Ubuntu OS Updates with Security and Privacy

2021 December 05

Originally written 2016-April-26, Updated 2021-December-05

Never Forget DSA-3733, aka Validating signatures > MitM > RCE

The Debian developer community refused to implement transport cryptography for updates because “signing packages is secure enough”. Fuck that incompetence. This post is about "the how". If you want to read about "the why", please read my earlier post: https://yawnbox.com/blog/privacy-proposal-for-debian/

This is a quick guide on how to significantly improve the privacy and security of your Ubuntu server. It requires the installation of apt-transport-tor, an application that allows apt transfers to occur over Tor. There is also an application called apt-transport-https that is already installed in Ubuntu 20.04 that we’ll leverage first.

The Wikimedia Ubuntu repo has a good TLS configuration, IPv6 and IPv4 support, and they don't block Tor: mirrors.wikimedia.org

Qualys SSL Labs grade: https://www.ssllabs.com/ssltest/analyze.html?d=mirrors.wikimedia.org&latest

If you only want increased security, this is what your /etc/apt/sources.list should look like:

deb https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ focal-updates main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ focal-backports main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse

If you want security and privacy, use Tor.

Ubuntu Server 20.04 Focal apt privacy upgrade script

#!/bin/bash
# Abort on the first failed command so a half-written sources.list is never left behind.
set -e

# Step 1: replace the stock sources.list with plain HTTPS entries pointing at the Wikimedia mirror.
mv /etc/apt/sources.list /etc/apt.sources.backup1
touch /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ focal-updates main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ focal-backports main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse' >> /etc/apt/sources.list
# The Tor Project's own repo, for a current tor and the deb.torproject.org keyring.
echo 'deb [arch=amd64] https://deb.torproject.org/torproject.org focal main' >> /etc/apt/sources.list

# Import the Tor Project archive signing key so apt will trust that repo.
# (apt-key is deprecated on 20.04 and prints a warning, but still works.)
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

# First fetch over plain HTTPS: this is what brings in apt-transport-tor.
apt update
apt install tor deb.torproject.org-keyring apt-transport-tor -y

# Step 2: now that apt-transport-tor is installed, switch every entry to tor+https://.
mv /etc/apt/sources.list /etc/apt.sources.backup2
touch /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-updates main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-backports main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb [arch=amd64] tor+https://deb.torproject.org/torproject.org focal main' >> /etc/apt/sources.list

# First fetch via Tor, then upgrade everything (-V shows the version of each package).
apt update && apt dist-upgrade -V

Or, if you trust me, run this script:

curl -s https://yawnbox.com/focal_apt_upgrade.sh | sudo sh

All your future apt update and dist-upgrade commands will now be performed via high-grade TLS over Tor.
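To confirm the switch actually took, here is an added audit script (mine, not part of the post or of the Tor Project's tooling) that checks every active deb/deb-src line in a sources.list for a tor+https:// URI and reports the ones that would bypass Tor. The sample sources.list it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an apt sources.list and report any active deb/deb-src
# line whose URI is not tor+https://. A line with an option block such as
# [arch=amd64] (possibly several words, e.g. [arch=amd64 signed-by=...])
# carries its URI after the closing "]". Returns 0 if clean, 1 otherwise.
check_sources() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                       # blank or comment
        $1 != "deb" && $1 != "deb-src" { next }       # not a repo line
        {
            i = 2
            if ($i ~ /^\[/) {                         # skip [options ...]
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (i > NF || $i !~ /^tor\+https:\/\//) {
                print "NOT via tor+https: " $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Demo with a constructed sources.list (not a real system file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
deb tor+https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse
# deb http://archive.ubuntu.com/ubuntu focal main      (commented out, ignored)
deb [arch=amd64] tor+https://deb.torproject.org/torproject.org focal main
deb https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse
EOF
if check_sources "$demo_file"; then
    echo "all entries use tor+https"
else
    echo "some entries bypass Tor; fix them before the next apt update"
fi
rm -f "$demo_file"
```

Run it against /etc/apt/sources.list (and any files under /etc/apt/sources.list.d/) after the upgrade script; the demo file above deliberately contains one focal-security line that still uses plain https:// so the report shows what a leak looks like.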

yawnbox