Best Practices for Security on Your New Ubuntu Server

Posted on by David Singer | Updated:
Category: Series
Reading Time: 5 minutes

When security is paramount to your business, a few security implementations can go a long way.  In the first article of our Ubuntu security series you'll find effective tactics that can be easily enforced.

We continue with our second article in our Ubuntu Security series, where we will be suggesting further options to consider.

What is AppArmor?

AppArmor is a Linux kernel security module that allows an administrator to implement program-based restrictions (as opposed to user-based restrictions) to limit resources and control access. It is installed and loaded by default and uses a profile of a program to determine what access and/or permissions it requires. To install the apparmor-profiles package from a terminal prompt:

apt install apparmor-profiles

AppArmor profiles have two modes: enforcement and complain.

  • Enforcementmode: This profile enforces the policy defined in the profile and will report any policy violation attempts (either in the syslog or in auditd).
  • Complainmode: Profiles in this mode will not enforce policy, but instead simply report policy violation attempts. This model is mainly used for testing and development.

What are SSL Certificates?

When a web browser connects to a website, the HTTP protocol is used to communicate with the web server where the site is hosted at. Typically, this transmission of data is unguarded. This means that the data can be viewed by any interested third party. As you can imagine, if you're sending any important personal or credit care information, having it out in the open is not ideal or secure at all. Because of this, SSL/TLS certificates are used on the server to ensure the communication between the browser and the server are secure.

According to Wikipedia:

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communications security over a computer network.

To clarify, SSL’s provide a method to protect communications between a user and a server. This allows for private info to pass between the client and the website. Newer TLS encryption versions cover:

  • TLS v1.0
  • TLS v1.1
  • TLS v1.2
  • TLS v1.3

What is TLS?

TLS or Transport Layer Security is the newest offering that is paired with OpenSSL which provides improved security and stability for the current protocols. TLS is usually implemented on or alongside SSL via Nginx, Apache, Exim or other services on the server.

Ubuntu proves an easy way to implement this type of SSL/TLS security measure. If more info is needed, O'Reilly's Network Security with OpenSSL is an excellent in-depth reference.

What is eCryptfs?

eCryptfs is software which encrypts a file, folder or partition to secure its contents. It sounds a lot more complicated than it is, although the functionality can get deep, the usual focus is on creating a space that is protected and cannot be read unless specifically allowed by an admin.

The basic steps to use eCryptfs are:

  1. Mount an encrypted directory
  2. Add info to that directory
  3. Unmount the directory
  4. Profit! Data is secure…!

eCryptfs can be found in the standard Ubuntu repositories and can be installed with apt-get:

apt-get -y install ecryptfs-utils

Next, we will create a directory called brobdingnagian (...as in gigantic. Pulled from the name of a country in Jonathan Swift's Gulliver's Travels called Brobdingnag)

root@server:/home/david# mkdir /home/brobdingnagian

Afterward, let’s encrypt the directory /home/brobdingnagian/ by mounting it with the file system type eCryptfs:

mount -t ecryptfs /home/brobdingnagian /home/brobdingnagian
Passphrase:
 Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 <<<<<
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
 Selection [aes]: 3
 Select key bytes:
 1) 24
 Selection [24]: 1
 Enable plaintext passthrough (y/n) [n]: <-- Press ENTER
 Enable filename encryption (y/n) [n]: <-- Press ENTER
 Attempting to mount with the following options:
 ecryptfs_unlink_sigs
 ecryptfs_key_bytes=24
 ecryptfs_cipher=des3_ede
 ecryptfs_sig=daab07b0664284a2
 WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
 it looks like you have never mounted with this key
 before. This could mean that you have typed your
 passphrase wrong.
 Would you like to proceed with the mount (yes/no)? : yes
 Would you like to append sig [daab07b0664284a2] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes
 Successfully appended new sig to user sig cache file
 Mounted eCryptfs

Verify the secure folder is mounted.

mount |grep brobdingnagian
 /home/brobdingnagian on /home/brobdingnagian type ecryptfs (rw,relatime,ecryptfs_sig=daab07b0664284a2,ecryptfs_cipher=des3_ede,ecryptfs_key_bytes=24,ecryptfs_unlink_sigs)

Add a file to the folder:

cp /home/david/Desktop/rsync.content.txt /home/brobdingnagian/rsync.content.txt

Is the file actually in there? Yes!

ls /home/brobdingnagian/rsync.content.txt
/home/brobdingnagian/rsync.content.txt

Did it retain the content of the file?

cat /home/brobdingnagian/rsync.content.txt
 Lorem ipsum dolor sit amet, nostro everti pri ad, eam saepe nemore in, id maiorum interesset vim. Ex voluptatum necessitatibus sit, augue aeterno vituperatoribus no mel. Ut possim percipitur definitionem qui, graeco corpora efficiantur id sit. Ex has nisl virtute eloquentiam. Pri cu veritus recusabo indoctum. Ut invenire referrentur pri, voluptaria sententiae vix at. In mel oblique imperdiet definiebas, salutandi constituam sadipscing at pri, ut eleifend cotidieque eam.

Yes!

Now, let’s unmount the folder…

umount /home/brobdingnagian/
 umount: /home/brobdingnagian/: not mounted.

Again, let’s check to see if we can read the file

cat /home/brobdingnagian/rsync.content.txt
 '1'C5'N''%"3DUfw`A_''&'?`'='''/'g'!>'_CONSOLEګ'fB'''''v'X''\''1''>AL]C'3L'''G''9
x''~''3''''''e?'~'''H'''''~''')'x'Oj'\'_<''''''l╹'`c'q''''Z'''8+!o''vb'''&'mw',''
'<^<'GF&''''''I?'''!'>{%;'T'--'''''''i'Z''"J_B['''Xa''9'"'''''ă'm,l4=';}'''iUsG'&
R;'*'4Fi''>'7"1j4'X''~'''a''_ۘ8,'o&A'_F'''_Cư<#v''s'b'}''5''1''d'c7'''ayZ6

(...and so on for another hundred lines)

So, the file is encrypted and unreadable in the folder's unmounted state. The only way to review the encrypted file again is to remount the folder. This is accomplished in the same way as above. You will have to re-enter the passphrase you created to encrypt the folder in the first place, or the re-mount will fail with the error:
Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with umount” Once you re-mount the drive, your data will be available again.

Since we’re talking about encryption, let’s discuss LVM for a minute.

What is LVM?

LVM stands for Logical Volume Management. The Ubuntu documentation describes LVM as “a system of managing logical volumes, or file systems, that is much more advanced and flexible than the traditional method of partitioning a disk into one or more segments and formatting that partition with a filesystem.

All the versions of Ubuntu from 12.10 forward include the ability to install Ubuntu onto an encrypted LVM, which allows all partitions in the logical volume, including swap, to be encrypted.

Some perks of LVM are:

  • We can create as many LVM's as you want
  • Operations on the partition can be done live and
  • We can move, expand and shrink partitions as needed
  • We can also freeze an existing Logical Volume in time, at any moment, even while the system is running. You can then continue to work from the original volume as you would normally, but the snapshot will remain as a static image of the original, frozen in time at the moment it was created. (How cool is that?!)

See the Ubuntu wiki for more info on how to leverage these features.

This concludes our second article in our Ubuntu security series, on our next and last article we will be introducing other security options related to SSH keys, SELinux, 2-Factor Auth, and IPv6.  If configuring these options is outside your wheelhouse, consider adding our Server Protection Package to your Linux environment. It comes at an affordable price with routine vulnerability scans, hardened server configurations, anti-virus, and malware remediation. Keep yourself ahead of the game so you can get back to focusing on growing your business.

Series Navigation
<< Previous ArticleNext Article >>
Avatar for David Singer

About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article