This section is more technical and aimed at users who are versed in Linux/BSD-style systems. I will say it now: get rid of Windows and read up on GNU/Linux in the section An Introduction To GNU/Linux. Although this document is titled "Hardware Security", it is an overarching compiled list of hardware and software hardening measures for your GNU/Linux system.
Documenting the base information from your install will be beneficial to you in the future. This list should include the following to prevent any discrepancies or tampering.
Minimizing system packages can greatly increase the overall security of your system. Since software bugs are one of the main barriers to security, having fewer packages means the vulnerability surface gets smaller. Smaller footprint, smaller attack surface. As previously mentioned, you want to maintain a list of all packages installed on your system.
A good way to reinforce a strong password policy is to enable password expiration for your user accounts. You can set expiration dates for user passwords with the chage command in GNU/Linux. The system will then prompt users to set a new password once the existing password expires.
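As an added example (not code from the original page), the script below shows what chage -M actually changes: the "max" field of /etc/shadow, from which the kernel-side tools compute expiry. It prints the chage command for review, and classifies accounts from a constructed shadow sample (the hashes and the day counts are made up) so the check runs without root. On a live system you would feed it /etc/shadow and today's day number (date +%s divided by 86400).

```shell
#!/bin/sh
# Constructed /etc/shadow sample (not real accounts). Field order is
# name:hash:lastchange:min:max:warn:inactive:expire:reserved, where
# lastchange is days since the epoch and max is what `chage -M` sets.
SAMPLE_SHADOW='alice:$6$saltsalt$notarealhash:19000:0:90:7:::
bob:$6$saltsalt$notarealhash:19000:0:99999:7:::
carol:!:19000:0:90:7:::'

# Print the chage(1) command that enforces a maximum password age ($2,
# default 90 days) and a warning period ($3, default 7 days) for user $1.
# Only printed here so it can be reviewed before being run as root.
chage_policy_cmd() {
  printf 'chage -M %s -W %s %s\n' "${2:-90}" "${3:-7}" "$1"
}

# Classify one user's password age from shadow-format text on stdin, given
# "today" as days since the epoch: locked, never (no expiry), ok,
# expiring (inside the warning window) or expired.
shadow_age_status() {
  awk -F: -v u="$1" -v today="$2" '
    $1 == u {
      if ($2 ~ /^[!*]/)            { print "locked"; exit }
      if ($5 == "" || $5 >= 99999) { print "never";  exit }
      expires = $3 + $5
      if (today >= expires)           print "expired"
      else if (today >= expires - $6) print "expiring"
      else                            print "ok"
      exit
    }'
}

# List every account in the sample whose password is expired or expiring,
# as a review list for the administrator.
expiring_accounts() {
  today=$1
  printf '%s\n' "$SAMPLE_SHADOW" | cut -d: -f1 | while read -r user; do
    status=$(printf '%s\n' "$SAMPLE_SHADOW" | shadow_age_status "$user" "$today")
    case $status in expired|expiring) printf '%s %s\n' "$user" "$status" ;; esac
  done
}
```

A locked account (hash starting with ! or *) is reported as locked rather than expired, and a max of 99999 is the "never expires" default that chage -M replaces; both are cases a naive "lastchange + max" check gets wrong.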
The Linux file-system divides everything into several parts based on their use case. You can separate the critical portions of the file-system into different partitions of your disk storage. For example, the following file-systems should be split into different partitions. This helps to isolate the sensitive portions of your system. Thus, even if a malicious user gains access to some part of the system, they cannot roam freely through the entire system.
You should give extra attention to the underlying system partitions. Malicious users may leverage partitions like /tmp, /var/tmp, and /dev/shm to store and execute unwanted programs. You can take steps to secure your partitions by adding some parameters to your /etc/fstab file. Open /etc/fstab with a text editor.
Find the line that contains the /tmp mount point. Now append the parameters nosuid, nodev, noexec, and ro as a comma-separated list after defaults.
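The following is an added example (not from the original page) of making that edit in a way that can be reviewed and repeated safely: it rewrites only the options field of the chosen mount point, leaves comments and other entries untouched, and does not duplicate options that are already present. The fstab content is a constructed sample. It adds nosuid, nodev and noexec; it deliberately leaves out ro, because a read-only /tmp stops programs from creating temporary files there.

```shell
#!/bin/sh
# Constructed /etc/fstab sample (not from a real host).
SAMPLE_FSTAB='# <device>       <mount>   <type> <options> <dump> <pass>
UUID=0000-root   /         ext4   defaults  0 1
tmpfs            /tmp      tmpfs  defaults  0 0
UUID=0000-home   /home     ext4   defaults  0 2
tmpfs            /dev/shm  tmpfs  defaults  0 0'

# Add nosuid,nodev,noexec to the options of one mount point ($1). Reads
# fstab text on stdin, writes the result to stdout; comments and other
# mount points pass through untouched, and options already present are
# not added twice, so the function is safe to run more than once.
harden_mount_opts() {
  awk -v mnt="$1" '
    /^[[:space:]]*#/ || NF < 4 { print; next }
    $2 == mnt {
      opts = $4
      split("nosuid,nodev,noexec", want, ",")
      for (i = 1; i <= 3; i++)
        if (index("," opts ",", "," want[i] ",") == 0) opts = opts "," want[i]
      $4 = opts
    }
    { print }'
}

# Print the options field of one mount point, to verify the result or to
# check a live /etc/fstab before and after editing it.
mount_opts() {
  awk -v mnt="$1" '!/^[[:space:]]*#/ && $2 == mnt { print $4 }'
}

# Live use (root): write a new file, inspect the diff, then move it into
# place and remount, e.g.
#   harden_mount_opts /tmp < /etc/fstab > /etc/fstab.new
#   diff /etc/fstab /etc/fstab.new
```

Repeat for /var/tmp and /dev/shm. The change takes effect on the next mount; mount -o remount /tmp applies it immediately.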
They offer the following functionalities –
File-system stacked level encryption:
eCryptfs: a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel key-ring. This solution is widely used, as the basis for Ubuntu's Encrypted Home Directory, natively within Google's ChromeOS, and transparently embedded in several network attached storage (NAS) devices.
EncFS: an encrypted file-system in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the file-system interface. EncFS is open source software, licensed under the GPL.
Block device level encryption:
Loop-AES: a fast and transparent file system and swap encryption package for Linux. No source code changes to the Linux kernel are needed. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
VeraCrypt: free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux, based on the TrueCrypt codebase.
dm-crypt+LUKS: dm-crypt is a transparent disk encryption subsystem in Linux kernel 2.6 and later and in DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files.
While I will emphasize the use of GPG or similar services like PGP and OpenPGP, you will also want to always use secure communication services such as ssh, scp, rsync, or sftp for remote data transfer. While using these services, try to use GPG encryption to encrypt and sign your data along with all messages passed in your circle of trust.
Avoid or remove them! While I will be the first to defend these legacy communications and how fun/special/interesting they are... they are NOT secure. All or nearly all legacy programs do not provide essential security during data transmission. These include...
The Linux kernel has a lot of runtime parameters. You can easily tweak some of them to improve Linux hardening. The sysctl command allows the root/admin user to configure these kernel parameters. You may also modify the /etc/sysctl.conf file for kernel tweaking. For example, add the below line at the end of your sysctl configuration to make the system reboot 10 seconds after a kernel panic.
Add the below line to randomize the addresses for mmap base, heap, stack, and VDSO pages.
The next line will make the kernel ignore ICMP errors.
You can add as many rules as you like and customize existing rules to fit your kernel requirements.
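Setting a parameter in sysctl.conf is only half the job; the other half is confirming the running kernel actually has the value, since a typo in the file or a later change by another tool leaves the setting silently wrong. The added example below (not code from the original page) writes the three settings discussed above in sysctl.conf form and compares them against a snapshot of running values. The keys are the standard kernel ones for those settings (kernel.panic, kernel.randomize_va_space, net.ipv4.icmp_ignore_bogus_error_responses); the "running" snapshot is constructed so the check runs without root, and on a live host you would pass the output of sysctl -a instead.

```shell
#!/bin/sh
# The three settings discussed above, in /etc/sysctl.conf format.
DESIRED_SYSCTL='# reboot 10 seconds after a kernel panic
kernel.panic = 10
# randomize mmap base, heap, stack and VDSO
kernel.randomize_va_space = 2
# ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1'

# Constructed snapshot of a running kernel, in the form "sysctl -a" prints
# (two of the three values have drifted from the desired file).
SAMPLE_RUNNING='kernel.panic = 0
kernel.randomize_va_space = 2
net.ipv4.icmp_ignore_bogus_error_responses = 0'

# Normalize sysctl text on stdin to "key value" lines: strip comments and
# blank lines, drop the "=" and the whitespace around it.
parse_sysctl() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' \
      -e 's/[[:space:]]*=[[:space:]]*/ /'
}

# Compare desired settings ($1) with running values ($2). Prints one
# "key expected=X actual=Y" line per drifting key and returns 1 if anything
# drifts, 0 if every desired key is present with the desired value.
sysctl_drift() {
  {
    printf '%s\n' "$1" | parse_sysctl | sed 's/^/want /'
    printf '%s\n' "$2" | parse_sysctl | sed 's/^/have /'
  } | awk '
    $1 == "want" { want[$2] = $3; next }
    $1 == "have" { have[$2] = $3 }
    END {
      rc = 0
      for (k in want)
        if (!(k in have) || have[k] != want[k]) {
          printf "%s expected=%s actual=%s\n", k, want[k], (k in have) ? have[k] : "unset"
          rc = 1
        }
      exit rc
    }'
}

# Live use, after "sysctl -p" (or "sysctl --system") has loaded the file:
#   sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
```

The non-zero return value makes the check usable from a cron job or a configuration-management run, which is where drift is normally caught.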
Install ClamAV and a tool to send email notifications: apt-get update && apt-get install clamav clamav-freshclam heirloom-mailx
Be sure that the virus definitions will be updated: service clamav-freshclam start
To do a manual update of the virus definitions: freshclam -v
iptables uses three different chains: input, forward, and output.
Input – This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.
Forward – This chain is used for incoming connections that are not actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.
There is one way to check whether or not your system uses/needs the forward chain.
Output – This chain is used for outgoing connections. For example, if you try to ping neocities.org, iptables will check its output chain to see what the rules are regarding ping and neocities.org before making a decision to allow or deny the connection attempt.
Before going in and configuring specific rules, you will want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection does not match any existing rules? To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command.
More often than not, you will want your system to accept connections by default. Unless you have changed the policy chain rules previously, this setting should already be configured. Here is the command to accept connections by default:
By defaulting to the accept rule, you can then use iptables to deny specific IP addresses or port numbers, while continuing to accept all other connections. We will get to those commands in a minute. If you would rather deny all connections and manually specify which ones you want to allow to connect, you should change the default policy of your chains to drop. Doing this would probably only be useful for servers that contain sensitive information and only ever have the same IP addresses connect to them.
With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.
The best way to show the difference between these three rules is to show what it looks like when a PC tries to ping a Linux machine with iptables configured for each one of these settings.
With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we will set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.
Note: In these examples, we are going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that it matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify its position in the list.
Connections from a single IP address. This example shows how to block all connections from the single IP address 10.10.10.10.
Connections from a range of IP addresses. This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.
Connections to a specific port. This example shows how to block SSH connections from 10.10.10.10.
You can replace “ssh” with any protocol or port number. The -p tcp part of the code tells iptables what kind of connection the protocol uses. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead. This example shows how to block SSH connections from any IP address.
As mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Will not adding a rule to the output chain also allow outgoing SSH attempts? That is where connection states come in, which give you the capability you would need to allow two way communication but only allow one way connections to be established. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.
The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes. This command can differ depending on your distribution:
List the currently configured iptables rules with iptables -L; adding the -v option will give you packet and byte information, and adding -n will list everything numerically.
To clear all the currently configured rules, you can issue the flush command.
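Rather than typing rules one at a time, a practitioner normally writes the whole set as an iptables-restore file, which is reviewable, reproducible, and exactly what iptables-save persists. The added example below (not code from the original page) emits such a ruleset for the scenarios described above: the default policy on all three chains, the dropped 10.10.10.0/24 range, and an SSH session allowed in from one host with only the established replies allowed back out, so that no new SSH connection can be opened toward that host. The permitted SSH host, 192.0.2.10, is a constructed placeholder address. Nothing is applied by the script; loading it with iptables-restore is a separate, root-only step.

```shell
#!/bin/sh
# Emit an iptables-restore(8) ruleset for the examples in the text.
#   $1 default policy for INPUT, FORWARD and OUTPUT: ACCEPT (default) or DROP
#   $2 network to drop entirely (page example: 10.10.10.0/24)
#   $3 host permitted to SSH in (192.0.2.10 is a constructed placeholder)
build_ruleset() {
  policy=${1:-ACCEPT}
  blocked_net=${2:-10.10.10.0/24}
  ssh_from=${3:-192.0.2.10}
  case $policy in
    ACCEPT|DROP) ;;
    *) echo "policy must be ACCEPT or DROP (built-in chains take no other)" >&2; return 2 ;;
  esac
  # Rules are matched top down: the stateful ACCEPT for replies is listed
  # before the DROP that forbids new outbound SSH to the same host.
  cat <<EOF
*filter
:INPUT $policy [0:0]
:FORWARD $policy [0:0]
:OUTPUT $policy [0:0]
-A INPUT -s $blocked_net -j DROP
-A INPUT -p tcp --dport 22 -s $ssh_from -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 22 -d $ssh_from -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 22 -d $ssh_from -j DROP
COMMIT
EOF
}

# Count the rules (-A lines) in a ruleset read on stdin.
rule_count() { grep -c '^-A '; }

# Print the rule numbers, in order, that mention a given address, so the
# ordering of ACCEPT before DROP can be checked before the set is loaded.
rules_for() {
  awk -v a="$1" '/^-A / { n++; if (index($0, a)) print n }'
}

# Apply and persist (root only):
#   build_ruleset DROP | iptables-restore
#   iptables-save > <the file your distribution loads at boot>
```

With the DROP policy, this set is deliberately minimal: it does not yet accept loopback traffic or established connections for other services, so review iptables -L -v -n on the console, not over SSH, before switching a remote machine to it.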
This section mainly pertains to daemons. A lot of services and daemons are started during system boot. Disabling those that are not mandatory can help in hardening and improve your boot time. Since most modern distributions use systemd instead of init scripts, you can use systemctl for finding these services.
These commands will display these services and daemons. You can disable a specific service by using the below command.
GNU/Linux provides automation support by means of cron jobs. You can specify routine tasks using the cron scheduler. root/admin users must make sure that ordinary users are unable to access or put entries in the crontab. Simply put their usernames in the /etc/cron.deny file to do this.
This command will disable cron for all users on your server except root. To allow access for a specific user, add their username to the /etc/cron.allow file.
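The interaction between cron.allow and cron.deny is easy to get wrong, so the added example below (not code from the original page) generates a cron.deny from a constructed /etc/passwd sample and then implements the precedence that Vixie/ISC cron documents: root is always allowed; if cron.allow exists it is the only thing consulted; otherwise cron.deny is consulted; with neither file the default varies by distribution (treated as allowed here). The directory argument stands in for /etc so the check can run against a scratch directory.

```shell
#!/bin/sh
# Constructed /etc/passwd sample (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Write $1/cron.deny listing every ordinary login account from passwd-format
# text on stdin. UID >= 1000 is assumed as the first ordinary UID; match it
# to UID_MIN in your login.defs. On a live system $1 is /etc.
write_cron_deny() {
  awk -F: '$3 >= 1000 && $1 != "nobody" { print $1 }' > "$1/cron.deny"
}

# Decide whether user $1 may use crontab, given the directory $2 that holds
# cron.allow / cron.deny (default /etc). Returns 0 if allowed, 1 if denied.
cron_allowed() {
  user=$1; etc=${2:-/etc}
  if [ "$user" = root ]; then return 0; fi
  if [ -f "$etc/cron.allow" ]; then
    # cron.allow present: only the listed users, cron.deny is ignored
    if grep -qx "$user" "$etc/cron.allow"; then return 0; else return 1; fi
  elif [ -f "$etc/cron.deny" ]; then
    # only cron.deny present: everyone except the listed users
    if grep -qx "$user" "$etc/cron.deny"; then return 1; else return 0; fi
  fi
  return 0
}
```

Note that a deny list built from UIDs does not cover system accounts such as daemon; if those should never run cron jobs either, an allow list containing only the intended users is the stricter choice.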
Core dumps are memory snapshots that contain crash information about executables. They are created when binaries stop working or crash. They can contain a great deal of sensitive information about the system and may threaten your security if they fall into the wrong hands. So it is always a good idea to restrict core dumps on your machine.
Run the above commands to restrict core dumps on your system.
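As an added example (not code from the original page), the script below prints the two persistent settings a practitioner normally pairs for this: a hard core limit of 0 in limits.conf, and fs.suid_dumpable = 0 so that setuid programs never dump. It then demonstrates, in a subshell so the caller's limits are untouched, why the hard limit matters: once it is 0, a user cannot raise the soft limit above it. The file paths in the printed fragment are the conventional ones and are assumptions about your distribution's layout.

```shell
#!/bin/sh
# Print the persistent configuration: a hard limit in limits.conf (which a
# non-root user cannot raise, unlike a soft limit or a shell-profile ulimit)
# and the sysctl that stops setuid binaries from dumping at all.
core_dump_config() {
  cat <<'EOF'
# /etc/security/limits.conf
*     hard    core    0
# /etc/sysctl.d/50-coredump.conf   (load with: sysctl --system)
fs.suid_dumpable = 0
EOF
}

# Set the hard core limit to 0 in a subshell, try to raise the soft limit,
# and print the soft limit that results (the raise fails, so it stays 0).
core_limit_after_hard_zero() {
  (
    ulimit -H -c 0
    ulimit -S -c 1024 2>/dev/null || true   # rejected: soft cannot exceed hard
    ulimit -S -c
  )
}

# Check limits.conf text on stdin for an uncommented line that sets a hard
# core limit of 0 for all users ("*"); prints yes or no.
limits_restrict_core() {
  if awk '!/^[[:space:]]*#/ && $1 == "*" && $2 == "hard" && $3 == "core" && $4 == "0" { found = 1 }
          END { exit !found }'; then
    echo yes
  else
    echo no
  fi
}
```

A soft-only line ("* soft core 0") is not enough, because any process can raise its own soft limit back up to the hard limit.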
It is always a good idea to disable as many peripherals as possible that are unneeded or unused. This makes your system more secure against attackers who have gained direct access to the infrastructure you are connected to. FireWire is the generic name of the IEEE 1394 hardware interface. It is used for connecting digital devices like camcorders. Disable it by using the following command.
The Thunderbolt interface provides connections between your system and high-speed peripherals like hard disk storage, RAID arrays, network interfaces, and so on. You can disable it by using the below command.
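Both interfaces are driven by loadable kernel modules, so the durable way to keep them off is a modprobe.d fragment, plus a check that the modules are not already loaded. The added example below (not code from the original page) generates that fragment and audits lsmod-style output; the module names firewire-core, firewire-ohci and thunderbolt are the standard ones for these drivers, the lsmod snapshot is constructed, and the config file name is an assumption.

```shell
#!/bin/sh
# Kernel modules for the two interfaces above. Confirm on your kernel with
# "lsmod" and "modinfo <name>" before relying on this list.
DISABLED_MODULES='firewire-core firewire-ohci thunderbolt'

# Print a modprobe.d fragment that both blacklists each module (so it is not
# auto-loaded by alias when the hardware is detected) and maps it to
# /bin/false (so an explicit "modprobe <name>" fails as well).
# Install as e.g. /etc/modprobe.d/disable-firewire-thunderbolt.conf
modprobe_disable_conf() {
  for m in $DISABLED_MODULES; do
    printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
  done
}

# Given lsmod-style output on stdin, print any of the disabled modules that
# are currently loaded; those still need "modprobe -r" now, in addition to
# the config that keeps them out after a reboot. lsmod prints names with
# '_' while modprobe.d accepts '-' or '_', so the names are normalized.
loaded_disabled_modules() {
  awk -v list="$DISABLED_MODULES" '
    BEGIN {
      n = split(list, mods, " ")
      for (i = 1; i <= n; i++) { gsub("-", "_", mods[i]); want[mods[i]] = 1 }
    }
    NR > 1 && ($1 in want) { print $1 }'
}

# Constructed lsmod snapshot for the check (not from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          69632  1 firewire_ohci
ext4                  774144  1
snd_hda_intel          57344  0'
```

Live use: modprobe_disable_conf > /etc/modprobe.d/disable-firewire-thunderbolt.conf, then lsmod | loaded_disabled_modules to see what must be unloaded right now. Note that firewire_ohci must be removed before firewire_core, which it uses.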
The Ctrl+Alt+Delete key combinations allow users to force reboot many GNU/Linux distributions. This can be a problem for you as a user. root/admin users should disable this hotkey in order to maintain proper GNU/Linux hardening. You can run the following command to disable this in systemd based systems.
If you are on a system that uses SysV init instead of systemd, edit the /etc/inittab file and comment out the following line by prepending a hash (#) to it.
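As an added example (not code from the original page), the script below makes that inittab edit by matching on the action field rather than on an exact line, so it finds the entry regardless of its id or the shutdown command used, and leaves already-commented lines alone. The inittab excerpt is a constructed sample. For the systemd side, the comment shows the equivalent target to mask.

```shell
#!/bin/sh
# Constructed SysV inittab excerpt (not from a real host).
SAMPLE_INITTAB='id:2:initdefault:
si::sysinit:/etc/init.d/rcS
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/getty 38400 tty1'

# Comment out every active ctrlaltdel entry in inittab text on stdin.
# inittab fields are id:runlevels:action:process, so the match is on $3.
# Lines that are already comments pass through, so a second run is a no-op.
disable_ctrlaltdel_inittab() {
  awk -F: '$1 !~ /^[[:space:]]*#/ && $3 == "ctrlaltdel" { print "#" $0; next } { print }'
}

# Print "active" if an uncommented ctrlaltdel entry remains, else "disabled".
ctrlaltdel_state() {
  awk -F: '$1 !~ /^[[:space:]]*#/ && $3 == "ctrlaltdel" { active = 1 }
           END { print active ? "active" : "disabled" }'
}

# Live use (root), then "telinit q" makes init re-read the file:
#   disable_ctrlaltdel_inittab < /etc/inittab > /etc/inittab.new
#   diff /etc/inittab /etc/inittab.new && mv /etc/inittab.new /etc/inittab
# On systemd the equivalent is:  systemctl mask ctrl-alt-del.target
```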
You need to be always prepared for unforeseen problems. Backing up your workstation or server can prove extremely beneficial in the long run. Thankfully, a large number of backup utilities for Linux exist to make system backups easier. Moreover, you must automate the backup process and store your system data safely. Employing disaster management and recovery solutions can also be useful when it comes to data management.