Security Basics

Most attacks come from 1) login services like SSH, TeamViewer, and Remote Desktop (XRDP) with weak or known passwords, 2) vulnerabilities in internet browsers and email clients, and 3) vulnerabilities in externally shared services, particularly web apps and network shares.

Here are some of our recommendations for a more secure system. We can help you with any or all topics.

Block External Connections

Services like SSH open ports to the internet. A firewall can limit which IP networks can reach your services. For example, the following commands limit incoming SSH (port 22) connections to BU’s IP space, including the VPN and wireless networks:

$ sudo apt install ufw
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw allow from 128.197.0.0/16 to any port 22
$ sudo ufw allow from 10.0.0.0/8 to any port 22
$ sudo ufw allow from 168.122.0.0/16 to any port 22
$ sudo ufw allow from 155.41.0.0/16 to any port 22
$ sudo ufw enable

By default, Ubuntu does not have a firewall turned on, because there are no servers running by default. The ufw command used above stands for Uncomplicated Firewall. It is a good place to start, but it is a simplified interface for configuring iptables. If you need more power, you can remove ufw and use iptables directly.

You can find more documentation on ufw, or ask us for help at enghelp@bu.edu.
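
To confirm that the rules above are the only way to reach SSH, the following added example (not part of the original page) parses `ufw status` output and flags any port 22 rule whose source is outside the four networks listed. The function names and the sample outputs are constructed for illustration.

```bash
# Added example: audit `ufw status` output for SSH rules outside the allowlist.
# Real use (assumed workflow): sudo ufw status | audit_ssh_rules
# Networks taken from the ufw commands above.
ALLOWED_SSH_SOURCES="128.197.0.0/16 10.0.0.0/8 168.122.0.0/16 155.41.0.0/16"

# Reads `ufw status` text on stdin, prints one line per problem, and returns
# non-zero if ufw is inactive or port 22 is allowed from an unlisted source.
audit_ssh_rules() {
    awk -v allowed="$ALLOWED_SSH_SOURCES" '
        BEGIN { bad = 0; n = split(allowed, a, " ")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Status: active/ { active = 1 }
        $1 ~ /^22(\/tcp)?$/ {
            for (i = 2; i <= NF; i++) if ($i == "ALLOW" || $i == "LIMIT") break
            if (i > NF) next                  # DENY and REJECT rows expose nothing
            src = $(i + 1)
            if (src == "IN") src = $(i + 2)   # verbose output says "ALLOW IN"
            if (!(src in ok)) { print "port 22 open to: " src; bad = 1 }
        }
        END { if (!active) { print "ufw is not active"; bad = 1 }; exit bad }
    '
}

# Constructed sample: status after running only the commands above.
sample_restricted() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       128.197.0.0/16
22                         ALLOW       10.0.0.0/8
22                         ALLOW       168.122.0.0/16
22                         ALLOW       155.41.0.0/16
EOF
}

# Constructed sample: a leftover "ufw allow 22/tcp" rule exposes SSH to all.
sample_exposed() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       128.197.0.0/16
22/tcp                     ALLOW       Anywhere
EOF
}
sample_exposed | audit_ssh_rules || echo "exposed sample: needs cleanup"
```

An unexpected rule reported by the check can be removed with `sudo ufw status numbered` followed by `sudo ufw delete <number>`.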

Patch System Vulnerabilities

Keep your operating system up-to-date with patches that remove security vulnerabilities. We recommend configuring automatic security updates. Most importantly, keep your browser and email client updated. For instance, install Chrome from Google’s repository and let apt keep it updated. If you have any external services running, like a website or TeamViewer, please keep them updated.

Install End-Point Protection

CrowdStrike Falcon provides lightweight virus scanning and intrusion detection. Currently the IS&T installation page does not include Linux, but we can help you with that. We just can’t post it publicly.

Lock the Boot Menu

If you have untrusted users with physical access to your machine, you should secure the grub boot menu to prevent users from starting in “recovery mode”, which grants root access.