Best Practices for Security on Your New Ubuntu Server: AppArmor, Certs, eCryptfs, and Encrypted LVM

  1. Best Practices for Security on Your New Ubuntu Server: Users, Console and Firewall
  2. Best Practices for Security on Your New Ubuntu Server: AppArmor, Certs, eCryptfs, and Encrypted LVM
  3. How Do I Secure My Linux Server?
Reading Time: 5 minutes

When security is paramount to your business a few security implementations can go a long way.  In the first article of our Ubuntu security series you’ll find effective tactics that can be easily enforced.

We continue with our second article in our Ubuntu Security series, where we will be suggesting further options to consider.

What is AppArmor?

AppArmor is a Linux kernel security module which allows an administrator to implement program based restrictions (as opposed to user based restrictions) to limit resources and control access. It is installed and loaded by default and uses a profile of a program to determine what access and/or permissions it requires. To install the apparmor-profiles package from a terminal prompt:

apt install apparmor-profilesAppArmor profiles have two modes: enforcement and complain.

  • Enforcement mode: This profile enforces the policy defined in the profile and will report any policy violation attempts (either in the syslog or in auditd).
  • Complain mode: Profiles in this mode will not enforce policy, but instead simply report policy violation attempts. This model is mainly used for testing and development.

 

What are SSL Certificates?

When a web browser connects to a website, the HTTP protocol is used to communicate with the web server where the site is hosted at. Typically, this transmission of data is unguarded. This means that the data can be viewed by any interested third party. As you can imagine, if you’re sending any important personal or credit care information, having it out in the open is not ideal or secure at all. Because of this, SSL/TLS certificates are used on the server to ensure the communication between the browser and the server are secure.

According to Wikipedia:

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communications security over a computer networ.

To clarify, SSL’s provide a method to protect communications between a user and a server. This allows for private info to pass between the client and the website. Newer TLS encryptions version cover:

  • TLS v1.0
  • TLS v1.1
  • TLS v1.2
  • TLS v1.3

What is TLS?

TLS or Transport Layer Security is the newest offering that is paired with OpenSSL which provides improved security and stability for the current protocols. TLS is usually implemented on or alongside SSL via Nginx, Apache, Exim or other services on the server.

Ubuntu proves an easy way to implement this type of SSL/TLS security measures. If more info is needed, O’Reilly’s Network Security with OpenSSL is a very good in-depth reference.

 

What is eCryptfs?

eCryptfs is software which encrypts a file, folder or partition to secure its contents. It sounds a lot more complicated than it is, although the functionality can get deep, the usual focus is on creating a space which is protected and cannot be read unless specifically allowed by an admin.

The basic steps to use eCryptfs are:

  1. Mount an encrypted directory
  2. Add info to that directory
  3. Unmount the directory
  4. Profit! Data is secure…!

eCryptfs can be found in the standard Ubuntu repositories and can be installed with apt-get:

apt-get -y install ecryptfs-utilsNext, we will create a directory called brobdingnagian (…as in gigantic. Pulled from the name of a country in Jonathan Swift’s Gulliver’s Travels called Brobdingnag)

root@server:/home/david# mkdir /home/brobdingnagian

Afterward, let’s encrypt the directory /home/brobdingnagian/ by mounting it with the file system type eCryptfs:

mount -t ecryptfs /home/brobdingnagian /home/brobdingnagian

Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 <<<<<
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 3
Select key bytes:
1) 24
Selection [24]: 1
Enable plaintext passthrough (y/n) [n]: <-- Press ENTER
Enable filename encryption (y/n) [n]: <-- Press ENTER
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=24
ecryptfs_cipher=des3_ede
ecryptfs_sig=daab07b0664284a2
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [daab07b0664284a2] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

Verify the secure folder is mounted.

mount |grep brobdingnagian
/home/brobdingnagian on /home/brobdingnagian type ecryptfs (rw,relatime,ecryptfs_sig=daab07b0664284a2,ecryptfs_cipher=des3_ede,ecryptfs_key_bytes=24,ecryptfs_unlink_sigs)
Add a file to the folder:

cp /home/david/Desktop/rsync.content.txt /home/brobdingnagian/rsync.content.txtIs the file actually in there? Yes!

ls /home/brobdingnagian/rsync.content.txt
/home/brobdingnagian/rsync.content.txt

Did it retain the content of the file?
cat /home/brobdingnagian/rsync.content.txt
Lorem ipsum dolor sit amet, nostro everti pri ad, eam saepe nemore in, id maiorum interesset vim. Ex voluptatum necessitatibus sit, augue aeterno vituperatoribus no mel. Ut possim percipitur definitionem qui, graeco corpora efficiantur id sit. Ex has nisl virtute eloquentiam. Pri cu veritus recusabo indoctum. Ut invenire referrentur pri, voluptaria sententiae vix at. In mel oblique imperdiet definiebas, salutandi constituam sadipscing at pri, ut eleifend cotidieque eam.
Yes!

Now, let’s unmount the folder…

umount /home/brobdingnagian/
umount: /home/brobdingnagian/: not mounted.
Again, let’s check to see if we can read the file

cat /home/brobdingnagian/rsync.content.txt
'1'C5'N''%"3DUfw`A_''&'?`'='''/'g'!>'_CONSOLEګ'fB'''''v'X''\''1''>AL]C'3L'''G''9x''~''3''''''e?'~'''H'''''~''')'x'Oj'\'_<''''''l╹'`c'q''''Z'''8+!o''vb'''&'mw','''<^<'GF&''''''I?'''!'>{%;'T'--'''''''i'Z''"J_B['''Xa''9'"'''''ă'm,l4=';}'''iUsG'&R;'*'4Fi''>'7"1j4'X''~'''a''_ۘ8,'o&A'_F'''_Cư<#v''s'b'}''5''1''d'c7'''ayZ6

(…and so on for another hundred lines)

So, the file is encrypted and unreadable in the folders unmounted state. The only way to review the encrypted file again is to remount the folder. This is accomplished in the same way as above. You will have to re-enter the passphrase you created to encrypt the folder in the first place, or the re-mount will fail with the error:
Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with umount” Once you re-mount the drive, your data will be available again.

Since we’re talking about encryption, let’s discuss LVM for a minute.

 

What is LVM?

LVM stands for Logical Volume Management. The Ubuntu documentation describes LVM as

a system of managing logical volumes, or filesystems, that is much more advanced and flexible than the traditional method of partitioning a disk into one or more segments and formatting that partition with a filesystem.

All of the versions of Ubuntu from 12.10 forward include the ability to install Ubuntu onto an encrypted LVM, which allows all partitions in the logical volume, including swap, to be encrypted.

Some of the perks of LVM are:

  • You can create as many LVM’s as you want
  • Operations on the partition can be done live and
  • You can move, expand and shrink partitions as needed
  • You also have the ability to freeze an existing Logical Volume in time, at any moment, even while the system is running. You can then continue to work from the original volume as you would normally, but the snapshot will remain as a static image of the original, frozen in time at the moment it was created. (How cool is that?!)

See the Ubuntu wiki for more info on how to leverage these features.

This concludes our second article in our Ubuntu security series, on our next and last article we will be introducing other security options related to SSH keys, SELinux, 2-Factor Auth and IPv6.  If configuring these options is outside your wheelhouse, consider adding our Server Protection Package to your Linux environment. It comes at an affordable price with routine vulnerability scans, hardened server configurations, anti-virus and malware remediation. Keep yourself ahead of the game so you can get back to focusing on growing your business.

Series Navigation<< Best Practices for Security on Your New Ubuntu Server: Users, Console and FirewallHow Do I Secure My Linux Server? >>

Author Bio

About the Author: David Singer

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

Here's 75 % off, Launch a New VPS Today. Find out why 30,000 customers have chosen our Best-in-Class Performance & 24x7 Heroic Support