back to article UK cyber security boffins dispense Ubuntu 18.04 wisdom

The UK’s National Cyber Security Centre (NCSC) has dispensed advice aimed at securing Ubuntu installs and followed it up with help for Dixons customers. The NCSC, part of the UK’s Government Communications Headquarters (GCHQ) exists to make the UK a safer place to do business online and, in an unusual step for a Government …

Anonymous Coward

Finally took the plunge with 18.04 last night..

... Really wish I hadn't.

Usually, it takes me 10-20 minutes to get a new VM up and running. After 2 hours of xrdp crashing causing the Ubuntu Desktop, I decided to junk it and try Server instead, which had a completely different set of problem.

I was spitting blood... so much in fact, I actually downloaded Fedora! (that's how desperate things got).

9
9
Silver badge

Re: Finally took the plunge with 18.04 last night..

What VM host were you using?

Virtualbox on Win10 let me build an 18.04 VM with no problems at all.

3
0
Anonymous Coward

Re: Finally took the plunge with 18.04 last night..

Yeah, but WHICH Fedora?

Fedora is actually nice.

2
2

Re: Finally took the plunge with 18.04 last night..

I spun up a few lamp installs on a 16.04 host last week with kvm/qemu. No issues so far.

2
0

Re: Finally took the plunge with 18.04 last night..

Strange. I've been running 18.04 for a few months with no problems.

However I usually do a nice clean reinstall - copy all my files off to the NAS box and then wipe and install from freshly downloaded media. I've found upgrading ubuntu releases in place is... well... not always a good idea.

8
0

Re: Finally took the plunge with 18.04 last night..

I didn't find desktop too bad; it worked for the limited use case I wanted it for. Some 'interesting' decisions made by the devs but it basically works.

18.04 Server is a turd; it's one thing to completely change the way you do network configuration, quite another to have the new complicated method not work properly. I blame fiddling for the sake of it by bored inept devs for that mess.

Then I found a whole set of basic configuration options wouldn't work properly whichever of a dozen methods I tried to use, rendering the whole thing useless.

16.04 at least worked.

3
0
Silver badge

Re: Finally took the plunge with 18.04 last night..

Try ubuntu 18.. it gos slooooow.

1
4

Re: Finally took the plunge with 18.04 last night..

Downvoted for spelling.

1
0
Meh

Re: Finally took the plunge with 18.04 last night..

Eh?

Vmware workstation 12. Download as fast your internet will allow. Install I think is 4 lines of text might have been 5.

Time to create is about five minutes of a few sliding scales and some numbers then next next. Then depending on your install it takes as long as it did with a disk. For windows 7 I think mine took about 20 minutes to go through the normal install wizard.

Once setup install time is a double click and watch it load, maybe twenty seconds for windows 7. This is on Ubuntu on my dell XPS 13.

Sounds like you had a bad experience but VMWare workstation 12 also passes through 3D graphics, much better than virtualbox.

1
0
Devil

Re: Finally took the plunge with 18.04 last night..

Get a Mac Use Arch.

0
0
Silver badge

VPNs?

So we've got one part of GCHQ trying to get people to use VPNs and another part of GCHQ that would dearly love VPNs to be banned. Reminds me of that old saying about a house divided against itself...

34
0
Silver badge

Re: VPNs?

Twas ever thus. CESG, now part of the UK NCSC, is the UK government’s National Technical Authority for Information Assurance, providing advice on protecting information and systems. Other parts of GCHQ - I'm not familiar with their org chart - try to break the cyber and crypto security of comms and systems.

Similar to the NSA and their NCSC, in the USA.

7
0

Re: VPNs?

Go read the linked page at www.ncsc.gov.uk.

"To meet the principles....Use a Prime or Foundation Grade IPsec VPN client configured as per that product’s security procedures to give data-in-transit protection."

This contains a link to "approved" software including IPSec VPN clients.

Now guess how many are listed for Linux. Or just follow the link and have a look for yourself.

1
0

Number of vulns means nothing

The number could be increased by the sheer number of packages Ubuntu supply, or the diligence shown in finding and reporting them. It's really frustrating when even news sites use it as some sort of security quality metric.

17
1
Silver badge

Re: Number of vulns means nothing

having to security vulnerabilities only means *you're not fixing them* ther's no such thing as bug free code at the OS level

5
2

Re: Number of vulns means nothing

Vulnerability counts of this type are very misleading. You just keep changing the product names to keep the numbers down. Sum all the MS Server counts regardless of version and then start making comparisons.

12
1

Good idea.

"cut down on the admin rights..."

Yes, that's one thing that has always puzzled me about Debian based systems. Why is it that sudo is used instead of su? To me that looks like an invitation to meddling and the chance of doing serious damage to your system.

I use PCLinuxOS and their forum has a piece on the potential abuse of sudo and why sudo is not recommended for use in PCLOS.

See here

11
2
Silver badge

Re: Good idea.

Why is it that sudo is used instead of su?

Several reasons. Firstly, sudo logs all its invocations. (If you use sudo -i, that log becomes less useful). Secondly, sudo can be configured to only allow a user to run a certain subset of commands. su is an all or nothing command. Finally, su requires the destination user's password (e.g. root) whereas sudo requires the current user's password (or not at all). One benefit of this, is that when an employee leaves, you don't have to change all the root passwords, you just delete their account.

Is sudo perfect? No. As your linked article mentions, the user's password becomes the keys to the kingdom rather than a separate root password.

Know the facts and make your choice.

49
0
Silver badge

Re: Good idea.

On Debian systems you can use sudo or su. Personally, on my Debian 8 box, I use su.

On Debian-based Ubuntu and it's derivatives, you're quite right. You use sudo instead of su.

8
0
Boffin

Re: Good idea.

As others have mentioned, sudo gives you much more fine-grained control over who is allowed to do what. But there are other advantages over plain su:

- You have an audit trail of who ran which admin command when. For some of us, that is a compliance requirement.

- Communicating a shared password is difficult. Tends to happen via e-mail which is NOT secure.

- When you have 20+ servers, changing the administrator password because Joe Admin left the company is not so simple.

- Passwords can be cracked or leaked, so a security compromise of one server quickly becomes a site-wide problem (unless you use unique passwords, which complicates the distribution issue further).

I try to avoid passwords as much as possible, to the extent that my personal servers do not have passwords (a '!' for the password field in /etc/shadow). Logins can only happen via ssh using SSH keys or certificates, and sudo is setup to require a one-time password or physical token (Yubikey). If you must use passwords, at least make sure you keep them centralized (ldap directory or similar).

In other words, think about how you implement security instead of just bashing some random tool based on a 7 year old forum post.

21
1
Silver badge

Re: Good idea.

"Firstly, sudo logs all its invocations. Secondly, sudo can be configured to only allow a user to run a certain subset of commands."

Those, in my view are because sudo is a kludge to overcome:

"su is an all or nothing command."

Which it has become as a kudge because root is now used for a great many purposes which could and should have separate administrators: e.g lpadmin to manage printers, bin to install and upgrade S/W. But that was too inconvenient so root got handed all the powers.

"Finally, su requires the destination user's password (e.g. root) whereas sudo requires the current user's password (or not at all). "

You say that as if it's an advantage. If the user has adopted a weak password that's all that stands between anybody who cracks it and root permissions. Requiring a second password provides an extra layer of protection.

"One benefit of this, is that when an employee leaves, you don't have to change all the root passwords, you just delete their account."

Again, it's the convenience thing.

I harbour suspicions about that (convenient)option to enter further sudo commands within a given period. It opens the door to an exploit.

9
12
Silver badge

Re: Good idea.

"When you have 20+ servers, changing the administrator password because Joe Admin left the company is not so simple."

I think the word you were looking for was "convenient". Do not trade security for convenience.

"Passwords can be cracked or leaked, so a security compromise of one server quickly becomes a site-wide problem (unless you use unique passwords, which complicates the distribution issue further)."

Just so. If an admin's personal password is cracked what stands between the cracker and root? If you have multiple admin users the cracker only has to get lucky with one of them.

"In other words, think about how you implement security instead of just bashing some random tool based on a 7 year old forum post."

I don't have to base my dislike of sudo on any thing as recent as a 7 year old forum post. I can make up my own mind.

7
10
Silver badge

Re: Good idea.

The problem with putting security above convenience is that people are lazy, and if it's 'too hard' to stay secure, then, well, you won't stay secure.

For example, in this case, if you're relying on changing the root password on multiple servers because someone has left, and then a few weeks later someone else leaves, it's all too easy for that task to be postponed until it's forgotten about.

The easier you make it to be secure, the more likely people are going to stay secure.

20
1

Re: Good idea.

Do not trade security for convenience.

Err, security vs convenience is a fundamental trade-off. For example, no root password gives no security but maximum convenience.

16
0
hmv

Re: Good idea.

"Requiring a second password provides an extra layer of protection."

See rootpw and targetpw configuration options.

"to enter further sudo commands within a given period"

See timestamp_timeout

It's a little harsh to condemn a useful tool just because its default configuration isn't to your liking. My preferred method is to keep root's password secret (and in the DR firesafe) and require long and strong passwords for administrators (audited by actually running John the Ripper).

8
0
Silver badge

Re: Good idea.

A major factor is there is no root account. So you have to guess both the account name(s) that have sudo rights AND a matching password. If you ever look at your SSH/auth logs without any tight IP restrictions you will see lots of attempts to log in with names such as: root, admin, pi, test, oracle...

7
0
Bronze badge

Re: Good idea.

You have 20+ servers, and you want to change passwords by hand? SW guy here. This is why devops has become a thing.

2
4
Bronze badge

Re: Good idea.

Really? You'd put passwords in a script? Where do you store it, GIT?

(Genuine question, mainframe chap here; the idea of anyone outside the console having rights to install software is bizarre to me in a server environment).

11
1
Anonymous Coward

Re: Good idea.

https://www.michaelwlucas.com/tools/sudo Sudo Mastery

I should add that I have no ties to the writer of publisher, just thought it could potentially help.

1
0
Anonymous Coward

Re: Good idea.

"If the user has adopted a weak password that's all that stands between anybody who cracks it and root permissions."

This should not be an issue.

With roughly 2,000 employees, about a dozen can get root access on servers, infrastructure devices, etc. The rest, including developers, vendors, etc, cannot. That dozen knows better than to use weak passwords.

Just make sure you keep the sudo group small and aware.

5
0
Anonymous Coward

Re: Good idea.

You have 20+ servers, and you want to change passwords by hand? SW guy here. This is why devops has become a thing.

------------------------------------------------------------------------------------------------------------------------------

We have 400+ servers, and local root passwords are *always* set by hand... then never used.

Root access is by sudo, or by privileged individual Windows accounts.

Using root passwords is very discouraged except in extreme emergencies when access to central authentication servers is broken, as it muddies up tracking by logging multi-user accounts.

5
2
FAIL

Re: Good idea.

I once worked for a tech firm where the Director of IT insisted he be allowed to use a 2-letter password, and that I covered this up in the logs and audits.

In my experience those who should know better are often the worst offenders and more likely to get caught out though their own cockiness and over-confidence.

2
0
Silver badge

Re: Good idea.

Presumably ordinary users are urged to use a password-store program with long passwords because it's a good idea, and not just to annoy them. But what do I know?

I have a password-store at work; I have to input 3 passwords to open it. One of those is "password". I don't actually use it to store passwords in. If I did, then they wouldn't be behind "password".

1
0
Bronze badge

Re: Good idea.

I'm taking your earnestness on faith. OF COURSE no password is hardcoded in any software created by a competent programmer. (Let alone a software engineer.) It gets passed in when the program is run. And not on the command line because logs.

1
0
Bronze badge

Re: Good idea.

So, which is it.."never used" or only used in "extreme emergencies"? The policy implications of the two use cases are substantially different.

If it is in fact never used, then what matters what it is? Disable it & be done. Heck, this is an exception to the "never hard coded" rule I just mentioned.

If it is in fact held in reserve for "extreme emergencies", then you have a problem: how do you know that one of the 400 by-hand settings was not mis-typed? This is a serious amount of toil you are bragging about. Would you still be proud to set 8000 root passwords by hand? 160000?

We use software because we are stupid & because unnecessary energy expenditure is a bad thing. You can continue to manage 400 root passwords by hand because you consider it to be "secure", but I can all but guarantee that the actual failure rate you experience will be significantly higher than if this were managed by good software.

1
0
Silver badge

Re: Good idea.

> ... those who should know better are often the worst offenders ...

You expect the "Director" to know better?

2
0
Silver badge

"in an unusual step for a Government agency, does a pretty good job of dispensing sensible security advice."

I don't know how you can say that. HMRC did a pretty good job of finding an email address I'd never given them and, only yesterday, wrote to tell me I'd got a tax rebate.

15
0
Silver badge

It's some kind of partnership operation that HMRC have with the Nigerian royal family.

26
0
Anonymous Coward

I don't know how you can say that. HMRC did a pretty good job of finding an email address I'd never given them and, only yesterday, wrote to tell me I'd got a tax rebate.

Just felt a need here to even things back out.

HRMC did a pretty good job of losing a new home address I'd given them, and wrote to me telling me I was getting surcharged for not doing my self-assessment!

7
0
Anonymous Coward

Twas ever thus.

2
0

Wasn't Ubuntu the one distro that sent your keystrokes to Amazon?

A feature of course, to be able to show ads more relevant results to the user when he is doing a local search on his own computer of his own files.

Do they still have that amazing feature?

5
16

@Ninjaturtle - Always pays to check your facts before splurting on t'internet for everyone to see.

10
4

@Adair:

Checked it especially for you:

https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks

Turns out they did have the amazing feature, exactly like I described. You're welcome.

4
11
Silver badge

"Do they still have that amazing feature?"

They were fairly quickly disabused of that as a good idea.

6
0

@ninjaturtle - Funnily enough I know all about that. I am more interested in the motive behind your apparent attempt to smear Ubuntu with the loaded and disingenuous nature of your comment.

9
3

@Adair:

Why do you call it 'smearing', when I'm just stating facts? Trying to downplay these facts as if they are not true, that's truly disingenuous.

I like free software and I certainly like Linux. What I don't like is companies that spy on people, thereby limiting their freedom, while justifying it by arguing the product doesn't cost money, even calling it free in the perverted sense of the word.

Remember Ubuntu boss Shuttleworth's response when they got caught out on the data leakage: "Erm, we already have root.".

8
5
hmv

No, in fact it was not exactly as you described. They sent the keystrokes to Amazon (insecurely) FROM the search application; your statement implied that all keystrokes were sent.

13
4
Anonymous Coward

@nonnijaturtle

"Why do you call it 'smearing', when I'm just stating facts? Trying to downplay these facts as if they are not true, that's truly disingenuous."

Because that was fucking ages ago, and blew such a stink that they removed it and havent done it again..

So unless you live under a rock with no news source, it's irrelevent to version 18.04 , it looks like your bringing it up as a smear

11
5

@ninjaturtle 'Why do you call it 'smearing'' - I think others have already adequately answered your question.

5
1
Bronze badge

Victim of its own success

May just be me, but with Ubuntu actuall getting the lions share of mainstream linux (actually coming pre-installed on some machines) have Cannonical made a rod ofr their own backs, much like Apple did with MacOS?

IE has its market share now made it a target, and consequently all the other Debian/Ubuntu based distros?

2
1

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018