Ubuntu usually comes out of the box with a pretty good set of security features. However there are some really great tools out there that can help to save some hassle…

1 – backup-manager
2 – fail2ban
3 – chrootkit, tiger, john
4 – KVM
5 – Nessus

1 – Backup – backup-manager

Security is about backup. Your server get attacked, it’s always good to have a backup of your data somewhere. the tricky part comes when the attacker finds out how to access your backup and get rid of it… Let’s focus only on hardware problems, mistakes or malicious script. (Did you ever get any??)

One great tool available on Ubuntu is Backupmanager.
To install it, simply type:

apt-get install backup-manager

In its configuration file (/etc/backup-manager.conf, Backup-manager will allow you to backup:

• your files (using tar.gz),
• your mysql database,
• a subversion repository,
• or actually anything else you want using the wonderful "pipe" method.

The tar.gz method allows you to do incremental backup which is great to save space on your backup device.
Also you will be able to specify different directories in the BM_TARBALL_DIRECTORIES configuration variable

export BM_TARBALL_DIRECTORIES="/etc /var/lib/ /var/www /root /home/"

With the mysql method you can setup an export of a selection or all your detabases.

export BM_MYSQL_DATABASES="__ALL__"

The pipe method works that way:

# Archive a remote MySQL database through SSH:
#    BM_PIPE_COMMAND[0]="ssh host -c \"mysqldump -ufoo -pbar base\""
#    BM_PIPE_NAME[0]="base"
#    BM_PIPE_FILETYPE[0]="sql"
#    BM_PIPE_COMPRESS[0]="gzip"
# This will make somthing like: localhost-base.20050421.sql.gz

# Archive a specific directory, on a remote server through SSH:
#    BM_PIPE_COMMAND[0]="ssh host -c \"tar -c -z /home/user\""
#    BM_PIPE_NAME[0]="host.home.user"
#    BM_PIPE_FILETYPE[0]="tar.gz"
#    BM_PIPE_COMPRESS[0]=""
# This will make somthing like: localhost-host.home.user.20050421.tar.gz

Once we know what to collect, we can select the way to backup the data.
Several methods are available:

• scp
• ssh-gpg
• ftp
• rsync
• s3 (Amazon bucket)

The configuration is easy, just follow the instruction in the comments of the configuration file.
You can also decide to use the DVD burning option.

2 – Access control – fail2ban

Fail2ban helps you to lower the load on your server if you get a lot of dictionary attacks from script kiddies. After a given number of attempts to connect to the server without success, the IP of the requester gets blacklisted for some minutes or hours.

Installation:

apt-get install fail2ban

Configuration files:

/etc/fail2ban/

Wikipedia article
Official website

3 – Checking Scripts – chrootkit, tiger, john

These 3 scripts will make different checks on your system in order to find security breaches.

apt-get install chrootkit tiger john

chrootkit

chrootkit will make a quick check of the main binaries of the filesystem and look for well known signatures of rootkits. These rootkits typically come with script kiddies trying dictionary attacks on ssh. (See fail2ban)

john

John the ripper is a great tool to evaluate the strength of your password. The longer it takes to break your password and the better your choosed your password 🙂
You can execute john the ripper that way.

john -user:root /etc/shadow

tiger

tiger is an excellent tool to check hundreds of sources of security breaches. Tiger will use john the ripper and chrootkit.
you can run tiger directly or call it with the -H option which will give you a neat HTML output, easier to browse. The output is usually extremely detailed and contains a lot of information on how to harden the security of your server.
To get more information about a given section you can use:

tigexp fsys006a

The listed files are device files that are located in non-standard
locations.  These should be checked.  The variable FS_DEVDIRS can be
set in the 'tigerrc' file to specify other directories which can contain
device files.

4 – Virtualization – KVM

One great way to protect your server is to run a set of virtual machines.
Imagine you need to run a webserver with some specific experimental parameters and you want to make sure it’s not going to interfere with your production environment. Or you are making some script demo server with an administration interface available to anyone with very high priviledges on the system. Say a webmin server for example.
Some funny guy decide to delete the whole system. Smart. But too bad, you managed to setup that system on a virtual machine. The machine was monitored by a little script on the host machine. If the machine becomes unaccessible, it shutdowns the vitual machine and restore a backup of the virtual machine. The backup is a simple file of about 2Gb which contains everything needed. About 2 minutes after the smart guy tried to screw up everything, the machine is back online. Too bad…

KVM is now available with Ubuntu 8.10 Intrepid.

The first thing you need to do is to check if the CPU of your server supports virtualization:

egrep '(vmx|svm)' --color=always /proc/cpuinfo

Then you can install the needed packages:

apt-get install kvm libvirt-bin ubuntu-vm-builder qemu bridge-utils

More information

5 – Nessus

Nessus is known to be the ultimate world best security tool by the website insecure.org.
Nessus is what we call a vulnerability assessment tool. It’s not free for commercial use but it’s ok for home use. It is very well supported and developed. More than 20,000 plugins are available…

More information

References:

http://ubuntuforums.org/showthread.php?t=510812
http://sectools.org/
http://www.nessus.org/nessus/
http://help.ubuntu.com/community/KVM
http://www.webmin.com/
http://en.wikipedia.org/wiki/Fail2ban
http://www.fail2ban.org
http://www.backup-manager.org