A little later in 2015 three more vulnerabilities were found in GNU glibc that allow a remote user to cause a denial of service or corrupt memory beyond a buffer's bounds: CVE-2015-1472, CVE-2015-1473 and CVE-2015-1781. One caveat applies to all of them: installing the fixed package does not repair processes that were started before the update, because they keep the old library mapped until they are restarted.
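The following shell functions find such processes. This is an added example, not from the original article: it scans /proc/PID/maps for libc mappings whose backing file has been replaced on disk (the kernel appends "(deleted)" to the path), which is what a glibc update leaves behind in every long-running daemon. The parser takes a maps file as its argument so it can be run on a constructed sample; the maps line format is the real one.

```shell
#!/bin/sh
# Added example (not from the original article): list processes still
# running the pre-update copy of glibc after a fix such as the GHOST
# patch has been installed.

# Print the deleted libc path(s) referenced by a maps-format file ($1);
# exit 0 if there is at least one, 1 otherwise. Matches libc-2.x.so and
# libc.so.6, but not libcrypto and friends.
stale_libc_in_maps() {
    grep -E '/libc[-.][^ ]* \(deleted\)$' "$1" | awk '{print $6}' | sort -u | grep .
}

# Walk /proc and print "PID command line" for every affected process.
stale_libc_processes() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        if stale_libc_in_maps "$m" >/dev/null 2>&1; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
}

# Usage (root, to read other users' maps):
#   sudo sh -c '. ./stale-libc.sh; stale_libc_processes'
# Restart each listed service, or reboot; a process that shows up here is
# still exploitable no matter what dpkg or rpm says.
```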

OS: Linux (GNU Coreutils)
Level: Low
Vector: Local, Remote
CVE: CVE-2014-9471
Exploit: none

GNU Coreutils is one of the basic *nix packages, containing almost all the core utilities (cat, ls, rm, date...). The issue was found in date. A bug in the parse_datetime function lets a remote attacker without an account on the system cause a denial of service, and possibly execute arbitrary code, by means of a specially crafted date string with a time zone. The vulnerability looks like this:

$ touch '--date=TZ="123"345"@1'
Segmentation fault

$ date -d 'TZ="Europe/Moscow" "00:00 + 1 hour"'
Segmentation fault

$ date '--date=TZ="123"345"@1'
*** Error in `date': free(): invalid pointer: 0xbfc11414 ***

Vulnerability in GNU Coreutils

Where the vulnerability is absent, the same commands print an "invalid date" message instead. Almost all Linux distribution developers reported being affected. An update is now available.


Normal output of patched GNU Coreutils

OS: Linux (grep 2.19–2.21)
Level: Low
Vector: Local
CVE: CVE-2015-1345
Exploit: none

The grep utility, used to search text by pattern, rarely has vulnerabilities. But it is called by many other programs, including system ones, so a flaw in it is more of a problem than it seems at first glance. An error in the bmexec_trans function in kwset.c can cause uninitialized data to be read from beyond the allocated buffer or crash the application. An attacker can exploit it by supplying specially crafted data as input to an application that uses grep -F. Updates are available. No exploit or Metasploit module using the vulnerability is known.

VULNERABILITY IN FREEBSD

OS: FreeBSD
Level: Low
Vector: Local, Remote
CVE: CVE-2014-0998, CVE-2014-8612, CVE-2014-8613
Exploit: https://www.exploit-db.com/exploits/35938/

There are not many FreeBSD entries in the CVE database for 2015, only six to be exact. Three vulnerabilities were found in FreeBSD 8.4–10.x at the end of January 2015 by researchers from the Core Exploit Writers Team. CVE-2014-0998 is in the implementation of the VT console driver (Newcons), which provides several virtual terminals and is enabled by the kern.vty=vt option in /boot/loader.conf.

CVE-2014-8612 shows up when the SCTP protocol is used and is caused by an error in the stream ID validation code of the SCTP socket implementation (local port 4444). At bottom it is an out-of-bounds memory access in the sctp_setopt() function (sys/netinet/sctp_userreq.c). It gives a local unprivileged user the ability to read or write 16 bits of kernel memory, and so to elevate privileges, disclose sensitive data or crash the system.

CVE-2014-8613 allows a null pointer dereference to be triggered while processing an externally received SCTP packet, when the SCTP_SS_VALUE socket option has been set. Unlike the previous two, CVE-2014-8613 can be used to crash the kernel remotely by sending specially crafted packets. On FreeBSD 10.1 you can protect yourself by setting the net.inet.sctp.reconfig_enable variable to 0, which disables processing of RE-CONFIG chunks, or simply by stopping applications (browsers, mail clients and so on) from using SCTP connections. By the time of publication the developers had already released an update.


FreeBSD Vulnerability Statistics

VULNERABILITY IN OPENSSL

OS: any (OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c)
Level: Critical
Vector: Remote
CVE: CVE-2015-1793
Exploit: none

In 2014 the critical Heartbleed vulnerability was found in OpenSSL, the widely used cryptographic library for SSL/TLS. The incident drew massive criticism of the code quality; on the one hand this led to alternatives such as LibreSSL, on the other the developers themselves finally got down to work.

Top vendors by vulnerability

A critical vulnerability was discovered by Google's Adam Langley and David Benjamin of the BoringSSL project. A change introduced in OpenSSL 1.0.1n and 1.0.2b made OpenSSL try to build an alternative certificate chain if the first attempt to build a trusted chain failed. A flaw in that logic let certain checks on untrusted certificates, including the CA flag, be skipped on the alternative chain, so anyone holding a valid leaf certificate could use it as a CA and issue certificates for arbitrary names that verify successfully. In other words, users could be quietly lured to fake web or mail servers, and any MITM attack against a connection that relies on certificate verification became possible.

After the discovery the developers released 1.0.1p and 1.0.2d on 9 July, fixing the problem. Versions 0.9.8 and 1.0.0 do not have this vulnerability, nor do 1.0.1 releases before 1.0.1n or 1.0.2 releases before 1.0.2b.

Linux.Encoder

Late autumn was marked by the appearance of a series of encrypting ransomware programs: first Linux.Encoder.0, then the modifications Linux.Encoder.1 and Linux.Encoder.2, which infected more than 2500 sites. According to the antivirus companies, the targets were Linux and FreeBSD servers running websites on various CMSs: WordPress, Magento CMS, Joomla and others. The attackers exploited an unspecified vulnerability to place a web shell (a file named error.php), through which all further actions were performed from a browser; in particular it launched the Linux.Encoder trojan.

The trojan determined the OS architecture and started the encoder. It ran with the web server's rights (www-data on Ubuntu), which is quite enough to encrypt the files in the directory holding the CMS files and components. Encrypted files received a new .encrypted extension.

The ransomware also tried to reach other directories of the OS, and where permissions were misconfigured it could well go beyond the website's tree. It then saved the file README_FOR_DECRYPT.txt in each directory, with decryption instructions and the attacker's demands. Antivirus companies have since released utilities that can decrypt the directories, for example a kit from Bitdefender (the early versions derived their encryption keys from the system time, which made recovery feasible). But remember that the decryption utilities do not remove the web shell, and everything can happen again.
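A quick triage script for the traces described above. This is an added example, not from the original article: it counts the .encrypted files and README_FOR_DECRYPT.txt notes under a web root and lists the directories the web server account could write to, which is the permission mistake that lets the encoder run beyond its intended corner. The web root path and the www-data user name in the usage line are assumptions; the functions take both as arguments.

```shell
#!/bin/sh
# Added example (not from the original article): look for Linux.Encoder
# footprints in a web root and for the writable directories that let it
# spread. Paths and the web user are arguments.

# Count encrypted files and ransom notes under $1. Prints the counts and
# exits 0 only when nothing was found.
encoder_footprints() {
    root="$1"
    enc=$(find "$root" -type f -name '*.encrypted' | wc -l | tr -d ' ')
    notes=$(find "$root" -type f -name 'README_FOR_DECRYPT.txt' | wc -l | tr -d ' ')
    echo "encrypted=$enc notes=$notes"
    [ "$enc" -eq 0 ] && [ "$notes" -eq 0 ]
}

# List directories under $1 that the web server user ($2, default www-data)
# could write to: world-writable ones, plus ones it owns with the owner
# write bit set. A CMS tree should belong to a deploy user, with only the
# upload/cache area writable by the web server.
writable_by_webuser() {
    root="$1"; user="${2:-www-data}"
    {
        find "$root" -type d -perm -002
        if id "$user" >/dev/null 2>&1; then
            find "$root" -type d -user "$user" -perm -200
        fi
    } | sort -u
}

# Usage (assumed paths):
#   encoder_footprints /var/www/html \
#       || echo "infected: restore from backup and remove the web shell first"
#   writable_by_webuser /var/www/html www-data
```

Finding nothing with encoder_footprints is not a clean bill of health, since the web shell that dropped the encoder is what needs to go; the writable-directory listing tells you where such a shell could have been written in the first place.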

Given that many users who develop or experiment with website administration often run a web server on their home computer, it is worth taking care: close access from outside, keep the software updated, and do experiments in a VM. The same technique could well be used against home systems in future.

CONCLUSION

Complex software without bugs does not exist, so you have to accept that vulnerabilities will keep being discovered. But not all of them pose real problems, and you can protect yourself with simple steps: remove unused software, watch for new vulnerabilities and always install security updates, configure a firewall, install an antivirus. And do not forget about technologies such as SELinux, which are quite capable of containing a compromised daemon or user application.

It can certainly be said that Linux is more secure (better protected) than Windows. Security in Linux is built in, not bolted on somewhere at the side as it is in Windows. Linux security covers everything from the kernel to the desktop, but hackers still have chances to damage your home directory (/home).

Your photos, home videos, documents, and credit card or wallet data are the most valuable information on a computer. Of course, Linux is not susceptible to the assorted Internet worms and viruses written for Windows. But attackers can find a way to get at the data in your home directory.

If you format your old computer or hard disk before selling it, do you think that is enough? There are many modern data recovery tools, and an attacker can easily recover your data from the disk regardless of the OS you worked in.

On this subject I recall the experience of one company that buys up used computers and disks. In the course of its work it concluded that 90% of the previous owners had not properly wiped their storage media before selling, and it was extracting very sensitive data from them. It is frightening to imagine that somewhere in the depths of your hard disk there are the credentials for your online bank or e-wallet.

Start with Linux security basics

Let us go through the basics, which apply to almost any Linux distribution.

Encrypting the file system in Linux for more complete Linux security

User passwords will not solve the problem if you really want nobody to be able to read your home directory (/home) or a particular set of files. You can arrange things so that even a user with full root privileges cannot poke his nose in. Bear in mind what that protects against: the data is unreadable at rest, on a stolen or resold disk, but once the directory is unlocked on a running system, root reads it like any other file, so encryption does not substitute for keeping the machine itself uncompromised.

Delete sensitive files so that no one else can recover them

If you decide to sell or give away your computer or storage media, do not assume that a simple format permanently deletes your files. You can install the secure-delete package, which includes the srm utility for secure file removal. Overwriting tools such as srm (or shred from coreutils) are only reliable on magnetic disks with a conventional file system; on SSDs and on journaling or copy-on-write file systems old copies can survive, so full-disk encryption from day one, with the key discarded when the disk is disposed of, is the dependable approach.

Also do not forget about the firewall built into the Linux kernel. All Linux distributions include iptables, the kernel's packet filter, which lets you filter network packets. It can of course be configured from the terminal. But that is beyond many people, including me, so I install and configure it as easily as if I were playing a game.
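For those who do want the terminal route, here is the minimal stateful policy a host exposed to the Internet needs, as an added example (not from the original article). It renders the rules in iptables-restore format so they can be reviewed before loading; the allowed TCP ports (SSH by default) are assumptions and the rest is standard iptables syntax:

```shell
#!/bin/sh
# Added example (not from the original article): a default-deny IPv4
# input policy generated as an iptables-restore ruleset.

# Print a ruleset that drops everything inbound except loopback, replies
# to our own connections, rate-limited ping and new TCP connections to the
# ports given as arguments (default: 22).
gen_ruleset() {
    ports="${*:-22}"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the policy drops (rate-limited), useful when debugging lockouts.
    printf '%s\n' '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# Load the ruleset atomically; iptables-restore rejects the whole set on a
# syntax error rather than leaving the host half-configured.
apply_ruleset() {
    gen_ruleset "$@" | iptables-restore
}

# Usage (as root):  gen_ruleset 22 443 | less     # review
#                   apply_ruleset 22 443          # load
# Persist with iptables-save > /etc/iptables/rules.v4 (iptables-persistent),
# and apply it from a console, not over SSH, the first time.
```

The ruleset is IPv4 only; a dual-stack host needs the same policy loaded through ip6tables-restore, otherwise the services you just closed stay reachable over IPv6.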

Like any OS, Linux tends to accumulate junk as various applications run. This is not Linux's fault: applications such as browsers, text editors and even video players run outside the kernel and pile up temporary files. You can install the universal cleanup utility BleachBit.

Anonymous surfing and hiding your IP are very important for protecting your identity under Linux


In conclusion, I want to tell you about anonymous web surfing. Sometimes it is necessary, as in my case when, secretly from my wife, I visit sites with erotic content. I am joking, of course.

It will be difficult for attackers to get at you if they cannot determine your location. We cover our tracks with a simple setup of two utilities working together: privoxy and tor.
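The two lines that connect them, as an added example rather than the article's own configuration. Privoxy listens locally and hands every request to Tor's SOCKS port; the port numbers are the defaults of both packages on Ubuntu and are assumed here:

```text
# /etc/privoxy/config (added example; default Tor SOCKS port assumed)
listen-address  127.0.0.1:8118
forward-socks5  /  127.0.0.1:9050  .
```

Point the browser's HTTP/HTTPS proxy at 127.0.0.1:8118 and confirm with a visit to https://check.torproject.org/. Two caveats: the socks5 forward lets Tor do the name resolution, so do not replace it with a plain HTTP forward or your DNS queries reveal what you visit; and Tor hides your IP from the site, not your traffic from the exit node, so only HTTPS sites are private end to end. Tor Browser, which also addresses browser fingerprinting, is the better tool for a whole browsing session.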

In my opinion, following and setting up all these rules will protect you and your computer by 90%.

P.S. I use a cloud service called Dropbox, where I keep my old and new, not yet published articles. It is convenient to have access to your files from anywhere in the world and on any computer. When writing articles for the site in a text editor I password-protect my text documents and only then upload them to the Dropbox server. Never neglect extra security; it can only work in your favour.
