IPv6 support, SafeBoot, AlpineLinux

master
six 2020-05-13 12:12:05 +02:00
parent 777ae32ba6
commit c0b6bc871a
1 changed files with 49 additions and 8 deletions

@ -2,6 +2,7 @@ Linux Hardening Points and ideas
License: GNU Free Documentation License - Version 1.3, 3 November 2008 (for details, see LICENSE.txt)
Author: 51x
=========
Debian hardening points for workstations
@ -42,6 +43,7 @@ Debian hardening points for workstations
-a exit,always -F arch=b32 -F euid=0 -S execve
=====
Kernel
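Review bot: the audit rule `-a exit,always -F arch=b32 -F euid=0 -S execve` shown as context in this hunk covers only the 32-bit syscall ABI; on an x86_64 workstation a matching `-a exit,always -F arch=b64 -F euid=0 -S execve` line is needed, otherwise nearly every root-run command goes unlogged. If that line already sits just above this hunk, ignore this note.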
@ -52,17 +54,19 @@ Kernel
echo -e '''kernel.dmesg_restrict=1\nkernel.kptr_restrict=1\nkernel.kexec_load_disabled=1\nkernel.yama.ptrace_scope=1\nuser.max_user_namespaces=0''' >> /etc/sysctl.conf
=====
Booting with TPM
https://safeboot.dev/
=====
Firewall
- Disable IPv6
echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist
echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
- Configure firewall to DROP everything by default and allow only manadotory connections for root and the first user. For IPv4.
- Configure firewall to DROP everything by default and allow only manadotory connections for root, aptitude, dns and the first user. Edit before apply!
#!/bin/bash
IPT=/sbin/iptables
$IPT -F
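Review bot: the added "Configure firewall" line still carries the typo "manadotory" (mandatory) from the line it replaces. Two further points in this hunk: the `echo -e '''...''' >> /etc/sysctl.conf` line appends on every run, so a re-run duplicates the keys, and the triple quotes are just an empty string on either side of a normal single-quoted string; writing the keys once to a file under /etc/sysctl.d/, as the IPv6 lines already do, is the cleaner idiom. Also `user.max_user_namespaces=0` disables unprivileged user namespaces, which breaks sandboxes that depend on them (browser sandboxes, rootless containers), so a one-line caveat next to it would help readers who copy the line verbatim.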
@ -70,16 +74,45 @@ Firewall
$IPT -X
$IPT -N Allower
$IPT -A OUTPUT -j Allower
$IPT -A Allower -m owner --uid-owner 0 -j ACCEPT
$IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT
$IPT -A Allower -m owner --uid-owner 105 -j ACCEPT # Aptitude
$IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT # DNS, https://www.opennic.org/
$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
- Additional firewall hardening: match UID and only allow the users that really need network. The following example is DNS server ACCEPT.
$IPT -A OUTPUT -m owner --uid-owner 112 -d 185.121.177.177 -p udp --dport 53 -j ACCEPT
IPT=/sbin/ip6tables
$IPT -F
$IPT -F -t nat
$IPT -X
$IPT -N Allower
$IPT -A OUTPUT -j Allower
$IPT -A Allower -m owner --uid-owner 0 -j ACCEPT
$IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT
$IPT -A Allower -m owner --uid-owner 105 -j ACCEPT # Aptitude
$IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT # DNS, https://www.opennic.org/
$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
- Optionally, disable IPv6
echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist
echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
=====
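Review bot: the ip6tables DNS rule `$IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT` copies an IPv4 destination into the IPv6 script; ip6tables rejects an IPv4 address, so the command errors out and, with `-P OUTPUT DROP` applied afterwards, the resolver has no IPv6 path at all (use the resolver's IPv6 address, or drop the rule when IPv6 is disabled anyway). The IPv6 block also accepts only `lo` and `ESTABLISHED,RELATED` on INPUT, and kernel-generated packets carry no socket owner so they never match the `Allower` chain on OUTPUT; neighbour discovery (ICMPv6 NS/NA/RA, which conntrack does not track as established) is therefore dropped in both directions and IPv6 stops working on the link, so an explicit ICMPv6 accept for those types is needed if IPv6 is kept. Smaller points: the two DNS addresses in this hunk (94.247.43.254 and 185.121.177.177) disagree; UIDs 105 and 112 are installation-specific and should be resolved with `id` rather than hard-coded; and the "Optionally, disable IPv6" lines write to /etc/modprobe.d/blacklist without a .conf suffix, which modprobe does not read, and leave net.ipv6.conf.default.disable_ipv6 unset, so interfaces created later still get IPv6.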
@ -99,6 +132,7 @@ Remote management
GatewayPorts no # Note that it won't allow port forawrding!
=====
Browser basics
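Review bot: the comment on `GatewayPorts no # Note that it won't allow port forawrding!` has a typo (forwarding) and overstates the option: GatewayPorts only controls whether remote-forwarded ports may bind to non-loopback addresses, while TCP forwarding itself is switched off with `AllowTcpForwarding no`, so the comment should say which of the two is meant.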
@ -124,3 +158,10 @@ Gentoo hardening points
Gentoo + musl + openrc or runit + luks (or zfs native enc) + zfs + apparmor or selinux
Plus CACert and repobuilds.
=========
Alpine Linux laptop references
https://wiki.alpinelinux.org/wiki/Setting_up_a_laptop
https://faq.i3wm.org/question/83/how-to-run-i3lock-after-computer-inactivity.1.html