Your Distro is Insecure: Ubuntu

Ubuntu Server has one of the cleanest and easiest Linux distribution installers. However, in many cases, its designers choose to ignore security in favor of ease-of-use. The result? An install that is not secure by default.

Post Installation – Network

One of the quickest ways for hackers to access systems is to use services that are not well documented or well understood. Once a system is in production, it is often unlikely that it will be hardened further, so leaving typically unused services unaddressed creates additional risk.

Ubuntu lets the sys admin choose which software sets to install; however, a closer look at an abridged version of the netstat output shows services that the sys admin likely does not need or did not intend to run:

root@sparky:~# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap2 *:* LISTEN
udp 0 0 *:bootps *:*
udp 0 0 *:bootpc *:*

Ironically, the first two entries, the Post Office Protocol version 3 (pop3) and the Internet Message Access Protocol version 2 (imap2), are installed and running despite Ubuntu having installed the more secure versions. Both of these older protocols were needed in years past for interoperability with older mail programs, but all major mail programs now support the more secure versions. (The biggest issue with these older services is clear text passwords; however, POP2 servers have also been vulnerable to root compromises.)

The bootps and bootpc entries are for providing dynamic addressing via the BOOTP and DHCP protocols. They are on by default even though static addressing is being used, as it typically will be on a server install. Even if the intent was to provide DHCP services to the network, this option is not covered as part of the install and is hidden under the DNS selection of the install.

Having these unauthorized services running knocks the Ubuntu report card down to a B for authorization.
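
The review described above can be repeated after every install by comparing the listeners against the services the admin actually chose. The following is an added example, not part of the original article; the function names, the allow-list format (proto/service) and the ssh line in the sample are assumptions made here.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on the admin's allow list.

# Constructed sample: the abridged netstat -l output from the article, plus
# one ssh line added here to stand for a service the admin did choose.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap2 *:* LISTEN
udp 0 0 *:bootps *:*
udp 0 0 *:bootpc *:*
EOF
}

# Reads netstat -l output on stdin. Arguments are the intended listeners as
# proto/service pairs (e.g. tcp/ssh). Prints "proto/service address scope"
# for every other listener; scope is "local" for loopback-only binds.
unexpected_listeners() {
    awk -v allowed=" $* " '
        $1 !~ /^(tcp|udp)6?$/ { next }            # skip the header lines
        {
            proto = $1; sub(/6$/, "", proto)        # treat tcp6/udp6 like tcp/udp
            n = split($4, part, ":")                # service follows the last colon
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            svc = proto "/" part[n]
            if (index(allowed, " " svc " ")) next   # intended service
            scope = (addr ~ /^(127\.|localhost$|ip6-localhost$|::1$)/) ? "local" : "network"
            print svc, addr, scope
        }
    '
}

# Stand-alone run on the sample; on a live host: netstat -l | unexpected_listeners tcp/ssh
sample_netstat | unexpected_listeners tcp/ssh
```

The names netstat prints come from /etc/services, so a hit such as tcp/pop3 identifies the port, not the protocol version or whether TLS is offered; confirm against the daemon's own configuration.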

User Accounts – Keys to the Kingdom

Remote access combined with loose management of user IDs is a recipe for disaster. The key to secure system ID management is limiting the system to only those IDs that are necessary and not allowing remote shell access to those accounts.

Reviewing Ubuntu’s system accounts shows the following:

daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin

With the exception of sshd, all of the system accounts are provided with an interactive shell. So when any of these accounts is compromised, interactive remote access is most likely the result. For example, a buffer overflow in one of the mail processes could result in one of the mail-related users (mail, news, uucp, etc.) providing remote access to the system through a shell login. Ubuntu should flag these accounts with the nologin option or possibly /bin/false.

Of even more concern is the fact that there are user IDs in use that were not made obvious by the installation process. For example, print server was not chosen, yet the lp user exists and is active. Other suspect accounts are news, uucp, list, and irc.

Some argue that standardizing user IDs across the distribution is more important than leaving unneeded user IDs out. For example, uucp should always be UID 10. There is value to such a standard; however, a more secure method could be used by building intelligence into the package management and passwd programs. A simpler option is to create the IDs and then disable them, so that the UID integer cannot be used by another user ID.

While Ubuntu’s practice is not uncommon, identity management must be tighter on a server distribution aimed at the enterprise market. Therefore, an A- is warranted for standard identity management.
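
The "create the IDs, then disable them" option can be checked and applied with a short script. The following is an added example, not part of the original article: the function names are hypothetical, the root and alice entries in the sample are constructed, and 1000 is assumed as the first regular-user UID.

```shell
#!/bin/sh
# Added example: find system accounts in passwd-format data that keep an
# interactive shell, and print (never run) the commands that would lock them.

# Constructed sample: some of the article's /etc/passwd lines plus two
# constructed entries (root, alice) that must not be flagged.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Reads passwd-format lines on stdin; $1 is the first regular-user UID
# (assumed 1000 here). Prints "name uid shell" for each finding.
shell_capable_system_accounts() {
    awk -F: -v uid_min="${1:-1000}" '
        /^#/ || NF < 7                 { next }  # comment or malformed line
        $3 == 0                        { next }  # root keeps its shell
        $3 >= uid_min && $3 != 65534   { next }  # regular user, out of scope
        $7 ~ /\/(nologin|false)$/      { next }  # already non-interactive
        { print $1, $3, ($7 == "" ? "/bin/sh" : $7) }  # empty shell = /bin/sh
    '
}

# One usermod line per finding: the account and its UID stay reserved,
# only the login shell changes.
lockdown_commands() {
    shell_capable_system_accounts "$@" |
    while read -r name uid shell; do
        printf 'usermod -s /usr/sbin/nologin %s  # uid %s, was %s\n' \
            "$name" "$uid" "$shell"
    done
}

# Stand-alone run on the sample; on a live host: lockdown_commands < /etc/passwd
sample_passwd | lockdown_commands
```

Setting the shell to nologin blocks interactive logins for the account (console, ssh, su without -s); it does not constrain a process that is already running under that UID.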

Summary

Ubuntu has one of the cleanest and easiest Linux distribution installers; however, its designers choose to ignore security in some areas as shown above. Although these issues can be addressed post install in most cases, the install is not secure by default.

Ronald McCarty is a systems/network professional and freelance author. Ron completed his undergraduate in CIS with University of Maryland and received his graduate degree from Capella University. Ron is the founder of Your Net Guard (www.YourNetGuard.com), a company specializing in IT infrastructure support. His free time is spent with his best friend and wife, Claudia, and their two children. Ron can be reached at mccarty@mcwrite.net.

Comments on "Your Distro is Insecure: Ubuntu"

jrichter

This is good in that I’ve noticed many of these in servers I use in the past and thought they were superfluous, but Linux admin is not something I do other than when I get forced into it–just not my real job. However, I’m not sure from the article’s close that this was a complete list or simply where the author ended. That would be good to know. I’m also in a bit of mystery about some of those extra users–when and under what circumstance are they needed? It also might have been helpful to illustrate a sample of the fixes to remove any lingering questions–I realize that is probably very basic for most readers, but it is critical for the reader missing that last bit of “how to” knowledge.

Reply
actaea

I took the time to read this article because I was worried about my computer. Instead, I find a bunch of anal retentive drivel that would seriously inconvenience many desktop users. Admittedly, the article talks about Ubuntu server, and may have valid points for people installing a server. Perhaps, it should have been titled “Your Linux Server Installs Insecurely” so that it would only reach the audience interested in it.

Reply
edantes

I doubt this article was meant for typical standalone workstations.

I agree there is a concern with the open user directories, but outside educational installations, true multi-user machines are becoming rare. For instance, with my provider, I am the sole user of a virtual machine. Isn’t that the rule nowadays?

Reply
linmag@perd.org

This article probably shouldn’t have singled out Ubuntu. Although the brief information presented is true, it is also true of other Linux Distros and other variants of UNIX. The “Open by default” approach is often taken. I’ve worked on Solaris, HP-UX, Linux, etc for many years and if you want to secure them you have to clean it up after it’s installed. (Unless you get a pre-secured version…) This is only a couple of specific open issues – there are many many more areas. If you want to secure a system you have to start by ONLY installing and running the services you really need. Then remove/close off accounts, ports, SUID programs, etc. You will never secure a system when you just load and go.

Reply
matador

OMG. This article is crap. FYI, Ubuntu uses dovecot for imap/pop. Dovecot supports only POP3 and IMAP4rev1. netstat can’t tell you what version of protocol is in use (telnet to the port and check it for yourself!). bootpc/UDP – your system is running dhclient (I guess you haven’t configured network in /etc/network/interfaces). bootps/UDP – you are even funnier; you are running DHCP server on your machine. Mind you, Ubuntu server won’t install dhcp server by default – it doesn’t even have a task for dhcp server. Are you trying to spread FUD?

‘So when any of these accounts are compromised interactive remote access is most likely the results.’

LOL! /bin/false would prevent that? How? What would stop an attacker from running chsh?

You are totally clueless.

Reply
kmdennis

actaea- I agree with you 100%. In fact I was looking for something mature, instead what we get is rather disingenuous in the least. This is supposed to be a server. To share files and serve services to users. This would normally be installed by an Administrator, unless it is for home use. Since it allows you to choose your password or leave it blank, that is your choice. And I agree. Because in a test environment, where the system does not have internet access, that can work wonders easily. I happen to have set up some servers on a test network and I know that in a real network I use secure pass phrase wherever possible. But I DO NOT want the hassle of entering a password every time. Because I have no need for security at that level. And the services that are installed by default more than likely are a result of user response to beta testing etc. For your security purposes you would have turned off these services. But for the general use, they may be required by others. These are supposed to be multi use systems and are a cheaper alternative to vmware. On the upside you can create a secure distro and post it. And it seems with most systems, that you will definitely need to make them secure before deploying them. Right?

Reply
rawler

I basically agree that all of these points have some validity.

But most of these are really _very_ shallow/ambiguous problems. I.E:
* is Non-TLS:ed pop3 really allowed? As matador mentioned, you can’t know that it allows plaintext, just because it’s port 110. Modern TLS handshakes often run on the same port as the older versions.
* While the shared-home-dir would be a problem on a company server, I would probably consider it a feature on a family-desktop or a home-server. Ubuntu is a Desktop for many uses you know. However, I agree that it should be an informed choice during installation. Cookie-stealing and whatnot. And who has never accidentally managed to write some sensitive info to the wrong files? An Inotify on the relevant files of your friends, and you could probably harvest for some mischief.
* As matador says. Buffer overflow in any service would not in any way be rescued by whatever etc/passwd says. The only added security would be in combination with a bad admin, setting a weak password when password on services that shouldn’t have password. Only in this particular instance would passwd even matter.
* Also, I wonder how you managed to install the dhcpd? If that was unclear during install, that’s a general usability-issue, not only a security-issue (also may cause problems on network, consume needless resources and all kinds of bad). Same mostly goes for dhclient, should not be running if you’ve really configured statically, for many more reasons than just security.

But what about the _really_ interesting stuff? Things I’d REALLY find interesting for security in a server (and I have no idea of Ubuntu Server, never tried it):
* Is stack and heap-randomization enabled in the -server kernel?
* Is iptables configured with careful defaults?
* Is apparmor/selinux configured at all? (Sadly, this is one of the things I’m often forced by time to remove from CentOS-installs just because it breaks some apps and I don’t have the time to dig enough to learn and fix it properly.)
* What binaries are installed setuid?
* Is there any IDS pre-configured?
* Even simple things like denyhosts?

So, all in all, while all your points hold some validity, they wouldn’t exactly turn me away from Ubuntu Server by themselves.

Reply
mikemtnbikes

Given the issues, it seems like there’s a bit o’ grade inflation going on. I’d say that B or B- are more appropriate grades.

Reply
haroldmodesto

I am missing the point of this article. Isn’t it a given that a fresh install will have little to no security? Even distros like EnGarde need post-install configuration. If you want a secure system and don’t have the know-how, find someone else who does. If it’s your job to secure the system you may be better off looking for another line of work.

Reply
matador

1) There are numerous protections in kernel and during compilation of programs – http://wiki.ubuntu.com/CompilerFlags
2) There are no iptables rules by default. If you enable ufw, you get some
3) apparmor is configured (mysql, bind9, slapd…)

denyhosts is available in repository, but enabled by default. Same goes to fail2ban (which might be better option than denyhosts)

Reply
matador

‘but not enabled by default’

Reply
okhayat

That’s why I use Debian, especially for servers. It’s more stable, and secure.

Reply
matador

Bahahahaha! Linux really isn’t for everybody.

Reply
ric

Those extra users are merely a placeholder and are disabled by default. It is not possible to log into these accounts without using root.

Reply
boban

What about 8.04 LTS

Reply
alalcoolj

Yeah, what boban said. I’d be more interested in hearing about an LTS version, as those are the only ones I would ever put on a production server.

Reply
boban

I have this developed over time I have not updated for 8.0.4 other than DJBDNS everything will work as described

http://slobodankrajinovic.blogspot.com/2008/02/linux-generic-server-based-on-ubuntu.html

Reply
