====== Secure Ubuntu System - Add Software ======
===== Install Useful Software =====
The following software packages are really useful and recommended to be installed.
Please note that additional software is installed as per the instructions below, but the actual configuration of each individual software package will be done later.
===== Get root privileges (optional) =====
Because we must run all the next steps from this document with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing:
sudo -i
...and entering the Administrator's password, adminpass.
**IMPORTANT**: If this is done, then remember to remove the **sudo** command from the front of any future issued command.
**DANGER**: Do **__NOT__** use the following command:
sudo su
and do **__NOT__** enable the root login by running:
sudo passwd root
and giving root a password.
With these options one can log in as the root user, but this is frowned upon by the Ubuntu developers and community for various reasons.
If for some reason the root account has been enabled then disable it again, issuing the following command:
sudo passwd -dl root
----
===== Install binutils (highly recommended) =====
The programs in this package are used to assemble, link and manipulate binary and object files.
They may be used in conjunction with a compiler and various libraries to build programs.
Issue the following command to install it:
sudo aptitude install binutils
----
===== Install most (highly recommended) =====
**most** is an improvement of the more and less commands, allowing data to be viewed in a scrollable window.
In addition to displaying ordinary text files, most can also display binary files as well as files with arbitrary ASCII characters.
Issue the following command to install it:
sudo aptitude install most
----
===== Install sysv-rc-conf (highly recommended) =====
Issue the following command:
sudo aptitude install sysv-rc-conf
**NOTE:** **sysv-rc-conf** provides a terminal GUI for managing /etc/rc{runlevel}.d/ symlinks.
The interface comes in two different flavours, one that simply allows turning services on or off and another that allows for more fine tuned management of symlinks.
Unlike most runlevel-config programs, you can edit startup scripts for any runlevel, not just your current one.
----
===== Install htop (highly recommended) =====
Issue the following command:
sudo aptitude install htop
**NOTE:** **htop** is an interactive process viewer, which allows killing and renicing of processes without entering their PIDs.
----
===== Install facter (highly recommended) =====
Issue the following command:
sudo aptitude install facter
**NOTE:** **facter** is a system information utility that makes it easy to determine information about the system hardware.
It is an alternative to the **lshw** command.
----
===== Install nmap (highly recommended) =====
Issue the following command:
sudo aptitude install nmap
**NOTE:** **nmap** is a network security monitor.
It is used to check the security of the system.
It can also be used to check for networking problems.
----
===== Install hping3 (highly recommended) =====
Issue the following command:
sudo aptitude install hping3
**NOTE:** **hping3** is a network tool able to send customized packets.
Using hping3 allows the following to be tested:
* Test firewall rules
* Advanced port scanning
* Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
* Path MTU discovery
* Remote OS fingerprinting
* TCP/IP stack auditing
* A lot more
----
===== Install 7-zip (highly recommended) =====
Issue the following command:
sudo aptitude install p7zip-full
**NOTE:** The **7z** (7-Zip) archive format offers good compression ratios and is an open source format.
p7zip is easy to use on the command line.
To compress a file named testfile to testfile.7z:
p7zip testfile
To decompress the archive:
p7zip -d testfile.7z
**References:**
* http://www.7-zip.org/
----
===== Install logrotate (highly recommended) =====
Logs on a heavily loaded server grow quickly and can overwhelm the file system. When analyzing logs, usually the period of time of interest is fairly recent. So, keeping logs a reasonable size is important.
Issue the following command:
sudo aptitude install logrotate
----
===== Install PHP (highly recommended) =====
PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
Issue the following command:
sudo aptitude install php5 php5-cli php5-cgi php5-common php5-curl php5-dbg php5-dev php5-fpm php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xcache php5-xmlrpc php5-xsl
----
===== Install MySQL (highly recommended) =====
MySQL is a powerful database management system used for organizing and retrieving data.
Issue the following command:
sudo aptitude install mysql-server mysql-client
During the installation, MySQL will ask you to set a root password. If you miss the chance to set the password while the program is installing, it is very easy to set the password later from within the MySQL shell. Make this a strong password.
Once you have installed MySQL, we should activate it with this command:
sudo mysql_install_db
Finish up by running the MySQL set up script:
sudo /usr/bin/mysql_secure_installation
The prompt will ask you for your current root password. Type it in.
Enter current password for root (enter for none):
OK, successfully used password, moving on..
Then the prompt will ask you if you want to change the root password. Go ahead and choose N and move on to the next steps.
It’s easiest just to say Yes to all the other options. At the end, MySQL will reload and implement the new changes.
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up…
Once you're done with that you can finish up by installing PHP.
----
==== Verify that MySQL is running ====
Issue the following command:
sudo netstat -tap | grep mysql
If MySql is running, a line of data will be returned by the above command. For example:
tcp 0 0 localhost:mysql *:* LISTEN 12542/mysqld
**NOTE:** MOST Apache users probably want the **libapache2-mod-php5** package.
The following extensions are built in:
* bcmath
* bz2
* calendar
* Core
* ctype
* date
* dba
* dom
* ereg
* exif
* fileinfo
* filter
* ftp
* gettext
* hash
* iconv
* libxml
* mbstring
* mhash
* openssl
* pcntl
* pcre
* Phar
* posix
* Reflection
* session
* shmop
* SimpleXML
* soap
* sockets
* SPL
* standard
* sysvmsg
* sysvsem
* sysvshm
* tokenizer
* wddx
* xml
* xmlreader
* xmlwriter
* zip
* zlib
sudo aptitude install apache2-utils libapache2-mod-php5
----
===== Install traceroute (recommended) =====
Issue the following command:
sudo aptitude install traceroute
**NOTE:** Install **traceroute** if you need a tool for diagnosing network connectivity problems.
The traceroute utility displays the route used by IP packets on their way to a specified network (or Internet) host.
Traceroute displays the IP number and host name (if possible) of the machines along the route taken by the packets.
Traceroute is used as a network debugging tool.
If you're having network connectivity problems, traceroute will show you where the trouble is coming from along the route.
----
===== Install lftp (recommended) =====
Issue the following command:
sudo aptitude install lftp
**NOTE:** **lftp** is a file retrieving tool that supports FTP, HTTP, FISH, SFTP, HTTPS and FTPS protocols under both IPv4 and IPv6.
lftp has an amazing set of features, while preserving its interface as simple and easy as possible.
* The main two advantages over other ftp clients are reliability and ability to perform tasks in background.
* It will reconnect and reget the file being transferred if the connection broke.
* You can start a transfer in background and continue browsing on the ftp site. It does this all in one process.
* When you have started background jobs and feel you are done, you can just exit lftp and it automatically moves to nohup mode and completes the transfers.
* It has also such nice features as reput and mirror.
* It can also download a file as soon as possible by using several connections at the same time.
* lftp can also be scriptable, it can be used to mirror sites, it lets you copy files among remote servers (even between FTP and HTTP).
* It has an extensive online help.
* It supports bookmarks, and connecting to several ftp/http sites at the same time.
----
===== Install fsarchiver (recommended) =====
Issue the following command:
sudo aptitude install fsarchiver
**NOTE:** **fsarchiver** is a system tool that allows you to save the contents of a file-system to a compressed archive file.
The file-system can be restored on a partition which has a different size and it can be restored on a different file-system.
Unlike tar/dar, FSArchiver also creates the file-system when it extracts the data to partitions.
Everything is checksummed in the archive in order to protect the data.
If the archive is corrupt, you just loose the current file, not the whole archive.
----
do a [Ctrl]+[Alt]+[F1] and log in to a TTY session.
This takes you down below the GUI interface instead of using a GUI based TTY emulator like Konsole, X-Term, or GNOME Terminal.
To get back to the default GUI session, do [Ctrl]+[Alt]+[F7].
By default, there are 6 non-graphical systems (1-6) and 6 that display graphics (7-12). This can of course be changed but that's usually enough. Linux is a multi-session platform meaning multiple people can be logged into one machine at once performing a variety of tasks individually.
https://unix.stackexchange.com/questions/4126/what-is-the-exact-difference-between-a-terminal-a-shell-a-tty-and-a-con
https://docs.freebsd.org/44doc/usd/12.vi/paper.html