Ubuntu 20.04 LTS Security Checklist
This is just a collection of my notes on what I typically do with this Linux operating system in terms of security baseline hardening. Some of this guidance follows EUD security guidance from the National Cyber Security Centre in the UK.
- Ensure UEFI firmware is on with the physical or virtual machine. In VMWARE make sure UEFI is on in advanced settings and the UEFI box is checked if creating a virtual configuration.
2. Ensure Access control is set to the status of encrypted. Access to the virtual machine will be encrypted with a password/passphrase. Create a passphrase with atleast 16 characters. This will prevent evil maid attacks on your vm when not in use.
3. During installation reduce the threat surface to your machine by running a minimal installation. To save time on patching download updates while installing ubuntu.
4. Ensure to encrypt your installation by using the advanced features and encrypting the ubuntu installation.
5. I recommend a 16 character passphrase or longer as your security key for encryption. If this is a physical machine and you have stored sensitive data in the past on the hard disk make sure to overwrite the empty disk space. This will increase install time but ensure proper sanitation of previous data on the hard disk.
6. Ensure you pick atleast a 16 character passphrase for login. Ensure the box is checked to require password to log in.
7. After boot deter the use of cloud services unless absolutely needed. Cloud services can be handy in backup situations but depending on your security configuration you could accidently disclose sensitive data if your cloud account is not properly security and configured. MFA/2FA should be required if you need to use a cloud account with your installation.
8. To protect your system privacy do not send system info to canonical.
9. Do not enable location services
10. Install system updates by issuing the following commands:
sudo apt update
sudo apt dist-upgrade
11. By default the firewall is left off on Ubuntu. Enable the ubuntu firewall by issuing the following command:
sudo ufw enable
12. Go into Settings > Privacy
Disable Connectivity Checker
I find file history is not needed. Trash I typically leave alone because I have my machine full disk encrypted at rest from the OS level and VM level.
The defaults on screen lock should be fine.
Sending Error reports to canonical could be a privacy issue and I recommend it be disabled.
This section is dedicated to operational security aspects of running Ubuntu in day to day operations.
Password security:
My favorite password manager is keepassxc. You can install it by doing the following:
sudo snap install keepassxc
Just make sure you backup your database somewhere.
FireFox Security:
Go to Firefox Preferences
Under General scroll down to the bottom of network settings. Click the settings button. Enable DNS over HTTPS and select Custom. I prefer to use Quad9.
Reference URL: https://www.quad9.net/doh-quad9-dns-servers/
More Info on Quad9: https://quad9dns.quad9.net/dns/
Navigate to Privacy and Security. Make sure autofill of Logins and Passwords is Unchecked.
Make sure firefox will never remember history. For privacy reasons I prefer any website visits be erased when my browser is closed.
Never allow FireFox Data Collection and Use
Install the following firefox add ons:
Since we are running pretty much in private mode because we aren’t allow history. Yes we want this extension to run in Private Windows.
Next Install HTTPS everywhere. Its important that your browser always maintain secure connections to webservers.
This is the important extension to have. Since a web browser can be an initial vector of compromise its important to limit the amount of scripts especially javascript that runs in your browser.
Email Communication:
There is really only one service I can recommend for secure email communication that has out of the box encryption mechanisms that requires almost no knowledge to set up. I use the Free basic tier and I am pretty happy with their service. I rarely communicate via email outside of the corporate realm but if I have to this is what I prefer.
PGP:
If you must use PGP. Open terminal:
sudo apt install seahorse-nautilus
This will install seahorse utilities in the nautilus file system and comes in super handy to encrypt individual files with symmetric or asymmetric encryption.
How to create a safe encryption key for post quantum cryptography:
ECC keys using curve 25519 is my preferred method of an encryption key. Its a personal choice but I definitely choose to start moving away from RSA Keys.
URL References:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r1.pdf
To Create your own ECC key:
There are alot of reasons why I stick to curve25519. You can read more about it here:
Secure Instant Messenger and File Sharing:
Alot of people are going to divert on recommendations here. Yes, Signal in my opinion is a great encrypting messaging platform. It has its limitations though which is mainly around using a phone number to get started.
When is comes to identity verification for encrypted conversations keybase.io is pretty awesome.
To install on ubuntu:
Install curl first.
Then you will need to download the file. Followed by installing it with the install command as seen below.
Reference my PGP guidance from above for generating your own key. You can let keybase generate one for you but I prefer to generate my own.
VPN Services:
For full disclosure I may be on the hunt for a new VPN provider. For now yes I am currently using private internet access.
You can install by doing the following:
Once you are logged into the VPN click on settings
In the connection settings choose wireguard
You can read more about WireGuard at the following URL:
In the network tab switch to custom DNS and choose 9.9.9.9 as the primary DNS.
You can read more about Quad 9 here:
