Thread replies: 117
Thread images: 13
Thread images: 13
Anonymous
What's the most complete guide on hardening a Linux OS? 2017-04-21 07:11:59 Post No. 60004516
[Report] Image search: [Google]
What's the most complete guide on hardening a Linux OS? 2017-04-21 07:11:59 Post No. 60004516
[Report] Image search: [Google]
File: hardening_linux.jpg (18KB, 800x343px) Image search:
[Google]
18KB, 800x343px
What's the most complete guide on hardening a Linux OS?
Anonymous
2017-04-21 07:11:59
Post No. 60004516
[Report]
>>
Install (Hardened) Gentoo
>>
1. Unplug the internet
>>
File: 1486656661995.jpg (130KB, 1024x576px) Image search:
[Google]
130KB, 1024x576px
>>60004516
Linux hacks?
http://a.co/ecW7MtW
Somewhat outdated, but have some good ideas.
>>
>>60004553
>>60004607
Edgy.
>>60004682
Thank you.
>>
>>60004516
https://sharpencryptedpig.noblogs.org/post/2014/05/29/how-to-install-gentoo-hardened-with-encrypted-root-and-swapexpress-procedure/
This one doesn't encrypt /home/, but it's very easy to do so (just add a home LVM).
It also doesn't go into detail about the hardened kernel, specifically GRSecurity, but that's easy enough (there are a few variables that you don't enable if you want your computer to function, and read the "help" section under PaX).
>>
>>60004786
Thank you too.
>>
>>60004516
Uninstalling it
>>
>>60004927
>>60004516
Uninstall Lintrash and install BSD
>>
>>60004682
what the fug is this link? why is it cia-niggafied into an unclear and mysterious url?
>>
>>60004786
PAX is a real pain the in the ass to deal with sometimes, but whenever you get your flags properly set, GrSecurity is actually quite usable.
>>
>>60005006
Sorry, it's not reddit, so nobody cares about shortened url.
>>
>>60005068
thats because g has become reddit
>>
File: MangaRamblo.jpg (19KB, 300x255px) Image search:
[Google]
19KB, 300x255px
>>60004949
Puffer a cutest
>>
I would unironically suggest using Gentoo. Since it's compiled from source you have control over compiler/linker flags as well as the USE flags which could reduce attack surface a bit by not including things that aren't necessary (e.g. imagine being hit by an exploit in a systemd library just because some retarded software requires it even though your system uses openrc).
>>
>>60005354
>That one time Gentoo isn't a meme.
Shame, I was going to use Arch.
>>
>>60004739
>how do I harden linux
>>use hardened gentoo
>edgy
neo-/g/, ladies and gentlemen
>>
>>60005471
Suck a dick, I thought he was memeing.
>>
I got something 4 u 2 harden OP
>>
>>60005876
metapod owo
>>
Google "disa stigs red hat"
That's a good place to start.
Obviously ignore the bits about changing the update repository to the government's update server.
>>
>>60005899
Danke das ist sehr gut
>>
>>60005876
Yes, the restraining order.
>BTFO
>>
>>60005937
he put a restraint order on himself to control himself with me
>btfo
>>
>>60005978
>Weak par.
Try again, bucko. ;)
/flex
>>
>>60006026
You take this too seriously, relax and have fun man, you dont have to look cool for us
>>
File: 1488949037526.jpg (16KB, 360x360px) Image search:
[Google]
16KB, 360x360px
>>60006069
>Projection the post.
>>
>>60006125
Heh, whatever helps you keep your ego standing up :)
>>
>>60006139
It isn't my ego I need to worry about, it is yours, clearly all of this online banter is some form of self-affirmation. Don't worry, anon, I'm here for you as a friend and confidant.
>>
>>60004516
>hardening
>Linux
>>>>>>>>>>>>>>hardening Linux
Brah.
>OS literally forces you to start shit as root if you want to use ports under 1024 for no fucking reason
>inb4 muh fucking rsh, ancient software that doesn't even fucking matter now that the Internet is a thing
>suid bits literally open privilege escalation attacks on anything that has them if it has a logic error/potential buffer overflow in it
>even some attacks on the entire system of it, but using buffer overflows to set the bit on in-memory processes so just setting fucking nosuid on mount doesn't help much
Linux security is a fucking joke. Come back when someone with a brain decides to remove the 1024 port root restriction and the entire fucking suid cancer.
>Wireshark tells you not to run its 2 million lines as root
>Samba literally requires it thanks to the dropped-on-head ideas of Linux devs
>>
>>60006180
Lol, hope you feel better soon friend :3
>>
>>60006227
I will once we've boosted your self-confidence. ;)
>You are unleashing the bantermal!
>>
>>60006198
>OS literally forces you to start shit as root if you want to use ports under 1024 for no fucking reason
there is a plenty good reason for this
>inb4 muh fucking rsh, ancient software that doesn't even fucking matter now that the Internet is a thing
wut
>suid bits literally open privilege escalation attacks on anything that has them if it has a logic error/potential buffer overflow in it
wut
>even some attacks on the entire system of it, but using buffer overflows to set the bit on in-memory processes so just setting fucking nosuid on mount doesn't help much
wut
>Wireshark tells you not to run its 2 million lines as root
sounds like a good idea to me
>Samba literally requires it thanks to the dropped-on-head ideas of Linux devs
wut
>>
>>60006305
>there is a plenty good reason for this
ok, give me some of them.
>>
>>60004516
use bsd
>>
>>60006324
most of those ports are reserved for system processes some of which are explicit root privs
but it doesn't even matter, just use iptables to route your traffic to the appropriate ports using a redirect as admins have been doing forever
or, as of more recently, just use netcap
>>
>>60006424
>rewrite Samba to use different ports and use iptables to map the privileged ports to them!
Yeah, that's viable.
>>
>>60005851
Hang yourself
>>
>>60006482
what the hell are you talking about
you can change the port in smb.conf (i always run samba with non-standard ports like all of my services)
smb ports = 445 139
Was that so difficult?
>>
>>60006263
XDDDDDDDDDDD i LOVE that meme
>>
>>60006516
>change ports in samba
>change ports in sshd
>change ports in httpd
Oh boy, we're making progress now. Maybe in 50 years we won't have vulnerable shit running as root! Or maybe we could just get rid of the useless privileged port designation instead.
>>
>>60004516
Everyone is going to have a
>>
>>60006554
it has nothing to do with that. people just use non-standard ports to reduce the attack surface
you're just complaining because you are stupid as shit and don't know what the hell you're doing (which is quite clear from your questions)
>>
>>60006482
>rewrite Samba
kill yourself
>>
>>60004516
Remove all the unused things
Patch all the things
Firewall all the things
Enforce AppArmor/SELinux all the things
Reconfigure all the things
Audit all the things
CIS makes some good PDFs of configuration changes for hardening but you'll have to give them your email: https://learn.cisecurity.org/benchmarks
>>
>>60006607
>force people to run shit as root instead of a less privileged user
>ur dumb lol it's a good design
Kill yourself.
>just add extra bullshit like iptables rules to bypass these retarded restrictions
Just UNIX things mirite
>>
>>60006672
>not running samba as root
this is clearly an xy problem that you are too stupid to recognize
>>
Just disable the floppy drive.
>>
>>60006672
Just stahp
We know you are frustrated but this really isn't a linux problem, it's a user incompetence problem.
Just go read some how-to guides instead of wasting your time shitposting.
>>
>>60006672
>65535 ports
>root is reserved for 1024 of them\
>can be easily circumvented for weird use scenarios
>this is somehow a problem
>force people to run shit as root instead of a less privileged user
No one is forcing you to do that. The moment you say that linux is 'forcing' you to do something just means that you don't know how to do it.
>>
>>60006672
>>60006819
Yeah, it's pretty simple to code you app so that it starts as root, opens the port, then drops its root privileges. This is how most web servers work now.
>>
>>60006819
>run http server on some retarded port
>have to use http://a.b.c.d:port/ just to access it
Amazing.
>>60006858
>open port, drop root privileges
This is somehow better than starting it without root. Now you have to make sure that you're not vulnerable before dropping privileges and you need to make sure that you drop privileges correctly. You also have to make sure your privilege dropping code in the kernel isn't flawed.
>>
>>60006888
>run http server on some retarded port
>have to use http://a.b.c.d:port/ just to access it
>Amazing.
Are you really this retarded or do you have no networking experience whatsoever? It's literally a single iptables rule to forward external traffic to your internal port.
>>
>>60006917
>need to change configuration to host it on another port and also need another kernel function or root program to redirect it
Great, now you need to worry about exploits in iptables too.
>>
>>60006938
what are you even talking about
iptables just configures the kernel firewall
you have absolutely no idea what you are talking about
>>
>>60006955
>iptables just configures the kernel firewall
ok, kernel firewall, netfilter, whatever the fuck you call it.
You're still not explaining how adding all this bullshit is good for security instead of letting a user host a service on a port that applications will use.
>>
>>60006984
it's good for security because there are about a trillion fucking bots around the world right now that port sniff every single internet-exposed service between port 1 and port 1024 with common configuration exploits and potentially 0days
my workplace doesn't even allow standard ports to be whitelisted, as is consistent with a good security policy
all services are run on non-standard ports and firewall redirects are handled on the host server
your question basically boils down to...why do we have firewalls?
>>
>>60007028
>my workplace doesn't even allow standard ports to be whitelisted, as is consistent with a good security policy
If you have a public web server, it's going to be on port 80 and/or 443. If you have a Samba server, it's going to be on ports 139 and 445. Adding additional layers between
>start program
>bind to port
>process packets
is adding more to your attack surface. Running those services as root is retarded because oh shit zero day = your server belongs to someone else now.
>>
>>60007159
>If you have a public web server, it's going to be on port 80 and/or 443. If you have a Samba server, it's going to be on ports 139 and 445. >Adding additional layers between
>start program
>bind to port
>process packets
>is adding more to your attack surface.
First, if I have web-users that aren't me or my associates, then yes my external port 80 would be standard. In all other scenarios it will most definitely not be standard and ideally I would use ssh port forwarding for ALL services or just run an openVPN. Everything is, at the minimum, encrypted. For god's sake I would never expose samba to the internet, that's fucking asinine for so many reasons.
Also, opening a non-standard port implies closing the standard port, which does decrease the attack surface since non-standard ports are much less likely to be exploited.
>>
>>60007237
>I would never expose samba to the internet, that's fucking asinine for so many reasons.
No kidding, but you have to run it on the default ports if you're trying to host file servers on Linux for an organization. Just because it's on your network doesn't mean it's ok to have swiss cheese systems all over it.
>>
File: selinux-penguin-new_medium.png (77KB, 325x339px) Image search:
[Google]
77KB, 325x339px
>>60007159
>Running those services as root is retarded because oh shit zero day = your server belongs to someone else now.
for you
>>
>>60006198
>>suid bits literally open privilege escalation attacks on anything that has them if it has a logic error/potential buffer overflow in it
>linux security is a joke because the thing hardening guides tell you to disable can be exploited if not disabled
slow down there
>>
>>60006661
Internet of (all the) things.
>>
>>60007372
There is no guide on earth that will show you how to disable suid in the kernel. Disabling it on the mounted filesystems only partially solves the issue. If you read the next line you'd see that I touched on that.
See
https://git.zx2c4.com/CVE-2012-0056/about/
for an example. Adding shit like this just adds more shit that should be audited.
>>
This thread is getting out of hand.
>>
b
>>
>>
File: 1490370344210.jpg (116KB, 1280x720px) Image search:
[Google]
116KB, 1280x720px
>>60008350
m
>>
>>60004516
centos 7 with a hardening + audit guide is a pretty ok non gentoo start
>>
>>
>>60006198
>OS literally forces you to start shit as root if you want to use ports under 1024 for no fucking reason
it's called setcap you nonce
>>
>>60008835
to add to this. port forwarding. and i also believe firewalld has a new way to get around privileged ports
>>
File: rootkits_big.jpg (49KB, 474x631px) Image search:
[Google]
49KB, 474x631px
>>60004949
>>60005108
nope
>>
>>60009051
I just downloaded this book, what's it like?
>>
SECURITY TIPS in order of difficulty:
Level 1: Use firefox with "pocket" disabled, and with addons for security and privacy.
Level 2: Don't save your passwords on a plaintext or in some "cloud" service like lastpass, create and remember one good main password and use KeePassX (and I mean the one with an X) and use the option to generate the rest.
Level 3: Replace your e-mail provider with a more safe, more appropriate provider.
Level 4: Use GNU/Linux. Start with Lubuntu for easy mode (stay away from something called BSD).
Level 5: Use a GNU/Linux distro free from "systemd", which is suspected to be the last resort of secret agencies to create chaos on "hacker friendly" operating systems.
---Begins to cost money from here---
Level 6: Buy a router compatible with LibreCMC and install LibreCMC.
Level 7: Buy a VPN service in some privacy friendly country.
Level 8: Buy a computer pre-installed with Libreboot or compatible and install it yourself.
---End of money cost---
---Start of extreme high security---
Level 9: Browse the web with javascript and cookies disabled by default.
Level 10: Encrypt your e-mail with GnuPG.
Level 11: Use Mutt for e-mail client, as to avoid web beacons (tracking pixels).
Level 12: Use YaCy with collaborative database disabled when in need to search on the web.
Level 13: Use Exim in your own server for e-mail.
Level 14: Tunnel all your communications through i2p, not Tor, to navigate internet.
Level 15: Use the Linux-libre kernel.
Level 16: Use AppArmor.
Level 17: Use grsecurity.
Level 18: Use only libre software (software "free as in freedom").
Level 19: Reduce the amount of software installed in your computer.
Level 20: Use text-based programs with less library dependencies than the GUI counterparts.
Level 21: Use Firejail with your applications.
Level 22: Use a source based distro.
Level 23: Use a source based distro without crypto libraries on its package manager.
>>
>>60009080
Haven't dig much just skim. Related https://vez.mrsk.me/freebsd-defaults.txt
>>
>>60009205
Much appreciated.
>>
>>60009138
What's wrong with Tor?
I trust Lovecruft, not to mention, she's pretty attractive.
>>
>>60004516
Download Bastille. It's a hardening script with excellent tutorial-like documentation which explains why every action is taken. It's a little old but all of the foundations apply to present day systems.
https://www.youtube.com/watch?v=NjZUvQBT9As
>>
>>60009245
Is more of an added layer of ((((security)))) on i2p than a flaw in Tor. For what I can tell on my limited understanding, you get a double anonymization, one for the exit and another for incoming transmissions.
Also, some people are kind of shaky for the college students that claimed had break Tor and went taken out before exposing their discoveries (why the university did such thing?). And lets not forget Jacob Appelbaum was taken out of their project with allegations of sexual abuse but was later revealed it was a smear campaign.
>>
>>60009138
>Level 5: Use a GNU/Linux distro free from "systemd", which is suspected to be the last resort of secret agencies to create chaos on "hacker friendly" operating systems.
lolwut now that's some tinfoil hat tier bullshit. The complain with systemd is that it creates binary logs, which frankly isn't a problem from a security/privacy perspective since systemd itself it still open source so the binary logs can only contain what the source code instructs it to contain.
>>
>>60009297
Thank you.
>>60009301
>Is more of an added layer of ((((security)))) on i2p than a flaw in Tor. For what I can tell on my limited understanding, you get a double anonymization, one for the exit and another for incoming transmissions.
Interesting, I'll have a look into it.
>And lets not forget Jacob Appelbaum was taken out of their project with allegations of sexual abuse but was later revealed it was a smear campaign.
That was certainly a strange debacle.
>>
File: Capture.png (57KB, 812x615px) Image search:
[Google]
57KB, 812x615px
>>60009359
>lolwut now that's some tinfoil hat tier bullshit. The complain with systemd is that it creates binary logs, which frankly isn't a problem from a security/privacy perspective since systemd itself it still open source so the binary logs can only contain what the source code instructs it to contain.
No? The complaint with systemd is that it's being written by retards that don't even fucking use Linux or know the first thing about it.
>>
>>60009403
>posts bug that was fixed within days
>was obviously a pitfall of coreutils before coreutils had built in safetybelts
>complains that it's buggy
yeah ok
>>
>>60009297
I have Lynis on my list and does an in depth system auditing, of course this goes beyond simple configuration.
Other tools are
For Anti Juice Jacking: USBGuard
Host Intrusion Detection Framework: Tiger
Integrity Check: Samhain or Tripwire (which works with Tiger)
Rootkit Detection: Chkrootkit or rkhunter
System Logging: sysklogd
Man-In-The-Middle (MITM) Detection: ArpON or arpwatch
Network Intrusion Detection: Suricata
Network Intrusion Prevention: Sshguard
Some of these tools are good only for servers of course.
>>60009423
systemd apologist detected
>>
File: systemd.gif (3MB, 480x320px) Image search:
[Google]
3MB, 480x320px
>>60009359
systemd is a too fast growing part of linux that tries to accomplish too many things in one monolithic entity
it is all about minimizing attack surface, auditing something like systemd is close to impossible because of how fast it expands and grows
>>
>>60009423
>>posts bug that was fixed within days
>>was obviously a pitfall of coreutils before coreutils had built in safetybelts
>>complains that it's buggy
>retards writing systemdicks don't even consider shit like . and ..
Wow. I'm amazed at the high quality of the code these amazing systemd developers are writing! I'm sure sometimes my entire system will get wiped out, but it's ok because systemd.
>>
>>60009453
>systemd apologist detected
yes. features not bugs
>>
>>60009453
My plan was to seperate data servers, from the computer I would interact with on the Internet.
For instance, have a desktop computer set up for easy of browsing using a hardened Linux OS and downloading large files.
While for casual and illicit browsing for software and ebooks, use Tails.
Then carry it across to the data server on flash storage of some kind.
>>
>>60009555
To note, the plan would be to run Tails off of a shitty laptop without a HDD/SSD.
>>
>>60009359
Hello lennart.
>>
This is an interesting thread.
>>
>>60009555
>>60009569
Well, you definitely want a server separate from a main computer on which you access nothing else than the http port. Problem always is how much you plan on stripping down your daily use computer as to ensure less "potential" security holes.
Even then Stallman was a visionary, he downloaded raw html via an intermediary.
To mention an important event that has the potential of being a massive harm is the snappy/flatpak apocalypse, by attempting to make Linux more like Windows we get a lot of code, a lot of libraries to be check.
In short, >>60009138 level 22 is the alternative, but it comes at the cost of compiling everything yourself, and even then you need to make sure to use a base system without libraries that are not easy to check (I am looking at you Python).
Back to your plan, using Tails is a good strategy, I prefer not to go for that because is an already baked distro with a bunch of personal choices from the maintainers who themselves may not be taking all precautions. Not that I think myself more smart, but is for peace of mind and because having complete control of what is in your system is one good way you know you are not going to get scammed into snake oil.
>>
>>60009750
>Well, you definitely want a server separate from a main computer on which you access nothing else than the http port. Problem always is how much you plan on stripping down your daily use computer as to ensure less "potential" security holes.
I spend all day reading ebooks, mostly on mathematics, soon moving onto physics, chemistry; electrical engineering/mechatronics and computer engineering and computer science along with computer security.
Aside from that, browsing chans, watching the odd YouTube video and occasionally playing Dwarf Fortress.
So, I don't need a great deal of 'features'.
>To mention an important event that has the potential of being a massive harm is the snappy/flatpak apocalypse, by attempting to make Linux more like Windows we get a lot of code, a lot of libraries to be check.
I really hope they don't, free software always needs to be a thing. If not only for economic frugality, but freedom from the criminal cartels they call "government".
>In short, >>60009138 level 22 is the alternative, but it comes at the cost of compiling everything yourself, and even then you need to make sure to use a base system without libraries that are not easy to check (I am looking at you Python).
Understood.
>Back to your plan, using Tails is a good strategy, I prefer not to go for that because is an already baked distro with a bunch of personal choices from the maintainers who themselves may not be taking all precautions.
As I said, that's just for an ease of use anonymizer for casual browsing, the big files and more intensive work would be done on the custom hardened distro on a desktop.
>>
>>60005851
>Suck a dick
Do you mean sorry?
>>
>>60010085
Why would I be sorry?
>>
>>60010106
Because you misunderstood, and quite rudely.
But whatever, at least you understand what he meant now.
>>
>>60010119
You can only be sorry if your heart truly feels regret and your brain will never commit it again. I cannot say, it certainty that it will never happen again, therefore I cannot tell you I am sorry, that would be a lie.
>>
>>60010135
fair enough
>>
>>60010161
Nice polo neck, it certainly does the Jobs.
Get it?
>>
>>60009453
>I have Lynis on my list and does an in depth system auditing, of course this goes beyond simple configuration.
I'm trying it now, and it is superb. I can see Bastille & Lynis complementing eachother for setup and audit respectively.
I've never tried it but have only heard good things about Snort (IDS).
>>
>>60010314
Oh yes, and I also see a modified Bastille grabbing the results from Lynis for its automatic configuration.
>>
File: 1491028136641.jpg (46KB, 605x806px) Image search:
[Google]
46KB, 605x806px
>>60010203
goddam
>>
>>60010017
>I spend all day reading ebooks, mostly on mathematics, soon moving onto physics, chemistry; electrical engineering/mechatronics and computer engineering and computer science along with computer security.
>Aside from that, browsing chans, watching the odd YouTube video and occasionally playing Dwarf Fortress.
>So, I don't need a great deal of 'features'.
There is this idea floating around (even on /g/) of making a pure text based environment or near so you don't have many programs keep an eye. This concept of minimalism goes beyond what is regularly called ricing, and with some tweaks and practice is more usable if you get the hang of.
I talk of using programs with common hotkeys like vim but that cover different applications than text editing, like the dwb web browser does, which itself is a minimalist browser. The road map is to use curses (the library) to create text applications which replace common applications like ranger does for file browsers, and also go for the framebuffer to display things like pictures and even videos. If a document processor could handle and display LaTeX without anything but the framebuffer it would be an instant hit.
It doesn't exist yet, but if the idea gets more popularity it may reach developers that will look into it. Doesn't need to be just this idea but we do need new models as guidelines, the right people could pick this up, who knows.
>As I said, that's just for an ease of use anonymizer for casual browsing, the big files and more intensive work would be done on the custom hardened distro on a desktop.
You seem like having a plan, stick to it, but do a little experimentation first to get familiar with your environment.
I do want to mention, configuring iptables to block all but one port and the compulsory use of firejail to sandbox everything is enough for most use cases, this might help someone. I say this because more users sharing their personal configurations could help many people.
Anyway, good luck anon.
>>
>>60011126
Thank you for the advice, anon, all of this has been extremely useful.
>>
>>60007295
very underrated post
>>
>>60011374
I agree.
>>
>>60005471
>hardened gentoo
I was actually going to do this but I already manage to fuck my gentoo install constantly I can't imagine how hardened would be.
>>
>>60004516
The best way to harden Linux is to try to break linux.
>>
>>60013540
For real?
>>
>>60011592
Do you value security?
>>
>>60014678
offensive security
>>
>>60015105
I guess that makes sense, rather than just being passive.
>>
File: 1461666604809.jpg (123KB, 500x367px) Image search:
[Google]
123KB, 500x367px
>>60004516
>>60004682
>>60006198
>>60006740
>>60006819
>>60007273
>>60009403
>>60009457
>>60009555
>>60009750
>>60013540
I'd just like to interject for a moment. What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.
Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called "Linux", and many of its users are not aware that it is basically the GNU system, developed by the GNU Project.
There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called "Linux" distributions are really distributions of GNU/Linux.
>>
>>60009457
>auditing something like systemd is close to impossible because of how fast it expands and grows
Then shouldn't Linux itself be impossible to audit? Aren't even open source web browsers compromised then because of the sheer numbers of daily commits?
>>
>>60016868
it's an asinine point made by someone that obviously doesn't know shit
>>
>>60016256
Yeah, no fuck you. I can make a Linux system that doesn't have any GANOO userland components. Hell, it would probably be more secure and run better than a GANOO system.
Thread posts: 117
Thread images: 13
Thread images: 13