Security Issues

Hello everyone, I had a call recently from a call center and they said my security is under threat. Of course I ignored them, and then my system started playing up. My browser started tripping, the mouse was not working properly, etc. I turned on my firewall and it started to work better, but I was wondering if anyone can help me boost my security on Ubuntu MATE.

1 Like

You've provided little for us to help with.

You mention Ubuntu MATE; I'd firstly check you're using a supported release of Ubuntu [MATE], that you've applied all updates, and that you haven't disabled security or other sources, which can cause further updates to not be detected.

I'd check your mirror: is it an official mirror, and is it up to date? The list can be read at Mirrors : Ubuntu, where you'll find many per country (Australia for me), or you can just use the main Ubuntu archive (best for security updates).

If your release is beyond standard support, i.e. extended, ensure you read and applied the required Security Changes appropriate for your release that were published in the last 6-8 weeks before extended support was required, as some updates for ESM are provided by snap packages only; but that was documented (and why you needed to make the documented changes).

To start with I usually run sudo apt update and read the messages, looking for any missing lines, no warnings, etc. I take note of where the packages are coming from, often ping that address and confirm the actual address that DNS converts the human name to is correct; i.e. ensure archive.ubuntu.com actually gets translated to an internet address that is owned by Canonical, i.e. legitimate, and that I don't have corrupted DNS. I do usually also check my sources directly, to ensure they're correct, as they do differ by release and by how you actually release-upgraded your system; but you gave no specifics as to what you're using here (i.e. the release matters more than the Ubuntu MATE detail).

This is generic detail though, and only a start.

2 Likes
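As an added example (not code from the thread or from Ubuntu), a small Python checker for the source checks described in the reply above. It parses one-line apt entries, flags hosts outside an assumed allow-list of Canonical hosts, flags the `trusted=yes` option (which turns off signature verification for that source), and has a resolver helper so the addresses can be compared with `whois` output. The allow-list, the sample sources.list and the function names are assumptions; the newer deb822 `.sources` format is not handled.

```python
"""Audit one-line apt source entries (/etc/apt/sources.list and
sources.list.d/*.list). Added example for this thread, not project code;
OFFICIAL_HOSTS and SAMPLE are assumptions made for the demonstration."""
import re
import socket
from urllib.parse import urlparse

# Hosts Canonical serves directly (assumption). Country mirrors such as
# au.archive.ubuntu.com are matched by the suffix test below instead.
OFFICIAL_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com",
                  "ports.ubuntu.com", "esm.ubuntu.com"}

# deb [opt=val ...] URI suite [component ...]   (comments already removed)
ENTRY_RE = re.compile(
    r"^(?P<kind>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$")


def parse_sources(text):
    """Yield one dict per active entry; unparseable lines yield an 'error' key."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            yield {"line": lineno, "error": f"unparseable entry: {line}"}
            continue
        opts = {}
        for item in (m["opts"] or "").split():
            key, _, val = item.partition("=")
            opts[key] = val
        yield {"line": lineno, "kind": m["kind"], "uri": m["uri"],
               "suite": m["suite"], "components": m["comps"].split(),
               "options": opts}


def audit(text):
    """Return (line, severity, message) findings for the given sources text."""
    findings = []
    for e in parse_sources(text):
        if "error" in e:
            findings.append((e["line"], "warn", e["error"]))
            continue
        u = urlparse(e["uri"])
        host = (u.hostname or "").lower()
        if e["options"].get("trusted") == "yes":
            findings.append((e["line"], "high",
                             f"trusted=yes disables signature checks for {e['uri']}"))
        if u.scheme not in ("http", "https"):
            findings.append((e["line"], "info",
                             f"non-network scheme {u.scheme!r}: {e['uri']}"))
            continue
        official = host in OFFICIAL_HOSTS or host.endswith(".archive.ubuntu.com")
        if not official:
            findings.append((e["line"], "warn", f"third-party host {host}"))
        if e["suite"].endswith("-security") and host not in OFFICIAL_HOSTS:
            findings.append((e["line"], "warn",
                             f"{e['suite']} served by mirror {host}, not security.ubuntu.com"))
    return findings


def resolve(host):
    """Addresses the local resolver returns for host, or an error string.
    Compare the result with `whois`; this call needs network access."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80)})
    except socket.gaierror as exc:
        return f"resolution failed: {exc}"


SAMPLE = """\
# constructed sample sources.list, not the poster's
deb http://au.archive.ubuntu.com/ubuntu jammy main restricted universe
deb http://security.ubuntu.com/ubuntu jammy-security main restricted
deb [arch=amd64 trusted=yes] http://deb.example.net/ubuntu jammy main
deb http://mirror.example.org/ubuntu jammy-security main
deb file:/srv/local-repo jammy main
"""

if __name__ == "__main__":
    for line, sev, msg in audit(SAMPLE):
        print(f"line {line}: [{sev}] {msg}")
    print("archive.ubuntu.com ->", resolve("archive.ubuntu.com"))
```

Run it against the real files with `audit(open("/etc/apt/sources.list").read())`; the country mirror on line 2 of the sample passes, the `trusted=yes` entry is the only high-severity finding, and the -security pocket pulled from a non-Canonical mirror is reported so you can point it at security.ubuntu.com as the reply recommends.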

If your device is that compromised already, then I would not use it (online) unless absolutely necessary.

I would probably take it offline, make a backup of simple files that aren't likely to be compromised (e.g. photos, documents), and do a complete factory reset. I'd use secure boot, an encrypted filesystem, a fresh install of Ubuntu MATE, configure a firewall (e.g. ufw), unattended upgrades, and ClamAV just in case.

From there, I'd probably add a VM, block the backup from mounting to the host filesystem (assuming it's on a USB), and pass it through to the VM to mount there, then check the integrity of the backed-up files that I wanted to keep from the system (using anti-virus or other means).

I'd probably also reset passwords and add MFA to any accounts that I might have regularly used on the device, especially if they relate to government or financial services.

2 Likes

I have found a video on YouTube on how to boost security. I checked the logins on the computer and no one except me logged in remotely. Yes, I was considering and opting for reinstalling everything, but I have so much stuff on my PC that I didn't want to do it. However, it seems to be working OK now; all those problems have gone away since I turned on the firewall. No one logged in on my computer remotely, so that is a good sign. I think it was some sort of issue with the browser, but I don't know exactly.

1 Like

Hi, @Cossack and welcome to the Ubuntu MATE Community!

Yes, I found this video on YouTube about security and I can tell you one thing: my system was not secured, none of that stuff was installed. But now I have installed it, it is much better. https://www.youtube.com/watch?v=QxNsyrftJ8I

2 Likes

Now that I have installed the firewall it is showing this, so I'm a little bit more secure than I was without it.

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp                     LIMIT       Anywhere
443/tcp                    ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
2222/tcp (v6)              ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
22/tcp (v6)                LIMIT       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

1 Like

Does anyone know what all these open ports mean?

sudo ss -tupln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 224.0.0.251:5353 0.0.0.0:* users:(("steamwebhelper",pid=31982,fd=216))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=1011,fd=12))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=936,fd=13))
udp UNCONN 0 0 0.0.0.0:50700 0.0.0.0:* users:(("avahi-daemon",pid=1011,fd=14))
udp UNCONN 0 0 0.0.0.0:27036 0.0.0.0:* users:(("steam",pid=2903,fd=123))
udp UNCONN 0 0 [::]:45343 [::]:* users:(("avahi-daemon",pid=1011,fd=15))
udp UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=1011,fd=13))
udp UNCONN 0 0 [fe80::c3f4:1f75:cb31:f16a]%wlp3s0:546 [::]:* users:(("NetworkManager",pid=1014,fd=27))
tcp LISTEN 0 128 127.0.0.1:45963 0.0.0.0:* users:(("steam",pid=2903,fd=48))
tcp LISTEN 0 128 127.0.0.1:45945 0.0.0.0:* users:(("steam",pid=2903,fd=77))
tcp LISTEN 0 128 0.0.0.0:4735 0.0.0.0:* users:(("sshd",pid=1239,fd=3))
tcp LISTEN 0 128 127.0.0.1:57343 0.0.0.0:* users:(("steam",pid=2903,fd=41))
tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=1255,fd=6))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=1213,fd=7))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=936,fd=14))
tcp LISTEN 0 128 0.0.0.0:27036 0.0.0.0:* users:(("steam",pid=2903,fd=124))
tcp LISTEN 0 128 127.0.0.1:27060 0.0.0.0:* users:(("steam",pid=2903,fd=75))
tcp LISTEN 0 128 [::]:4735 [::]:* users:(("sshd",pid=1239,fd=4))
tcp LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=1213,fd=6))

Most of these are only listening on local addresses (e.g. 0.0.0.0 or 127.0.0.1), i.e. your machine. Some programs will communicate via TCP/IP (or UDP), and that's what these typically cover.

The interesting ones are the ones with an IP address like [::]; they are listening on all IPv6 addresses, e.g.:

If ufw is configured to deny incoming connections, then I think these listeners will hear nothing anyway.

1 Like
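An added example (not code from the thread) that classifies the `ss -tupln` listing above by the scope of each bind address, using the poster's own output as sample input. The distinction it draws: 127.0.0.1, 127.0.0.53 and ::1 are loopback addresses reachable only from the machine itself; 0.0.0.0 and [::] are the wildcard addresses, meaning the socket is bound on every interface in that address family and reachable from the network unless a host firewall drops the traffic; 224.0.0.251 is a multicast group and fe80::/10 is link-local (same network segment only). Function names are my own.

```python
"""Classify `ss -tupln` listeners by the scope of their bind address.
Added example for this thread (not the poster's code); SS_OUTPUT is the
listing the poster pasted, re-used here as sample input."""
import ipaddress
import re

PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def split_addr(local):
    """'[::]:4735' -> ('::', 4735); '127.0.0.53%lo:53' -> ('127.0.0.53', 53).
    The %iface suffix is the scope id ss prints for some binds."""
    host, _, port = local.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")
    return host, int(port)


def scope(host):
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "wildcard"      # 0.0.0.0 / :: : bound on every interface
    if ip.is_loopback:
        return "loopback"      # 127.0.0.0/8, ::1: only this machine
    if ip.is_multicast:
        return "multicast"     # e.g. 224.0.0.251 (mDNS group)
    if ip.is_link_local:
        return "link-local"    # fe80::/10: same L2 segment only
    return "unicast"           # one specific interface address


def parse_ss(text):
    """One dict per socket line; header and blank lines are skipped.
    Without sudo the Process column is absent, so program falls back to '?'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue
        netid, state, _recvq, _sendq, local, _peer = parts[:6]
        host, port = split_addr(local)
        m = PROC_RE.search(" ".join(parts[6:]))
        rows.append({"proto": netid, "state": state, "host": host, "port": port,
                     "scope": scope(host),
                     "program": m["name"] if m else "?",
                     "pid": int(m["pid"]) if m else None})
    return rows


def network_reachable(rows):
    """Sockets other hosts can reach unless a firewall drops the traffic:
    wildcard binds, plus binds on a specific interface address."""
    return [r for r in rows if r["scope"] in ("wildcard", "unicast")]


def scope_counts(rows):
    counts = {}
    for r in rows:
        counts[r["scope"]] = counts.get(r["scope"], 0) + 1
    return counts


# The poster's `sudo ss -tupln` output, verbatim.
SS_OUTPUT = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 224.0.0.251:5353 0.0.0.0:* users:(("steamwebhelper",pid=31982,fd=216))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=1011,fd=12))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=936,fd=13))
udp UNCONN 0 0 0.0.0.0:50700 0.0.0.0:* users:(("avahi-daemon",pid=1011,fd=14))
udp UNCONN 0 0 0.0.0.0:27036 0.0.0.0:* users:(("steam",pid=2903,fd=123))
udp UNCONN 0 0 [::]:45343 [::]:* users:(("avahi-daemon",pid=1011,fd=15))
udp UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=1011,fd=13))
udp UNCONN 0 0 [fe80::c3f4:1f75:cb31:f16a]%wlp3s0:546 [::]:* users:(("NetworkManager",pid=1014,fd=27))
tcp LISTEN 0 128 127.0.0.1:45963 0.0.0.0:* users:(("steam",pid=2903,fd=48))
tcp LISTEN 0 128 127.0.0.1:45945 0.0.0.0:* users:(("steam",pid=2903,fd=77))
tcp LISTEN 0 128 0.0.0.0:4735 0.0.0.0:* users:(("sshd",pid=1239,fd=3))
tcp LISTEN 0 128 127.0.0.1:57343 0.0.0.0:* users:(("steam",pid=2903,fd=41))
tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=1255,fd=6))
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=1213,fd=7))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=936,fd=14))
tcp LISTEN 0 128 0.0.0.0:27036 0.0.0.0:* users:(("steam",pid=2903,fd=124))
tcp LISTEN 0 128 127.0.0.1:27060 0.0.0.0:* users:(("steam",pid=2903,fd=75))
tcp LISTEN 0 128 [::]:4735 [::]:* users:(("sshd",pid=1239,fd=4))
tcp LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=1213,fd=6))
"""

if __name__ == "__main__":
    rows = parse_ss(SS_OUTPUT)
    for r in rows:
        print(f"{r['proto']:<4}{r['scope']:<11}{r['host']:<28}{r['port']:<6}{r['program']}")
    print("reachable from the network:",
          sorted({(r["program"], r["proto"], r["port"]) for r in network_reachable(rows)}))
```

On the posted output this reports eight wildcard sockets: sshd on 4735/tcp (both families), steam on 27036 tcp and udp, and avahi-daemon on 5353/udp plus two dynamic UDP ports. avahi-daemon is the mDNS/DNS-SD (Zeroconf) responder that answers `.local` name lookups and advertises printers and shares; it is installed by default and is the normal owner of 5353/udp. tor, cupsd and systemd-resolved are loopback-only and not reachable from other hosts. Note that the sshd port here is 4735, not 22 or 2222: none of the ufw rules earlier in the thread cover it, so with ufw's default deny-incoming policy sshd is not reachable from outside, while the 22 and 2222 allow rules match nothing that is listening in this output.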

Cheers, thanks! Oh, some of them are applications I have opened, like Steam. But I'm not sure what avahi-daemon is; what is that application?

Yes, none of these processes look too suspicious; I checked them all.

Does this look OK for the firewall setup? I have limited port 22, but it still shows 22 (v6) ALLOW; not sure what that means, though.

There is IPv4 and IPv6. Probably you use IPv4.

Port 22 (ssh) is closed for IPv4 but open for IPv6.

You could disable IPv6 altogether since you don't use it.

sudo vi /etc/sysctl.conf and add this line at the bottom:
net.ipv6.conf.all.disable_ipv6 = 1
Save and exit.

Apply: sudo sysctl -p

Verify: cat /proc/sys/net/ipv6/conf/all/disable_ipv6 should print 1.

1 Like

OK, thanks, I will disable them. But if they're not disabled, then nothing can go through anyway, isn't it?

1 Like

Correct; since you don't use IPv6, nothing will pass.

1 Like
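An added example (not ufw's code and not from the thread) that models how ufw applies the status table posted earlier, to answer the "22 (v6) ALLOW" question and the IPv6 exchange above. ufw keeps user rules in the order `ufw status numbered` lists them, and within each address family the first rule matching a packet decides; the "(v6)" suffix marks the IPv6 copy of a rule, and a bare port with no /tcp or /udp matches both protocols. The table is the poster's, SSHD_PORT is the port sshd was listening on in the poster's `ss` output, and the function names are mine.

```python
"""Interpret a `ufw status` table the way ufw applies it: per address
family, in listing order, first match wins. Added example for this
thread, not ufw's own code. UFW_STATUS is the table the poster pasted;
SSHD_PORT is the port sshd was listening on in the poster's ss output."""
import re

SSHD_PORT = 4735

# "22/tcp (v6)   LIMIT   Anywhere (v6)"  ->  port, proto, v6 flag, action, source
RULE_RE = re.compile(
    r"^(?P<port>\d+)(?:/(?P<proto>tcp|udp))?(?P<v6>\s+\(v6\))?\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+"
    r"(?P<src>.+?)(?:\s+\(v6\))?$")


def parse_ufw(text):
    """One dict per numbered rule; status/header/separator lines are skipped.
    Only port rules are modelled (no application profiles or subnet rules)."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            rules.append({"port": int(m["port"]),
                          "proto": m["proto"],       # None means tcp and udp
                          "family": "v6" if m["v6"] else "v4",
                          "action": m["action"],
                          "src": m["src"]})
    return rules


def decide(rules, port, proto, family):
    """(rule number, action) of the first rule matching the packet, or
    (None, 'DEFAULT') when it falls through to the default incoming policy."""
    for n, r in enumerate(rules, 1):
        if (r["family"] == family and r["port"] == port
                and r["proto"] in (None, proto)):
            return n, r["action"]
    return None, "DEFAULT"


def shadowed(rules):
    """Rule numbers that can never fire because an earlier rule already
    matches everything they would (e.g. LIMIT 22/tcp after ALLOW 22)."""
    dead = []
    for i, r in enumerate(rules):
        protos = [r["proto"]] if r["proto"] else ["tcp", "udp"]
        if all(decide(rules[:i], r["port"], p, r["family"])[1] != "DEFAULT"
               for p in protos):
            dead.append(i + 1)
    return dead


def allowed_ports(rules, family, proto="tcp"):
    """Ports whose first matching rule lets new connections in."""
    return {r["port"] for r in rules
            if decide(rules, r["port"], proto, family)[1] in ("ALLOW", "LIMIT")}


def delete_commands(rule_numbers):
    """ufw renumbers after every delete, so remove the highest number first."""
    return [f"sudo ufw delete {n}" for n in sorted(rule_numbers, reverse=True)]


UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp                     LIMIT       Anywhere
443/tcp                    ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
2222/tcp (v6)              ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
22/tcp (v6)                LIMIT       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
"""

if __name__ == "__main__":
    rules = parse_ufw(UFW_STATUS)
    for fam in ("v4", "v6"):
        print(fam, "22/tcp ->", decide(rules, 22, "tcp", fam),
              "| allowed:", sorted(allowed_ports(rules, fam)))
    dead = shadowed(rules)
    print("dead rules:", dead, delete_commands(dead))
    print(f"sshd on {SSHD_PORT}/tcp ->", decide(rules, SSHD_PORT, "tcp", "v4"))
```

What it shows for this table: a new connection to 22/tcp hits rule 1 ("22 ALLOW Anywhere") on IPv4 and rule 6 on IPv6, so 22 is open without rate limiting in both families, and the two LIMIT rules (4 and 9) are dead because the broader ALLOW above them matches first. To get the intended rate limit, delete the broad rules or put the LIMIT first (`sudo ufw insert 1 limit 22/tcp`). Port 4735, where sshd actually listens, matches no rule and falls through to the default incoming policy (deny, once ufw is enabled). The same first-match reasoning applies to the outgoing direction: `sudo ufw default deny outgoing` followed by explicit `ufw allow out` rules for the ports you use; replies to connections you initiated are already accepted by ufw's built-in RELATED,ESTABLISHED rules.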

That list of rules tells me that there are, essentially, no restrictions.

If your system is not default DENY for in or out, then, in my view, there are big holes for Malware to act unimpeded.

Allowing outgoing anywhere will permit any malware already resident "inside" to forward the harvested "goods" to a pre-established destination.

Outgoing should be

  • either initiated only by you (an ALLOW rule), or

  • related to your already established connections (another ALLOW rule, which may already exist, but you need to verify that it does exist).


You might also wish to review a few discussions on the topic of security. Allow me to offer the following:


You might also want to look at some system configuration files, like

  • /etc/security/access.conf.Oasis
  • /etc/ssh/ssh_config.Oasis
  • /etc/ssh/ssh_config.d/ssh_client.conf.Oasis
  • /etc/ssh/sshd_config.d/sshd_server.conf.Oasis
  • /etc/pam.d/login.Oasis
2 Likes