A few simple tips on how to improve the security of an Ubuntu Desktop (or Linux Mint) installation.

The instructions are based on Ubuntu 16.04.2 (and Linux Mint 18.1).

I recommend reading up on each step instead of just blindly following them.

Set BIOS/UEFI password

Enable and set a BIOS/UEFI password. The exact steps depend on the hardware and firmware you have: look them up.

Enable full disk encryption

During the installation, select the checkbox Encrypt the new Ubuntu installation for security.

Update packages

sudo apt-get update && sudo apt-get dist-upgrade

Set Grub password

Generate password hash:

$ grub-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.06FF[...]

Add the following lines to /etc/grub.d/40_custom:

$ cat /etc/grub.d/40_custom
...
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.06FF[...]

Regenerate Grub config:

sudo update-grub2

Reboot.

Disable unneeded services

By default, Ubuntu enables and starts a few services that listen on the network:

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      856/cupsd       
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1050/dnsmasq    
tcp6       0      0 ::1:631                 :::*                    LISTEN      856/cupsd       
udp        0      0 0.0.0.0:47622           0.0.0.0:*                           1050/dnsmasq    
udp        0      0 0.0.0.0:33349           0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 0.0.0.0:631             0.0.0.0:*                           993/cups-browsed
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1050/dnsmasq    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1038/dhclient   
udp6       0      0 :::39773                :::*                                855/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                855/avahi-daemon: r

Disable cupsd:

sudo systemctl disable cups.socket cups.path cups.service
sudo systemctl kill --signal=SIGKILL cups.service
sudo systemctl stop cups.socket cups.path

Disable cups-browsed:

sudo systemctl disable cups-browsed
sudo systemctl stop cups-browsed

Disable avahi-daemon:

sudo systemctl disable avahi-daemon.socket avahi-daemon.service
sudo systemctl stop avahi-daemon.socket avahi-daemon.service

For Linux Mint, disable ntp:

sudo systemctl stop ntp
sudo systemctl disable ntp

Reboot and make sure these services are not running.
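To tell the sockets that only accept local connections from the ones other hosts can reach in a listing like the one above, here is a small added helper (not from the original guide; the function name is mine) that filters netstat -tulpn output. The sample it ships with is the listing shown above, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: pick out the sockets in `netstat -tulpn` output that are
# bound to a non-loopback address and are therefore reachable from other
# hosts. Sockets on 127.0.0.0/8 or ::1 only accept local connections.

# Sample input: the listing from the guide above, embedded so this runs
# without root or a live system. For a real check, run instead:
#   sudo netstat -tulpn | external_listeners
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      856/cupsd
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1050/dnsmasq
tcp6       0      0 ::1:631                 :::*                    LISTEN      856/cupsd
udp        0      0 0.0.0.0:47622           0.0.0.0:*                           1050/dnsmasq
udp        0      0 0.0.0.0:33349           0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 0.0.0.0:631             0.0.0.0:*                           993/cups-browsed
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1050/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1038/dhclient
udp6       0      0 :::39773                :::*                                855/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                855/avahi-daemon: r'

# Read netstat -tulpn output on stdin; print "proto local-address program"
# for every socket that is not bound to a loopback address.
external_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }       # skip header lines and anything else
        {
            addr = $4
            sub(/:[0-9]+$/, "", addr)        # drop the port, keep the address
            if (addr ~ /^127\./ || addr == "::1") next
            prog = "?"                       # netstat prints "-" when not run as root
            for (i = 5; i <= NF; i++)        # UDP rows have no State column,
                if ($i ~ /^[0-9]+\//) { prog = $i; break }   # so find PID/Program by shape
            sub(/^[0-9]+\//, "", prog)       # "856/cupsd" -> "cupsd"
            sub(/:$/, "", prog)              # "855/avahi-daemon:" -> "avahi-daemon"
            print $1, $4, prog
        }'
}

# Run on the embedded sample: only the seven 0.0.0.0 / :: sockets come out.
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
```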

Restrict information exposed by the kernel

Add the following lines to /etc/sysctl.conf.

Stop unprivileged users from reading the kernel log:

kernel.dmesg_restrict=1

Run sudo sysctl -p after adding settings to /etc/sysctl.conf, here and below.

Check:

$ dmesg
dmesg: read kernel buffer failed: Operation not permitted

Hide kernel pointers (for example in /proc/kallsyms), even from root:

kernel.kptr_restrict=2

Check:

$ sudo cat /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A espfix_waddr
0000000000000000 A espfix_stack
...

Disable unprivileged user namespaces

This significantly reduces the kernel attack surface but disables the sandboxes that browsers build on user namespaces: use with caution.

Add this line to /etc/sysctl.conf:

kernel.unprivileged_userns_clone=0

Check:

$ unshare -U
unshare: unshare failed: Operation not permitted

Disable unprivileged BPF

Add this line to /etc/sysctl.conf:

kernel.unprivileged_bpf_disabled=1

Disable TTY module autoloading

Add this line to /etc/sysctl.conf:

dev.tty.ldisc_autoload=0

Enable firewall

Enable ufw and deny incoming connections by default:

sudo ufw enable
sudo ufw default deny incoming

Disable IPv6

Add these lines to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

Alternatively, edit /etc/default/grub so that the kernel command line contains ipv6.disable=1:

...
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
...

And update Grub config:

sudo update-grub2

Reboot.

Make sure that no inet6 address shows up in ifconfig:

ifconfig | grep inet6
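The sysctl settings from the kernel section and the IPv6 section above are easy to get subtly wrong (a typo in the key, a line left commented out, a value never applied), so here is an added audit script (not part of the original guide; the function names are mine) that checks a sysctl.conf-style file, and optionally the running kernel, against the keys and values this guide sets.

```shell
#!/bin/sh
# Added example: audit the sysctl hardening from this guide. The list holds
# the keys and the values the guide sets for them, one key=value per line.
HARDENING_KEYS='kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.unprivileged_userns_clone=0
kernel.unprivileged_bpf_disabled=1
dev.tty.ldisc_autoload=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1'

# conf_lookup FILE KEY: value assigned to KEY in a sysctl.conf-style file.
# Comments and whitespace are stripped, the last assignment wins, and the
# output is empty when the key is not set at all.
conf_lookup() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# live_lookup _ KEY: the value the running kernel currently uses.
live_lookup() {
    sysctl -n "$2" 2>/dev/null
}

# audit_with LOOKUP ARG: compare every hardening key against LOOKUP's answer.
# Prints one line per problem and returns the number of problems (0 = clean).
audit_with() {
    problems=0
    while IFS='=' read -r key want; do
        have=$("$1" "$2" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"
            problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"
            problems=$((problems + 1))
        fi
    done <<EOF
$HARDENING_KEYS
EOF
    return "$problems"
}

# Check what is written in the file, and what the kernel actually applied
# after `sysctl -p`. kernel.unprivileged_userns_clone is a Debian/Ubuntu
# kernel addition; other kernels report it as MISSING in the live audit.
audit_sysctl_conf() { audit_with conf_lookup "$1"; }
audit_live() { audit_with live_lookup ""; }
# Typical use: audit_sysctl_conf /etc/sysctl.conf && audit_live
```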

Disable LightDM guest sessions

Not required on Linux Mint.

Create /etc/lightdm/lightdm.conf.d/50-no-guest.conf file with the following content:

$ cat /etc/lightdm/lightdm.conf.d/50-no-guest.conf
[Seat:*]
allow-guest=false

Now reboot.

Make sure that a guest login is no longer offered on the login screen.

More

Other things you can do:

  • Turn on IOMMU;
  • Redefine core_pattern;
  • Whitelist kernel modules;
  • Whitelist USB devices.

💜 Thank you for reading!

🐱 About me

I’m a security researcher and a software engineer focusing on the Linux kernel.

I contributed to several security-related Linux kernel subsystems and tools, including KASAN — a fast dynamic bug detector, syzkaller — a production-grade kernel fuzzer, and Arm Memory Tagging Extension — an exploit mitigation. I also wrote a few Linux kernel exploits for the bugs I found.

Occasionally, I’m having fun with hardware hacking, teaching, and other random stuff.

Follow me @andreyknvl on X, @andreyknvl.bsky.social on Bluesky, @xairy@infosec.exchange on Mastodon, or @xairy on LinkedIn for notifications about new articles, talks, and training sessions.