Author Topic: ideas for a secure operating system  (Read 60 times)

GenerationFascination

  • Larvae
  • *
  • Posts: 8
ideas for a secure operating system
« on: December 09, 2011, 12:27:03 AM »
There seems to be a lot of discussion about how to make a system secure. Here are some of the thoughts I have had. 

Read all of this before you start.

Download the Ubuntu alternate install image from http://www.ubuntu.com/download/ubuntu/alternative-download

Ubuntu 10.04 LTS
    * ubuntu-10.04.3-alternate-amd64.iso.torrent
    * ubuntu-10.04.3-alternate-i386.iso.torrent

Ubuntu 11.10 (Ubuntu 11.10 may not work well with some laptops)
    * ubuntu-11.10-alternate-amd64.iso.torrent
    * ubuntu-11.10-alternate-i386.iso.torrent

DO NOT INSTALL THE NETBOOK OR DESKTOP VERSION.

If you do not have a bit-torrent client, use transmission because it's safe and easy:
http://www.transmissionbt.com/

Verify that you have a good image. That may be difficult if you're using Windows or Mac. For Windows and Mac, there is a program called Checksums calculator v. 1.1, which you can find here: http://sinf.gr/en/hashcalc.html

You can compare the md5sum at https://help.ubuntu.com/community/UbuntuHashes

md5 is not as strong as other hashing systems, so try to get the sha256 and sha512 hashes. You can often paste the sha256sum in Google and find the hash listed on various official websites. There are other ways of checking with GnuPG.

Burn that image to a disk. The ISO file cannot be simply dragged and dropped or copied directly onto a disc.
If you need help, see https://help.ubuntu.com/community/BurningIsoHowto

Disconnect your computer from the Internet before the actual install.

Boot from the alternate installer CD.
Select your language and then
 
   * press F6 for "Other Options" and mark the free software only option (use spacebar to mark, press esc when done)
   * press F4 for "Modes" and select Install a command-line system (arrow down, press enter)

Install Ubuntu
 
The install will be straightforward--select language, select a location, etc.--until you reach the part that says "Partition Disks"
When you reach the Partition Disks section,

   *Select "Guided - use entire disk and set up encrypted LVM"

Continue and select "YES" when it asks if you want to write changes to disk and configure LVM.

The installer will ask for an encryption passphrase. That passphrase must be strong (and at least 40 characters long). Do not include previous passwords, birthdates of people you know, names, any phrase from a book or magazine, or simple combination of dictionary words, etc. Something like Nwwu7MM9PPc##RVWToiykarHHWf*34CwijYgNsj9rz9eqnd is a reasonable passphrase. Write it down. Do not use a short passphrase so you can remember it easily. Try something like **babyJesusbarksbarksbarksinthe3snowwwsnowwwsnowww///@CATS if you want something you can eventually remember.

Note: your user password does not need to be that strong.

When asked for "Amount of volume group to use for guided partitioning":

Type "max" without quotation marks and hit continue.

Select "YES" when it asks if you want to write changes to disk.

Select "NO" when it asks "Encrypt your home directory?" (we already have better encryption)

Select "YES" when it asks "Install the GRUB boot loader to the master boot record?"

Select "YES" when it asks "Is the system clock set to UTC?"

When the install is finished, reboot and log in, and enter the following commands:

sudo ufw enable
sudo apt-get remove --purge popularity-contest
sudo chmod 700 /home/jane (assuming your username is jane) 

Now, plug your computer into ethernet to give it Internet access.

sudo aptitude update
sudo aptitude upgrade
sudo aptitude install wicd-curses (only if you're going to use wifi)
sudo aptitude install xorg gnome-core firefox seahorse seahorse-plugins apparmor-profiles gnome-disk-utility transmission (that might take some time)
sudo aptitude remove ubufox
sudo aa-enforce /etc/apparmor.d/*

restart computer and login

Now, check some things

type startx (to turn on graphics)

In terminal,

type sudo apparmor_status (it should say something like 27 profiles are loaded. 27 profiles are in enforce mode)

check encryption
type sudo cryptsetup status sda5_crypt It should say something like:

/dev/mapper/sda5_crypt is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda5
  offset:  2056 sectors
  size:    624633333 sectors
  mode:    read/write

See that your computer is not listening for connections.
type sudo netstat -anp | grep -e tcp -e udp

Connections from dhclient are fine. If you've used firefox, there may be some connection open from it.

to connect to wireless networks, type wicd-curses 


also see
http://rationallyparanoid.com/articles/ubuntu-10-lts-security.html
Note: you should not have to disable startup scripts and uninstall the things as he says since we didn't install all the crap in the first place.

Above all, do not install crap that will compromise your system.

Here are some things NOT to install:  NVIDIA or ATI drivers, VMware, Google Earth, Flash Plugins or Flash, Java, or Adobe Acrobat. Firefox is probably safer than Chrome, and don't install both. There are a lot of anti-virus products available for Ubuntu and Debian; however, you do not need them and they cause security problems. If you can't type something like "sudo apt-get install firefox" to install a program, it doesn't need to be on your computer. Do not enable unusual software repositories.

If you need encryption, use gpg (already on your system). Before using gpg, set defaults in ~/.gnupg/gpg.conf and in ~/.caff/gnupghome/gpg.conf if it exists to the following:

personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed


You should ONLY use 4096 RSA. Do not install Truecrypt if gpg will work.


Does anyone else have any ideas?
« Last Edit: December 09, 2011, 12:59:32 AM by GenerationFascination »
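
The image check described in the post above, as an added example that is not part of the original post: it looks up the ISO's file name in a sha256sum-style list and compares it with the hash computed locally. The function name verify_iso and the demo files are constructed for illustration; the list itself still has to come from a source you trust.

```shell
#!/bin/sh
# Added example (not from the original post). verify_iso is a hypothetical helper.
# Usage: verify_iso ISO SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed or unreadable.
verify_iso() {
    iso=$1
    sums=$2
    [ -r "$iso" ] && [ -r "$sums" ] || return 2
    name=$(basename "$iso")
    # Lines look like "<hex>  name" or "<hex> *name" (binary mode).
    # Assumes file names without spaces, which holds for the ISO names.
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }
    ' "$sums")
    [ -n "$want" ] || return 2
    # Accept only a 64-digit hex value, so an md5 list is never
    # mistaken for a SHA-256 list.
    case $want in *[!0-9a-f]*) return 2 ;; esac
    [ "${#want}" -eq 64 ] || return 2
    got=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Constructed demo: a small stand-in file plays the role of the downloaded ISO.
tmp=$(mktemp -d)
printf 'constructed stand-in for an ISO image\n' > "$tmp/demo.iso"
(cd "$tmp" && sha256sum demo.iso > SHA256SUMS)
if verify_iso "$tmp/demo.iso" "$tmp/SHA256SUMS"; then
    echo "OK: hash matches the list"
fi
printf 'tampered' >> "$tmp/demo.iso"
if ! verify_iso "$tmp/demo.iso" "$tmp/SHA256SUMS"; then
    echo "MISMATCH: do not burn this image"
fi
rm -rf "$tmp"
```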
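
The listening-socket check from the post above, as an added example that is not part of the original post: it filters `netstat -anp` output down to sockets that accept inbound traffic and ignores the DHCP client. The function name audit_listeners and the sample rows are constructed; matching any program name that starts with "dhclient" is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). audit_listeners is hypothetical.
# Reads `netstat -anp` output on stdin and prints "proto local-address program"
# for every TCP socket in LISTEN state and every unconnected UDP socket,
# skipping the DHCP client, which the post says is fine.
audit_listeners() {
    awk '
        { prog = "" }
        # TCP rows have a State column, so PID/Program is field 7.
        $1 ~ /^tcp/ && $6 == "LISTEN" { prog = $7 }
        # Unconnected UDP rows have an empty State column, so it is field 6.
        $1 ~ /^udp/ && $5 ~ /:\*$/    { prog = $6 }
        prog == ""                    { next }   # established or outbound
        { sub(/^[0-9]+\//, "", prog) }           # "640/dhclient3" -> "dhclient3"
        prog ~ /^dhclient/            { next }
        { print $1, $4, prog }
    '
}

# Constructed sample rows in netstat -anp layout (not real output).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.5:43210       203.0.113.10:443        ESTABLISHED 2101/firefox-bin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient3
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           700/avahi-daemon'

printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

On a real system, feed it with `sudo netstat -anp | audit_listeners`; empty output means nothing other than the DHCP client is waiting for connections.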

Wizard X

  • Lord of the Realms
  • Foundress Queen
  • *****
  • Posts: 1,224
Re: ideas for a secure operating system
« Reply #1 on: December 09, 2011, 12:58:35 AM »
Firefox users may want to install this plug-in?

HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

https://www.eff.org/https-everywhere
Albert Einstein - "Great ideas often receive violent opposition from mediocre minds."

GenerationFascination

  • Larvae
  • *
  • Posts: 8
Re: ideas for a secure operating system
« Reply #2 on: December 09, 2011, 01:22:24 AM »
In general, the less software, the less surface there is for attack and exploit, and there are fewer lines of code that can have bugs. Less is more in that regard.

In Firefox, you may want to edit -> preferences -> content and uncheck the box that says "enable JavaScript". Then go to privacy and make it so it does not accept any cookies from any sites. Under exceptions, add the sites from which you want to accept cookies.

I have reservations about Firefox add-ons in general. I personally do not use any add ons. Does https do that much anyway? I suppose it stops people from intercepting and altering content, which is important.

If you're going to count on https for some kind of security, you should type about:config in your Firefox address bar, and disable all the insecure cyphers.

EVERYTHING under security.ssl2 should be set to false. Set everything under security.ssl3 to false except the following:

security.ssl3.rsa_seed_sha
security.ssl3.rsa_aes_256_sha

That might break some sites; however, you can always enable a less trusted cypher to make it work.

In the spirit of using HTTPS and add-ons (which may or may not increase your security), there is an add-on which checks the strength of your cyphers at the following site: https://calomel.org/firefox_ssl_validation.html

Also, go to edit -> preferences -> settings (under warn messages), and select "if I'm about to view an encrypted page that contains some unencrypted information." If you're viewing a page with HTTPS, it should ALL be encrypted, not just a few things. I am glad to see that thevespirary.org uses strong encryption and encrypts everything.

« Last Edit: December 09, 2011, 02:03:01 AM by GenerationFascination »

tryl

  • Pupae
  • **
  • Posts: 89
Re: ideas for a secure operating system
« Reply #3 on: January 29, 2012, 12:54:15 PM »
archlinux or BSD.
is what i am used to and gamble on.
i hate debian.
anything apt-get i walk away from, as a general rule.
has served me good thus far. :)
"In the words of Archimedes, give me a lever long enough and a place to rest it... or I shall kill one hostage every hour."

tryl

  • Pupae
  • **
  • Posts: 89
Re: ideas for a secure operating system
« Reply #4 on: January 29, 2012, 12:55:39 PM »
you can always build your own linux from crap, of course...
grown a little too cynical for manually handling .conf files with vi.
"In the words of Archimedes, give me a lever long enough and a place to rest it... or I shall kill one hostage every hour."