This guide will lead you through hardening and tuning your Ubuntu 16.04 in a few steps without any expense. As an Information Security Enthusiast, I have set up my Ubuntu box as follows and I use it every day.
Kernel Hardening and Tuning
Make sure you have enabled "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI.
sudo nano /etc/sysctl.conf
To make it look like the following :
To reload it :
sudo sysctl -p
ARP Spoofing
One of the common attacks is the Man In The Middle attack. It can be combined with browser attacks too. This guide will help to protect your Ubuntu from being spoofed. Meanwhile, make sure to set the ARP related settings in your router if the feature is available. Most home routers have no such feature.
HOWTO : ArpON on Ubuntu 16.04 LTS
Anti-Malware
Most Linux users (including advanced users) mistakenly believe that Linux will never, and can never, be infected with malware. However, that is not true. Almost all operating systems face these threats.
HOWTO : ClamAV 0.99 on Ubuntu 16.04 LTS
This guide will lead you to set up ClamAV for "Scan On Access" instead of "Scan On Demand".
Storage Performance Tuning
(A) SSD
Verify TRIM is supported :
sudo hdparm -I /dev/sda | grep TRIM
If the output is similar to the following, TRIM is supported :
* Data Set Management TRIM supported (limit 1 block)
If you installed Ubuntu on LVM, TRIM is usually enabled by default. You can confirm it :
cat /etc/lvm/lvm.conf | grep issue_discards
If the output is similar to the following, it is enabled :
issue_discards = 1
Then check whether the I/O scheduler is already set to "deadline" :
cat /sys/block/sda/queue/scheduler
noop [deadline] cfq
If not, set it :
sudo nano /etc/rc.local
Insert the following before "exit 0" :
echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler
* make sure your device is sda (or sdb ...)
To reload it, run the following or reboot your system :
sudo /etc/rc.local
After that, you need to edit the file system table (/etc/fstab) :
To make it look like the following :
/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
If you get an error after running the above commands, DO NOT reboot your system. Correct the typo first; otherwise, you will not be able to boot your system again.
You can also add "scsi_mod.use_blk_mq=1" to the kernel parameters, for example in "/etc/default/grub".
(B) Hard Drive
sudo nano /etc/rc.local
Insert the following before "exit 0" :
echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 1024 > /sys/block/sda/queue/nr_requests
* make sure your device is sda (or sdb ...)
To reload it, run the following or reboot your system :
sudo /etc/rc.local
After that, you need to edit the file system table (/etc/fstab) :
To make it look like the following :
ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
If you get an error after running the above commands, DO NOT reboot your system. Correct the typo first; otherwise, you will not be able to boot your system again.
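The pre-reboot check that the warnings in (A) and (B) call for, as an added example that is not part of the original guide: a shell function that looks for structural typos in an fstab file. The function name check_fstab and the sample entries are assumptions made for this example.

```shell
# Added example: structural check of an fstab file, run after editing it.
# Prints one line per problem and returns 1 if any were found.
check_fstab() {
    local file="$1" n=0 bad=0 root=0 dev mnt fstype opts dump pass extra
    while read -r dev mnt fstype opts dump pass extra || [ -n "$dev" ]; do
        n=$((n + 1))
        # Skip blank lines and comments.
        case "$dev" in ''|'#'*) continue ;; esac
        # fstab(5): device, mount point, type, options, optional dump/pass.
        if [ -z "$opts" ] || [ -n "$extra" ]; then
            echo "line $n: expected 4 to 6 fields"; bad=1; continue
        fi
        # Mount point must be an absolute path (none/swap for swap space).
        case "$mnt" in
            /*|none|swap) ;;
            *) echo "line $n: bad mount point '$mnt'"; bad=1 ;;
        esac
        # An empty option (leading, trailing or doubled comma) is a typo.
        case ",$opts," in
            *,,*) echo "line $n: empty mount option in '$opts'"; bad=1 ;;
        esac
        # dump and pass must be numeric when present.
        case "${dump:-0}${pass:-0}" in
            *[!0-9]*) echo "line $n: dump/pass not numeric"; bad=1 ;;
        esac
        if [ "$mnt" = "/" ]; then root=1; fi
    done < "$file"
    # Without a root entry the system has nothing to mount at boot.
    if [ "$root" -eq 0 ]; then echo "no entry for /"; bad=1; fi
    return "$bad"
}

# Constructed sample: line 2 has lost its device and mount point fields,
# line 3 has a doubled comma in the options.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <device> <mount point> <type> <options> <dump> <pass>
ext4 noatime,nodiratime,errors=remount-ro 0 1
/dev/sdb1 /data ext4 noatime,,nodiratime 0 2
EOF
check_fstab "$sample" || echo "Fix the file before rebooting."
rm -f "$sample"
# On the real system: check_fstab /etc/fstab
```

This catches only structural typos; the "sudo mount -a" and "sudo mount -o remount /" steps above remain the real test of the mount options themselves.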
Firefox Hardening and Tuning
Most malicious attacks nowadays come via browsers. Therefore, we need to protect ourselves even if we are using Linux.
(A) Apparmor For Firefox
AppArmor is a Linux Security Module implementation of name-based access controls.
sudo apt-get update
sudo apt-get install apparmor-utils apparmor-profiles
sudo nano /etc/apparmor.d/usr.bin.firefox
To make it look like the following, which is compatible with Firefox 51.0.1 or later :
sudo rm /etc/apparmor.d/disable/usr.bin.firefox
Reload the rules :
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
(B) Firefox Add-ons
NoScript
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
* You are not required to enable script blocking, as it will block the JavaScript that most modern websites use. You need to disable it globally so that only the XSS attack protection is active by default.
uBlock Origin (Optional)
Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details)
WebRTC Control
Have control over WebRTC (disable or enable) and protect your IP address.
BetterPrivacy
Remove or manage a new and uncommon kind of cookies, better known as LSO's. The BetterPrivacy safeguard offers various ways to handle Flash-cookies set by Google, YouTube, Ebay and others...
HTTPS Everywhere
Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.
Speed Tweaks (SpeedyFox)
This extension provides a list to almost all the settings that you may need to alter in order to enhance Firefox's speed.
(C) Optional
(1) Firefox Add-ons :
User-Agent Switcher
The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser.
Youtube High Definition
YouTube High Definition is a powerful tool that will let you automatically play all YouTube videos in HD (High Definition), turn off annotations, change video player size, auto stop videos, auto mute videos, control embedded videos and much more.
Youtube Flash-Html5
Play YouTube Videos in Flash or HTML5 Player.
(2) Browse with "New Private Window" feature
Finally, you may consider using an Intrusion Detection and Prevention System (IDPS) to protect your network. My project "Almond Croissants" is an IDPS that can be deployed to your network (in front of and/or behind the router). Or, you may also consider using TOR to protect your privacy with my project "NightHawk".
That's all! See you.