🖥 Tips on improving security of Ubuntu Desktop

A few simple tips on how to improve the security of an Ubuntu Desktop installation.

The instructions are based on Ubuntu 16.04.2 (and Linux Mint 18.1).

I recommend reading up on each step instead of just blindly following them.

Set BIOS/UEFI password

Enable and set BIOS/UEFI password. The exact steps for this depend on the particular hardware and firmware that you have. Google it.

Enable full disk encryption

During installation select the checkbox Encrypt the new Ubuntu installation for security.

Update packages

sudo apt-get update && sudo apt-get dist-upgrade

Set Grub password

Generate password hash:

$ grub-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.06FF[...]

Add the following lines to etc/grub.d/40_custom:

$ cat etc/grub.d/40_custom
...
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.06FF[...]

Regenerate grub config:

sudo update-grub2

Now reboot.

Disable unneeded services

By default Ubuntu enables and starts a few services that listen on external network:

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      856/cupsd       
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1050/dnsmasq    
tcp6       0      0 ::1:631                 :::*                    LISTEN      856/cupsd       
udp        0      0 0.0.0.0:47622           0.0.0.0:*                           1050/dnsmasq    
udp        0      0 0.0.0.0:33349           0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 0.0.0.0:631             0.0.0.0:*                           993/cups-browsed
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           855/avahi-daemon: r
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1050/dnsmasq    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1038/dhclient   
udp6       0      0 :::39773                :::*                                855/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                855/avahi-daemon: r

Disable cupsd:

sudo systemctl disable cups.socket cups.path cups.service
sudo systemctl kill --signal=SIGKILL cups.service
sudo systemctl stop cups.socket cups.path

Disable cups-browsed:

sudo systemctl disable cups-browsed
sudo systemctl stop cups-browsed

Disable avahi-daemon:

sudo systemctl disable avahi-daemon.socket avahi-daemon.service
sudo systemctl stop avahi-daemon.socket avahi-daemon.service

For Linux Mint disable ntp:

sudo systemctl stop ntp
sudo systemctl disable ntp

Now reboot and make sure these services are not running.

Restrict information exposed by the kernel

Add the following lines to /etc/sysctl.conf.

Disable system log being visible to anybody:

kernel.dmesg_restrict=1

Run sudo sysctl -p after adding settings to /etc/sysctl.conf here and below.

Check:

$ dmesg
dmesg: read kernel buffer failed: Operation not permitted

Disable kernel pointers being shown:

kernel.kptr_restrict=2

Check:

$ sudo cat /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A espfix_waddr
0000000000000000 A espfix_stack
...

Disable unprivileged user namespaces

This significantly reduces kernel attack surface.

Add this line /etc/sysctl.conf:

kernel.unprivileged_userns_clone=0

Check:

$ unshare -U
unshare: unshare failed: Operation not permitted

Disable unprivileged BPF

Add this line /etc/sysctl.conf:

kernel.unprivileged_bpf_disabled=1

Enable firewall

Disable unwanted incoming packets:

sudo ufw enable
sudo ufw default deny incoming

Disable IPv6

Add these lines to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1  
net.ipv6.conf.lo.disable_ipv6=1

Change /etc/default/grub as:

...
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
...

Update Grub config:

sudo update-grub2

Now reboot.

Make sure that you don’t see inet6 address in ifconfig:

ifconfig | grep inet6

Disable LightDM guest sessions

Not required on Linux Mint.

Create /etc/lightdm/lightdm.conf.d/50-no-guest.conf file with the following content:

$ cat /etc/lightdm/lightdm.conf.d/50-no-guest.conf
[Seat:*]
allow-guest=false

Now reboot.

Make sure login as guest is not available on the login screen.

Other things you can do.

Turn on IOMMU
Redefine core_pattern
Whitelist kernel modules
Whitelist USB devices

💜 Thank you for reading!

🐱 About me

I’m a security researcher and a software engineer focusing on the Linux kernel.

I contributed to several security-related Linux kernel subsystems and tools, including KASAN — a fast dynamic bug detector, syzkaller — a production-grade kernel fuzzer, and Arm Memory Tagging Extension — an exploit mitigation. I also wrote a few Linux kernel exploits for the bugs I found.

Occasionally, I’m having fun with hardware hacking, teaching, and other random stuff.

Follow me @andreyknvl on Twitter, @xairy@infosec.exchange on Mastodon, or @xairy on LinkedIn for notifications about new articles, talks, and training sessions.

Set BIOS/UEFI password

Enable full disk encryption

Update packages

Set Grub password

Disable unneeded services

Restrict information exposed by the kernel

Disable unprivileged user namespaces

Disable unprivileged BPF

Enable firewall

Disable IPv6

Disable LightDM guest sessions

More

💜 Thank you for reading!

🐱 About me