
Basics

Knowledge

  • An un-hackable system does not exist. If a legitimate user can get in, so can an illegitimate one; the job is to raise the attacker's cost, not to reach zero risk.

Threat model

Who are you defending against? Your little brother or the NSA?

Assets

  • What do you want to protect?
  • What happens if a system is compromised?
  • Tampering with it (integrity) vs stealing it (confidentiality) vs losing it or being unable to reach it (availability).
  • Systems vs reputation.
  • Liability (legal action against you).

Threats

  • Who can attack you?
  • How can they attack you?
  • What are they trying to accomplish?
  • Why are they doing it?
  • What are the consequences of said attack?
  • How much will it cost?

Attack Trees: Modeling Security Threats (Bruce Schneier, Dr. Dobb's Journal, 1999).


Linux

Boot

Partitions

Partition        Size / notes
/                Programs
/boot            500MiB
/var             Variable files
/var/log         This will fill
/var/log/audit   This will fill fast
/home            Whatever is left
/tmp             Can be in RAM (tmpfs)
swap             1/2 RAM or 2xRAM

There is no general answer for sizes; go by experience and use case. The security reason for splitting is containment: a flood of log or audit records fills its own partition instead of / and cannot take the system down with it, and separate /tmp and /home can be mounted nodev,nosuid (and noexec where nothing has to run from them).

GRUB

Set a password for editing GRUB entries

1. Generate a password hash (the tool asks for the password twice).

grub-mkpasswd-pbkdf2
---
grub.pbkdf2.sha512.10000.[]

2. Define a superuser and its hash. 40_custom ships with two header lines (`exec tail -n +3 $0`); append below them.

/etc/grub.d/40_custom
---
set superusers="otilio"
password_pbkdf2 otilio grub.pbkdf2.sha512.10000.[]

3. Insert `--unrestricted` after `${CLASS}` in the line `echo "menuentry '$(echo "$title" [...]` inside the function `linux_entry`, so those entries boot without username and password while editing an entry (`e`) and the command line (`c`) still require them.

/etc/grub.d/10_linux
---
echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} --unrestricted \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"

4. Rebuild grub.cfg (on Fedora/RHEL the command is grub2-mkconfig -o /boot/grub2/grub.cfg).

grub-mkconfig -o /boot/grub/grub.cfg

Caveats: 10_linux belongs to the grub package and an upgrade may replace it, so check that `--unrestricted` is still there afterwards. The hash ends up in grub.cfg; GRUB itself does not care about file permissions, but the booted system often leaves that file world-readable, and PBKDF2 slows offline guessing without saving a weak password. A GRUB password only protects the GRUB menu: without a firmware password, Secure Boot and disk encryption (see LUKS below) an attacker with physical access simply boots their own medium.

Set a password for editing GRUB entries and booting

Same as above without step 3: every entry then asks for username and password before it boots.

1. Generate a password hash.

grub-mkpasswd-pbkdf2
---
grub.pbkdf2.sha512.10000.[]

2. Define a superuser and its hash.

/etc/grub.d/40_custom
---
set superusers="otilio"
password_pbkdf2 otilio grub.pbkdf2.sha512.10000.[]

3. Rebuild grub.cfg.

grub-mkconfig -o /boot/grub/grub.cfg

Unattended reboots (updates, power loss) then stall at the menu until someone types the password; only do this where that is acceptable.
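The two procedures above tend to fail in the same two places: the 10_linux edit is silently lost when the grub package is upgraded, and nothing tells you whether the generated grub.cfg actually contains the superuser and hash. The script below is an added example, not code from the original page: add_unrestricted applies step 3 idempotently to every menuentry echo line in 10_linux that carries ${CLASS} (the title line named in the text and the "simple" entry next to it), preserving the executable bit that grub-mkconfig requires, and check_grub_cfg inspects the result. Debian/Ubuntu paths are assumed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Debian/Ubuntu paths are assumed
# (/etc/grub.d/10_linux, /boot/grub/grub.cfg); Fedora/RHEL use grub2-mkconfig -o /boot/grub2/grub.cfg.
set -eu

# Step 3 as an idempotent edit: insert --unrestricted after ${CLASS} on every
# 'echo "menuentry ...' line that does not already carry it, so the function can be
# re-run after a grub package upgrade has replaced 10_linux.
add_unrestricted() {  # $1 = path to 10_linux
    # cp -p first so the rewritten file keeps its mode: grub-mkconfig only runs
    # executable scripts in /etc/grub.d, a non-executable 10_linux yields no Linux entries.
    cp -p "$1" "$1.tmp"
    sed -e '/^[[:space:]]*echo "menuentry .*[$]{CLASS}/{' \
        -e '/--unrestricted/!s/[$]{CLASS}/${CLASS} --unrestricted/' \
        -e '}' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Sanity check on the generated grub.cfg: the superuser and hash must have been copied
# in from 40_custom, and only entries marked --unrestricted boot without a password.
check_grub_cfg() {  # $1 = path to grub.cfg
    grep -q '^set superusers=' "$1"  || { echo "check_grub_cfg: no 'set superusers' line in $1" >&2; return 1; }
    grep -q '^password_pbkdf2 ' "$1" || { echo "check_grub_cfg: no password_pbkdf2 line in $1" >&2; return 1; }
    total=$(grep -c '^[[:space:]]*menuentry ' "$1" || true)
    open=$(grep -c '^[[:space:]]*menuentry .*--unrestricted' "$1" || true)
    echo "$open of $total menu entries boot without a password; editing (e) and the console (c) always need it"
}

# Live run, as root:
#   add_unrestricted /etc/grub.d/10_linux
#   grub-mkconfig -o /boot/grub/grub.cfg && check_grub_cfg /boot/grub/grub.cfg
```

Run add_unrestricted again after every grub upgrade; the second run is a no-op when the edit survived and repairs the file when it did not.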

Remove GRUB timeout

/etc/default/grub
---
GRUB_TIMEOUT=0

This removes the delay but it is a convenience, not a control: with GRUB_TIMEOUT_STYLE=hidden (the default on several distributions) pressing Esc or holding Shift during boot still brings the menu up. The password above is what actually restricts editing.

File Systems

LUKS

Backup the LUKS header

The target is the encrypted device (the partition or logical volume that carries the LUKS header), not the unlocked /dev/mapper mapping that luksOpen creates.

sudo cryptsetup luksHeaderBackup /dev/mapper/cl_main-00 --header-backup-file luks-header.backup

Verify the backup (`cryptsetup luksDump` accepts the backup file as its device argument) and keep it off the machine, encrypted: it contains every key slot, so a copy of it plus any passphrase that was valid when it was taken unlocks the volume even after that passphrase has been removed from the live header.

Restore the LUKS header

sudo cryptsetup luksHeaderRestore /dev/mapper/cl_main-00 --header-backup-file luks-header.backup

LVM

Kernel

sysctl

Put these in a file under /etc/sysctl.d/ and apply with `sysctl --system`; a leading `#` or `;` marks a comment.

## VM tuning: both values are the kernel defaults, listed here as a reference point
vm.vfs_cache_pressure = 100
vm.swappiness = 60
## Disable the magic SysRq key (REISUB etc.), which lets anyone at the console kill processes, remount or reboot
kernel.sysrq = 0
## No core dumps of SUID programs (they can leak privileged memory)
fs.suid_dumpable = 0
## Restrict kernel logs to CAP_SYSLOG (hides kernel addresses and hardware details from local users)
kernel.dmesg_restrict = 1

Network

# IPv4

## Ignore ICMP echo requests sent to broadcast/multicast addresses (smurf amplification).
## This does not stop ordinary pings; that would be icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

## Ignore bogus ICMP error responses instead of logging every one of them
net.ipv4.icmp_ignore_bogus_error_responses = 1

## Do not accept ICMP redirects (an on-link attacker could reroute our traffic through itself)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

## Do not send ICMP redirects either; a host is not a router
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

## Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

## SYN flood protection; the backlog value is a starting point, tune it with the workload
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1280
## A host should not forward packets (enable only on routers or hosts running containers/VMs that need it)
net.ipv4.ip_forward = 0
## Log packets with impossible source addresses (martians) and drop them with strict reverse path filtering
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
## Performance rather than security: reuse TIME_WAIT sockets for outgoing connections
net.ipv4.tcp_tw_reuse = 1
## Hides uptime (TCP timestamps leak it) at the cost of PAWS and RTT measurement; weigh it against the traffic the host carries
net.ipv4.tcp_timestamps = 0

# IPv6

## Disable IPv6 entirely (commented out with ;). Only where the network really has no IPv6; otherwise configure it rather than ignore it
;net.ipv6.conf.all.disable_ipv6 = 1
;net.ipv6.conf.default.disable_ipv6 = 1
;net.ipv6.conf.lo.disable_ipv6 = 1
;net.ipv6.conf.enp1s0.disable_ipv6 = 1

## Privacy extensions (RFC 4941): prefer temporary addresses over the MAC-derived one.
## The enp1s0f* lines are this host's interface names; adjust to yours
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.enp1s0f0.use_tempaddr = 2
net.ipv6.conf.enp1s0f1.use_tempaddr = 2
## Same as for IPv4: no redirects, no source routing, no forwarding; router solicitations are limited
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.router_solicitations = 2
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.forwarding = 0

Note the interaction: with accept_ra = 0 the host learns no prefix by SLAAC, so it gets no global address at all (temporary or not) unless one is configured statically or by DHCPv6. use_tempaddr only has an effect where router advertisements are accepted, so pick one of the two behaviours deliberately.
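Writing the file is half the job; the other half is confirming that the running kernel agrees, since a later file in /etc/sysctl.d, a network manager or a container runtime can override a value after boot. The script below is an added example and not part of the page: sysctl_compare takes a sysctl.d-style file (with the `#` and `;` comment lines used above) and a "key = value" dump, and reports every key that is missing or differs; sysctl_audit runs the same comparison against the output of `sysctl -a`. Because the comparison works on text, it can be checked offline with constructed files. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: compare a sysctl.d-style file with the
# values the running kernel actually has. Lines starting with # or ; are comments,
# settings are "key = value". Exit status is non-zero on any mismatch.
set -eu

# sysctl_compare WANTED CURRENT
#   WANTED  : file in sysctl.d syntax (what you intend)
#   CURRENT : "key = value" dump, normally the output of `sysctl -a`
# Prints one line per key that is missing from CURRENT or has a different value.
sysctl_compare() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN { bad = 0 }
        /^[ \t]*$/    { next }                         # blank line
        /^[ \t]*[#;]/ { next }                         # comment (# or ;)
        {
            eq = index($0, "=")
            if (eq == 0) next                          # not a key = value line
            key = trim(substr($0, 1, eq - 1))
            val = trim(substr($0, eq + 1))             # value may itself contain "=" or tabs
        }
        NR == FNR { current[key] = val; next }         # first file: running values
        !(key in current) { printf "MISSING  %s (wanted %s)\n", key, val; bad++; next }
        current[key] != val { printf "DIFF     %s = %s (wanted %s)\n", key, current[key], val; bad++ }
        END { exit (bad > 0) }
    ' "$2" "$1"
}

# sysctl_audit WANTED : the same comparison against the live kernel.
sysctl_audit() {
    tmp=$(mktemp)
    sysctl -a 2>/dev/null > "$tmp" || true    # some keys are unreadable without root; ignore those errors
    sysctl_compare "$1" "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sysctl_audit /etc/sysctl.d/99-hardening.conf
```

A DIFF on a key you set is usually an ordering problem (files in /etc/sysctl.d are applied in lexical order, later wins) or a daemon rewriting the value; a MISSING key on a valid name means the module that provides it is not loaded or the interface in the name does not exist.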

Modules


System

Users

root

  • /etc/securetty lists the terminals (tty names under /dev/) from which root may log in. It is enforced by pam_securetty, so check that /etc/pam.d/login actually includes that module; several current distributions no longer ship the file at all. man securetty, man pam_securetty

su

sudo

doas

PolicyKit

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/policykit

Run graphical utilities with administrative privileges.

Network

PAM


Services

Cron

Firewall

iptables, nftables, fail2ban

Systemd

NTP

You need an NTP client such as chrony (systemd-timesyncd and ntpd are the alternatives).

sudo timedatectl set-ntp true

Stop ntpd listening on the wildcard address. The directives below are ntpd syntax; chrony only opens its server port when an `allow` directive (or a peer/broadcast server) is configured, so a plain client setup does not listen.

1. Remove all -I and --interface options from /etc/default/ntp.
2. Edit /etc/ntp.conf:

interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
## Listen on one specific interface
#interface listen 192.168.0.23

Check the result with `ss -ulnp` and look at what is bound to port 123.

Audit

OpenSCAP


Logs


Integrity

AIDE and/or Tripwire. Build the baseline database on a clean install and keep a copy off the host or on read-only media; a database the attacker can rewrite proves nothing.

Sources

  • Linux Server Security, 2nd edition (2005) - Michael D. Bauer - O'Reilly Media

OLD STUFF

Best practices

  • Create a security policy and stick to it
  • Revise, test and update (if necessary) your security policy
  • Use strong passwords
  • Remove/disable unnecessary software/files
  • Backup and test the backups
  • Update (Carefully)
  • Security by obscurity is not a control on its own, but layered on real controls it raises the attacker's cost

Kernel

linux-hardened

Arch Linux ships linux-hardened, a kernel built with additional hardening patches and a stricter default configuration:

sudo pacman -S linux-hardened linux-hardened-headers

Restrict access to kernel logs

/etc/sysctl.d/50-dmesg-restrict.conf
-------------------------------------
kernel.dmesg_restrict = 1

IPv6 Privacy Extensions

With plain SLAAC the interface identifier of your IPv6 address is derived from the MAC address (EUI-64), so the same host is recognisable on every network it joins. This is bad.

The solution is to enable the IPv6 privacy extensions (RFC 4941), which add temporary, randomly generated addresses and use them for outgoing connections.

NetworkManager

Edit `/etc/NetworkManager/NetworkManager.conf`:

[connection]
ipv6.ip6-privacy=2

Result

ip a
-----
2: enp3s0: [...]
    link/ether xx:xx:xx:xx:xx:xx [...]
    inet 10.0.5.12/24 [...]
    inet6 fe80::d789:a71b:50cd:123c/64 [...]

Success, right?

sudo nmap -PR 10.0.5.12
------------------------
Nmap scan report for 10.0.5.12
Host is up (0.00019s latency).
All 1000 scanned ports on 10.0.5.12 are filtered
MAC Address: xx:xx:xx:xx:xx:xx (...)

So... if you are in the same LAN (the same broadcast domain) your computer still answers ARP requests from anyone, and the reply carries the very MAC address the privacy extensions were meant to hide.

Solution: filter ARP in the firewall. It can become painful: new network, new rules; access to a local device, more new rules; and since the filter keys on MAC (and IP) addresses, an attacker who spoofs an allowed MAC walks straight through it.

ARP firewall

EVERY interface requires its own rules, and with INPUT dropped by default you only hear ARP replies from the hosts you allow, so the router is the minimum.

arptables

## Flush the existing rules
arptables --flush

## Default policies
arptables -P INPUT DROP
arptables -P OUTPUT ACCEPT
arptables -P FORWARD DROP

## Allow devices
arptables -A INPUT --source-ip <router ip> --source-mac <router mac> -i wlp3s0 -j ACCEPT
arptables -A INPUT --source-ip <router ip> --source-mac <router mac> -i enp0s25 -j ACCEPT

## Save the rules
arptables-save > /etc/arptables.conf

## Restart the service
systemctl restart arptables

nftables

This version matches on MAC address only. Current nftables can also match the ARP payload (`arp saddr ip`, `arp saddr ether`), which gives the same IP+MAC pairing as the arptables rules above. Braces and semicolons below are nft syntax, so each command is quoted from the shell.

## Create filter table
nft add table arp filter

## ARP default policy (the arp family only has input and output hooks; there is no forward chain)
nft 'add chain arp filter input { type filter hook input priority 0; policy drop; }'
nft 'add chain arp filter output { type filter hook output priority 0; policy accept; }'

## Add a set [optional]
nft 'add set arp filter allowed_mac_addresses { type ether_addr; }'
nft 'add element arp filter allowed_mac_addresses { xx:xx:xx:xx:xx:xx, xx:xx:xx:xx:xx:xx }'

## ARP rules
nft 'add rule arp filter input iifname "wlp3s0" ether saddr { xx:xx:xx:xx:xx:xx, xx:xx:xx:xx:xx:xx } accept'
nft 'add rule arp filter input iifname "enp0s25" ether saddr @allowed_mac_addresses accept'
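The "new network, new rules" pain above can at least be scripted. The following is an added example, not code from the page: it derives the default gateway's IP and MAC for an interface from the output of `ip -4 route show default` and `ip -4 neigh show` and emits the matching arptables allow rule in the format used above. The parsers take the command output as text, so they can be exercised on constructed samples; arp_rules_for is the live wrapper, and it refuses to emit a rule when the neighbour entry is missing or FAILED rather than producing a filter that cuts the host off. Function names are mine; addresses in the comments are made up.

```shell
#!/bin/sh
# Added example, not from the original page: build the arptables allow rule for the
# current default gateway of an interface instead of typing IP and MAC by hand.
set -eu

# gateway_ip ROUTES IFACE
#   ROUTES: text of `ip -4 route show default`, e.g.
#           "default via 10.0.5.1 dev wlp3s0 proto dhcp metric 600"   (constructed sample)
# Prints the gateway address for IFACE, nothing if there is no default route via it.
gateway_ip() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "default" {
            gw = ""; d = ""
            for (i = 2; i < NF; i++) { if ($i == "via") gw = $(i + 1); if ($i == "dev") d = $(i + 1) }
            if (d == dev && gw != "") { print gw; exit }
        }'
}

# neigh_mac NEIGH IP IFACE
#   NEIGH: text of `ip -4 neigh show` (unfiltered: "dev" is omitted when you filter by device), e.g.
#          "10.0.5.1 dev wlp3s0 lladdr 52:54:00:aa:bb:cc REACHABLE"   (constructed sample)
# Prints the MAC for IP on IFACE; nothing for INCOMPLETE/FAILED entries, which carry no lladdr.
neigh_mac() {
    printf '%s\n' "$1" | awk -v ip="$2" -v dev="$3" '
        $1 == ip {
            mac = ""; d = ""
            for (i = 2; i < NF; i++) { if ($i == "dev") d = $(i + 1); if ($i == "lladdr") mac = $(i + 1) }
            if (d == dev && mac != "") { print mac; exit }
        }'
}

# arp_allow_rules IFACE IP MAC : the allow rule in the same form as the arptables section above.
arp_allow_rules() {
    printf 'arptables -A INPUT --source-ip %s --source-mac %s -i %s -j ACCEPT\n' "$2" "$3" "$1"
}

# arp_rules_for IFACE : live wrapper over the real ip(8) output.
arp_rules_for() {
    gw=$(gateway_ip "$(ip -4 route show default)" "$1")
    [ -n "$gw" ] || { echo "arp_rules_for: no default route via $1" >&2; return 1; }
    ping -c 1 -W 1 "$gw" >/dev/null 2>&1 || true   # make sure the gateway is in the neighbour cache
    mac=$(neigh_mac "$(ip -4 neigh show)" "$gw" "$1")
    [ -n "$mac" ] || { echo "arp_rules_for: no resolved MAC for $gw on $1 (entry missing or FAILED)" >&2; return 1; }
    arp_allow_rules "$1" "$gw" "$mac"
}

# Usage (as root, on the network you are joining):
#   arp_rules_for wlp3s0 | sh && arptables-save > /etc/arptables.conf
```

Run it before switching the INPUT policy to DROP: once the policy is in place the ping cannot populate the neighbour cache, because the gateway's ARP reply is exactly what gets dropped. The rule it emits still only pins a MAC and IP, so the spoofing caveat above stands.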

Links

https://theprivacyguide1.github.io/linux_hardening_guide.html

https://wiki.archlinux.org/index.php/USBGuard

https://wiki.archlinux.org/index.php/Security