This section is more technical and aimed at users who are already comfortable with Linux/BSD style systems. If you are still on Windows, get rid of it and read the section An Introduction To GNU/Linux first. While this document is titled "Hardware Security", it is an overarching compiled list of hardware and software hardening steps for your GNU/Linux system.
Documenting the base information from your install will benefit you in the future. This list should include the following so that any discrepancies or tampering can be spotted later.
Minimizing the number of installed packages can greatly increase the overall security of your system. Since software bugs are one of the main barriers to security, having fewer packages means a smaller vulnerability surface. Smaller footprint, smaller attack surface. As previously mentioned, you want to maintain a list of all packages installed on your system.
dpkg --list
dpkg --info *package
apt purge *package
One way to reinforce a strong password policy is to enable password expiration for user accounts. You can set expiration dates for user passwords with the chage command in GNU/Linux, which makes the system ask users to set a new password once the existing one expires.
List the current password expiration settings for a user:
chage -l *user
Set the password to expire 30 days after it was last changed:
chage -M 30 *user
Set the account expiration date explicitly, using the YYYY-MM-DD format:
chage -E "2020-04-30" *user
The Linux file-system divides everything into several parts based on their use case. You can separate the critical portions of the file-system into different partitions of your disk storage. For example, the following file-systems should be split into different partitions. This helps to isolate the sensitive portions of your system, so even if a malicious user gains access to some part of the system, they cannot roam freely through the entire system.
Give extra attention to the underlying system partitions. Malicious users may leverage partitions like /tmp, /var/tmp, and /dev/shm to store and execute unwanted programs. You can secure these partitions by adding some mount options to your /etc/fstab file. Open the file using a Linux text editor.
nano /etc/fstab
Find the line that contains the /tmp location. Now, append the parameters nosuid, nodev, noexec, and ro as a comma-separated list after defaults.
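As an added example (not code from the original guide), here is a small POSIX sh check that reads a /proc/mounts style table and reports which of the mount points named above lack nosuid, nodev or noexec; the sample table is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify that the mount
# points named above actually carry nosuid,nodev,noexec. "ro" is not
# required here because /tmp must stay writable for programs to work.

# check_mount_opts MOUNTS_FILE MOUNTPOINT OPT1,OPT2,...
# MOUNTS_FILE is in /proc/mounts format. Prints the verdict for MOUNTPOINT
# and returns 0 only when every requested option is present.
check_mount_opts() {
    mounts="$1"; mp="$2"; want="$3"
    # the last matching entry wins, as with stacked mounts
    line=$(awk -v mp="$mp" '$2 == mp { print }' "$mounts" | tail -n 1)
    if [ -z "$line" ]; then
        echo "$mp: not a separate mount point"
        return 1
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for o in $(printf '%s\n' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# write_sample_mounts FILE -- constructed /proc/mounts snapshot of a
# hypothetical host: /tmp hardened, /dev/shm left at its defaults,
# /var/tmp not split off from the root file-system at all.
write_sample_mounts() {
    cat >"$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
EOF
}

# Audit the three mount points the text warns about. Pass /proc/mounts
# instead of "$SAMPLE" to audit the live system.
SAMPLE=$(mktemp)
write_sample_mounts "$SAMPLE"
for mp in /tmp /var/tmp /dev/shm; do
    check_mount_opts "$SAMPLE" "$mp" nosuid,nodev,noexec || true
done
rm -f "$SAMPLE"
```

The check does not ask for ro: a read-only /tmp prevents programs from creating temporary files, so reserve ro for mounts whose contents are genuinely static.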
Encryption solutions on Linux offer the following functionalities:
File-system stacked level encryption
Block device level encryption
While I will emphasize the use of GPG or related tools such as PGP and other OpenPGP implementations, you should also always use secure transport services such as ssh, scp, rsync (over ssh), or sftp for remote data transfer. While using these services, use GPG to encrypt and sign your data along with all messages passed within your circle of trust.
Avoid or remove them! While I will be the first to defend these legacy communication protocols and how fun/special/interesting they are... they are NOT secure. All or nearly all legacy programs provide no essential security during data transmission. These include...
The Linux kernel has many runtime parameters, and tweaking some of them improves Linux hardening. The sysctl command lets root/admin users configure these kernel parameters at runtime, and you can also edit the /etc/sysctl.conf file to make the settings persistent. For example, add the line below at the end of your sysctl configuration to make the system reboot 10 seconds after a kernel panic.
nano /etc/sysctl.conf
kernel.panic=10
Add the below line to randomize the addresses for mmap base, heap, stack, and VDSO pages.
kernel.randomize_va_space=2
The next line makes the kernel silently ignore bogus ICMP error responses instead of logging them.
net.ipv4.icmp_ignore_bogus_error_responses=1
You can add as many rules as you like and customize existing rules to fit your kernel requirements.
ClamAV Daily Scans (Debian/Ubuntu)
Install ClamAV and a tool to send email notifications:
apt update && apt install clamav clamav-freshclam heirloom-mailx
Make sure the virus definitions are kept up to date by starting the freshclam service:
service clamav-freshclam start
To do a manual update of the virus definitions:
freshclam -v
apt install chkrootkit
IP Tables
sudo apt install iptables
iptables uses three different chains: input, forward, and output.
Before going in and configuring specific rules, you will want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection does not match any existing rules? To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command.
iptables -L
More times than not, you will want your system to accept connections by default. Unless you have changed the policy chain rules previously, this setting should already be configured. Here is the command to accept connections by default:
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
By defaulting to the accept rule, you can then use iptables to deny specific IP addresses or port numbers, while continuing to accept all other connections. We will get to those commands in a minute. If you would rather deny all connections and manually specify which ones you want to allow to connect, you should change the default policy of your chains to drop. Doing this would probably only be useful for servers that contain sensitive information and only ever have the same IP addresses connect to them.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we are going to go over the three most basic and commonly used "responses": ACCEPT, DROP, and REJECT.
The best way to show the difference between these three is to show what happens when a PC tries to ping a Linux machine with iptables configured for each one of these settings.
With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we will set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.
Note: In these examples, we use iptables -A to append rules to the end of the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that matches. If you need to insert a rule above another, use iptables -I [chain] [number] to specify the position it should take in the list.
Connections from a single IP address. This example shows how to block all connections from the single IP address 10.10.10.10:
iptables -A INPUT -s 10.10.10.10 -j DROP
Connections from a range of IP addresses. This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range:
iptables -A INPUT -s 10.10.10.0/24 -j DROP
iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP
Connections to a specific port. This example shows how to block SSH connections from 10.10.10.10:
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
You can replace "ssh" with any protocol name or port number. The -p tcp part tells iptables which transport protocol the rule applies to; for a service that uses UDP rather than TCP, use -p udp instead. This example shows how to block SSH connections from any IP address:
iptables -A INPUT -p tcp --dport ssh -j DROP
As mentioned earlier, many protocols require two-way communication. For example, if you want to allow SSH connections to your system, both the INPUT and OUTPUT chains need a rule. But what if you only want SSH coming into your system to be allowed? Would adding a rule to the OUTPUT chain not also allow outgoing SSH attempts? That is where connection states come in: they let you allow two-way communication while only letting connections be established in one direction. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. The system is still permitted to send information back over SSH as long as the session has already been established, which makes SSH communication between the two hosts possible.
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
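To tie this section together, the following is an added example (not code from the original guide) that generates the default-DROP, stateful SSH ruleset as a reviewable list of commands before anything touches the live firewall. It validates the admin address before splicing it into a command, and it adds loopback ACCEPT rules, which this section does not mention but which local services need; the function names and the DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example (not part of the original guide): the stateful, default-DROP
# ruleset from this section built as a reviewable list of commands. With
# DRY_RUN=1 the commands are printed instead of run. The address passed in
# is an assumed placeholder for the single host allowed to open SSH sessions.

# valid_ipv4 ADDR -- accept only a dotted quad with an optional /prefix, so an
# address read from a config file can never smuggle shell syntax into a rule
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for o in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# gen_rules ADMIN_HOST -- print the ruleset, one iptables command per line.
# ACCEPT rules come first and the DROP policies last, so an admin session
# that is already open is never cut off half-way through.
gen_rules() {
    admin="$1"
    valid_ipv4 "$admin" || { echo "gen_rules: bad address '$admin'" >&2; return 1; }
    cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $admin -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d $admin -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# apply_rules ADMIN_HOST -- print (DRY_RUN=1) or execute the ruleset as root
apply_rules() {
    rules=$(gen_rules "$1") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}

# Review the output first; then run as root with DRY_RUN unset and persist
# the result with iptables-save as described below.
DRY_RUN=1
apply_rules 10.10.10.10
```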
The changes that you make to your iptables rules will be lost the next time the iptables service restarts unless you save them. The command differs by distribution; note that iptables-save writes the ruleset to standard output, so redirect its output into the file your distribution loads at boot:
sudo /sbin/iptables-save
/sbin/service iptables save
/etc/init.d/iptables save
List the currently configured iptables rules:
iptables -L
Adding the -v option gives packet and byte counts, and adding -n lists addresses and ports numerically.
To clear all the currently configured rules, issue the flush command:
iptables -F
UFW (Debian/Ubuntu)
UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall.
sudo apt install ufw
Using IPv6 with UFW
sudo nano /etc/default/ufw
Then make sure the value of IPV6 is set to "yes".
Check UFW Status and Rules
sudo ufw status verbose
Set Up Default Policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
AppArmor
SELinux
This section mainly pertains to daemons. A lot of services and daemons are started during system boot. Disabling those that are not mandatory can help in hardening and improve your boot time. Since most modern distributions use systemd instead of init scripts, you can use systemctl for finding these services.
systemctl list-unit-files --type=service
systemctl list-dependencies graphical.target
These commands list the services and daemons. You can disable a specific service with the following command (shown below with httpd as an example):
systemctl disable *service
systemctl disable httpd.service
GNU/Linux provides automation support through cron jobs. You can specify routine tasks using the cron scheduler. root/admin users must make sure that ordinary users are unable to access or add entries to the crontab. Put their usernames in the /etc/cron.deny file to do this.
echo ALL >>/etc/cron.deny
This command disables cron for all users on your server except root. To allow access for a specific user, add their username to the /etc/cron.allow file.
Core dumps are memory snapshots that record the state of an executable when it crashes. They are created when binaries stop working or crash. Because they are a copy of process memory, they can contain sensitive information such as credentials or keys, and they may threaten your security if they fall into the wrong hands, so it is a good idea to restrict core dumps on your machine.
echo '* hard core 0' >> /etc/security/limits.conf
echo 'fs.suid_dumpable = 0' >> /etc/sysctl.conf
sysctl -p
echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile
Run the above commands to restrict core dumps on your system.
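As an added example (not from the original guide) covering both the sysctl section and the core-dump settings above, this script keeps the kernel settings in one drop-in file and audits the running kernel against it; the file name /etc/sysctl.d/99-hardening.conf, the function names, and the fake_sysctl stand-in are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original guide: one drop-in file holding the
# kernel settings from the sysctl and core-dump sections, plus an audit of
# the running kernel against it (the file name below is an assumption).
# write_hardening_conf FILE -- write the expected settings as key=value
write_hardening_conf() {
    cat >"$1" <<'EOF'
kernel.panic=10
kernel.randomize_va_space=2
net.ipv4.icmp_ignore_bogus_error_responses=1
fs.suid_dumpable=0
EOF
}

# sysctl_audit CONF [READER] -- compare every key in CONF with what READER
# returns for it (default: sysctl -n KEY); returns the number of mismatches
sysctl_audit() {
    conf="$1"; reader="${2:-sysctl -n}"; bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d ' ')
        want=$(printf '%s' "$line" | cut -d= -f2- | tr -d ' ')
        have=$($reader "$key" 2>/dev/null) || have='(unset)'
        if [ "$have" = "$want" ]; then
            echo "ok       $key = $have"
        else
            echo "MISMATCH $key = $have (expected $want)"
            bad=$((bad + 1))
        fi
    done <"$conf"
    return "$bad"
}

# Constructed stand-in for "sysctl -n" on a not-yet-hardened kernel, so the
# audit can run without root; omit the READER argument to query the real kernel.
fake_sysctl() {
    case "$2" in
        kernel.panic) echo 0 ;;
        kernel.randomize_va_space) echo 2 ;;
        net.ipv4.icmp_ignore_bogus_error_responses) echo 1 ;;
        fs.suid_dumpable) echo 2 ;;
        *) return 1 ;;
    esac
}
# Real use: write_hardening_conf /etc/sysctl.d/99-hardening.conf && sysctl --system
CONF=$(mktemp)
write_hardening_conf "$CONF"
sysctl_audit "$CONF" "fake_sysctl -n" || echo "$? setting(s) differ from the drop-in"
rm -f "$CONF"
```

The limits.conf and /etc/profile lines from the core-dump section are not sysctls; confirm those separately with ulimit -c in a fresh login shell, which should print 0.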
It is always a good idea to disable as many unneeded or unused peripherals as possible. This protects your system against attackers who have gained physical access to the hardware you are connected to. FireWire is the generic name of the IEEE 1394 hardware interface, used for connecting digital devices such as camcorders. Disable it with the following command.
echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
The thunderbolt interface provides connections between your system and high-speed peripherals like hard disk storage, RAID arrays, network interfaces, and so on. You can disable it by using the below command.
echo "blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf
The Ctrl+Alt+Delete key combination lets users force a reboot on many GNU/Linux distributions. This can be a problem for you as a user, so root/admin users should disable this hotkey as part of proper GNU/Linux hardening. You can run the following command to disable it on systemd based systems.
systemctl mask ctrl-alt-del.target
On systems that use SysV init instead of systemd, edit the /etc/inittab file and comment out the following line by prepending a hash to it.
nano /etc/inittab
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now
You need to always be prepared for unforeseen problems. Backing up your workstation or server can prove extremely beneficial in the long run. Thankfully, a large number of backup utilities for Linux exist to make system backups easier. Moreover, you should automate the backup process and store your system data safely. Employing disaster management and recovery solutions can also be useful when it comes to data management.