
Let's have a system hardening thread, any operating system


Thread replies: 14
Thread images: 2

File: servers.jpg (15KB, 240x135px)
Let's have a system hardening thread, any operating system welcome. Share your tips and tricks for securing your operating system! For Debian stable users, here are some sysctl tweaks that you might enjoy. You can add these lines to /etc/sysctl.d/99-sysctl.conf:

# Prevents leaking of internal kernel addresses to make kernel exploits harder.
kernel.kptr_restrict = 1

# Controls use of the performance events system by unprivileged users (without CAP_SYS_ADMIN). The default value is 1.
# -1: Allow use of (almost) all events by all users
# >=0: Disallow raw tracepoint access by users without CAP_SYS_ADMIN
# >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
# >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
kernel.perf_event_paranoid = 2

# Disable the magic SysRq key which allows users to perform low-level commands regardless of the system's state. Often used to recover from freezes.
kernel.sysrq = 0

# Setting ptrace_scope to value 1 blocks one process from examining and modifying another process unless the second process (child) was started by the first process (parent).
kernel.yama.ptrace_scope = 1


You can also uncomment the other tweaks in this file, but remember to read up on what they do.
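Added example, not from the thread or from any of the posters: a small POSIX sh audit that parses a sysctl.d fragment like the one above and compares every key against what the running kernel actually reports under /proc/sys, so you can confirm the settings took effect after sysctl --system or a reboot, and catch keys that do not exist on your kernel (for example kernel.yama.ptrace_scope on a kernel built without Yama). The optional second argument, an alternative root directory in place of /proc/sys, is my own addition for testing against a copy.

```sh
#!/bin/sh
# Added example (not from the thread): audit a sysctl.d fragment against the
# running kernel. Usage: audit_sysctl /etc/sysctl.d/99-sysctl.conf
# An optional second argument replaces /proc/sys (handy for tests).

# Print the current value of one sysctl key; dots in the key become path
# separators, so kernel.yama.ptrace_scope reads /proc/sys/kernel/yama/ptrace_scope.
sysctl_current() {
    key=$1
    root=${2:-/proc/sys}
    path="$root/$(printf '%s' "$key" | tr . /)"
    [ -r "$path" ] || return 1
    # Multi-field values are tab separated in /proc; collapse whitespace so
    # "1 2" in the config compares equal to "1<TAB>2" from the kernel.
    sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//' < "$path"
}

# Compare every "key = value" line of a sysctl.conf-style file with the live
# value. Returns 0 only if all keys exist and match; prints one line per key.
audit_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # strip comments (# and ; are both valid)
        line=${line%%;*}
        case $line in *=*) ;; *) continue ;; esac # skip blank and non-assignment lines
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]' | tr / .)   # sysctl accepts a/b/c too
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if ! cur=$(sysctl_current "$key" "$root"); then
            printf 'MISSING  %s (expected %s): key not present on this kernel\n' "$key" "$val"
            rc=1
        elif [ "$cur" = "$val" ]; then
            printf 'OK       %s = %s\n' "$key" "$val"
        else
            printf 'MISMATCH %s = %s (expected %s)\n' "$key" "$cur" "$val"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Stand-alone use: sh audit_sysctl.sh /etc/sysctl.d/99-sysctl.conf
if [ $# -gt 0 ]; then
    audit_sysctl "$@"
fi
```

A non-zero exit status means at least one key is missing or differs, which makes the script usable from a cron job or a config-management check as well as interactively.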
>>
>>59368541
I don't see the point in disabling SysRq. Just set it to be able to reboot/shutdown, which is something anybody who has physical access can do anyways. What if you need to force shutdown via SysRq? That's much more likely than some bad actor walking into your room.
>>
For anyone interested in how to secure their Linux machines, these links may help you:

https://github.com/lfit/itpol/blob/master/linux-workstation-security.md
https://wiki.archlinux.org/index.php/Security

Also, I'd like to ask the following question to see if anyone knows of a suitable solution: is there any kind of application firewall for Linux? I know that the usual answer is that they are mostly useless because they can be easily bypassed, but what I want is to be aware of (and be able to deny) automatic connections that some desktop programs might attempt.

For example, GNOME Calculator automatically fetches third party content over HTTP and parses the response. I'd like to avoid things like these.

I know about Douane (https://github.com/Douane/Douane), but it's unmaintained, unaudited and clunky to install. There is also Subgraph OS, a Debian-based security-focused distro still in alpha, that comes with an interactive application firewall of their own, this is what I'd ideally want (pic related). Subgraph is very promising, but it's not mature yet.

The only solution I've come up with is disabling network access to my regular user and using another user just for internet browsing in another virtual terminal, but some background DE processes could still be leaking. I can't be the only one who worries about this, so how do people do it?
>>
Bump for interest
>>
Thought my thread died. Let's try to revive it.

>>59369487
Right you are. Seems like I went a little crazy with the settings.

>>59369518

Best option: Don't use programs that do that.
Alternative: Use an excellent sandboxing program called 'firejail'. You can control network settings by simply not giving it any network access at all. It's available in Debian's backports repos, Ubuntu LTS, and I'm sure it should be included with Fedora. I would also recommend using firejail for web browsers, it's a great program that is actively developed.
>>
>>59370363
>and I'm sure it should be included with Fedora

*should be included in Fedora's repos.
>>
the cia is in ur tv peepin ur nudes
>>
>>59370363
>Best option: Don't use programs that do that.
The problem is: how do I know which programs do that? I only knew about GNOME Calculator because the Subgraph devs used it as an example. What about the rest of the programs (even music players make tons of automatic connections: http://thesimplecomputer.info/choosing-a-linux-music-player)? What about everything that runs in the background? It's simply impossible to evaluate this on a program-by-program basis, that's why I want an application firewall.
>>
all trivial to bypass

try harder my man
>>
>>59370363
Better option is to start all firejailed programs with --net=some_bridge and use iptables to enable/disable/filter networking, since it allows you to enable or disable network access or filtering at will on a per-program basis.
Also it can use overlayfs, private directories and x11 isolation among other things, which is nice.
What I'd like to do is write a bunch of scripts to help manage that, especially with regard to networking, so there's a one-command (and perhaps even tray icon + 1-button) way to enable/disable/filter networking, as well as do per-program VPN.
>>
>>59371726
tcpdump and sniff with wireshark?

Block connections on hardware level
>>
>>59371843
>tcpdump and sniff with wireshark?
I don't think that's a solution. There are programs that make automatic connections only under certain circumstances (example: GNOME Calculator when entering financial mode).

As I said, it's just not feasible to control this on a per program basis. Besides, behavior can change in future versions. An application firewall that only lets certain programs have networking access is what I need.

>>59371807
>use iptables to enable/disable/filter networking, since it allows you to enable or disable network access or filtering at will on a per-program basis.
How can I do that with iptables? AFAIK per-program filtering isn't possible.
>>
>>59371726
Only open web, SSL, or DNS ports when you need to


Also, is passwordless sudo a security risk?
>>
>>59372099
You use firejail --net=brX to isolate the program's net (it uses netns in the backend). Then you use iptables -A FORWARD -i brX -o eth0 -j ACCEPT, for example. This will forward anything which connects over brX straight onto eth0. You can then modify or delete the rule at will. Deleting the rule will prevent anything connected to brX from getting any network access. Of course brX needs to exist in advance (with brctl addbr brX).
I use it to force some programs to connect exclusively through tor without their needing to be aware of any network specifics while other programs run clear.