This is an old revision of the document!
Table of Contents
Secure Ubuntu System - Add Software
Install Useful Software
The following software packages are really useful and recommended to be installed.
Please note that additional software is installed as per the instructions below, but the actual configuration of each individual software package will be done later.
Get root privileges (optional)
Because we must run all the next steps from this document with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing:
sudo -i
…and entering the Administrator's password, adminpass.
IMPORTANT: If this is done, then remember to remove the sudo command from the front of any future issued command.
DANGER: Do NOT use the following command:
sudo su
and do NOT enable the root login by running:
sudo passwd root
and giving root a password.
With these options one can log in as the root user, but this is frowned upon by the Ubuntu developers and community for various reasons.
If for some reason the root account has been enabled then disable it again, issuing the following command:
sudo passwd -dl root
Install binutils (highly recommended)
The programs in this package are used to assemble, link and manipulate binary and object files. They may be used in conjunction with a compiler and various libraries to build programs.
Issue the following command to install it:
sudo aptitude install binutils
Install most (highly recommended)
most is an improvement of the more and less commands, allowing data to be viewed in a scrollable window.
In addition to displaying ordinary text files, most can also display binary files as well as files with arbitrary ASCII characters.
Issue the following command to install it:
sudo aptitude install most
Install sysv-rc-conf (highly recommended)
Issue the following command:
sudo aptitude install sysv-rc-conf
sysv-rc-conf provides a terminal GUI for managing /etc/rc{runlevel}.d/ symlinks.
The interface comes in two different flavours, one that simply allows turning services on or off and another that allows for more fine tuned management of symlinks.
Unlike most runlevel-config programs, you can edit startup scripts for any runlevel, not just your current one.
Install htop (highly recommended)
Issue the following command:
sudo aptitude install htop
htop is an interactive process viewer, which allows killing and renicing of processes without entering their PIDs.
Install facter (highly recommended)
Issue the following command:
sudo aptitude install facter
facter is a system information utility that makes it easy to determine information about the system hardware.
It is an alternative to the lshw command.
Install nmap (highly recommended)
Issue the following command:
sudo aptitude install nmap
nmap is a network security monitor.
It is used to check the security of the system.
It can also be used to check for networking problems.
Install hping3 (highly recommended)
Issue the following command:
sudo aptitude install hping3
hping3 is a network tool able to send customized packets.
Using hping3 allows the following to be tested:
- Test firewall rules
- Advanced port scanning
- Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
- Path MTU discovery
- Remote OS fingerprinting
- TCP/IP stack auditing
- A lot more
Install 7-zip (highly recommended)
Issue the following command:
sudo aptitude install p7zip-full
The 7z (7-Zip) archive format offers good compression ratios and is an open source format.
p7zip is easy to use on the command line.
To compress a file named testfile to testfile.7z:
p7zip testfile
To decompress the archive:
p7zip -d testfile.7z
References
Install logrotate (highly recommended)
Logs on a heavily loaded server grow quickly and can overwhelm the file system. When analyzing logs, usually the period of time of interest is fairly recent. So, keeping logs a reasonable size is important.
Issue the following command:
sudo aptitude install logrotate
Install PHP (highly recommended)
PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
Issue the following command:
sudo aptitude install php5 php5-cli php5-cgi php5-common php5-curl php5-dbg php5-dev php5-fpm php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xcache php5-xmlrpc php5-xsl
Install MySQL (highly recommended)
MySQL is a powerful database management system used for organizing and retrieving data.
Issue the following command:
sudo aptitude install mysql-server mysql-client
During the installation, MySQL will ask you to set a root password. If you miss the chance to set the password while the program is installing, it is very easy to set the password later from within the MySQL shell. Make this a strong password.
Once you have installed MySQL, we should activate it with this command:
sudo mysql_install_db
Finish up by running the MySQL set up script:
sudo /usr/bin/mysql_secure_installation
The prompt will ask you for your current root password. Type it in.
Enter current password for root (enter for none):
OK, successfully used password, moving on..
Then the prompt will ask you if you want to change the root password. Go ahead and choose N and move on to the next steps.
It’s easiest just to say Yes to all the other options. At the end, MySQL will reload and implement the new changes.
By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] y ... Success! By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y ... Success! Cleaning up…
Once you're done with that you can finish up by installing PHP.
Verify that MySQL is running
Issue the following command:
sudo netstat -tap | grep mysql
If MySql is running, a line of data will be returned by the above command. For example:
tcp 0 0 localhost:mysql *:* LISTEN 12542/mysqld
Note that MOST Apache users probably want the libapache2-mod-php5 package.
The following extensions are built in: bcmath bz2 calendar Core ctype date dba dom ereg exif fileinfo filter ftp gettext hash iconv libxml mbstring mhash openssl pcntl pcre Phar posix Reflection session shmop SimpleXML soap sockets SPL standard sysvmsg sysvsem sysvshm tokenizer wddx xml xmlreader xmlwriter zip zlib.
sudo aptitude install apache2-utils libapache2-mod-php5
Install traceroute (recommended)
Issue the following command:
sudo aptitude install traceroute
Install traceroute if you need a tool for diagnosing network connectivity problems.
The traceroute utility displays the route used by IP packets on their way to a specified network (or Internet) host. Traceroute displays the IP number and host name (if possible) of the machines along the route taken by the packets. Traceroute is used as a network debugging tool. If you're having network connectivity problems, traceroute will show you where the trouble is coming from along the route.
Install lftp (recommended)
Issue the following command:
sudo aptitude install lftp
lftp is a file retrieving tool that supports FTP, HTTP, FISH, SFTP, HTTPS and FTPS protocols under both IPv4 and IPv6. lftp has an amazing set of features, while preserving its interface as simple and easy as possible.
The main two advantages over other ftp clients are reliability and ability to perform tasks in background. It will reconnect and reget the file being transferred if the connection broke. You can start a transfer in background and continue browsing on the ftp site. It does this all in one process.
When you have started background jobs and feel you are done, you can just exit lftp and it automatically moves to nohup mode and completes the transfers. It has also such nice features as reput and mirror. It can also download a file as soon as possible by using several connections at the same time.
lftp can also be scriptable, it can be used to mirror sites, it lets you copy files among remote servers (even between FTP and HTTP). It has an extensive online help. It supports bookmarks, and connecting to several ftp/http sites at the same time.
Install fsarchiver (recommended)
Issue the following command:
sudo aptitude install fsarchiver
fsarchiver is a system tool that allows you to save the contents of a file-system to a compressed archive file. The file-system can be restored on a partition which has a different size and it can be restored on a different file-system. Unlike tar/dar, FSArchiver also creates the file-system when it extracts the data to partitions. Everything is checksummed in the archive in order to protect the data. If the archive is corrupt, you just loose the current file, not the whole archive.
do a [Ctrl]+[Alt]+[F1] and log in to a TTY session.
This takes you down below the GUI interface instead of using a GUI based TTY emulator like Konsole, X-Term, or GNOME Terminal.
To get back to the default GUI session, do [Ctrl]+[Alt]+[F7].
By default, there are 6 non-graphical systems (1-6) and 6 that display graphics (7-12). This can of course be changed but that's usually enough. Linux is a multi-session platform meaning multiple people can be logged into one machine at once performing a variety of tasks individually.