Ubuntu Server Edition
Ubuntu Server Edition is built on the solid foundation of Debian Linux, a distribution known for its built-in security. Ubuntu's Security team works together with Debian's and other leading vendors' security teams to make sure Ubuntu remains as secure as possible when issues are discovered, and publishes Ubuntu Security Notices when patches are released.
The team also continuously improves the preventive security features delivered with Ubuntu. A complete security features list and matrix is maintained on the security wiki pages.
Here are some of the most interesting security features built into Ubuntu:
No open ports
By default, Ubuntu installs no services that listen on network ports. (The astute reader will note that local network clients such as the DHCP client and Avahi, which must bind a port to do their job, are the only exception.) This reduces the chance that a system is compromised through a service the administrator never knowingly installed. See the current Ubuntu Security Team policy for details.
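A quick way to verify that claim on a running host, as an added example (not from this page): decode the kernel's own TCP socket table, which needs nothing but /proc and a POSIX shell. The function and sample names are mine, and the sample rows are constructed rather than captured from a real system; "sudo ss -lntup" shows the same information with process names when it is available.

```bash
#!/bin/sh
# Added example (not from the Ubuntu page): confirm the "no open ports" claim
# on a running host by decoding the kernel's socket tables directly.
#
# /proc/net/tcp and /proc/net/tcp6 lines look like
#   sl local_address rem_address st ...
# with addresses in hex (IPv4 is stored little-endian, so 127.0.0.1 is
# 0100007F), the port after the colon, and st 0A meaning LISTEN.

# Read /proc/net/tcp{,6}-format text on stdin; print "<port> <scope>" for each
# listening socket.  scope is "loopback" for 127.0.0.0/8 and ::1, else "external".
listening_tcp() {
    tail -n +2 | while read -r _sl local _rem st _rest; do
        [ "$st" = "0A" ] || continue
        addr=${local%:*}
        port=$((0x${local#*:}))
        case "$addr" in
            ??????7F)                         scope=loopback ;;   # 127.x.y.z
            00000000000000000000000001000000) scope=loopback ;;   # ::1
            *)                                scope=external ;;   # 0.0.0.0, ::, or a real address
        esac
        printf '%s %s\n' "$port" "$scope"
    done
    return 0
}

# Ports reachable from the network on this host, one per line; exits 1 when
# there are none, so it can be used as a gate in a build or deployment check.
external_listeners() {
    for f in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$f" ] && listening_tcp < "$f"
    done | grep ' external$' | cut -d' ' -f1 | sort -un
}

# Constructed sample in the kernel's format (IPv4 and IPv6 rows mixed here for
# brevity; the real files are separate): CUPS on 127.0.0.1:631, sshd on
# 0.0.0.0:22, one established client connection, a web server on [::]:80 and
# something on [::1]:8080.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     7        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:A1B2 5BD6F2C9:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12348 1 0000000000000000 100 0 0 10 0
   4: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12349 1 0000000000000000 100 0 0 10 0
EOF
}

# sample_proc_net_tcp | listening_tcp  prints:
#   631 loopback
#   22 external
#   80 external
#   8080 loopback
```

On a freshly installed server, "external_listeners" should print nothing and exit 1; anything it does print is a service someone installed, and the port number is enough to find it with "sudo ss -lntp". UDP sockets live in /proc/net/udp with the same address encoding but a different state value, so they are not covered by this function.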
Role-based administration
Ubuntu also implements a role-based administration model with no default root access: the root account has no password and is locked, and administrative work is done through sudo by users in the admin group (later releases use the sudo group). Other Linux distributions typically hand out a shared root password; role-based administration allows for better security, error prevention and auditing, because every privileged command runs from an identifiable account and is logged. This is particularly useful on systems where more than one person would have been given root access in the traditional model. The default can be reversed by setting a root password (sudo passwd root) once you are confident that direct root access is safe in your particular situation.
No X server by design
By design, Ubuntu Server Edition does not include an X server or any graphical desktop applications. This is a deliberate choice as we believe that most servers should be serviced remotely, are safer without the addition of code that needs direct communication from user space to hardware, and should not be used as a desktop by their administrator.
"So I applaud the Ubuntu team’s common sense (and courage) in keeping the X Window System out of the default installation of Ubuntu Server."
--Mick Bauer in April 2008 Linux Journal - "Security Features in Ubuntu Server"
Security Updates and Landscape
Our security team monitors vulnerabilities in all the packages we maintain, and quickly prioritizes and responds by releasing patches for the affected packages for all maintained versions of Ubuntu. This is a free service, available regardless of any support subscription. Subscribers to our technical support can additionally apply these patches to many machines at once through Landscape, Canonical's web-based systems management service, which considerably reduces the burden on system administrators in larger deployments.
Kernel & Compiler Hardening
Our security team also proactively hardens the kernel and enables stricter compiler checks and protections by default. These hardening techniques do not fix bugs, but they make the common memory-corruption bugs much harder for an intruder to turn into a compromise of the server. 8.04 includes these security features:
- ASLR (Address Space Layout Randomisation) consists of several built-in memory protection techniques that make the locations of the stack, heap, libraries and executable code in user space harder to predict (controlled by the kernel.randomize_va_space sysctl). Additionally, a process's memory map (/proc/<pid>/maps) is readable only by its owner ("maps protection"), so an unprivileged attacker cannot simply look the addresses up. Even if an attacker finds a vulnerability, ASLR can make it much harder to exploit.
- Stack protection adds a random value (called a canary, acting as a fuse) between a function's local buffers and its saved return address; when the function returns, the canary is checked and the process is aborted if it has been overwritten. Vulnerabilities involving "stack overflows" are rendered significantly more difficult to exploit by an attacker. This is the gcc -fstack-protector option, enabled by default in Ubuntu's gcc.
- Heap protection: GNU libc provides internal memory allocation consistency checking and pointer obfuscation. If a bug in an application mismanages its resources, for example allowing a heap overflow or freeing the same memory twice (double free), these runtime protections can block attackers from exploiting those flaws.
- Non-executable memory: only memory areas meant for executable code are allowed to execute, so attackers cannot easily inject their own machine code into a vulnerable application. This is available with any kernel on 64-bit processors, or when running the "-server" kernel on a 32-bit processor that provides the "nx" capability (shown in the flags line of /proc/cpuinfo).
- Kernel Memory Address Protection consists of multiple techniques to restrict which parts of kernel memory user-space tools can access. For example, the X server may still access device memory through /dev/mem, but not kernel memory, which can prevent the installation of rootkits.
- NULL Address Space Protection: the lowest 64K of the address space cannot be mapped by user space (the vm.mmap_min_addr sysctl). This protects the system when an attacker attempts to exploit a kernel vulnerability involving a NULL pointer dereference, because the attacker can no longer place their own data at address zero.
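The following added example (mine, not from the page) reports the state of these kernel-side protections on a running system. The function names and the $ROOT convention are my own; $ROOT exists only so the same checks can be pointed at a constructed /proc tree and exercised without root.

```bash
#!/bin/sh
# Added example (not from the Ubuntu page): report the runtime state of the
# kernel-side protections listed above.  Paths are taken under $ROOT (default
# "", i.e. the live system) so the same functions can be pointed at a
# constructed /proc tree for testing.
ROOT=${ROOT:-}

read_sysctl() {   # $1: path under /proc/sys, e.g. kernel/randomize_va_space
    if [ -r "$ROOT/proc/sys/$1" ]; then cat "$ROOT/proc/sys/$1"; else echo unknown; fi
}

# kernel.randomize_va_space: 0 off, 1 randomise stack/mmap/vdso, 2 also the brk heap
aslr_state() {
    case "$(read_sysctl kernel/randomize_va_space)" in
        2) echo full ;;  1) echo partial ;;  0) echo off ;;  *) echo unknown ;;
    esac
}

# The nx flag in /proc/cpuinfo means the CPU enforces non-executable pages;
# without it a 32-bit kernel can only approximate NX in software.
nx_state() {
    if sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$ROOT/proc/cpuinfo" 2>/dev/null |
            tr ' ' '\n' | grep -qx nx; then
        echo hardware
    else
        echo none-or-emulated
    fi
}

# vm.mmap_min_addr: lowest address user space may map; 65536 is the 64K guard
# described above, which turns a kernel NULL-pointer dereference from a page
# the attacker controls into a plain crash.
null_page_guard() { read_sysctl vm/mmap_min_addr; }

memory_protection_report() {
    printf 'ASLR: %s\nNX: %s\nmmap_min_addr: %s\n' "$(aslr_state)" "$(nx_state)" "$(null_page_guard)"
}

# Live demonstration of ASLR: each grep is a fresh process, and with ASLR on
# the [stack] mapping starts at a different address every time.
aslr_demo() {
    for _ in 1 2 3; do grep '\[stack\]' /proc/self/maps; done
}
```

Run "memory_protection_report" on the live system (no arguments, no root needed) and "aslr_demo" to watch the stack base move between processes. A report of "NX: none-or-emulated" on a 32-bit kernel means the software approximation described under 9.10 below is all that is available.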
AppArmor
Security can also be greatly enhanced in Ubuntu through the use of the mandatory access control (MAC) rules provided by AppArmor. It allows the system administrator to associate each programme with a security profile that restricts the authority and access rights of that programme. It supplements traditional UNIX discretionary access control with rules that control which files, capabilities and other system resources a programme may use, regardless of the user it runs as. To simplify the setup of these rules, AppArmor has a learning mode (the tools call it complain mode) that can be enabled programme by programme: the profile is not enforced, but every access outside it is logged, so a typical rule set can be built from real usage of the service or application and then switched to enforcement.
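As an added example (not from the page or from the AppArmor project), here is the learning-mode workflow for one programme, together with a small summariser that turns the kernel's AppArmor log lines into candidate profile rules. aa-logprof is the real interactive tool for this; the summariser is a non-interactive first look at what a profile is missing, or at what an enforced profile is blocking. The sample log lines are constructed and the function names are mine.

```bash
#!/bin/sh
# Added example (not from the Ubuntu page): learning-mode workflow for one
# programme, plus a non-interactive triage of AppArmor events from syslog or
# dmesg text.

# Learning mode for one binary (run as root; needs the apparmor-utils package).
profile_in_learning_mode() {   # $1: confined binary, e.g. /usr/sbin/ntpd
    aa-complain "$1"     # keep logging accesses outside the profile, stop blocking them
    #   ... now exercise the service under realistic load ...
    aa-logprof           # walk the logged events interactively and extend the profile
    aa-enforce "$1"      # back to enforcement
    aa-status            # the profile should be listed under "enforce mode"
}

# Extract key="value" from one log line.
field() { printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"; }

# Log text on stdin -> one "profile|verdict|operation|name|mask" line per
# distinct event.  ALLOWED events come from complain mode (the access went
# ahead but is outside the profile); DENIED events come from enforce mode.
apparmor_events() {
    grep -oE 'apparmor="(DENIED|ALLOWED)".*' | while read -r line; do
        mask=$(field denied_mask "$line")
        [ -n "$mask" ] || mask=$(field requested_mask "$line")
        printf '%s|%s|%s|%s|%s\n' "$(field profile "$line")" "$(field apparmor "$line")" \
            "$(field operation "$line")" "$(field name "$line")" "${mask%%:*}"
    done | LC_ALL=C sort -u
    return 0
}

# Turn the events into candidate profile text.  Only complain-mode "open"
# events become file rules; denials are listed as comments because a denial
# is just as likely to be an attack (ntpd reading /etc/shadow) as a gap.
suggest_rules() {
    apparmor_events | awk -F'|' '
        $1 != prof { if (prof != "") print "}"; prof = $1; print "profile " prof " {" }
        $2 == "ALLOWED" && $3 == "open" { printf "  %s %s,\n", $4, $5 }
        $2 == "ALLOWED" && $3 != "open" { printf "  # ALLOWED %s %s %s (not a file rule; use aa-logprof)\n", $3, $4, $5 }
        $2 == "DENIED"                  { printf "  # DENIED, review before adding: %s %s %s\n", $3, $4, $5 }
        END { if (prof != "") print "}" }'
}

# Constructed sample in the kernel's audit format: two identical complain-mode
# events for a log file ntpd legitimately writes, one enforce-mode denial of a
# read of /etc/shadow, and a profile-load status line that must be ignored.
sample_apparmor_log() {
    cat <<'EOF'
Oct 14 10:01:02 host kernel: [  812.345678] type=1400 audit(1255514462.123:31): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/loopstats" pid=2201 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Oct 14 10:01:02 host kernel: [  812.345999] type=1400 audit(1255514462.124:32): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/loopstats" pid=2201 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Oct 14 10:05:40 host kernel: [ 1090.111111] type=1400 audit(1255514740.555:40): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2201 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 14 10:06:01 host kernel: [ 1111.000000] type=1400 audit(1255514761.000:41): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/ntpd" pid=2300 comm="apparmor_parser"
EOF
}
```

"sample_apparmor_log | suggest_rules" prints one profile block with the loopstats write as a rule and the /etc/shadow read as a comment to review; on a real host feed it "dmesg" or /var/log/kern.log instead. The split between ALLOWED and DENIED is the point: rules are only ever generated from what the programme did while you were deliberately exercising it in learning mode.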
Uncomplicated Firewall
Starting with version 8.04, Ubuntu provides ufw (Uncomplicated Firewall), a command line utility with a name that reveals a lot about its aim. If iptables configuration is too complicated for your needs, ufw makes it very simple to add host-based packet filtering rules to your server (or desktop). To maintain backward compatibility, ufw is installed but disabled by default, and enabling it is just a command away. Because ufw looks up service names in /etc/services, you do not need to know the port numbers you want to open; you just specify the name of the service you want to enable, for example:
sudo ufw enable
sudo ufw allow smtp
sudo ufw allow http
is all you need to have your server accept incoming connections only on ports 25 (smtp) and 80 (http). On a server that you administer over ssh, add sudo ufw allow ssh before enabling the firewall, or the default policy will block new ssh logins.
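An added example (mine, not from the page): the baseline above as a script that can be re-run safely, plus an audit of "ufw status numbered" output that lists every rule open to the whole network. The status sample is constructed and the function names are mine; the ufw commands are current syntax and need root.

```bash
#!/bin/sh
# Added example (not from the Ubuntu page): the ssh/smtp/http baseline the
# text describes, and an audit of the resulting rule set.

ufw_baseline() {
    ufw default deny incoming    # what the page's three commands rely on
    ufw default allow outgoing
    ufw allow ssh                # before enable on a remote box; same as "ufw allow 22/tcp"
    ufw allow smtp               # port looked up in /etc/services, as the text says
    ufw allow http
    ufw logging low
    ufw --force enable           # --force skips the "may disrupt existing ssh connections" prompt
    ufw status verbose
}

# What "ufw allow <name>" will actually open: the /etc/services entry.
service_port() { getent services "$1" | awk '{ print $2 }'; }

# Audit: read "ufw status numbered" text on stdin and print "<n> <to>" for each
# rule that accepts inbound traffic from Anywhere.  ufw separates its columns
# with runs of spaces and a rule's "To" column can itself contain a space
# ("80/tcp (v6)"), so split on two-or-more spaces, not on single blanks.
world_open_rules() {
    sed -n 's/^\[ *\([0-9]*\)] */\1  /p' |
        awk -F'  +' '$3 == "ALLOW IN" && $4 ~ /^Anywhere/ { print $1, $2 }'
}

# Constructed sample of "sudo ufw status numbered": ssh restricted to one
# subnet, smtp and http open to the world (v4 and v6), one egress reject.
sample_ufw_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/16
[ 2] 25/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 25/tcp                     REJECT OUT  Anywhere (out)
[ 5] 25/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}
```

"sudo ufw status numbered | world_open_rules" is the list to compare against what the server is actually meant to offer; on the sample it prints rules 2, 3, 5 and 6 and leaves out the subnet-restricted ssh rule and the outbound reject. The rule numbers it prints are the ones "ufw delete <n>" takes.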
For more information, please read the Firewall section of the Server Guide.
New in 8.10:
Uncomplicated Firewall
Packages for common services now ship ufw application profiles (in /etc/ufw/applications.d) that list the ports the service needs, so the administrator can open them with a single command, ufw allow <application>. ufw app list shows the profiles available and ufw app info <application> shows the ports a profile would open.
Encrypted private directories
The ecryptfs-utils package now provides support for an encrypted Private directory inside a user's home directory, unlocked with the user's login passphrase.
If you have not selected this option during the setup of your server, you can enable this feature by typing the following from a command prompt:
sudo aptitude install ecryptfs-utils
ecryptfs-setup-private
For more information, please read the Encrypted private directory tutorial.
Compiler security-hardening features by default
The gcc compiler now defaults to enabling several security hardening features and warnings, including -D_FORTIFY_SOURCE=2 (bounds checks on common libc string and memory calls), -Wformat -Wformat-security (warnings for format-string misuse) and RELRO linking. These do not find the bugs, but they make many as-yet-undiscovered vulnerabilities far harder, and in some cases impossible, to exploit.
Network services compiled as position-independent executables
To take advantage of the kernel's ability to randomize the in-memory location of executables, many network services were compiled as position-independent executables (PIE), including: apache2, bind9, openldap, postfix, cups, openssh, postgresql-8.3, samba, dovecot, dhcp3. This makes certain kinds of security vulnerabilities even harder to exploit.
New in 9.04:
Support for full home directory encryption
Per-user home directory encryption, seamlessly integrated with your login password, protects all of your home directory data with strong per-file encryption, without the performance penalty of encrypting the entire filesystem. Because the encrypted files live on disk as ordinary files, the underlying encrypted data can also be backed up incrementally with virtually no performance penalty.
Filename encryption
eCryptfs now encrypts file names as well as file contents, so a directory listing of the underlying encrypted store reveals nothing about what is inside, providing an extra level of security.
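An added example (not from the page) covering the Private directory of 8.10 and the filename encryption of 9.04 together: set the directory up, record the recovery passphrase, and check from /proc/mounts whether a given mount actually has filename encryption on. The /proc/mounts excerpt is constructed and the function names are mine.

```bash
#!/bin/sh
# Added example (not from the Ubuntu page): set up the encrypted Private
# directory and then verify, from /proc/mounts, what the mount actually
# provides: the cipher, the key size, and whether file names are encrypted too
# (ecryptfs_fnek_sig is present only when filename encryption is on).

setup_private_dir() {          # run as the user who will own ~/Private
    sudo apt-get install -y ecryptfs-utils
    ecryptfs-setup-private     # asks for the login passphrase; generates a random mount passphrase
    # The mount passphrase is stored wrapped with the login passphrase in
    # ~/.ecryptfs/wrapped-passphrase.  Print it once and keep it offline: it is
    # the only way back into the data if the login passphrase is lost or the
    # wrapped file is damaged.
    ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
}

# /proc/mounts text on stdin -> "<mountpoint> cipher=<c> key_bytes=<n> fnek=<yes|no>"
# for every eCryptfs mount.
ecryptfs_mounts() {
    awk '$3 == "ecryptfs" {
        cipher = "?"; bytes = "?"; fnek = "no"
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^ecryptfs_cipher=/)    { sub(/^[^=]*=/, "", o[i]); cipher = o[i] }
            if (o[i] ~ /^ecryptfs_key_bytes=/) { sub(/^[^=]*=/, "", o[i]); bytes = o[i] }
            if (o[i] ~ /^ecryptfs_fnek_sig=/)  fnek = "yes"
        }
        print $2, "cipher=" cipher, "key_bytes=" bytes, "fnek=" fnek
    }'
}

# Constructed /proc/mounts excerpt: one Private directory mounted with filename
# encryption, one older mount without it, and an unrelated filesystem.
sample_proc_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0123456789abcdef,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/home/bob/.Private /home/bob/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0011223344556677,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}
```

"ecryptfs_mounts < /proc/mounts" on a live host shows, per mount, whether names are protected (fnek=yes) and how long the key is; a mount created before 9.04 shows fnek=no until it is migrated. "ecryptfs-mount-private" and "ecryptfs-umount-private" mount and unmount the directory by hand when the login integration is not in use.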
Uncomplicated Firewall
Version 0.27 of ufw brings many easy-to-use new features:
- ufw now has debconf support, which means that you can enable ufw and set up some basic rules via the installer and, most importantly for servers, via preseeding. Any "simple" rule can be preseeded (e.g. ufw allow 22/tcp), as can the application profiles (e.g. Cups, DNS, Imap (Secure), Pop3 (Secure), SSH, Samba, Smtp, WWW, WWW (Secure)), but not complex ones (e.g. ufw allow from 192.168.0.0/16 to any port 22 proto tcp).
- ufw can now be used to add iptables REJECT directives, both for rules and as the default policy (the peer is told the connection was refused rather than left waiting for a timeout).
- Rules can now be inserted, rather than just appended to the end.
- ufw now has the concept of log levels (off, low, medium, high, full) and can log on a per rule basis as well.
See the updated manpage for more details.
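The logging and rule features above, in an added example that is not from the page: set per-rule logging, summarise the kernel's [UFW BLOCK] lines from syslog into counts per source and port, and use "ufw insert" to put a deny for repeat offenders ahead of the allow rules. The log lines are constructed and the function names are mine; the ufw commands need root.

```bash
#!/bin/sh
# Added example (not from the Ubuntu page): use the 9.04 logging and rule
# features.  The setup function is plain ufw syntax; the summariser reads
# ufw's "[UFW BLOCK]" kernel log lines from syslog text on stdin.

ufw_logging_setup() {
    ufw logging medium          # off | low | medium | high | full
    ufw allow log 22/tcp        # per-rule logging: every new ssh connection is logged
    ufw reject 113/tcp          # REJECT answers with a TCP reset instead of silently dropping
}

# "<count> <src> <PROTO>/<dport>" per distinct source and destination port,
# most frequent first.  Only TCP and UDP carry a DPT= field; ICMP is skipped.
ufw_block_summary() {
    grep '\[UFW BLOCK\]' |
        sed -n 's/.*SRC=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2\/\3/p' |
        LC_ALL=C sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
    return 0
}

# Sources with at least $1 blocked packets in total, sorted.
repeat_offenders() {
    ufw_block_summary | awk -v min="$1" '{ n[$2] += $1 } END { for (s in n) if (n[s] >= min) print s }' |
        LC_ALL=C sort
}

# Insert a deny for each repeat offender at position 1 so it is matched before
# the allow rules: rules are evaluated in order, and "insert" (new in 9.04) is
# what makes this possible without flushing everything.
block_offenders() {   # $1: threshold; stdin: syslog text
    repeat_offenders "$1" | while read -r src; do ufw insert 1 deny from "$src"; done
}

# Constructed syslog excerpt: three ssh probes from one host, two telnet probes
# from another, one DNS packet, an allowed connection and an ICMP echo.
sample_ufw_log() {
    cat <<'EOF'
Oct 20 09:13:14 srv kernel: [  845.120001] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:13:15 srv kernel: [  846.220002] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:13:17 srv kernel: [  848.330003] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:14:02 srv kernel: [  893.440004] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 20 09:14:03 srv kernel: [  894.550005] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 20 09:15:30 srv kernel: [  981.660006] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=33333 DPT=53 LEN=48
Oct 20 09:15:31 srv kernel: [  982.770007] [UFW ALLOW] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:15:32 srv kernel: [  983.880008] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}
```

"sample_ufw_log | ufw_block_summary" ranks the ssh prober first with three hits; "sample_ufw_log | repeat_offenders 2" names the two scanning hosts, which is what "block_offenders 2 < /var/log/syslog" would then deny at rule position 1. Pick the threshold with the log level in mind: "ufw logging high" records far more than "low", so the same number means something different.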
screen-profiles (byobu)
screen-profiles (byobu) is a new package that provides a coloured text interface with tabbed windows, the ability to background processes, and dynamically updated status indicators for the distro, release, reboot-required, updates-available, ec2-cost, system load, number of CPUs, CPU frequency, total memory, memory used, date/time, etc.
New in 9.10:
AppArmor
AppArmor in Ubuntu 9.10 features an improved parser that uses cache files, greatly speeding up AppArmor initialisation on boot. AppArmor also now supports the 'pux' execution mode which, when specified for a file, means a process executing it transitions to that file's own profile if one exists or simply runs unconfined if none does (the lower-case p means the environment is not scrubbed on the transition).
Please see the AppArmor documentation for information on using AppArmor in Ubuntu.
New profiles
In addition to the above changes to AppArmor itself, several profiles were added. Enforcing profiles for ntpd and libvirt are enabled by default. Complain mode profiles for Dovecot are now available in the apparmor-profiles package.
An AppArmor profile is now available for Apache in the libapache2-mod-apparmor package. When used in combination with the mod_apparmor Apache module, which switches to a per-location or per-virtual-host sub-profile (a "hat") selected with the AAHatName directive, web applications can be protected and isolated from each other. Instructions for enabling the profile are in the /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 file.
Please see the SecurityTeam/KnowledgeBase for a full listing of readily available profiles in Ubuntu.
Libvirt
Libvirt now contains AppArmor integration when using KVM or QEMU. libvirtd launches each virtual machine under its own AppArmor profile, generated for that guest and restricted to the disk images and devices it was configured with. This significantly improves virtualisation in Ubuntu by protecting the host's user space from a compromised guest as well as isolating guests from each other, which is particularly important for multi-tenant use of Ubuntu Enterprise Cloud.
Uncomplicated Firewall
The Uncomplicated Firewall now has support for filtering by interface and egress filtering when using the ufw command. Documentation for ufw is also improved to help users better utilise the ufw framework and take full advantage of Linux netfilter's power and flexibility. See UbuntuFirewall#Features for a full list of features.
Non-eXecutable Emulation
Non-eXecutable (NX) memory protection, also known as eXecute-Disable (XD), has always been available in Ubuntu for any systems that had the hardware to support it and ran the 64-bit kernel or the 32-bit server kernel. The 32-bit PAE desktop kernel (linux-image-generic-pae) now also provides the PAE mode needed for hardware with the NX CPU feature.
For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation that can help block many exploits an attacker might run from stack or heap memory.
Blocking Module Loading
To block the loading of any further modules after boot (generally for servers with unchanging hardware), the /proc/sys/kernel/modules_disabled one-way sysctl flag now exists to add another layer of protection against attackers loading kernel rootkits. Once set to 1 it cannot be cleared without a reboot, so set it only after every module the machine needs, such as the netfilter modules used by ufw, has been loaded.
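An added example (mine, not the page's) of locking module loading without locking yourself out of a needed driver. The function names and the module list are illustrative; $ROOT is there so the checks can be exercised against a constructed /proc tree.

```bash
#!/bin/sh
# Added example (not from the Ubuntu page): lock kernel module loading only
# after checking that everything the machine needs is already resident.  The
# flag is one-way, so a mistake here costs a reboot.
ROOT=${ROOT:-}   # prefix for /proc, so the checks can run against a constructed tree

# Current state: 0 (open), 1 (locked) or unknown.
modules_disabled() { cat "$ROOT/proc/sys/kernel/modules_disabled" 2>/dev/null || echo unknown; }

# Print each named module that is not in /proc/modules (first column; names use
# underscores there, e.g. nf_conntrack, even if you modprobe nf-conntrack).
missing_modules() {
    for m in "$@"; do
        awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$ROOT/proc/modules" 2>/dev/null || echo "$m"
    done
    return 0
}

# Load what is required, refuse to lock while anything is still missing, then
# lock.  Run this late in boot (an init script ordered after ufw, or rc.local),
# not from /etc/sysctl.conf, which is applied before the firewall's netfilter
# modules have been auto-loaded.
lock_module_loading() {   # $@: required modules, e.g. ext4 nf_conntrack e1000
    for m in "$@"; do modprobe "$m"; done
    missing=$(missing_modules "$@")
    if [ -n "$missing" ]; then
        printf 'refusing to lock, still missing: %s\n' "$missing" >&2
        return 1
    fi
    sysctl -w kernel.modules_disabled=1
}
```

Build the required list from "lsmod" on the running, fully configured server (after the firewall is up and every filesystem is mounted), then call "lock_module_loading" with it; "modules_disabled" afterwards should print 1, and "modprobe" of anything new will fail until the next boot.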
Position-Independent Executables
Building on the work done in Ubuntu 8.10 and 9.04 to proactively protect Ubuntu from unknown threats by using strict compiler flags, more applications have been built as Position-Independent Executables (PIE) to take advantage of the Address Space Layout Randomisation (ASLR) available in the Ubuntu kernel.
In addition to the growing program list, PIE programs are now also built with the BIND_NOW linker flag to take full advantage of the existing RELRO linker flag: with all dynamic symbols resolved at load time, the dynamic linker can make the whole GOT read-only before the program starts (full RELRO). This leaves PIE programs with fewer writable places in memory that can be controlled to redirect program flow when an attacker attempts a memory-corruption exploit.
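An added example, not from the page, that checks a binary for the three properties the PIE sections (8.10 above and this one) describe, reading the ELF headers with od so it runs without binutils. The sample ELF files are constructed by the script and are not real programs; the function names are mine.

```bash
#!/bin/sh
# Added example (not from the Ubuntu page): check a binary for
#   PIE       - e_type is ET_DYN (3) rather than ET_EXEC (2)
#   RELRO     - a PT_GNU_RELRO program header is present
#   BIND_NOW  - DT_BIND_NOW, or DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1
# RELRO plus BIND_NOW is "full RELRO": the whole GOT is read-only before main runs.
# Assumes ELF64, little-endian files on a little-endian host (x86-64, arm64).
# "readelf -lW f | grep RELRO" and "readelf -dW f | grep -E 'FLAGS|BIND_NOW'"
# are the cross-checks when binutils is installed.

u() {   # $1 file, $2 byte offset, $3 width (1|2|4|8) -> unsigned decimal
    echo $(( $(od -An -t "u$3" -j "$2" -N "$3" "$1") ))
}

is_elf64_le() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = 7f454c46 ] &&
    [ "$(u "$1" 4 1)" -eq 2 ] && [ "$(u "$1" 5 1)" -eq 1 ]
}

elf_type() {   # DYN (PIE or shared object), EXEC, other, or not-elf64
    is_elf64_le "$1" || { echo not-elf64; return 0; }
    case "$(u "$1" 16 2)" in 2) echo EXEC ;; 3) echo DYN ;; *) echo other ;; esac
}

phdrs() {   # "<p_type> <p_offset> <p_filesz>" per program header
    phoff=$(u "$1" 32 8); phentsize=$(u "$1" 54 2); phnum=$(u "$1" 56 2); i=0
    while [ "$i" -lt "$phnum" ]; do
        off=$((phoff + i * phentsize))
        printf '%s %s %s\n' "$(u "$1" "$off" 4)" "$(u "$1" $((off + 8)) 8)" "$(u "$1" $((off + 32)) 8)"
        i=$((i + 1))
    done
}

has_relro_segment() { phdrs "$1" | awk '$1 == 1685382482 { found = 1 } END { exit !found }'; }   # PT_GNU_RELRO

has_bind_now() {
    set -- "$1" $(phdrs "$1" | awk '$1 == 2 { print $2, $3; exit }')   # PT_DYNAMIC offset, size
    [ $# -eq 3 ] || return 1
    off=$2; end=$(($2 + $3))
    while [ "$off" -lt "$end" ]; do
        tag=$(u "$1" "$off" 8); val=$(u "$1" $((off + 8)) 8)
        case "$tag" in
            0)          break ;;                                         # DT_NULL
            24)         return 0 ;;                                      # DT_BIND_NOW
            30)         if [ $((val & 8)) -ne 0 ]; then return 0; fi ;;  # DT_FLAGS & DF_BIND_NOW
            1879048187) if [ $((val & 1)) -ne 0 ]; then return 0; fi ;;  # DT_FLAGS_1 & DF_1_NOW
        esac
        off=$((off + 16))
    done
    return 1
}

hardening_report() {   # "<file> pie=<yes|no> relro=<full|partial|none>"
    t=$(elf_type "$1")
    case "$t" in DYN) pie=yes ;; EXEC) pie=no ;; *) echo "$1: $t"; return 0 ;; esac
    relro=none
    if has_relro_segment "$1"; then
        if has_bind_now "$1"; then relro=full; else relro=partial; fi
    fi
    printf '%s pie=%s relro=%s\n' "$1" "$pie" "$relro"
}

# --- constructed sample binaries (not real programs): just enough ELF to exercise the checks ---
le_bytes() {   # $1 value, $2 width: little-endian raw bytes
    v=$1; i=0
    while [ "$i" -lt "$2" ]; do printf "\\$(printf '%03o' $((v & 255)))"; v=$((v >> 8)); i=$((i + 1)); done
}

write_sample_elf() {   # $1 out, $2 e_type (2|3), $3 add PT_GNU_RELRO (0|1), $4 set DF_BIND_NOW (0|1)
    phnum=$((1 + $3))
    {
        printf '\177ELF\002\001\001'; le_bytes 0 9                        # e_ident: 64-bit, little-endian
        le_bytes "$2" 2; le_bytes 62 2; le_bytes 1 4                      # e_type, x86-64, version
        le_bytes 0 8; le_bytes 64 8; le_bytes 0 8; le_bytes 0 4           # entry, phoff, shoff, flags
        le_bytes 64 2; le_bytes 56 2; le_bytes "$phnum" 2; le_bytes 64 2; le_bytes 0 2; le_bytes 0 2
        le_bytes 2 4; le_bytes 6 4; le_bytes 256 8; le_bytes 256 8; le_bytes 256 8; le_bytes 32 8; le_bytes 32 8; le_bytes 8 8   # PT_DYNAMIC
        if [ "$3" -eq 1 ]; then
            le_bytes 1685382482 4; le_bytes 4 4; le_bytes 256 8; le_bytes 256 8; le_bytes 256 8; le_bytes 32 8; le_bytes 32 8; le_bytes 1 8
        fi
        le_bytes 0 $((256 - 64 - 56 * phnum))                             # pad up to the dynamic section
        le_bytes 30 8; le_bytes $(( $4 ? 8 : 0 )) 8; le_bytes 0 8; le_bytes 0 8  # DT_FLAGS, DT_NULL
    } > "$1"
}
```

"for f in /usr/sbin/*; do hardening_report "$f"; done" gives the picture for the network services the 8.10 notes list. One caveat on the PIE column: shared libraries are ET_DYN as well, so "pie=yes" is only meaningful for files that are actually executables (newer toolchains additionally set DF_1_PIE in DT_FLAGS_1, which this script does not consult).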