## page was renamed from UbuntuTips/Others/UbuntuSecurity
#title [Translation in progress] Security in Ubuntu

 * '''Target Ubuntu versions'''
  * Pending

||Original||[[http://ubuntuforums.org/member.php?u=89054|bodhi.zazen]]'s [[http://ubuntuforums.org/showthread.php?t=510812|Ubuntu Security]]||
<<BR>>
|| /!\ The Japanese translation in progress can be viewed [[https://wiki.ubuntulinux.jp/Nimu/UbuntuSecurity?action=raw|here]] (although it is not at a level that could be called Japanese).<<BR>>I would appreciate any help, but there is also a chance that I will abandon it.||

I am writing this guide as a concerned member of the Ubuntu Community. Security is a concern for us all, and in welcoming new (and experienced) users to Ubuntu I would like to demystify the complexities of security that come with your new OS.

||Disclaimer : I am not an expert in security. This document is intended as a security overview for new users. This thread is not intended as an all-inclusive how-to or to discuss the merits of any particular security measure. I offer no guarantee that by running Ubuntu with any or all of these suggestions your security will be foolproof or that you will never be cracked.||

I would like to direct any general security discussions to the [[http://ubuntuforums.org/forumdisplay.php?f=7|Servers & Security]] forum and any comments on this introductory sticky [[http://ubuntuforums.org/showthread.php?t=510792|here]].

I would like to thank the Ubuntu Staff, especially jdong and compiledkernel, for their review and suggestions.

'''The two most common cracks posted on these forums are ssh and vnc, both running with password authentication.''' If you wish to run these services, please secure them.

 * In the case of ssh, use keys (and disable password authentication) and either configure iptables or use a service such as denyhosts or fail2ban (both are in the repositories).
  1. Ubuntu Wiki configure SSH
  1. Ubuntu wiki SSH Keys
  1. !DenyHosts
  1. !Fail2Ban
  1. bodhi.zazen's iptables primer
 * In the case of VNC, either tunnel it over ssh, use FreeNX, or use VPN.
  1. VNC Over SSH
  1. Ubuntu Wiki FreeNX
  1. Ubuntu wiki OpenVPN

== Introduction ==

Security is an ongoing process and, like an onion, it has layers and stinks. The best defense you have is to read and learn how to secure your OS.

Alas, there is no single action you can take to achieve absolute security (the only safe computer is one that is turned off, disconnected from the Internet, and in a locked vault), and security concerns and "ease of use" are sometimes competing concerns.

=== Clarification of terms ===

The "[[#WindowMindeset|Windows Mindset]]" is intended as exactly that. I assume most new users are coming from Windows, and the issues under this section are both most familiar to them and areas of FAQ on the forums (how often do we see questions from the "Ubuntu Mindset" on ABT?).

The "[[#UbuntuMindset|Ubuntu Mindset]]" is thus likely new information for most new users.

''Those divisions/titles are intended to divide security information into familiar/unfamiliar territory (assuming the reader comes from a Windows background) or to lighten up an otherwise dry topic. Specifically, it is my intention that the "Windows mindset" will help users new to Linux (Ubuntu) feel more at home by starting with familiar themes.
These titles or divisions are certainly not intended to convey more or less importance to any particular issue; those decisions I leave for "self determination".''

== Summary ==

There is no such thing as "security in a box (tm)". Information security is an active job -- it is not installing some product on the system and sitting back and relaxing.

The good news ~ Ubuntu (Linux) is fairly secure "out of the box".

== How to proceed ==

Prepare to read, read, read ... do not expect to get through this document in one session.

== Intro ==

=== Basics ===

This advice is fairly generic and applies to almost any OS. These simple steps offer a solid foundation that you should be able to implement almost immediately.

 * Enforce strong passwords: http://en.wikipedia.org/wiki/Password_strength
 * In general, do not write your passwords down, and if you must, keep them in a secure place (do not put them on a sticky note attached to your monitor, for example).
 * Limit root access (do not log in or run programs as root). Ubuntu accomplishes this by locking the root account and the use of sudo.
  * Consider creating an account without sudo access for "daily use".
  * Additional information : [[https://help.ubuntu.com/community/RootSudoRootSudo|- Community Ubuntu Documentation]]
  * Configure sudo : [[http://www.gratisoft.us/sudo/man/sudoers.html|Sudoers Manual]]
 * Physical access (physical access = big security hole). Physical access allows root access to your system (via a live CD if necessary).
 * Do not install software or add repositories from untrusted sources (see also "Social engineering" below).
  * This includes running scripts that modify your /etc/apt/sources.list. Take care not to let the "need" to run the newest/latest/greatest compromise security.
 * Likewise, do not run code or enter commands into the terminal from untrusted sources. If you are unsure what a command might do, it is best to do a Google search first.
 * Keep your system up to date. Updates, particularly security updates, bring you the newest and latest fixes.
 * If you run a server, it is your responsibility to learn how to secure it.

[[http://www.psychocats.net/ubuntu/security|Psychocats ~ Security on Ubuntu]] A Japanese translation is available [[http://web.archive.org/web/20071011073531/http://rion.sakura.ne.jp/misc/security.shtml|here]] (note: Internet Archive).

Thanks to Johan! for the advice on 3rd party repos.

||Note: Social Engineering. Click [[http://www.securityfocus.com/infocus/1527|here]] for more information.||

{{{
Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.
}}}
~ Quote from Wikipedia

== The Windows Mindset ==

If you are coming from a Windows background you are used to terms like antivirus, spyware, and firewalls. Linux is different, and these are not as important. They are discussed first because these are FAQ on the forums. Unfortunately, it is sometimes difficult for new users to wade through some of the FUD (some of which is produced by anti-virus companies) ...

=== Viruses ===

The fact of the matter is: viruses/worms take advantage of flaws or holes in the code. At the time of this writing, there are no significant Linux viruses "in the wild". Linux boxes are no less targets than any other OS; many of the large (ie valuable) Internet sites run on *nix, so there is no lack of motivation to crack into *nix.

Do not believe the suggestion that the Linux community is complacent or "behind the times" in terms of viruses, or any other security issue. Linux developers have not "ignored" viruses; rather, the OS is built to be highly resistant to them, and since the code is "Open" there are literally thousands of eyes watching ...
This is an example of what it would take to install malware on an Ubuntu box :

[[http://www.gnu.org/fun/jokes/evilmalware.html|Install evilmalware]] (Don't worry, that link will NOT install anything.)

For the most part, Linux anti-virus programs scan for Windows viruses, which do not run on Linux. There are increasing reports, however, that Windows malware may run in wine; as such, I added a section reviewing what I feel you should know about security if you choose to install and run wine (see below).

Please understand, anti-virus programs, and in fact most [[http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system|HIDS]], are "reactive" in that they can only protect you from known viruses. They can only protect you against malware after it is developed and incorporated into HIDS, not before. Furthermore, the "fix" will be to close any hole(s) in the code; these fixes will be available through security updates (which are more frequent in Linux than your previous OS if you are coming from Windows).

Reasons '''AGAINST''' antivirus on Ubuntu:

 1. They scan primarily for Windows viruses.
 1. There is a high rate of false positives.
 1. Isolation/inoculation is poor.
 1. And currently there are no known active Linux viruses (so there is essentially nothing to detect).

Reasons '''FOR''' antivirus on Ubuntu:

 * You are running a file or mail server with Windows clients.
 * You wish to scan files before transferring them, by email, flash drive, etc., to a Windows machine.

Running antivirus can make some sense if you are intending to "protect" Windows users; however, IMO, for a variety of reasons, it is best if Windows users learn to protect themselves.

||Note: There have been many documented cases in Windows and Linux that a buffer overflow in an antivirus product has been an attack vector!||

If you would like to run an antivirus program on Ubuntu you have several choices :

 * [[https://help.ubuntu.com/community/Antivirus|Antivirus]]
 * [[https://help.ubuntu.com/community/ClamAV|ClamAV]]
 * http://www.avast.com/eng/avast-for-linux-workstation.html
 * http://www.pandasoftware.com/download/linux.htm
 * http://www.centralcommand.com/linux_server.html
 * http://www.f-prot.com/products/home_use/linux/

=== A few comments on wine ===

Discussions about running Windows viruses on wine crop up from time to time, and it is possible to run some Windows viruses on wine.

See these links :

 * [[http://www.avertlabs.com/research/blog/index.php/2009/02/23/running-windows-malware-in-linux/|McAfee Avert Labs Blog]]
 * [[http://www.linux.com/articles/42031|http://www.linux.com/articles/42031]]

So what do you need to know about Windows viruses if you want to run wine?

 1. First, the "golden rule" : '''DO NOT RUN WINE AS ROOT'''.
 If you are '''NOT''' running wine as root then wine will not have the necessary permissions to affect system files.
 1. So, if you are running wine as a user, a Windows virus will be confined to your home directory.
 1. You can further confine the "fake c drive" located at ~/.wine if you remove any symbolic links outside ~/.wine. With a default installation / configuration of wine there is a link :
 {{{
~/.wine/dosdevices/z: -> links to /
}}}
 A link from ~/.wine/dosdevices to the root directory ( / ) should concern you for obvious reasons. You can remove it with :
 {{{
unlink ~/.wine/dosdevices/z:
}}}
 Do not worry, that command will not affect wine at all; I run it all the time.
 You may need to make a link in ~/.wine/dosdevices to your cdrom and/or you may be tempted to link to your home directory, but I advise against keeping these links (beyond the time needed for actually installing applications). I advise against any links to removable devices (it should not be *that* difficult to copy the files needed to the appropriate location in ~/.wine/drive_c ).
 1. Consider running an antivirus program and scanning ~/.wine and any removable devices or other locations you use outside of ~/.wine to store programs or data to be used with wine. Scan any data / applications you use with Windows.
 1. Consider confining wine with Apparmor.
 1. Be sure to file a bug report with the wine project, as they have a very active security team (it is unrealistic, however, to expect the wine team to be able to protect you from all Windows viruses all the time). [[http://bugs.winehq.org/|Wine Bug Reports]]
 1. Take the same precautions with wine as you would with Windows. Do not install untrusted applications from untrusted sources.
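As an added example that is not from the original thread, the following script finds every link under a wine prefix's dosdevices directory that resolves to a location outside the prefix (wine's default z: link included), so you can see exactly what to unlink. It builds a throwaway sample prefix for the demonstration rather than touching a real ~/.wine; pass your own prefix path to check that instead.

```shell
#!/bin/sh
# Added example, not from the original thread: report every link in a wine
# prefix's dosdevices directory that resolves to a location OUTSIDE the
# prefix (wine's default "z:" -> / is the one the thread tells you to
# unlink). The prefix is a parameter so the check can run against the
# constructed sample prefix built below instead of a real ~/.wine.

# canonical_dir PATH -> the symlink-free absolute path of a directory
canonical_dir() {
    (cd -P "$1" 2>/dev/null && pwd -P)
}

# wine_escaping_links PREFIX
# Prints "<name> -> <target>" for each dosdevices link whose target lies
# outside PREFIX; returns 0 if none were found, 1 otherwise.
wine_escaping_links() {
    prefix=$(canonical_dir "$1") || return 2
    found=0
    for link in "$prefix"/dosdevices/*; do
        [ -L "$link" ] || continue                 # only symlinks are drives
        raw=$(readlink "$link")
        case "$raw" in                             # relative targets are
            /*) abs=$raw ;;                        # relative to dosdevices/
            *)  abs=$prefix/dosdevices/$raw ;;
        esac
        if [ -d "$abs" ]; then
            target=$(canonical_dir "$abs")
        else
            # a file or device node (e.g. com1 -> /dev/ttyS0): canonicalise its dir
            target=$(canonical_dir "$(dirname "$abs")")/$(basename "$abs")
        fi
        case "$target" in
            "$prefix"|"$prefix"/*) ;;              # stays inside the prefix
            *) printf '%s -> %s\n' "$(basename "$link")" "$raw"; found=1 ;;
        esac
    done
    return $found
}

# make_sample_prefix -> path of a throwaway prefix laid out like ~/.wine
# (constructed for this demo, not a real wine installation)
make_sample_prefix() {
    p=$(mktemp -d)
    mkdir -p "$p/drive_c" "$p/dosdevices"
    ln -s ../drive_c "$p/dosdevices/c:"      # inside the prefix: fine
    ln -s / "$p/dosdevices/z:"               # wine's default: whole filesystem
    printf '%s\n' "$p"
}

SAMPLE_PREFIX=$(make_sample_prefix)
echo "links leaving $SAMPLE_PREFIX:"
if wine_escaping_links "$SAMPLE_PREFIX"; then echo "(none)"; fi
unlink "$SAMPLE_PREFIX/dosdevices/z:"        # the fix the thread recommends
echo "after unlinking z::"
if wine_escaping_links "$SAMPLE_PREFIX"; then echo "(none)"; fi
rm -rf "$SAMPLE_PREFIX"
```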
If you follow the above advice, Windows viruses will be confined to ~/.wine and they do not have permission to change system files. This means to remove them you simply:

{{{
rm -rf ~/.wine
}}}

'''Please take care, this command deletes everything in your wine directory including all data and all applications.'''

You then need to restore your wine directory from a known good backup (you do keep backups ?).

=== Firewall ===

Edit: I posted a series of 3 blogs introducing firewall configuration :

 * [[http://blog.bodhizazen.net/linux/firewall-ubuntu-gufw/|GUFW (gui)]]
 * [[http://blog.bodhizazen.net/linux/firewall-ubuntu-desktops/|UFW - Desktops]]
 * [[http://blog.bodhizazen.net/linux/firewall-ubuntu-servers/|UFW - Servers]]

Discussions about firewalls are often passionate (just search the Ubuntu forums). By default, Ubuntu includes a firewall, iptables, but by default nothing is engaged. This is reasonable, as a default Ubuntu install opens zero ports to the outside world, so a firewall is redundant. However, installing "server software" will cause ports to open, so some people like to use a firewall as a catch-all layer to find mistakes in their configuration.
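A quick way to see which ports your own machine currently exposes, added here and not part of the original thread: the script reads the output of ss -Hlntu (the modern equivalent of netstat -tulpn) and keeps only listeners bound to a non-loopback address, which are the "open ports" a default install has none of and server software adds. The ss output it runs on is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original thread: list listening sockets that
# are reachable from other hosts. Feed it the output of
#   ss -Hlntu        (or, on older systems, netstat -tulpn)
# It keeps only listeners bound to a non-loopback address; anything bound
# to 127.0.0.0/8 or [::1] is unreachable from the network and is skipped.

# exposed_listeners: reads "ss -Hlntu" lines on stdin,
# prints "<proto> <port> <local address>" for each externally bound listener
exposed_listeners() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }        # skip headers/other netids
        $1 == "tcp" && $2 != "LISTEN" { next }     # tcp: listening sockets only
        {
            addr = $5                              # Local Address:Port column
            n = split(addr, parts, ":")
            port = parts[n]                        # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            sub(/%.*/, "", host)                   # drop scope ids like %lo
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            print $1, port, host
        }'
}

# Constructed sample of "ss -Hlntu" output (not captured from a real host):
# sshd on all addresses, CUPS and a DNS stub on loopback, a DHCP client.
SS_SAMPLE='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*'

# sample_exposed: runs the check over the constructed sample
sample_exposed() {
    printf '%s\n' "$SS_SAMPLE" | exposed_listeners
}

# On a live system you would instead run:  ss -Hlntu | exposed_listeners
sample_exposed
```

Anything this prints is what an nmap scan from another machine would find; cross-check the two, since a firewall rule can hide a listener from nmap without closing it.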
Another use for firewalls is for the administrator to forcibly impose network policies on the user. For example, users may not talk to example.com, open up a listening port for remote connections, and so on.

Also, a periodic audit of the system for open ports is a good practice. For example, running the "nmap" command from another machine, or using one of many online port scanners:

 * http://nmap-online.com/
 * https://www.grc.com/x/ne.dll?bh0bkyd2

Remember, what you care about are open ports. Closed ports and stealth ports are equally secure, in that they are inaccessible to the public.

'''Iptables references :'''

 * https://help.ubuntu.com/community/IptablesHowTo
 * http://www.linuxguruz.com/iptables/howto/
 * http://iptables-tutorial.frozentux.net/iptables-tutorial.html
 * http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-fireall-ipt-act.html
 * https://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/ch-iptables.html

Update: I wrote an iptables reference [[http://bodhizazen.net/Tutorials/iptables/|here]].

The "problem" with iptables is that it is not particularly friendly to new users. Fortunately, there are several more user-friendly interfaces available to allow you to manipulate your firewall (UFW, Firestarter, and Guarddog) :

 * [[https://help.ubuntu.com/8.04/serverguide/C/firewall.html|UFW (Uncomplicated Firewall)]] is the newest tool. It is a command line tool and is, IMO, superior to the gui tools.
  * To configure iptables, UFW uses both configuration files ('''/etc/default/ufw and /etc/ufw/before.rules''') and the command line. Howto: [[http://www.ubuntu-unleashed.com/2008/05/howto-take-use-setup-and-advantage-of.html|Use, setup, and Take advantage of the New Ubuntu Uncomplicated Firewall UFW]]
 * [[http://www.fs-security.com/|Firestarter]] is one of the most popular GUI front ends.
  * [[http://www.debianadmin.com/secure-ubuntu-desktop-using-firestarter-firewall.html|How to Firestarter]]
 * [[http://www.simonzone.com/software/guarddog/|Guard dog]] uses the KDE libraries.
  * [[http://www.simonzone.com/software/guarddog/manual2/index.html|Guarddog Online Guide]]

A source of confusion sometimes occurs when users feel the need to be running firestarter/Guarddog for their firewall to be active. '''This is untrue !''' Keep in mind that these applications are not firewalls, but rather configuration tools for iptables. These applications should be run only to configure your firewall. Once configured, iptables (the actual firewall) is active (at boot) without having to run firestarter/guarddog. Firestarter will monitor traffic, but it runs as root and there are better monitoring programs, so configure your firewall, shut down firestarter/guarddog, and let iptables do the rest.

=== Browser / Spyware : Java/Flash/Ad-ware/Trackers/Cookies ===

This is where most users will have the most risk. We all want Java/Flash, but our Internet browser opens us to attacks.

I advise :

 1. Deny all cookies and add trusted sites, allowing only for session.
 1. Install [[https://addons.mozilla.org/en-US/firefox/addon/722|NoScript]]. Again, block all and add trusted sites to a white list.
 1. Install [[https://addons.mozilla.org/en-US/firefox/addon/1502|Safe History]].
 1. Adblocking : I block with a hosts file rather than Adblock Plus or Adblock Filterset.G because a hosts file protects more than just firefox.
  * http://www.mvps.org/winhelp2002/hosts.htm
  * Linux script : http://hostsfile.mine.nu/downloads/updatehosts.sh.txt
Edit: Thank you Seisen for pointing out that NoScript also blocks flash.

Additional information : [[http://ubuntuforums.org/showthread.php?t=671604|How to Secure Firefox]]

== The Ubuntu Mindset ==

=== Permissions and Encryption ===

The first layer of defense is file permissions. Permissions are used to set access and thus protect both system and user files.

 * [[http://www.comptechdoc.org/os/linux/usersguide/linux_ugfilesp.html|Basic permissions]]
 * [[http://help.ubuntu.com/FilePermissions|FilePermissions]] See also '''umask''' at the bottom of that link. The umask value can be set in ~/.bashrc.

To set a "private home", as a user,

{{{
chmod 700 $HOME
}}}

[[http://hep.pa.msu.edu/user/groups.html|Sharing files in UNIX]]

Encryption is used as an additional layer of protection. One limit of encryption is that protection is only offered by an unmounted encrypted partition (once the partition is mounted it is accessible/crackable just like any other file). The tools included with Ubuntu include GPG, LUKS, and ecryptfs.

==== GPG ====

 * [[http://ubuntuforums.org/showthread.php?p=4903822|Advanced GnuPG Concepts - Advanced Key Generation]]

==== LUKS ====

LUKS is available as an option on the "alternate" CD.
[[http://users.piuha.net/martti/comp/ubuntu/en/cryptolvm.html|How to install Ubuntu into an encrypted partition using the Alternate CD]]

Additional links on LUKS :

 * [[http://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile|HOWTO: Automatically Unlock LUKS Encrypted Drives With A Keyfile]]
 * [[http://ubuntuforums.org/showthread.php?t=1034910|HOWTO: re-install / upgrade over existing dm-crypt / LUKS system]]
 * [[http://ubuntuforums.org/showthread.php?p=4530641|How to Resize a LUKS Encrypted File System]]

==== eCryptfs ====

With ecryptfs you can encrypt your home directory (both desktop and alternate CD as of Ubuntu 9.04 Jaunty), swap, a private directory, or any other directory.

 * [[http://bodhizazen.net/Tutorials/Ecryptfs/|bodhi.zazen's Ecryptfs tutorial]]

==== TrueCrypt ====

 * http://www.howtoforge.com/truecrypt_data_encryption

=== Root kits ===

From http://en.wikipedia.org/wiki/Rootkit :

{{{
The term rootkit (also written as root kit) originally referred to a set of recompiled Unix tools such as ps, netstat, w and passwd that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain root access (highest privilege) on the system without the system administrator even seeing them. The term is no longer restricted to Unix-based operating systems ...
}}}

==== Root kit detection ====

 * rkhunter
  * http://wiki.linuxquestions.org/wiki/Rootkit_Hunter
 * chkrootkit
  * http://www.howtoforge.com/howto_chkrootkit_portsentry

=== Intrusion Detection ===

||Note: Adding an intrusion detection system like Snort that analyzes network traffic for attack patterns can potentially introduce additional vulnerabilities. There have been documented examples of vulnerabilities in Snort's preprocessor that granted hackers Snort user, or even root user, access to the system!||

My initial suggestions are [[http://www.ossec.net/|OSSEC HIDS]] and [[http://www.ossec.net/|Snort]].

See : [[http://ubuntuforums.org/showthread.php?t=919472|Ubuntu Forums ~ Intrusion Detection]]

How To :

 * [[http://ubuntuforums.org/showthread.php?t=919472|Intrusion Detection]]
 * http://www.howtoforge.com/intrusion_detection_with_ossec_hids
 * [[http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1083823,00.html|How to Snort]]

=== Compiledkernel's Suggested Applications ===

compiledkernel's suggested applications (Nagios, ntop, and darkstat are in the Ubuntu Repositories; check the home page to see if newer versions are available):

 * [[http://www.nagios.org/about/|Nagios]] ~ A host and service monitor designed to inform you of network problems.
 * [[http://www.zenoss.com/product/core|ZenOSS]] ~ An open source IT monitoring product that delivers the functionality to effectively manage the configuration, health and performance of networks, servers and applications through a single, integrated software package.
 * [[http://www.ntop.org/overview.html|ntop]] ~ A network traffic probe that shows the network usage, similar to what the popular top Unix command does.
 * [[http://dmr.ath.cx/net/darkstat/|darkstat]] ~ A packet sniffer that runs as a background process on a cable/DSL router, gathers all sorts of statistics about network usage, and serves them over HTTP.
=== Running Server(s) ===

Part of setting up a server is reading/learning how to secure it. Common servers include NFS, Samba, FTP, SSH, VNC, RDP, and HTTP. If the "how-to" you are following does not review security, you need to keep looking ... "Desktops" become "Servers" if server software is installed.

Questions to ask yourself include:

 1. What port(s) or services does this software provide?
 1. Who will be able to connect to this? (i.e. is it restricted to a range of IP addresses? Password protected?)
 1. What level of access will the visitor have to the system? (i.e. does the server run under a restricted user, or the root account? What can this restricted user do in a worst case scenario?)
 1. Does this service expose any additional information that's useful to a hacker? (i.e. does it allow users to transmit their passwords in cleartext? Does it have a 'statistics' view that reveals logged-in users, ip addresses, network configuration, or other potentially helpful information?)
 1. What is the security history of this software? Does it have a history of vulnerability and patch after patch? Or has it had a relatively unmarred history?
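For the second question as it applies to ssh, the service the top of this page singles out (keys on, password authentication off), here is an added example that is mine and not part of bodhi.zazen's thread: it reports which authentication methods an sshd_config would actually enable. The three sample configs it builds are constructed for the demo, and the defaults it assumes for absent keywords are OpenSSH's (password, challenge-response and public-key authentication all default to yes).

```shell
#!/bin/sh
# Added example, not from the original thread: check which authentication
# methods an sshd_config actually enables. Details that trip people up:
#  - sshd uses the FIRST uncommented value of a keyword; later duplicates
#    are ignored, so a "PasswordAuthentication no" pasted at the end of
#    the file may do nothing.
#  - A commented "#PasswordAuthentication yes" only documents the default.
#  - Lines after a "Match" block apply conditionally, not globally.
#  - With UsePAM, keyboard-interactive can still prompt for a password
#    unless ChallengeResponseAuthentication is also "no".

# sshd_effective FILE KEYWORD DEFAULT -> the value sshd would use globally
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }                      # comment: not a setting
        tolower($1) == "match"    { exit }             # global section ends here
        tolower($1) == tolower(k) { print $2; exit }   # first match wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# audit_sshd_config FILE -> 0 if only key-based login is possible, else 1
audit_sshd_config() {
    file=$1; ok=0
    pw=$(sshd_effective "$file" PasswordAuthentication yes)           # default yes
    cr=$(sshd_effective "$file" ChallengeResponseAuthentication yes)  # default yes
    pk=$(sshd_effective "$file" PubkeyAuthentication yes)             # default yes
    [ "$pw" = "no" ]  || { echo "$file: PasswordAuthentication is '$pw' (want no)"; ok=1; }
    [ "$cr" = "no" ]  || { echo "$file: ChallengeResponseAuthentication is '$cr' (want no)"; ok=1; }
    [ "$pk" = "yes" ] || { echo "$file: PubkeyAuthentication is '$pk' (want yes)"; ok=1; }
    return $ok
}

# Constructed sample configs for the demo (not files from any real system).
SSHD_SAMPLES=$(mktemp -d)
cat > "$SSHD_SAMPLES/weak" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$SSHD_SAMPLES/hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
cat > "$SSHD_SAMPLES/matchonly" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

# On a real host:  audit_sshd_config /etc/ssh/sshd_config
for f in weak hardened matchonly; do
    if audit_sshd_config "$SSHD_SAMPLES/$f"; then
        echo "$f: key-only login enforced"
    fi
done
```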
##Examples : 例:: * [[https://help.ubuntu.com/community/AdvancedOpenSSH|SSH]] * [[https://help.ubuntu.com/community/VNCOverSSH|VNC]] * [[http://www.howtoforge.com/apache_mod_security|Apache]] === Hardened Kernels === Hardened kernels are modifications to the Linux kernel that add additional security measures. This could include: 1. The randomization of ports, memory addresses, process ID's, and other information that is typically predictable. This can thwart off many types of common attacks. 1. Identify and prevent buffer overflow attacks from resulting in compromise by killing compromised processes (PaX bundled with grsecurity, or Redhat's Exec-Shield combined with prelink randomization). Edgy and higher contain GCC stack protection enforced in most applications, but is unable to respond to several kinds of attacks that a kernel-layer enforcer could. Likewise, PaX and friends have weakness that GCC stack protection helps cover, so the two work great as a duo. 1. Hiding information that Linux usually allows everyone to see, including all running processes on the system, load averages, CPU info, IP addresses, etc. Obscuring this information can help keep attackers "in the dark" so to speak. 1. More aggressive enforcement of buffer overflow protection than what Ubuntu's standard gcc stack protector can do. 1. Adding additional restrictions on the capabilities of regular users that prevent channels of attack. 1. Additional permissions systems that allow finer-grained tuning of various aspects of Linux. These techniques combined have been shown to be very effective in the real world in guarding against unknown attacks. For example, many administrators of hardened kernel servers either report or even prove that their hardened systems were invulnerable to newly discovered security holes, or that the severity of a breach was significantly reduced. The most common hardened kernel patch is called "grsecurity2" (http://grsecurity.org/), which does everything on this list. 
This requires, however, that you manually patch and recompile the kernel.

SELinux and !AppArmor do the "additional permissions systems" part. The basic theory is that by providing finer definitions of permissions than UNIX users and the "chmod" bits, even a successful attack against one service is virtually useless for attacking the rest of the system.

||Note: !AppArmor is installed by default as of Hardy, Ubuntu 8.04. There are, however, minimal profiles and they are set to complain mode.||
## || !AppArmor is not installed by default in Ubuntu 8.04 Hardy. However, there are a few profiles and they are set to learning mode. ||

!AppArmor links:
 * [[https://help.ubuntu.com/community/AppArmor|AppArmor ~ Ubuntu Community Wiki]]
 * [[http://en.opensuse.org/AppArmor_Geeks|AppArmor Geeks (OpenSUSE)]]
 * [[http://bodhizazen.net/aa-profiles/|bodhizazen's (and others) AppArmor repository]]

All of these hardened systems, however, take effort on the administrator's behalf to implement. They also take a lot of trial-and-error to find the correct balance of user functionality and security restrictions. Tightening the rules too much could cause various applications to stop working, and not tightening them enough could lead to a weaker security setup. If you run a large multiuser system where you must grant people shell access, or run services that have that unfortunate long history of attacks, then it is highly recommended that you look into setting up a hardened kernel.

=== Reading the Logs ===
Learn how to read your system logs and become familiar with "normal" activity. It should go without saying, your first introduction to system logs should *not* be when you suspect your system has been compromised. You should also be aware that if someone has root access they can alter system logs. This is when it is most helpful to be aware of "normal" activity.
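To make "normal" concrete, here is an added example (not part of the original guide) that summarises an auth.log the way you would want to read it every day: successful logins with their authentication method and source, and failed password attempts grouped by source address. The log lines are constructed and use documentation addresses; on a real system feed `/var/log/auth.log` to the functions instead.

```shell
#!/bin/sh
# Added example, not part of the original guide. Separate "normal" activity
# (key-based logins, sudo use) from failed password attempts grouped by
# source address. Lines below are CONSTRUCTED; on a real system run
#   failed_logins_by_source < /var/log/auth.log

SAMPLE_AUTH_LOG='Feb  4 09:12:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb  4 09:12:03 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb  4 09:12:05 host sshd[2204]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb  4 09:13:40 host sshd[2230]: Accepted publickey for alice from 192.0.2.10 port 40410 ssh2
Feb  4 09:15:12 host sshd[2250]: Failed password for bob from 198.51.100.4 port 33000 ssh2
Feb  4 09:16:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Feb  4 09:20:17 host sshd[2260]: Accepted password for bob from 198.51.100.4 port 33010 ssh2'

# Count failed password attempts per source address, most frequent first.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn
}

# Source addresses with at least $1 failures: candidates for a firewall rule,
# and a reminder that password authentication for ssh should be turned off.
suspicious_sources() {
    failed_logins_by_source | awk -v threshold="$1" '$1 >= threshold { print $2 }'
}

# Successful logins as "user method source". Reading this regularly is how
# you learn what normal looks like on your own machine.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "for") user = $(i + 1)
               for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
               print user, $7, src }'
}

echo "--- accepted logins ---"
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
echo "--- failed password attempts by source ---"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
echo "--- sources with 3 or more failures ---"
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_sources 3
```

Note what the summary does and does not tell you: a burst of failures from one address is easy to spot, but a single "Accepted password" from an address you do not recognise is the line that matters most, and only familiarity with your own normal traffic lets you notice it.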
[[https://help.ubuntu.com/community/LinuxLogFiles|Ubuntu wiki ~ Linux Log Files]]

There is a package called "logwatch" that e-mails you the new portions of your log every night. This can help make log reading more enjoyable.
## logwatch package

=== How to perform a hardened installation ===
This how-to will walk you through a hardened install with an encrypted root partition and other goodies. This is a link to a how-to for Debian:
## How-to for Debian
[[http://www.hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup--part-1-base-system|Towards a moderately paranoid Debian laptop setup]]

You will need to use the "Alternate" install disk.
## You need to use the "alternate" CD
[[http://users.bigpond.net.au/hermanzone/|How to Alternate Install]]

Thank you to Uwe Hermann for posting a how-to for the moderately paranoid and hermanzone for the how-to with the alternate CD.

=== Screening your system ===
## === System inspection ===
There is a package, tiger, which will screen your system for potential security holes. While not complete it may be an excellent place to start (tiger does not check your firewall, for example).
## The tiger package checks for potential security holes.
For an overview of tiger see [[http://www.penguin-soft.com/penguin/man/8/tiger.html|man tiger]]; scroll to the bottom and you will see a listing and brief description of the tests performed (modules).
## Overview of tiger

Install by any means, tiger john chkrootkit
{{{
sudo apt-get install tiger john chkrootkit
}}}
Run tiger from the command line with:
{{{
sudo tiger -H
}}}
The -H flag will produce a very nice HTML document. The command tigexp can be used to explain the results.
{{{
$ /usr/sbin/tigexp pass014w
The listed login ID is disabled in some manner ('*' in passwd field, etc), but the login shell for the login ID is a valid shell (from /etc/shells or the system equivalent). A valid shell can potentially enable the login ID to continue to be used.
The login shell should be changed to something that doesn't exist, or to something like /bin/false.
}}}
Tiger should give you some ideas on things to research. As always there can be false positives, so take care not to either panic or blindly make system changes without understanding what you are doing and how to undo your changes (i.e. make backups of system files before you edit them).

== Forensics ==
What to do when you think you have been cracked:
 1. Power off.
 1. Disconnect/disable your Internet connectivity.
 1. Now take a deep breath, re-boot, and read the logs. Ask for help if needed, but you really need to confirm that your system has been compromised.
 1. If you have been compromised, and have the time and interest, boot a live CD and image your hard drive. This image can then be used for forensic analysis.
 1. Re-install. Unfortunately, IMHO, there is no way to trust a compromised system.
 1. When you install, be sure to install off line, use a stronger password, and research intrusion detection.

Intrusion References
 * [[http://www.cert.org/certcc.html|CERT® Coordination Center (CERT/CC)]]
 * [[http://web.archive.org/web/20080109214340/http://www.cert.org/tech_tips/intruder_detection_checklist.html|CERT® Coordination Center ~ Intruder Detection Checklist]]

Whew ...

## TODO:
## 1. Power off
## 1. Disconnect/disable the Internet connection
## 1. Take a deep breath, reboot, read the logs.
## 1. TODO:
## 1. Reinstall
## 1.
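Step 4 of the checklist, imaging the drive from a live CD, is only useful if you can later show that the image is a faithful copy of the disk. The script below is an added example, not part of bodhi.zazen's guide: it copies a source with dd, hashes both source and image with SHA-256, and records the image hash in a file that `sha256sum -c` can re-check. The device path `/dev/sdX` and the output location are assumptions; the self-test at the end uses a constructed 1 MiB file as the "disk" so it runs without real hardware.

```shell
#!/bin/sh
# Added example, not part of the original guide: image a drive from a live CD
# and prove the copy matches before analysing it. Device and output paths are
# assumptions; demo() below uses a CONSTRUCTED sample file as the "disk".

# Compare the SHA-256 of source and image and record the image hash in
# sha256sum format (so `sha256sum -c "$2.sha256"` re-verifies it later).
# Returns 0 only when the two hashes agree.
verify_image() {
    src="$1"
    img="$2"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Image $1 (e.g. /dev/sdX, never the mounted root of the live CD) into $2.
image_and_verify() {
    src="$1"
    img="$2"
    # conv=noerror keeps reading past unreadable sectors instead of aborting;
    # conv=sync zero-fills such sectors so offsets in the image stay aligned
    # with the disk. bs=512 matches the sector size, so sync never has to pad a
    # trailing partial block: with a larger bs the image could end up longer
    # than the source and the hashes would no longer agree.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    verify_image "$src" "$img"
}

# Self-test on a constructed 1 MiB "disk". On a real incident the source is
# the block device of the powered-off machine, read from the live CD.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk.raw" bs=512 count=2048 2>/dev/null
    if image_and_verify "$work/disk.raw" "$work/disk.dd"; then
        echo "image verified: $(cat "$work/disk.dd.sha256")"
    else
        echo "image does NOT match source" >&2
    fi
    rm -rf "$work"
}
demo
```

Keep the `.sha256` file with the image (and ideally a copy elsewhere): it is what lets you, or anyone you ask for help, show that the evidence examined later is the same bytes that were on the disk when it was powered off.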
## Offline, strong password
## IMHO: in my humble opinion
## Intrusion references
## Whew

=== Further Reading: ===
## === Links ===
 * [[https://help.ubuntu.com/community/Security|Ubuntu wiki ~ Security page]]
 * [[https://help.ubuntu.com/community/InstallingSecurityTools|Ubuntu wiki ~ Installing Security Tools]]
 * [[http://web.archive.org/web/20070805184032/http://doc.gwos.org/index.php/SecurityAnalysis|UDSF Security Analysis Tools]]
 * [[http://www.itsecurity.com/features/ubuntu-secure-install-resource/|The Big Ol' Ubuntu Security Resource]]
 * [[http://www.linuxforums.org/security/locking_down_ubuntu.html|Locking Down Ubuntu]]
 * [[http://www.ubuntugeek.com/category/security/|Ubuntu geek ~ Security category]]
 * [[http://www.linuxquestions.org/questions/showthread.php?t=45261|Security references]] Topics include Basics, firewall, Intrusion detection, Chroot, Forensics/Recovery, and Securing networked services. ~ Thank you to unSpawn at [[http://www.linuxquestions.org/|LinuxQuestions.org]]

Last edited by bodhi.zazen; 4 Weeks Ago at 11:42 AM. Reason: Updated 4.2.2009