IPv6 support, SafeBoot, AlpineLinux
parent
777ae32ba6
commit
c0b6bc871a
|
@ -2,6 +2,7 @@ Linux Hardening Points and ideas
|
||||||
License: GNU Free Documentation License - Version 1.3, 3 November 2008 (for details, see LICENSE.txt)
|
License: GNU Free Documentation License - Version 1.3, 3 November 2008 (for details, see LICENSE.txt)
|
||||||
Author: 51x
|
Author: 51x
|
||||||
|
|
||||||
|
|
||||||
=========
|
=========
|
||||||
Debian hardening points for workstations
|
Debian hardening points for workstations
|
||||||
|
|
||||||
|
@ -42,6 +43,7 @@ Debian hardening points for workstations
|
||||||
-a exit,always -F arch=b32 -F euid=0 -S execve
|
-a exit,always -F arch=b32 -F euid=0 -S execve
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
=====
|
=====
|
||||||
Kernel
|
Kernel
|
||||||
|
|
||||||
|
@ -52,17 +54,19 @@ Kernel
|
||||||
echo -e '''kernel.dmesg_restrict=1\nkernel.kptr_restrict=1\nkernel.kexec_load_disabled=1\nkernel.yama.ptrace_scope=1\nuser.max_user_namespaces=0''' >> /etc/sysctl.conf
|
echo -e '''kernel.dmesg_restrict=1\nkernel.kptr_restrict=1\nkernel.kexec_load_disabled=1\nkernel.yama.ptrace_scope=1\nuser.max_user_namespaces=0''' >> /etc/sysctl.conf
|
||||||
|
|
||||||
|
|
||||||
|
=====
|
||||||
|
Booting with TPM
|
||||||
|
|
||||||
|
https://safeboot.dev/
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
=====
|
=====
|
||||||
Firewall
|
Firewall
|
||||||
|
|
||||||
- Disable IPv6
|
|
||||||
echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist
|
|
||||||
echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
|
|
||||||
echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
|
|
||||||
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
|
|
||||||
|
|
||||||
- Configure firewall to DROP everything by default and allow only manadotory connections for root and the first user. For IPv4.
|
- Configure firewall to DROP everything by default and allow only manadotory connections for root, aptitude, dns and the first user. Edit before apply!
|
||||||
|
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
IPT=/sbin/iptables
|
IPT=/sbin/iptables
|
||||||
$IPT -F
|
$IPT -F
|
||||||
|
@ -70,16 +74,45 @@ Firewall
|
||||||
$IPT -X
|
$IPT -X
|
||||||
$IPT -N Allower
|
$IPT -N Allower
|
||||||
$IPT -A OUTPUT -j Allower
|
$IPT -A OUTPUT -j Allower
|
||||||
|
|
||||||
$IPT -A Allower -m owner --uid-owner 0 -j ACCEPT
|
$IPT -A Allower -m owner --uid-owner 0 -j ACCEPT
|
||||||
$IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT
|
$IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT
|
||||||
|
$IPT -A Allower -m owner --uid-owner 105 -j ACCEPT # Aptitude
|
||||||
|
$IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT # DNS, https://www.opennic.org/
|
||||||
|
|
||||||
$IPT -A INPUT --in-interface lo -j ACCEPT
|
$IPT -A INPUT --in-interface lo -j ACCEPT
|
||||||
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
$IPT -P OUTPUT DROP
|
$IPT -P OUTPUT DROP
|
||||||
$IPT -P INPUT DROP
|
$IPT -P INPUT DROP
|
||||||
$IPT -P FORWARD DROP
|
$IPT -P FORWARD DROP
|
||||||
|
|
||||||
- Additional firewall hardening: match UID and only allow the users that really need network. The following example is DNS server ACCEPT.
|
|
||||||
$IPT -A OUTPUT -m owner --uid-owner 112 -d 185.121.177.177 -p udp --dport 53 -j ACCEPT
|
IPT=/sbin/ip6tables
|
||||||
|
$IPT -F
|
||||||
|
$IPT -F -t nat
|
||||||
|
$IPT -X
|
||||||
|
$IPT -N Allower
|
||||||
|
$IPT -A OUTPUT -j Allower
|
||||||
|
|
||||||
|
$IPT -A Allower -m owner --uid-owner 0 -j ACCEPT
|
||||||
|
$IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT
|
||||||
|
$IPT -A Allower -m owner --uid-owner 105 -j ACCEPT # Aptitude
|
||||||
|
$IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT # DNS, https://www.opennic.org/
|
||||||
|
|
||||||
|
$IPT -A INPUT --in-interface lo -j ACCEPT
|
||||||
|
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
$IPT -P OUTPUT DROP
|
||||||
|
$IPT -P INPUT DROP
|
||||||
|
$IPT -P FORWARD DROP
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
- Optionally, disable IPv6
|
||||||
|
echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist
|
||||||
|
echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
|
||||||
|
echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
|
||||||
|
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
=====
|
=====
|
||||||
|
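Review bot: The new ip6tables block (from `IPT=/sbin/ip6tables` down to `$IPT -P FORWARD DROP`) sets `-P INPUT DROP` and `-P OUTPUT DROP` while accepting only loopback and ESTABLISHED,RELATED traffic, so ICMPv6 neighbour and router discovery is dropped and IPv6 connectivity will not come up despite the commit's intent; on OUTPUT the owner-match rules in Allower cannot help, because kernel-generated ICMPv6 has no owning socket to match. Add `$IPT -A INPUT -p ipv6-icmp -j ACCEPT` and `$IPT -A OUTPUT -p ipv6-icmp -j ACCEPT` before the policy lines, narrowing with `--icmpv6-type` to the neighbour-discovery types if a tighter rule is wanted. The DNS rule in the same block copies the IPv4 resolver address `-d 94.247.43.254` into ip6tables, which will not accept an IPv4 destination, so that line fails and, with no `set -e` in the script, execution silently continues; use the resolver's IPv6 address there (e.g. `-d <RESOLVER_IPV6>`) or drop the line from the v6 block. Both blocks are otherwise identical, so a loop over `iptables ip6tables` would avoid the drift already visible (`$IPT -F -t nat` appears only in the v6 block). The `#!/bin/bash` and `IPT=/sbin/iptables` head of the IPv4 script lies in the preceding hunk.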
@ -99,6 +132,7 @@ Remote management
|
||||||
GatewayPorts no # Note that it won't allow port forawrding!
|
GatewayPorts no # Note that it won't allow port forawrding!
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
=====
|
=====
|
||||||
Browser basics
|
Browser basics
|
||||||
|
|
||||||
|
@ -124,3 +158,10 @@ Gentoo hardening points
|
||||||
|
|
||||||
Gentoo + musl + openrc or runit + luks (or zfs native enc) + zfs + apparmor or selinux
|
Gentoo + musl + openrc or runit + luks (or zfs native enc) + zfs + apparmor or selinux
|
||||||
Plus CACert and repobuilds.
|
Plus CACert and repobuilds.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
=========
|
||||||
|
Alpine Linux laptop references
|
||||||
|
https://wiki.alpinelinux.org/wiki/Setting_up_a_laptop
|
||||||
|
https://faq.i3wm.org/question/83/how-to-run-i3lock-after-computer-inactivity.1.html
|
||||||
|
|