lp0 on fire

My personal blog

OS: Hardening ubuntu 22.04

Most of this is meant for a laptop that I take everywhere I go. The laptop:

  • Might get stolen
  • Sometimes has to connect to untrusted open Wi-Fi hotspots
  • Sometimes has to load suspicious websites

Those three cases drive the choices below: encryption at rest for the theft case, a strict outbound firewall and HTTPS-only APT for hostile networks, and sandboxing for the browser.

Use a secure password

Use a unique password for every account, so that a breach at one site does not hand out the password for all the others. Length matters most, but some websites still cap passwords (16 characters is a common limit) and reject spaces, so a long passphrase is not always an option; within such limits, mix character classes, like so:

Th1sIs$ecureRt!

Keep in mind that the obvious substitutions (1 for i, $ for s) are in every cracking wordlist, so it is the uniqueness and the length that do the real work. It's annoying, but it works really well, and a password manager takes most of the annoyance away.

Strip your system

Less is more! Remove everything you don't use or need on your main system (apt-mark showmanual lists the packages you installed explicitly, which is a good place to start), and move useful but rarely used applications (like recovery utilities) to a separate USB stick, for example a Linux live USB.

Use alternatives

Replace PulseAudio with PipeWire: PipeWire has a per-client permission model, so a sandboxed application can be limited to the audio it is allowed to see, while PulseAudio gives every client the same access. Boot with EFISTUB instead of GRUB, so the firmware loads the kernel directly and GRUB's config parsing, modules and filesystem drivers are no longer in the boot path. There are probably more things like this that you could do, so check what's installed by default and whether more secure alternatives exist that meet your requirements.

Protect your files

For important files, move them to an external hard drive and use Full Disk Encryption (FDE) to protect the data. Only bring the disk with you whenever you really need it.

For the device itself, use FDE through LUKS. This can be done during the installation of Ubuntu 22.04: Installation type > Erase disk and install Ubuntu > Advanced features > Use LVM with the new Ubuntu installation > Encrypt the new Ubuntu installation for security. Follow the prompts and you're done. Two caveats: the data is only as safe as the passphrase, so pick a long one, and LUKS only protects data at rest. The key sits in RAM while the laptop is powered on or suspended, so shut it down rather than suspend it before leaving it somewhere. The /boot partition stays unencrypted with this setup.
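For the external drive, the installer doesn't help, so here is the command-line version as an added example (these are not the post's own commands): a LUKS2 container on the whole disk, a filesystem inside it, and a header backup. It assumes you pass the device node (/dev/sdX in the usage note) and a mapper name, and that you run it as root; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post. Encrypt an external disk with LUKS2.
# Run as root with the real device node; DRY_RUN=1 only prints the commands.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# encrypt_external_disk DEVICE NAME
# Destroys everything on DEVICE. While open, the data is at /dev/mapper/NAME.
encrypt_external_disk() {
    dev="$1"; name="$2"
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    # LUKS2 with argon2id: a memory-hard KDF makes offline passphrase guessing expensive
    run cryptsetup luksFormat --type luks2 --pbkdf argon2id "$dev"
    run cryptsetup open "$dev" "$name"
    run mkfs.ext4 -L "$name" "/dev/mapper/$name"
    # Keep a header backup off the disk: a damaged LUKS header means the data is gone.
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "${HOME:-/root}/$name.luks-header"
}

# lock_external_disk NAME: unmount (if mounted) and close the container before unplugging.
lock_external_disk() {
    name="$1"
    run umount "/dev/mapper/$name" || true
    run cryptsetup close "$name"
}
```

Usage, as root: `encrypt_external_disk /dev/sdX extdisk`, then `mount /dev/mapper/extdisk /mnt` to use it and `lock_external_disk extdisk` before unplugging. Store the header backup on the (encrypted) laptop, not on the external disk.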

Updating

Ubuntu uses APT for package management and for updating your system. Ubuntu's APT repositories are served over plain HTTP by default. Packages and indexes are signed, so a man-in-the-middle can't slip in a modified package, but they can see exactly what you install and can serve a stale index to keep you on old versions [1][2][3]. Moving the mirror URLs to HTTPS adds a layer of defence against these attacks:

# change this command to use your mirror
# note: this also points the security pocket at the mirror, so security updates
# arrive only as fast as that mirror syncs jammy-security
sudo sed --in-place --regexp-extended 's http://(nl\.archive\.ubuntu\.com|security\.ubuntu\.com) https://nl.archive.ubuntu.com g' /etc/apt/sources.list

Run apt update afterwards and check that every line it fetches starts with https. General good advice is to not install 3rd party PPAs: a PPA is an extra repository whose signing key you trust completely, and everything it publishes installs as root. Stick to what Ubuntu (and/or your company) provides.

Another nice thing we can do is enable automatic updates, so security fixes are applied without waiting for you to run apt. That shortens the window in which a known vulnerability is exploitable, and the daily refresh also makes a stale package index (whether from a lagging mirror or an attacker replaying an old one) less likely to stick. This can be done by running the following:

sudo apt install -y --no-install-recommends unattended-upgrades
# answer "Yes" at the prompt; it writes /etc/apt/apt.conf.d/20auto-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
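The same two steps as a script you can try on a copy of sources.list first, as an added example (not the post's own commands): the rewrite only touches the canonical Ubuntu hosts and leaves third-party lines alone, and the second function writes the file that dpkg-reconfigure creates when you answer yes. It assumes the mirror is nl.archive.ubuntu.com (override with MIRROR=...) and takes the file paths as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Switch Ubuntu APT sources to HTTPS
# and enable daily unattended upgrades without the interactive prompt.
set -eu

MIRROR="${MIRROR:-nl.archive.ubuntu.com}"   # assumption: your mirror; nl. is the post's

# apt_sources_to_https FILE: rewrite http:// lines for *.archive.ubuntu.com and
# security.ubuntu.com to https://$MIRROR, keeping a .bak copy for rollback.
apt_sources_to_https() {
    file="$1"
    cp -p "$file" "$file.bak"
    # Group 1 keeps "deb"/"deb-src" and an optional [options] block intact;
    # lines for other hosts (PPAs, company repos) are not touched.
    sed --in-place --regexp-extended \
        "s#^(deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)http://(([a-z]+\.)?archive\.ubuntu\.com|security\.ubuntu\.com)#\1https://$MIRROR#" \
        "$file"
}

# apt_sources_http_left FILE: number of active lines still fetching Ubuntu
# repositories over plain HTTP (0 means the rewrite is complete).
apt_sources_http_left() {
    grep -cE '^deb(-src)?[[:space:]].*http://[^[:space:]]*ubuntu\.com' "$1" || true
}

# auto_upgrades_config FILE: the content dpkg-reconfigure writes to
# /etc/apt/apt.conf.d/20auto-upgrades when you enable automatic updates.
auto_upgrades_config() {
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' > "$1"
}
```

On the real system: `sudo sh -c '. ./apt-https.sh; apt_sources_to_https /etc/apt/sources.list; auto_upgrades_config /etc/apt/apt.conf.d/20auto-upgrades'`, then `sudo apt update`; if the mirror refuses HTTPS, restore from sources.list.bak.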

Firewall

Ubuntu's firewall (ufw) is installed but not enabled by default, and it contains no rules. So a good start is to enable it! I'm very strict with my firewall: outbound traffic is only allowed to specific ports, and nothing else gets through in either direction.

# everything inbound is dropped, and so is everything outbound unless listed below
ufw default deny incoming
ufw default deny outgoing
# DNS (tcp and udp) and HTTPS are the only outbound destinations
ufw allow out to any port 53
ufw allow out to any port 443
ufw enable

I don't use SSH on this laptop, so there is no inbound rule for it. Plain HTTP (port 80) isn't allowed either, because I re-routed Ubuntu's APT repository to use HTTPS instead. Anything else you rely on needs its own rule, NTP (123/udp, used by systemd-timesyncd) being the one people usually forget; ufw status verbose shows what is in effect.

Flatpak

Sandboxing provides another layer of defense against unintended access. Flatpak does this for desktop applications: each package runs in a sandbox, and its permissions define what it is (not) allowed to do, such as which parts of the filesystem it sees and whether it gets network access. A good graphical tool for managing Flatpak permissions is Flatseal. Note that many packages ship with broad permissions (full home or host filesystem access), so the sandbox is only as tight as you make it.

A nice example is com.kingsoft.Office. This office suite is really good, but it connects to the internet for templates and telemetry. I don't want this, so I remove the package's network permission and then monitor its network connections for a while to check that it doesn't get out.

This is especially nice for browsers. When an exploit escapes the browser's own sandbox, the Flatpak sandbox limits the amount of damage it can do to the rest of the system.
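The same lockdown from the command line, as an added example (not the post's own commands) using flatpak override, plus a check run inside the sandbox that the network is really gone. The app id com.kingsoft.Office is the one named above; the directories you pass in are whatever the app genuinely needs. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Restrict a Flatpak app's permissions
# and verify the result from inside the sandbox.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# restrict_app APP [DIR...]: no network, no host filesystem; only the listed
# directories remain visible (read-write) inside the sandbox.
# --user writes to ~/.local/share/flatpak/overrides/APP, no root needed.
restrict_app() {
    app="$1"; shift
    run flatpak override --user --unshare=network --nofilesystem=host "$app"
    for dir in "$@"; do
        run flatpak override --user --filesystem="$dir" "$app"
    done
}

# show_permissions APP: effective permissions, i.e. the app's manifest plus overrides.
show_permissions() {
    run flatpak info --show-permissions "$1"
}

# check_no_network APP: a name lookup from inside the sandbox must fail once
# the network is unshared; if it succeeds, the override did not take effect.
check_no_network() {
    app="$1"
    if run flatpak run --command=sh "$app" -c 'getent hosts ubuntu.com >/dev/null'; then
        echo "WARNING: $app can still resolve names" >&2
        return 1
    fi
    echo "ok: $app has no network"
}
```

Usage: `restrict_app com.kingsoft.Office ~/Documents`, then `check_no_network com.kingsoft.Office`; `show_permissions` afterwards should list `shared=!network` under the context. Flatseal shows the same overrides graphically.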

Browser

As with everything else, disable what you don't need. This can be done in the most popular browsers using an extension called uBlock Origin. It can not only remove ads and trackers, it can also block JavaScript, frames and other third-party content. uMatrix, which used to be the tool for picking exactly what gets through, is no longer maintained; the same per-site, per-type control now lives in uBlock Origin's dynamic filtering (enable "I am an advanced user" in its settings).

In addition, disable a lot of things in the browser itself. If you only use Discord, Netflix, Google Mail/Docs and YouTube in the browser, you can disable things like third-party cookies and such without losing anything.
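An example uBlock Origin dynamic-filtering ruleset that takes over uMatrix's job, added here and not part of the original post: block all third-party content by default and punch site-specific holes. The rules go in the dashboard under "My rules"; the per-site lines (youtube.com needing googlevideo.com and ytimg.com) are assumptions for the sites named above and will need tuning for yours.

```text
* * 3p block
* * 3p-frame block
* * 3p-script block
* * inline-script block
youtube.com googlevideo.com * noop
youtube.com ytimg.com * noop
```

"noop" means "don't block at this scope, let the static filter lists decide"; "allow" would bypass the lists entirely, so prefer noop. The per-site panel shows which blocked domains a broken page was trying to reach, which is how you find the next rule to add.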

SSH protection

SSH is one of the most scanned ports on the internet, so we need to make sure that attackers only get a limited number of attempts before they are blocked. This can be done with fail2ban. In addition, use a key for authentication (a password can be brute-forced, a key can't), and change the port to cut down the automated scan noise; that last step doesn't stop a targeted attacker, the keys and fail2ban do the real work.

Change port

Allow the new port in the firewall first (on the server, before touching sshd, so the restart can't lock you out):

sudo ufw allow 2222/tcp

Set the port in sshd_config, restart the ssh service, and confirm you can log in on 2222 before closing 22:

sudo nano /etc/ssh/sshd_config
Port 2222

Key login

Generating a key:

# note: set a passphrase when prompted (ed25519 is the shorter modern choice; rsa 4096 is fine too)
ssh-keygen -t rsa -b 4096

# note: change user and server to your username and server address;
# add -p 2222 if you already changed the port
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server

Enable key authentication and disable password logins. Only do this after the key login has been confirmed from a second terminal, or you lock yourself out. On Ubuntu 22.04 sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd uses the first value it finds for a keyword, so also check those drop-ins for a PasswordAuthentication yes that would override yours; restart the ssh service afterwards.

sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

Fail2Ban

To install:

sudo apt install -y --no-install-recommends fail2ban
# --now also starts it immediately
sudo systemctl enable --now fail2ban.service

For configuration (restart fail2ban afterwards so it picks up the file):

sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
# must match the Port in sshd_config: the ban rule is applied to this port,
# so "port = ssh" would keep banning 22 while sshd listens on 2222
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
# -1 bans forever; combined with a typo in your own key that is a lock-out,
# so list your own trusted addresses in ignoreip
bantime = -1
ignoreip = 127.0.0.1
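Tying the three SSH steps (port, key-only login, fail2ban) together, here is an added example, not the post's own code, that checks whether the sshd settings above are actually in effect and then applies everything in a safe order. The check matters because sshd takes the first value it sees for a keyword, and Ubuntu 22.04's sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in saying PasswordAuthentication yes silently wins over a later no. Port 2222 and the file paths are the post's values; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Verify and apply the SSH hardening
# from this section. First-match semantics are deliberate: that is what sshd does.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# effective_setting FILE KEYWORD: first-match lookup of "Keyword value" lines,
# keyword case-insensitive, comments and blank lines ignored. The "Keyword=value"
# form and Match blocks are not handled; use "sshd -T" on the live system for those.
effective_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key  { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: non-zero if any of the hardening settings is not in effect.
check_sshd_config() {
    f="$1"; rc=0
    [ "$(effective_setting "$f" Port)" = "2222" ] || { echo "Port is not 2222" >&2; rc=1; }
    [ "$(effective_setting "$f" PasswordAuthentication)" = "no" ] || { echo "PasswordAuthentication is not no" >&2; rc=1; }
    [ "$(effective_setting "$f" PubkeyAuthentication)" = "yes" ] || { echo "PubkeyAuthentication is not yes" >&2; rc=1; }
    return "$rc"
}

# apply_ssh_hardening: run as root AFTER the key login has been tested from a
# second session. The firewall port is opened first so the restart cannot lock you out.
apply_ssh_hardening() {
    run ufw allow 2222/tcp
    run /usr/sbin/sshd -t                 # syntax check; a broken config would leave sshd down
    run systemctl restart ssh             # the unit is "ssh" on Ubuntu, not "sshd"
    run systemctl restart fail2ban        # pick up jail.local (port = 2222)
    run fail2ban-client status sshd       # shows the jail, its filter and current bans
    # Live check that also covers Include drop-ins and Match blocks:
    #   sudo sshd -T | grep -E '^(port|passwordauthentication|pubkeyauthentication) '
}
```

Usage on the server: `check_sshd_config /etc/ssh/sshd_config` and the same for each file in /etc/ssh/sshd_config.d/ (a drop-in is read before the main file, so its first value wins), then `apply_ssh_hardening`, then log in once more over port 2222 before removing the rule for port 22.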

Conclusion

There are many more things that could be covered here, like AppArmor, but then this article would become way too large hahaha. All steps combined are mostly a one-time setup that you can then forget about.

Appendix A: References