16 April 2013

Ubuntu Linux: Improving Privacy and Reducing Attack Surface

For the past several years, I have been a big fan of and advocate for the use of Canonical's Ubuntu Linux distribution. It is fast, reliable, easy to use and rock solid. I have installed Ubuntu server and desktop versions on laptops, desktops and servers both at home and in large data center environments. I have never regretted this choice even once.

Because I value stability, I typically favor the Long Term Support or LTS versions of Ubuntu which are supported for five years after the release date. Because most of the features I need are found in the very stable 10.04 LTS version, I only recently to upgraded to the 12.04 LTS version. Unfortunately, I quickly found some things in 12.04 that were not pleasing to me. While some were easy to fix (like getting rid of the Unity desktop), some required a bit more investigation.

When I install a new operating system, I like to understand what the “normal” network activity for the operating system looks like after the normal boot cycle and as I use the system. I like to understand during the normal course of operation what network services my system is communicating with and the nature of those communications. Call me paranoid if you want, but knowing what “normal” network activity looks like and being able to explain how that “normal” activity may impact my privacy seems only prudent. As it turns out, Ubuntu 12.04 LTS contains a number of features that seek to enhance the user experience but at the potential expense of user privacy.

Probably the most dangerous in terms of privacy is the zeitgeist application installed in 12.04. According to the zeitgeist documentation, “zeitgeist is a service which logs the user's activities and events (files opened, websites visited, conversations held with other people, etc.) and makes the relevant information available to other applications. It serves as a comprehensive activity log and also makes it possible to determine relationships between items based on usage patterns.” The information collected is stored in a subdirectory of the users home directory and is available to other applications via either the Zeitgeist API or via the Dbus API. No technical restriction is placed on how those applications consume this data or where this data goes once it is consumed by an application. The dangers for abuse here should be obvious. We can protect ourselves from this potential abuse by removing zeitgeist and purging the data that has already been collected in the user directories.

Another danger to privacy not at all unique to Ubuntu or other Linux distributions is the danger of memory contents containing potentially sensitive information being sent outside the organization through crash database submission programs. In Ubuntu, the crash database submission program is contained in a package called “whoopsie”. A good description of how whoopsie works can be found here. Not every crash results in the submission of a memory image, but if one is submitted, it could potentially contain sensitive memory contents. If you are using a stable release such as 12.04 LTS, your need to run this package should be very minimal. By removing the whoopsie package, the potential to transmit sensitive memory contents outside the organization is eliminated. If you find that you need crash submission functionality at a later date, you can manually install the package and remove it once the problem is solved.

After these issues were solved, I noticed two IP addresses that frequently had persistent open TCP connections from my system. These IP addresses were and which correspond to mulberry.canonical.com and mistletoe.canonical.com, respectively. Using the command netstat -pnt, I could see that the process opening these connections was the ubuntu-geoip-provider. That makes sense since these machines also have a DNS record that maps the IP addresses above to geoip.ubuntu.com. But what are these connections? And why are the persistent? And what data is moving across them? As it turns out, this process is part of a GeoClue implementation which as been integrated into Ubuntu (and several other Linux distributions).

Some investigation reveals that GeoClue “is a modular geoinformation service built on top of the D-Bus messaging system. The goal of the Geoclue project is to make creating location-aware applications as simple as possible.” Essentially, through these persistent connections, you are allowing Canonical's servers potentially to track your geographic location. That may or may not be a bad thing, but you as a user should know and have the opportunity to determine how you feel about it and adjust settings accordingly. Unfortunately, Canonical has not made this easy nor to do they call attention to the fact that this is happening at all. Worse yet, they don't make it easy to remove the packages containing this feature as there are several reports stating that various features of the Gnome desktop were broken on removal. What is a guy to do in this situation? Easy answer: block network communication to these IP addresses using iptables (a firewall implemented by the Linux kernel).

As a last measure, if we are going to configure iptables to block outbound geo-ip traffic, good security practice also dictates that we harden our host and allow only inbound traffic corresponding to services we actually need. Most people need, at a minimum, secure shell (SSH) so we will start with just allowing SSH inbound. Also, we will add a rule to disable IP forwarding so that we don't inadvertently become a path for others to use to forward malicious or unwanted traffic. By doing these simple things, we have dramatically reduced the attack surface or our operating system for any external attacker.

So, now that we know what we want to do, how do we do it? Again, it is simple. Download the pangolin-lockdown-utility script.  First, read it to understand exactly what it does. All of the actions are clearly explained in the comments. Once you are comfortable with it, you can execute it as is or modify it to create additional inbound rules, etc. If you execute the utility as-is, you will have a system that limits inbound traffic only to SSH, restricts outbound geo-ip traffic, turns off IP forwarding, doesn't transmit potentially sensitive images of memory outside of your organization and doesn't track the files you open, conversations you have or websites you visit. Seems like a vast improvement to me. But, hey, I am the paranoid one, right?