Linux Hardening Points and ideas License: GNU Free Documentation License - Version 1.3, 3 November 2008 (for details, see LICENSE.txt) Author: 51x ========= Debian hardening points for workstations - While installing, set up LVM with LUKS encryption (/boot cannot be encrypted, you can keep it on a pendrive or a cryptostick) - Recommended mount options (add "discard" for SSD): /home rw,nodev,nouser,noexec,nosuid /tmp rw,nodev,noexec,nouser,nosuid /var/tmp rw,nodev,noexec,nouser,nosuid /var rw,nodev,nouser,nosuid # /var could be noexec too, but it would break apt that way. - Hide processes that the user don't need to see (fstab too) proc /proc proc defaults,hidepid=2 0 0 - Configure auto update to run everyday (on Debian "unattended-upgrades", on Ubuntu you can do it with Software Center settings) https://wiki.debian.org/UnattendedUpgrades - Remove unnecessary programs (eg. avahi-daemon and rpcbind) netstat -tulnp # Check listening apps and if not needed remove them apt-get remove avahi-daemon # "remove" will keep config files, purge deletes everythin! - Disable USB Mass Storages if you don't need them echo "blacklist usb-storage" | tee -a /etc/modprobe.d/blacklist.conf update-initramfs -u - Use apparmor for stricter privileges. # https://wiki.debian.org/AppArmor/HowToUse # https://help.ubuntu.com/12.04/serverguide/apparmor.html apt-get update apt-get install apparmor apparmor-profiles apparmor-utils apparmor-profiles-extra apparmor-easyprof firejail -y sed -i -e 's/GRUB_CMDLINE_LINUX_DEFAULT="/&security=apparmor /' /etc/default/grub sed -e 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/' /etc/default/grub update-grub - Setup auditd if you'd like. You can also send the logs to remote syslog-ng. Example audit.rules for EXEC logs: -a exit,always -F arch=b64 -F euid=0 -S execve -a exit,always -F arch=b32 -F euid=0 -S execve ===== Kernel - If you are compiling the kernel you may want ideas from: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings - Sysctl hardening options echo -e '''kernel.dmesg_restrict=1\nkernel.kptr_restrict=1\nkernel.kexec_load_disabled=1\nkernel.yama.ptrace_scope=1\nuser.max_user_namespaces=0''' >> /etc/sysctl.conf ===== Booting with TPM https://safeboot.dev/ ===== Firewall - Configure firewall to DROP everything by default and allow only manadotory connections for root, aptitude, dns and the first user. Edit before apply! #!/bin/bash IPT=/sbin/iptables $IPT -F $IPT -F -t nat $IPT -X $IPT -N Allower $IPT -A OUTPUT -j Allower $IPT -A Allower -m owner --uid-owner 0 -j ACCEPT $IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT $IPT -A Allower -m owner --uid-owner 105 -j ACCEPT # Aptitude $IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT # DNS, https://www.opennic.org/ $IPT -A INPUT --in-interface lo -j ACCEPT $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -P OUTPUT DROP $IPT -P INPUT DROP $IPT -P FORWARD DROP IPT=/sbin/ip6tables $IPT -F $IPT -F -t nat $IPT -X $IPT -N Allower $IPT -A OUTPUT -j Allower $IPT -A Allower -m owner --uid-owner 0 -j ACCEPT $IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT $IPT -A Allower -m owner --uid-owner 105 -j ACCEPT # Aptitude $IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT # DNS, https://www.opennic.org/ $IPT -A INPUT --in-interface lo -j ACCEPT $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -P OUTPUT DROP $IPT -P INPUT DROP $IPT -P FORWARD DROP - Optionally, disable IPv6 echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6 echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 ===== Cron echo ALL >>/etc/cron.deny # Check if you need to allow users! ===== Remote management - For enterprise, configure central management (eg. puppy, cf-engine or similar), that makes sure all users have the same config. - SSH for remote management if needed, example settings: Port 1234 ListenAddress 0.0.0.0 PermitRootLogin without-password # Use keys! PermitEmptyPasswords no PasswordAuthentication no # Generate your SSH key with a password! AllowUsers user1 user2 # No other users will be allowed X11Forwarding no PermitTunnel no GatewayPorts no # Note that it won't allow port forawrding! ===== Browser basics - Use the following extenstions for FireFox: NoScript HTTPS Everywhere Privacy Badger - Use the following extenstions for Chromium: ScriptBlock HTTPS Everywhere Privacy Badger You can also use privoxy in the place of Privacy Badger: https://www.privoxy.org/ Know that allowing javascript exposes you to hardcore tracking (eg. javascript audio API fingerprinting which is used by several big sites). ========= Gentoo hardening points Gentoo + musl + openrc or runit + luks (or zfs native enc) + zfs + apparmor or selinux Plus CACert and repobuilds. ========= Alpine Linux laptop references https://wiki.alpinelinux.org/wiki/Setting_up_a_laptop https://faq.i3wm.org/question/83/how-to-run-i3lock-after-computer-inactivity.1.html