Comments on: Your Distro is Insecure: Ubuntu

By: hip flexor strain running

hip flexor strain running — Tue, 04 Jun 2013 09:02:49 +0000

These De – Puy products were proven to be defective and harmful to the patients
who used them. We are able to bend at the hips and perform other
activities concerning the hip thanks to this bone.
(2) compression of abdominal contents results, impeding circulation,.

By: develop iphone apps on windows

develop iphone apps on windows — Thu, 30 May 2013 20:47:25 +0000

Hello there! I know this is kinda off topic nevertheless I’d figured I’d ask.

Would you be interested in trading links or maybe guest authoring a blog article or vice-versa?
My site addresses a lot of the same topics
as yours and I feel we could greatly benefit from each other.

If you’re interested feel free to send me an email. I look forward to hearing from you! Wonderful blog by the way!

my blog post develop iphone apps on windows

By: Cheap Webhost

Cheap Webhost — Wed, 23 Nov 2011 23:50:06 +0000

Thanks for every other informative web site. Where else may just I am getting that kind of info written in such an ideal method? I’ve a project that I’m just now working on, and I have been at the glance out for such info.

By: jrichter

jrichter — Wed, 30 Nov -0001 00:00:00 +0000

This is good in that I’ve noticed many of these in servers I use in the past and thought they were superfluous, but Linux admin is not something I do other than when I get forced into it–just not my real job. However, I’m not sure from the article’s close that this was a complete list or simply where the author ended. That would be good to know. I’m also in a bit of mystery about some of those extra users–when and under what circumstance are they needed? It also might have been helpful to illustrate a sample of the fixes to remove any lingering questions–I realize that is probably very basic for most readers, but it is critical for the reader missing that last bit of “how to” knowlege.

By: actaea

actaea — Wed, 30 Nov -0001 00:00:00 +0000

I took the time to read this article because I was worried about my computer. Instead, I find a bunch of anal retentive drivel that would seriously inconvenience many desktop users. Admittedly, the article talks about Ubuntu server, and may have valid points for people installing a server. Perhaps, it should have been titled “Your Linux Server Installs Insecurely” so that it would only reach the audience interested in it.

By: edantes

edantes — Wed, 30 Nov -0001 00:00:00 +0000

I doubt this article was meant for typical standalone workstations.

I agree there is a concern with the open user directories, but outside educational installations, true multi-user machines are becoming rare. For instance, with my provider, I am the sole user of a virtual machine. Isn’t that the rule nowadays?

By: linmag@perd.org

linmag@perd.org — Wed, 30 Nov -0001 00:00:00 +0000

This article probably shouldn’t have singled out Ubuntu. Although the brief information presented is true, it is also true of other Linux Distros and other varients of UNIX. The “Open by default” approach is often taken. I’ve worked on Solaris, HP-UX, Linux, etc for many years and if you want to secure them you have to clean it up after it’s installed. (Unless you get a pre-secured version…) This is only a couple of specific open issues – there are many many more areas. If you want to secure a system you have to start by ONLY installing and running the services you really need. Then remove/close off accounts, ports, SUID programs, etc. You will never secure a system when you just load and go.

By: matador

matador — Wed, 30 Nov -0001 00:00:00 +0000

OMG. This article is crap. FYI, Ubuntu uses dovecot for imap/pop. Dovecot supports only POP3 and IMAP4rev1. netstat can't tell you what version of protocol is in use (telnet to the port and check it for your self!). bootpc/UDP - your system is runing dhclient (I guess you haven't configured network in /etc/network/interfaces). bootps/UDP - you are even funnier; you are running DHCP server on you machine. Mind you, Ubuntu server won't install dhcp server by default - it doesn't even have a task for dhcp server. Are you trying to spread FUD?

'So when any of these accounts are compromised interactive remote access is most likely the results.'

LOL! /bin/false would prevent that? How? What would stop attacker of running chsh?

You are totally clueless.

By: kmdennis

kmdennis — Wed, 30 Nov -0001 00:00:00 +0000

actaea- I agree with you 100%. In fact I was looking for something mature,instead what we get is rather disingenious in the least. This is supposed to be a server. To share files and serve sevices to users. This would normally be installed by an Administrator, unless it is for home use. Since it allows you to chose you password or leave it blank, that is your choice. And I agree. Because in a test environment, where the system does not have internet access, that can work wonders easily. I happen to have set up some servers on a test network and I know that in a real network I use secure pass phrase wherever possible. But I DO NOT want the hassel of entering a password everytime. Because I have no need for security at that level. And the services that are installed by default more than likely are a result of user response to beta testing etc. For your security purposes you would hae turned off these services. But for the general use, they may be required by others. These are suposed to be multi use systems and are a cheaper alternative to vmware. On the upside you can create a secure distro and post it. And it seems with most systems, that you will definitely need to make them secure before deploying them. Right?

By: rawler

rawler — Wed, 30 Nov -0001 00:00:00 +0000

I basically agree that all of these points have some validity.

But most of this are really _very_ shallow/ambiguous problems. I.E:
* is Non-TLS:ed pop3 really allowed? As matador mentioned, you can't know that it allows plaintext, just because it's port 110. Modern TLS handshakes often run on the same port as the older versions.
* While the shared-home-dir would be a problem on a company server, I would probably consider it a feature on a family-desktop or a home-server. Ubuntu is a Desktop for many uses you know. However, I agree that it should be an informed choice during installation. Cookie-stealing and whatnot. And who have never accidentally managed to write some sensitive info to the wrong files? An Inotify on the relvant files of your friends, and you could propably harvest for some mischief.
* As matador says. Buffer overflow in any service would not in any way be rescued by whatever etc/passwd says. The only added security would be in combination with a bad admin, setting a weak password when password on services that shouldn't have password. Only in this particular instance would passwd even matter.
* Also, I wonder how you managed to install the dhcpd? If that was unclear during install, that's a general usability-issue, not only a security-issue (also may cause problems on network, consume needless resources and all kinds of bad). Same mostly goes for dhclient, should not be running if you've really configured statically, for many more reasons than just security.

But what about the _really_ interesting stuff? Things I'd REALLY find interesting for security in a server (and I have no idea of Ubuntu Server, never tried it):
* Is stack and heap-randomization enabled in the -server kernel?
* Is iptables configured with careful defaults?
* Is apparmor/selinux configured at all? (Sadly, this is one of the things I'm often forced by time to remove from CentOS-installs just because it breaks some apps and I don't have the time to dig enough to learn and fix it properly.)
* What binaries are installed setuid?
* Is there any IDS pre-configured?
* Even simple things like denyhosts?

So, all in all, while all your points hold some validity, they wouldn't exactly turn me away from Ubuntu Server by themselves.

By: mikemtnbikes

mikemtnbikes — Wed, 30 Nov -0001 00:00:00 +0000

Given the issues, it seems like there’s a bit o’ grade inflation going on. I’d say that B or B- are more appropriate grades.

By: haroldmodesto

haroldmodesto — Wed, 30 Nov -0001 00:00:00 +0000

I am missing the point of this article. Isn’t it a given that a fresh install will have little to no security? Even distros like EnGarde need post-install configuration. If you want a secure system and doesn’t have the know-how find someone else who does. If it’s your job to secure the system you may be better off looking for another line of work.

By: matador

matador — Wed, 30 Nov -0001 00:00:00 +0000

1) There are numerous protections in kernel and during compilation of programs – http://wiki.ubuntu.com/CompilerFlags
2) There are no iptables rules by default. If you enable ufw, you get some
3) apparmor is configured (mysql, bind9, slapd…)

denyhosts is available in repository, but enabled by default. Same goes to fail2ban (which might be better option than denyhosts)

By: matador

matador — Wed, 30 Nov -0001 00:00:00 +0000

‘but not enabled by default’

By: okhayat

okhayat — Wed, 30 Nov -0001 00:00:00 +0000

That’s why I use Debian, especially for servers. It’s more stable, and secure.

By: matador

matador — Wed, 30 Nov -0001 00:00:00 +0000

Bahahahaha! Linux really isn’t for everybody.

By: ric

ric — Wed, 30 Nov -0001 00:00:00 +0000

Those extra users are merely a placeholder and are disabled by default. It is not possible to log into these accounts without using root.

By: boban

boban — Wed, 30 Nov -0001 00:00:00 +0000

What about 8.04 LTS

By: alalcoolj

alalcoolj — Wed, 30 Nov -0001 00:00:00 +0000

Yeah, what boban said. I’d be more interested in hearing about an LTS version, as those are the only ones I would ever put on a production server.

By: boban

boban — Wed, 30 Nov -0001 00:00:00 +0000

I have this developed over time I have not updated for 8.0.4 other than DJBDNS everything will work as described

http://slobodankrajinovic.blogspot.com/2008/02/linux-generic-server-based-on-ubuntu.html