Hardening Ubuntu MATE via a GUI

Is it possible to harden Ubuntu via a GUI, such as a GUI on a router? That would make things a lot easier. The Ubuntu Tweak (I think it was called Ubuntu Tweak) is considered insecure. Any other alternative would make Ubuntu MATE almost perfect.

[quote=“vr_anticipator, post:1, topic:13397”]Is it possible to harden Ubuntu via a GUI, such as a GUI on a router?[/quote]

Harden it in what respect? It already comes installed with gufw and since there are no widespread Linux viruses in the wild, an AV would serve very little purpose.

So, launch gufw (Control Center -> Firewall Configuration) and harden access to it that way. Other than that, the fact the root account is in fact disabled (in all Ubuntu flavours) is enough hardening by default.

If you’re that concerned with security, Linux might in fact not be for you. It already is far more secure and robust than Windows but it might simply not be enough for you. Ever considered FreeBSD?

1 Like

In terms of being invulnerable from script kiddies. In a way that it is hard for someone to steal my banking information for instance. Note, I think that I have OCD and Generalized anxiety disorder. In other words, I might be having another “episode”. Lol. Thanks for the idea though. But I like Ubuntu Mate. I’ll stick with it for some time.

[quote=“vr_anticipator, post:3, topic:13397”]Note, I think that I have OCD and Generalized anxiety disorder.[/quote]

I can empathize on the OCD. Although in me it tends to be mysophobia in which it reveals itself.

Anyhow, let me reassure you – even though the Linux kernel was not designed with security in mind, the kernel as a whole actually is quite secure. The script kiddies aren’t going to attack that one. Then, userspace maybe? Well, possibly. But, 2 things there – first of all, updates. Given the fact you’re OCD-y in nature, I’m confident you can be as OCD as I am and update not once a day but basically every hour. Or whenever you have a spare moment. I’m bored, so sometimes I update every 5 minutes.
Getting in the habit of updating regularly will ensure that the whole userspace experience is as secure as is available. Typically speaking, vulnerabilities that are used in the wild don’t live long within the Linux ecosphere. At least, that’s been my experience.
Which brings me to the second point – script kiddies in particular aren’t creative enough to write their own tools. They use someone else’s tools and given the fact Linux’s representation on the desktop is marginal at best (a few percent), there simply is no interest in creating Linux-specific tools for script kiddies to use.

Take the recent WannaCry/Crypt/whatever outbreak – Windows specific. And that just goes on and on. Always Windows specific. Not happening on Linux. Not yet anyhow. Which is no passcard to just do whatever you will on Linux. Responsible use still is key but ultimately, odds of you finding yourself with an empty bank account as a result of a compromised Ubuntu installation are exceedingly remote.

TL;DR – Rest easy. I understand. I’m every bit as OCD as you are (if not more so) and I feel perfectly safe with Ubuntu MATE.

2 Likes

You sir are awesome :smiley: Thanks for the reassuring. BTW, I have mysophobia too after getting the dreaded strep throat 5 times in two years. I’ll learn iptables these days and I will put that into practice. I use the ufw, but it won’t hurt to learn the linux firewall. Thanks for the reassuring mate. This is what I wanted to read. Cheers

2 Likes

Sorry if this makes you both break out in hives but the single largest security threat to linux is linux itself.

To clarify that, the largest real threat to the linux kernel, that threat is the fact that basically all of userspace is the old west, and the entirety of the thing is such a PITA to configure that no matter what you look up via google et al. you’re going to find that people are consistently being told by “experts” to “just enter these commands” which sometimes start with “sudo”.

Just in case you haven’t got my drift yet, the big advantage that i see in the more forward-looking distros like mageia (redhat-derived) or ubuntu-mate (debian-derived) is that people actually seem to be addressing those configurability issues, the ones that lead linux people who have been trained to believe that linux is “safe” because the kernel is like cast-iron, to just “issue these commands” which they probably have no idea about, with regard to what they do, where they came from, or if they are safe or trojan horses.

Get a trojan horse into linux, and you have the same problem any other OS has. And you have the same solution. What’s the solution to an alien infection? Wipe the host’s hard-drive and reinstall. For windows folks “reinstall” is probably still the shudder-inducing word it was when i used windows.

Nice thing about linux is “reinstall” means “format the partition and copy your backup to it”. With the right setup, we’re talking the time it takes to reboot onto a portable drive, format a partition (gedit) and copy files (rsync) with a little editing to /etc/fstab.

That’s another reason i like linux, backing up a windows system so you can restore what you had, exactly as it was the last time you backed it up, was a mortal PITA with reboots to ghostscript or whatever the thing was called, etc. I run my linux system backups, meaning backups of the system partition as it is running, via rsync, which is a mortal PITA to use just like most linux commands, but at least i can do backups with the system running, and i was never crazy enough to even attempt that under windows.

Anyway a linux system is as susceptible to a trojan as any other OS, but if you can keep those off you’re pretty much good to go.

Being the recovered paranoid-guy that i am, i like my backups. I live in a forest, that’s why i pay for homeowner’s insurance, forests burn down hereabouts. It’s like the AAA card i bought maybe 5 years ago, it’s a superstition thing, isn’t it?

Anyway, i avoid system updates whenever i can. The kernel is solid, and i’m careful who i invite onboard, and besides that the only thing worth stealing is my code, which will almost certainly be free anyway once it’s written, which of course it isn’t being right now, it’s waiting for me to get done here.

1 Like

Do you mind providing a how to backup files and restore them after a vulnerability? Thanks for the reply.

[quote=“crankypuss, post:6, topic:13397”]Sorry if this makes you both break out in hives but the single largest security threat to linux is linux itself.[/quote]Whereas I understand what you’re trying to say, I’m not sure I agree with it. Particularly not given the implied context of the OP.

Even a GUI can be a dangerous thing. Face it, certain configuration actions simply require elevated privileges. There is no way to circumvent that, nor should we. The fact they demand elevated privileges is in part the reason the Linux ecosphere is more secure than the Windows ecosphere.

Now, take your average Tom, -censored- or Harry or the grandparent that is more comfortable riding a horse and carriage and what do we get? In any kind of phishing attempt, the easier it is to get them to do what they should not be doing, the more successful our attempts become. So, ask them to “Click” here and enter their password, they go – “Oh, I know that!”

Ask them instead to open up a terminal and pipe together a string of layered sudo commands and they go – “Do what now?”

[quote=“crankypuss, post:6, topic:13397”]Anyway, i avoid system updates whenever i can.[/quote]

Not sure that is wise. One example:

See, the -nix ecosphere, even though it is more secure than Windows and has the potential to be even more secure is not immune to the single biggest point of failure in any circumstance – the human. As in, software bugs. Bugs are created by humans (we’re doing the coding) and typically do require updates to actually be removed from your system.

[quote=“crankypuss, post:6, topic:13397”]the only thing worth stealing is my code[/quote]

For others, this does not necessarily apply. They may actually have things worth stealing. Hence regular updates to avoid things like WannaCrypt, Shellshock, Heartbleed and so forth and so on.

Edit: Just for the record, the possible entry points for attack keep increasing. See:

So, even more important to keep things updated. Because, even media players can become the victim of attack now. :wink:

I disagree, fwiw. I'd say that's true of linux, but not operating systems in general. Anything that requires elevated privileges can be done without them (assuming you're privileged to do it in the first place) but it generally costs a reboot. And linux was spawned by a tradition of mainframes, with many users, so the very idea of a reboot was trained-in anathema, nobody wanted the company's 40 or 600 users forming a mob outside his door to ask why the system was down. When you power-cycle your tablet or laptop you know why, you just wait for it to get done. Mostly the only time my tablet or cellphone get power-cycled is during a system upgrade, usually they're just put to sleep. Different ballgame from old-time multi-user systems, and allowing telnet is a major hole of-itself imo (but nobody asked that and i don't much care).

But if you look at the world around you, laptops and tablets and cellphones and refrigerators are only multi-user systems after the penetrators have penetrated, they're all single-user computing systems except maybe the refrigerator, but habituated thinking keeps us pandering to the idea that every system has to be multi-user. Duh, multi-user is what networks are for, so we're not so smart as we used to think we had to be, google is better at looking things up all the time, and taking google as an example you have a conceptual star network that looks just the same as a mainframe hookup with 500+ users.

Every OS ought to be multi-thread and multi-process, but that's just what you need to support one user, which happens to be how many we usually have at a time these days.

Anyway jmo fwiw, i don't think either one of us is getting paid to be right, and if we are we're getting paid too little. :slight_smile:

[quote=“crankypuss, post:9, topic:13397”]Anything that requires elevated privileges can be done without them[/quote]

Which would also allow possible malware to affect your system in undesirable ways without elevated privileges. No, TYVM. I’ll take my elevated privileges system, with disabled root account and take pleasure in the knowledge that the worst that could happen is me losing my home folder.

And, remember UAC? Microsoft actually made it a point to implement explicit elevated privileges access controls into Windows. So, even they agree it’s actually a better idea to have to ask for confirmation before just blatantly installing a driver or whatever.

Honestly, in this day and age with WannaCrypt, XData, Shellshock and a plethora of other exploits and vulnerabilities, it simply is better to assume the worst (the world being a very dangerous place) than it is to assume your PC is safe and does not require elevated privileges controls. Why do you think the Ubuntu crew disabled root in the first place (hence us requiring sudo to actually get anything done)?

The most important thing to realize is that security, after initial hardening, is a continuous process of auditing and adjusting. Good security requires a layered approach. Security is as good as you configure it to be. Security should permeate every aspect of what one does with or in computing environments.

Android is globally the most popular OS available by a substantial margin and Android is not a single user OS. Furthermore, Android when used correctly does not suffer anywhere near the number of infections/exploits the second most popular OS globally does, with that OS being Windows.

The reason for the lower number of exploits under operating systems such as Android is due solely to the fact that software is downloaded from a central, controlled software repository and not as some random .msi installer file from some random corner of the internet. There is no doubt that separating userland and system files ‘enhances security’ and Windows has UAC which is a watered down variant of sudo.

Effectively, there is no way you can argue that account elevation does not enhance security - Substantially.

Furthermore, avoiding important updates is not enhancing security, in fact such an approach achieves the polar opposite.