Sunday, July 28, 2019

Preparing Ubuntu 19 for travel

These are the steps I take to prepare my Ubuntu system for travel. It's far from a complete list, but I think these preparations will help reduce risks before using your system away from home.

I'm assuming you've already done the basic cyber hygiene stuff like FDE, strong passwords, lock-screen, etc.

1. Disable Avahi

Avahi is an mDNS service. Here's a description from avahi.org:
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.
Yeah, no thanks. Let's disable that.

sudo systemctl disable avahi-daemon.service
sudo systemctl disable avahi-daemon.socket

2. Disable CUPS

I don't print from this computer, so I don't need CUPS. CUPS runs a listening socket that I don't need, and it also tries to start Avahi, so it's an unnecessary risk; let's disable it.

sudo systemctl disable cups.service
sudo systemctl disable cups-browsed.service

3. Disable the NetworkManager connectivity check

By default, NetworkManager is configured to check for captive portals by periodically making HTTP GET requests. In Wireshark you'll see a DNS query for connectivity-check.ubuntu.com, followed by an HTTP GET to http://connectivity-check.ubuntu.com/. This is a dead giveaway to anyone monitoring your traffic that your system runs Ubuntu and NetworkManager.

This can be disabled by adding the text below to /var/lib/NetworkManager/NetworkManager-intern.conf

[connectivity]
.set.enabled=false

4. Disable IPv6

I have no use for IPv6 on this machine, and since the addresses are ridiculous, their presence makes traffic monitoring more difficult. I think the normal way to disable this is in the kernel via sysctl or sysctl.conf.

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

Interestingly, these are already present at the bottom of my /etc/sysctl.conf, but my network interfaces still get IPv6 addresses. Why? If I check the values using sysctl, I can see that it's set for all, default, and lo, but not for my actual interfaces.

ted@a17:~$ sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1

ted@a17:~$ sysctl net.ipv6.conf.wlp69s0.disable_ipv6
net.ipv6.conf.wlp69s0.disable_ipv6 = 0

The suggestion in this bug report to add a line to /etc/rc.local didn't work for me at first, but then I found a more complete solution here. Add the following to /etc/rc.local to disable IPv6 at boot time (and make sure the file is executable).

#!/bin/bash
# /etc/rc.local

# Re-apply the sysctl settings now that the real network interfaces exist,
# so the per-interface disable_ipv6 values are set as well as all/default/lo.
sysctl --system
/etc/init.d/procps restart

exit 0
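A small audit helper, added here and not part of the original post, that shows the situation described above: it lists every real interface whose per-interface disable_ipv6 is still 0 (all, default and lo are skipped). The root-directory argument is an assumption that lets the same check run against a constructed tree as well as the live /proc/sys; the interface name enp0s31f6 in the sample is made up.

```shell
#!/bin/bash
# Added audit helper (not from the original post): print the names of real
# interfaces that still have IPv6 enabled, i.e. disable_ipv6 == 0.
# The optional root argument (default /proc/sys) is an assumption so the
# function can be exercised against a constructed directory tree.
ipv6_enabled_ifaces() {
    local root="${1:-/proc/sys}"
    local f iface
    for f in "$root"/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue      # unmatched glob or unreadable entry
        iface="$(basename "$(dirname "$f")")"
        # all/default are policy knobs rather than interfaces; lo is harmless
        case "$iface" in all|default|lo) continue ;; esac
        if [ "$(cat "$f")" = "0" ]; then
            printf '%s\n' "$iface"
        fi
    done
}

# Constructed sample tree (not a real system) reproducing the post's state:
# all/default/lo and a wired interface (enp0s31f6, a made-up name) have IPv6
# disabled, while wlp69s0 still has it enabled.
make_sample_tree() {
    local root="$1" iface
    for iface in all default lo wlp69s0 enp0s31f6; do
        mkdir -p "$root/net/ipv6/conf/$iface"
        echo 1 > "$root/net/ipv6/conf/$iface/disable_ipv6"
    done
    echo 0 > "$root/net/ipv6/conf/wlp69s0/disable_ipv6"
}

# Audit the live system: an empty result means the rc.local fix took effect.
ipv6_enabled_ifaces /proc/sys
```

Running this after boot is a quick way to confirm the rc.local change actually reached the real interfaces rather than only all/default/lo.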

5. Disable geoclue

This service attempts to geo-locate the host system and shares that information with local applications (including web browsers) over D-Bus. If that's not bad enough, it also sends mDNS queries looking for NMEA-0183 servers on the local network. Presumably this means it would connect to such a server if it found one?

I'm pretty surprised this is enabled by default (and more people aren't complaining about it).

sudo systemctl disable geoclue.service

6. Block outbound SSDP

Some applications use SSDP to discover things they can interact with on the network, like IoT TVs and refrigerators and stuff. Chromium sends out lots of SSDP messages while it's running. Since this isn't a service that can be disabled, and I don't want to configure each application not to send SSDP, let's make a firewall rule to block outbound SSDP.

All the SSDP traffic I'm seeing from my machine has a UDP destination port of 1900. Execute the following command to add a firewall rule to block it.

sudo ufw deny out 1900/udp

7. Remove saved WiFi networks

This serves two purposes. First, to prevent your system from sending out 802.11 probe requests, which leak information about where you've been and the networks you've connected to. Second, to prevent your system from automatically connecting to any networks. To do this, we'll remove all saved network connections at boot time.

Add the following to /etc/rc.local to remove all saved 802.11 network connections at startup:

# nmcli -t separates fields with ':'; in terse mode TYPE is the setting name
while IFS=: read -r type uuid
do
    if [ "$type" = "802-11-wireless" ]; then
        nmcli con delete uuid "$uuid"
    fi
done < <(nmcli -t -f TYPE,UUID conn)

Note: I adapted the above from this stackoverflow answer.
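An added example, not the post's own script, that splits the selection step from the delete step so the list of profiles can be reviewed with a dry run before the line goes into /etc/rc.local. wifi_uuids reads the output of `nmcli -t -f TYPE,UUID conn` on stdin; the DRY_RUN variable and the acceptance of "wifi" as an alternative TYPE spelling are my assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): select saved Wi-Fi profiles
# from terse nmcli output, then delete them in a separate step.
wifi_uuids() {
    local type uuid
    # terse nmcli output is ':'-separated; TYPE is the setting name
    while IFS=: read -r type uuid; do
        case "$type" in
            # "wifi" is accepted as well, on the assumption that some nmcli
            # versions print the short type name even in terse mode
            802-11-wireless|wifi) printf '%s\n' "$uuid" ;;
        esac
    done
}

# Remove every saved Wi-Fi profile. With DRY_RUN=1 (an assumed convention,
# not an nmcli option) it only reports what would be deleted.
forget_wifi() {
    local uuid
    nmcli -t -f TYPE,UUID conn | wifi_uuids | while read -r uuid; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would delete $uuid"
        else
            nmcli con delete uuid "$uuid"
        fi
    done
}
```

Check the selection first with `DRY_RUN=1 forget_wifi`; the line that then goes into /etc/rc.local is just `forget_wifi`.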

8. Make sure Bluetooth and WiFi are disabled at boot

Bluetooth is probably the bigger risk of the two, but let's play it safe and rfkill both at startup. Add the following to /etc/rc.local.

rfkill block all

9. Disable crash reporting

This step is probably optional, but like the previous steps it helps reduce the amount of information your system is leaking about itself.

sudo systemctl disable apport.service

There's probably more we can do to protect an Ubuntu system from threats while away from home. If I think of anything else I'll make a follow-up post.
