Setup Idea Ubuntu Hardening

Last updated
Aug 23, 2024
How it's used?
For home and private use
Operating system
Linux
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Basic account password (insecure)
Security updates
Allow security updates
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
Real-time security
clamav (linux free AV)
Firewall security
Built-in Firewall for Mac/Linux
About custom security
this is what the article is about
Periodic malware scanners
clamav
Malware sample testing
I do not participate in malware testing
Environment for malware testing
n/a
Browser(s) and extensions
firefox
Secure DNS
quad9
Desktop VPN
proton vpn free
Password manager
firefox built-in password manager
File and Photo backup
deja-dup (built-in backup app)
System recovery
Clonezilla
Risk factors
    • Browsing to popular websites
Computer specs
ASUS Vivobook 2021 model
Recommended for
  1. All types of users

Victor M

Level 16
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
755
I prefer to search for Live data myself: Common Vulnerabilities and Exposures (CVEs). Oval relies on old static data available on the ubuntu server: security-metadata.canonical.com. I suspect it only reports Patched vulnerabilities, because all of the items in that list say 'patch'. There has to be some undergoing evaluation, and some that have undergone evaluation and are rated unimportant and so on. Imho, it is more useful to see what a potential attacker sees when he is doing reconnaissance.

On the other hand ubuntu's site revealed things I have missed when doing my searches. Ubuntu knows the complete list of components that are in use in its releases. I need to be more careful and expand my searching. That oval report is good for people who need to do extensive testing before patching and are forever behind in patching. I don't have any custom applications that require me to do testing. Ubuntu's own testing is good enough for me.

anirbandutta01

Level 10
Well-known
Jun 18, 2022
480
Switch to Ubuntu Pro, free for 5 home devices.

How can I download UBUNTU Pro which is free for personal usage ?
 
  • Like
Reactions: simmerskool

simmerskool

Level 40
Verified
Top Poster
Well-known
Apr 16, 2017
2,932
Web site updated today. Extra firewall rules to shorten stateful opening times. More mitigation verification procedures. Enable Yubikey in firefox
I have found that some features / uses of yubikey with OS running in VMware do not function as expected, but do not have the exact snafu in front of me. What exactly do you mean by "Enable Yubikey in firefox"? :unsure:
 

Victor M

Using Firefox with firejail requires configuring the firefox-common.profile to allow u2f.

For hypervisors like vmware, you have to do something with the hypervisor to pass in the USB yubikey to the guest OS.
  • Like
Reactions: simmerskool

simmerskool

Right, when I plug in the USB, the VM screen pops up with "do you want to use USB with VM or Host"; even when I select VM, the yubi features work with some sites in VM but not others. The example that is coming to my mind (IIRC) is logging into webmail: it says press the button on the yubikey, I do, but the signal / code does not work, could be the online webmail server... :unsure: but the yubikey has always worked aok for that webmail from Host. The workaround is easier than trying to figure this out, life is too short to waste hours on this...
 

Victor M

Ah, google account w yubikey w firejail firefox. Sometimes the prompt for the yubikey pin pops up and sometimes it doesn't (google simply says press the button on the key, which doesn't grant you access). All I do in those cases is restart firejail firefox and it will always work the 2nd time around (asks for the pin). I have firefox set to open previous session on start. But this might be different for your vmware problem.

Why don't you install Linux as the host and windows as a vm inside Linux? The virt-manager hypervisor is pretty good and easy to use. All hypervisors are basically the same in my opinion. You have the main panel which allows you to create or start vm's. Each guest has a window to show what components are built into it, you can add components like extra nic's. I have used vmware, virtualbox, virt-manager and some other one whose name I can't recall right now. And they all look and work pretty similar. No learning curve.

You are going to live for a long time to come, don't say life is too short :)
  • Thanks
Reactions: simmerskool

simmerskool

Linux as Host in 2025 is definitely a possibility. I don't see myself buying new pc unless something breaks in this DigitalStorm box. I upgraded the cpu cooling a few years ago, and it is running fine on 7 year old hardware (until it doesn't). Live long and prosper is a better, but see
 

Victor M

I can sort of count the hackers that try to attack my fortified ubuntu web site. That's because the logs show attempts to fetch non-existent pages. Pages that are particular to Wordpress, various .js and php scripts that I don't have, login pages, database stuff and so on. And they always try it multiple times and my reporting tool shows the count. I estimate around 5-6 hackers every week. If I count all the individual instances then there would be a lot more.

Two years ago, I put up an obnoxious fake IT security firm web site using wordpress under the name No Hackers Here as an experiment. It was taken down by attackers within a month.

What does that tell you? Hackers don't just attack big corporates where the rewards are huge. They also attack things they don't like, like security firms and security sites like mine. And they might not like sites like MT and @Jack can weigh in on this.

Here are my 2 cents' worth of advice if you are considering setting up a security related site.
a. don't have any moving parts if possible. Static web sites are safer. No js, no cgi,
b. don't use wordpress. While wordpress itself may be secure, its various plug-ins aren't.
c. deploy on a cloud provider where you can control your security measures. Web hosting sites sometimes offer very little security mechs.
d. if you must have input fields, then don't trust any input. Do a whole lot of validation server side.
e. if you accept payment, then hand off the payment processing to paypal or similar. Don't do it yourself. If you do it yourself you assume responsibility over the credit card numbers which hackers want.
f. if you must have code, then do SAST, DAST and IAST.
g. go over the OWASP checklist and make sure you follow their suggested best practices.
  • Like
Reactions: simmerskool
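
The log review described in the post above (counting sources that repeatedly request non-existent WordPress, PHP, login and database pages) can be scripted. This is an added example, not part of the original post and not the poster's reporting tool; the Combined Log Format, the probe path patterns, the `min_hits` threshold and the sample log lines are assumptions.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Paths a static site never serves. Assumed list; tune it to your own site.
PROBE_RE = re.compile(
    r'/wp-(login|admin|content|includes)|/xmlrpc\.php|\.php(\?|$)'
    r'|/phpmyadmin|/(admin|login)(/|$)|\.sql(\?|$)',
    re.IGNORECASE,
)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = r"""
203.0.113.7 - - [12/Aug/2024:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Aug/2024:03:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Aug/2024:03:14:03 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 153 "-" "-"
198.51.100.23 - - [12/Aug/2024:04:02:10 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "-"
198.51.100.23 - - [12/Aug/2024:04:02:11 +0000] "GET /backup.sql HTTP/1.1" 404 153 "-" "-"
192.0.2.44 - - [12/Aug/2024:04:30:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [12/Aug/2024:04:30:05 +0000] "GET /old-page.html HTTP/1.1" 404 153 "-" "-"
192.0.2.99 - - [12/Aug/2024:04:45:00 +0000] "GET /login HTTP/1.1" 404 153 "-" "-"
192.0.2.50 - - [12/Aug/2024:05:00:00 +0000] "\x16\x03\x01" 400 150 "-" "-"
"""


def probe_summary(log_text, min_hits=2):
    """Count 404 probe requests per client IP.

    Returns the sources with at least min_hits probes (the per-attacker
    figure) and the total number of probe requests (the per-instance figure).
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # blank or malformed request line, e.g. TLS bytes sent to port 80
        if m["status"] == "404" and PROBE_RE.search(m["path"]):
            hits[m["ip"]] += 1
    sources = {ip: n for ip, n in hits.items() if n >= min_hits}
    return {"sources": sources, "total_hits": sum(hits.values())}


if __name__ == "__main__":
    print(probe_summary(SAMPLE_LOG))
```

An ordinary broken link such as `/old-page.html` is not counted, which keeps the per-source figure from being inflated by normal visitors.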
