Like most modern operating systems, Ubuntu Linux is designed to be secure by default. However, also like most modern operating systems, Ubuntu can be made even more secure through security hardening.
This article provides an overview of Ubuntu security hardening best practices. The Ubuntu security hardening tips below should apply to any Ubuntu version released in recent years, but we’ll focus in particular on Ubuntu 18.04, the latest “long-term support” release of Ubuntu.
In
modern versions of Ubuntu, there are around 50,000 individual software packages that you can install on your system. Each package provides an application or part of an application.
However, most Ubuntu installations don’t require anywhere near all of these packages. And every package you’ve installed but aren’t using creates unnecessary security risks.
Thus, you can strengthen your Ubuntu system by minimizing the number of applications you have installed. Ideally, it will do so during the installation time of the system. This is easy to do in Ubuntu Server Edition, which allows you to choose different categories of packages to install, as illustrated by the following screenshot:
Other editions of Ubuntu provide less freedom to customize which packages are included with the installation. However, you can easily remove unnecessary applications in the Ubuntu Software Center (Ubuntu’s graphical software management tool) or by using the iap-get command-line tool.
Ubuntu Disk Encryption and
Security
Another Ubuntu security hardening best practice is to encrypt hard drives. That way, if someone gains unauthorized physical access to your systems (by stealing your laptop, for example), they won’t be able to read your data.
In the desktop editions of Ubuntu, you can easily choose to encrypt the system during installation using a convenient graphical interface:
And even if you have already installed your Ubuntu system without encrypting it, you can still encrypt it. See the Ubuntu disk encryption documentation for instructions. Keep in mind that it’s a best practice to back up your data before applying system-wide encryption, in case something goes wrong during the encryption process.
Remember, too,
that because Ubuntu decrypts your disks when it boots, disk encryption will only protect data on a system that is not running. It does nothing to prevent an attacker from accessing your data if they can gain physical or remote access to the system while it is actually turned on.
Ubuntu Firewalls and Security Hardening
To harden your Ubuntu system against network attacks, you need to set up a firewall. By default, most editions of Ubuntu come with a built-in firewall tool called ufw. (Technically, ufw isn’t a firewall; it’s just an interface to iptables, the Linux kernel’s primary framework for controlling access to network ports and hosts. But most end users don’t need to know the difference.)
However, even though ufw is installed by default on most Ubuntu systems, it doesn’t do anything until you tell it. A simple ufw setup that will strengthen your system is to run these commands:
sudo ufw default
- deny incoming sudo
- default
ufw
allow outgoing This tells ufw to block all incoming network connections (such as
someone trying to log into their computer remotely or access files over the network) and allow all outgoing connections (such as your Ubuntu system connecting to a remote application).
You can then use ufw to enable specific types of incoming connections as needed based on the connection protocol (such as TCP or RDP), port number, and/or IP address where the request originates. For
example, if you want to enable SSH connections (which use the TCP protocol on port 22 by default) from host 192.168.1.10, you can run this command: sudo ufw allow from 192.168.1.10 to any port 22 proto tcp This would be useful if you want to block all SSH requests by default, but allow requests from a specific workstation (with the IP address
192.168.1.10
in the example above) that you use to manage your Ubuntu server.
Bolster Your Ubuntu System with AppArmor
(or SELinux) AppArmor
is a security hardening framework designed for Ubuntu that allows you to impose restrictions on how individual programs can behave and what system resources they can access. The intended purpose of AppArmor is to mitigate the scope of a breach by ensuring that even if attackers can take control of some of the software on your computer (for example, by convincing you to install malware on the system), the damage they can do will be limited because the software won’t have free rein to do whatever it wants.
AppArmor is a complicated tool, and a full explanation of how to use it is beyond the scope of this article. However, in a nutshell, you must first install AppArmor (it is not installed by default on most Ubuntu systems), then create profiles that control how different applications can behave. The Ubuntu documentation offers more details.
On most Ubuntu desktop systems, AppArmor is probably an exaggeration. It’s probably not worth learning how to set up AppArmor if you’re just a regular PC user. However, on Ubuntu servers, taking the time to learn how to work with AppArmor is a smart way to harden your system against attacks.
You might hear people talking about SELinux as an alternative to AppArmor. SELinux is a similar framework that is popular on Linux distributions other than Ubuntu. SELinux can be installed and used on Ubuntu systems as well as AppArmor; however, AppArmor is the framework that Canonical (the company behind Ubuntu) favors. So unless you already know how to work with SELinux, it’s generally a good idea to choose AppArmor as your security framework in Ubuntu, because AppArmor is better integrated into Ubuntu.
Ubuntu Data
Backup
and
Security Last but not least, backing up your data is one of the best practices of Ubuntu security hardening. While data backups won’t make your system harder to attack, they will help ensure that if attackers breach it, you’ll have clean data from which you can restore the system.
Further reading How to Backup Ubuntu to
Cloud with MSP360 Backup
There are several open source tools that you can use in Ubuntu to back up data; for a list, see the Ubuntu backup documentation. However, most of these tools require a fair amount of effort to set up, especially if you want them to run automatically. Some also only work on the command line.
If you want a simpler backup experience that includes
easily automated cloud backups and a graphical user interface, check out MSP360 Backup for Linux (pictured above).
Conclusion
A variety of Ubuntu security hardening tools and techniques are available to make your Ubuntu system even more secure. of what is by default. Depending on how critical your Ubuntu system is and how sensitive the data you store may be, following the Ubuntu security hardening best practices outlined above can be a wise investment of your time as it will help prevent attacks and data breaches.