IPv6 support, SafeBoot, AlpineLinux

2020-05-13 12:12:05 +02:00 · 2020-05-13 12:12:05 +02:00 · c0b6bc871a
parent 777ae32ba6
commit c0b6bc871a
1 changed files with 49 additions and 8 deletions
--- a/linux_hardening.txt
+++ b/linux_hardening.txt
@ -2,6 +2,7 @@ Linux Hardening Points and ideas
 License: GNU Free Documentation License - Version 1.3, 3 November 2008 (for details, see LICENSE.txt)
 Author: 51x

+
 =========
 Debian hardening points for workstations

@ -42,6 +43,7 @@ Debian hardening points for workstations
    -a exit,always -F arch=b32 -F euid=0 -S execve


+
 =====
 Kernel

@ -52,17 +54,19 @@ Kernel
    echo -e '''kernel.dmesg_restrict=1\nkernel.kptr_restrict=1\nkernel.kexec_load_disabled=1\nkernel.yama.ptrace_scope=1\nuser.max_user_namespaces=0''' >> /etc/sysctl.conf


+=====
+Booting with TPM
+
+https://safeboot.dev/
+
+

 =====
 Firewall

- Disable IPv6
-    echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist
-    echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
-    echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
-    echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

- Configure firewall to DROP everything by default and allow only manadotory connections for root and the first user. For IPv4.
+- Configure firewall to DROP everything by default and allow only manadotory connections for root, aptitude, dns and the first user. Edit before apply!
+
    #!/bin/bash
    IPT=/sbin/iptables
    $IPT -F
@ -70,16 +74,45 @@ Firewall
    $IPT -X
    $IPT -N Allower
    $IPT -A OUTPUT -j Allower
+    
    $IPT -A Allower -m owner --uid-owner 0 -j ACCEPT
    $IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT
+    $IPT -A Allower -m owner --uid-owner 105 -j ACCEPT    # Aptitude
+    $IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT    # DNS, https://www.opennic.org/
+    
    $IPT -A INPUT --in-interface lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -P OUTPUT DROP
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

- Additional firewall hardening: match UID and only allow the users that really need network. The following example is DNS server ACCEPT.
-    $IPT -A OUTPUT -m owner --uid-owner 112 -d 185.121.177.177 -p udp --dport 53 -j ACCEPT
+
+    IPT=/sbin/ip6tables
+    $IPT -F
+    $IPT -F -t nat
+    $IPT -X
+    $IPT -N Allower
+    $IPT -A OUTPUT -j Allower
+    
+    $IPT -A Allower -m owner --uid-owner 0 -j ACCEPT
+    $IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT
+    $IPT -A Allower -m owner --uid-owner 105 -j ACCEPT    # Aptitude
+    $IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT    # DNS, https://www.opennic.org/
+    
+    $IPT -A INPUT --in-interface lo -j ACCEPT
+    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+    $IPT -P OUTPUT DROP
+    $IPT -P INPUT DROP
+    $IPT -P FORWARD DROP
+
+
+
+- Optionally, disable IPv6
+    echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist
+    echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
+    echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
+    echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
+    


 =====
@ -99,6 +132,7 @@ Remote management
    GatewayPorts no  # Note that it won't allow port forawrding!


+
 =====
 Browser basics

@ -124,3 +158,10 @@ Gentoo hardening points

 Gentoo + musl + openrc or runit + luks (or zfs native enc) + zfs + apparmor or selinux
 Plus CACert and repobuilds.
+
+
+
+=========
+Alpine Linux laptop references
+https://wiki.alpinelinux.org/wiki/Setting_up_a_laptop
+https://faq.i3wm.org/question/83/how-to-run-i3lock-after-computer-inactivity.1.html