What's the most complete guide on hardening a Linux OS?
Install (Hardened) Gentoo
1. Unplug the internet
Linux hacks?
a.co
Somewhat outdated, but have some good ideas.
Edgy.
Thank you.
This one doesn't encrypt /home/, but it's very easy to do so (just add a home LVM).
It also doesn't go into detail about the hardened kernel, specifically GRSecurity, but that's easy enough (there are a few variables that you don't enable if you want your computer to function, and read the "help" section under PaX).
Thank you too.
Uninstalling it
Uninstall Lintrash and install BSD
what the fug is this link? why is it cia-niggafied into an unclear and mysterious url?
PAX is a real pain in the ass to deal with sometimes, but whenever you get your flags properly set, GrSecurity is actually quite usable.
Sorry, it's not reddit, so nobody cares about shortened url.
that's because g has become reddit
Puffer a cutest
I would unironically suggest using Gentoo. Since it's compiled from source you have control over compiler/linker flags as well as the USE flags which could reduce attack surface a bit by not including things that aren't necessary (e.g. imagine being hit by an exploit in a systemd library just because some retarded software requires it even though your system uses openrc).
>That one time Gentoo isn't a meme.
Shame, I was going to use Arch.
>how do I harden linux
>>use hardened gentoo
>edgy
neo-Sup Forums, ladies and gentlemen
Suck a dick, I thought he was memeing.
I got something 4 u 2 harden OP
metapod owo
Google "disa stigs red hat"
That's a good place to start.
Obviously ignore the bits about changing the update repository to the government's update server.
Thanks, that is very good.
Yes, the restraining order.
>BTFO
he put a restraint order on himself to control himself with me
>btfo
>Weak par.
Try again, bucko. ;)
/flex
You take this too seriously, relax and have fun man, you don't have to look cool for us
>Projection the post.
Heh, whatever helps you keep your ego standing up :)
It isn't my ego I need to worry about, it is yours, clearly all of this online banter is some form of self-affirmation. Don't worry, user, I'm here for you as a friend and confidant.
>hardening
>Linux
>>>>>>>>>>>>>>hardening Linux
Brah.
>OS literally forces you to start shit as root if you want to use ports under 1024 for no fucking reason
>inb4 muh fucking rsh, ancient software that doesn't even fucking matter now that the Internet is a thing
>suid bits literally open privilege escalation attacks on anything that has them if it has a logic error/potential buffer overflow in it
>even some attacks on the entire system of it, but using buffer overflows to set the bit on in-memory processes so just setting fucking nosuid on mount doesn't help much
Linux security is a fucking joke. Come back when someone with a brain decides to remove the 1024 port root restriction and the entire fucking suid cancer.
>Wireshark tells you not to run its 2 million lines as root
>Samba literally requires it thanks to the dropped-on-head ideas of Linux devs
Lol, hope you feel better soon friend :3
I will once we've boosted your self-confidence. ;)
>You are unleashing the bantermal!
>OS literally forces you to start shit as root if you want to use ports under 1024 for no fucking reason
there is a plenty good reason for this
>inb4 muh fucking rsh, ancient software that doesn't even fucking matter now that the Internet is a thing
wut
>suid bits literally open privilege escalation attacks on anything that has them if it has a logic error/potential buffer overflow in it
wut
>even some attacks on the entire system of it, but using buffer overflows to set the bit on in-memory processes so just setting fucking nosuid on mount doesn't help much
wut
>Wireshark tells you not to run its 2 million lines as root
sounds like a good idea to me
>Samba literally requires it thanks to the dropped-on-head ideas of Linux devs
wut
>there is a plenty good reason for this
ok, give me some of them.
use bsd
most of those ports are reserved for system processes some of which are explicit root privs
but it doesn't even matter, just use iptables to route your traffic to the appropriate ports using a redirect as admins have been doing forever
or, as of more recently, just use netcap
>rewrite Samba to use different ports and use iptables to map the privileged ports to them!
Yeah, that's viable.
Hang yourself
what the hell are you talking about
you can change the port in smb.conf (i always run samba with non-standard ports like all of my services)
smb ports = 445 139
Was that so difficult?
XDDDDDDDDDDD i LOVE that meme
>change ports in samba
>change ports in sshd
>change ports in httpd
Oh boy, we're making progress now. Maybe in 50 years we won't have vulnerable shit running as root! Or maybe we could just get rid of the useless privileged port designation instead.
Everyone is going to have a
it has nothing to do with that. people just use non-standard ports to reduce the attack surface
you're just complaining because you are stupid as shit and don't know what the hell you're doing (which is quite clear from your questions)
>rewrite Samba
kill yourself
Remove all the unused things
Patch all the things
Firewall all the things
Enforce AppArmor/SELinux all the things
Reconfigure all the things
Audit all the things
CIS makes some good PDFs of configuration changes for hardening but you'll have to give them your email: learn.cisecurity.org
>force people to run shit as root instead of a less privileged user
>ur dumb lol it's a good design
Kill yourself.
>just add extra bullshit like iptables rules to bypass these retarded restrictions
Just UNIX things mirite
>not running samba as root
this is clearly an xy problem that you are too stupid to recognize
Just disable the floppy drive.
Just stahp
We know you are frustrated but this really isn't a linux problem, it's a user incompetence problem.
Just go read some how-to guides instead of wasting your time shitposting.
>65535 ports
>root is reserved for 1024 of them
>can be easily circumvented for weird use scenarios
>this is somehow a problem
>force people to run shit as root instead of a less privileged user
No one is forcing you to do that. The moment you say that linux is 'forcing' you to do something just means that you don't know how to do it.
Yeah, it's pretty simple to code your app so that it starts as root, opens the port, then drops its root privileges. This is how most web servers work now.
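The bind-then-drop pattern this post describes, as an added example in C that is not code from the thread: bind a privileged port while still root, then drop to an unprivileged uid/gid in the correct order (supplementary groups first, then gid, then uid, setting real, effective and saved ids together) and verify the drop by checking that root cannot be regained, which is the "drop privileges correctly" concern raised elsewhere in the thread. The account name `nobody` and the use of Linux `setresuid`/`setresgid` are assumptions.

```c
// Added example (not from the thread): bind a privileged port as root, then
// drop to an unprivileged uid/gid in the right order and verify the drop stuck.
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP listening socket on loopback:`port` (0 = kernel picks a port).
   Ports below 1024 need root or CAP_NET_BIND_SERVICE. Returns fd or -1. */
int bind_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 if the process can still become root, i.e. the drop failed or
   never happened (a saved-set uid of 0 is the classic mistake this catches). */
int can_regain_root(void) {
    return setresuid(0, 0, 0) == 0 ? 1 : 0;
}

/* Drop from root to uid/gid. Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) {
        /* Nothing to drop; only accept a request to stay who we already are. */
        if (uid == geteuid() && gid == getegid()) return 0;
        errno = EPERM;
        return -1;
    }
    if (uid == 0) { errno = EINVAL; return -1; }   /* "dropping" to root is a bug */
    /* Supplementary groups first: they would otherwise survive the uid change. */
    if (setgroups(0, NULL) < 0 && getgroups(0, NULL) != 0) return -1;
    /* gid before uid: once the uid is gone we can no longer change the gid. */
    if (setresgid(gid, gid, gid) < 0) return -1;
    /* Set real, effective AND saved uid; seteuid() alone would leave a way back. */
    if (setresuid(uid, uid, uid) < 0) return -1;
    /* Verify rather than trust: root must now be unrecoverable. */
    if (can_regain_root()) { errno = EPERM; return -1; }
    return 0;
}

int main(void) {
    int fd = bind_port(80);                     /* do the privileged step first */
    if (fd < 0) { perror("bind port 80"); return 1; }
    struct passwd *pw = getpwnam("nobody");     /* assumption: account exists */
    if (!pw || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on 80 as uid %u, can regain root: %d\n",
           (unsigned)geteuid(), can_regain_root());
    close(fd);                                  /* a real server would accept() here */
    return 0;
}
```

Run it as root to see the drop; run it unprivileged and the bind on port 80 fails, which is the restriction the thread is arguing about. The important part is the verification step: a drop that forgets the saved uid or the supplementary groups looks fine in `ps` but is reversible from inside the process.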
>run http server on some retarded port
>have to use a.b.c.d:port
Amazing.
>open port, drop root privileges
This is somehow better than starting it without root. Now you have to make sure that you're not vulnerable before dropping privileges and you need to make sure that you drop privileges correctly. You also have to make sure your privilege dropping code in the kernel isn't flawed.
>run http server on some retarded port
>have to use a.b.c.d:port
>Amazing.
Are you really this retarded or do you have no networking experience whatsoever? It's literally a single iptables rule to forward external traffic to your internal port.
>need to change configuration to host it on another port and also need another kernel function or root program to redirect it
Great, now you need to worry about exploits in iptables too.
what are you even talking about
iptables just configures the kernel firewall
you have absolutely no idea what you are talking about
>iptables just configures the kernel firewall
ok, kernel firewall, netfilter, whatever the fuck you call it.
You're still not explaining how adding all this bullshit is good for security instead of letting a user host a service on a port that applications will use.
it's good for security because there are about a trillion fucking bots around the world right now that port sniff every single internet-exposed service between port 1 and port 1024 with common configuration exploits and potentially 0days
my workplace doesn't even allow standard ports to be whitelisted, as is consistent with a good security policy
all services are run on non-standard ports and firewall redirects are handled on the host server
your question basically boils down to...why do we have firewalls?
>my workplace doesn't even allow standard ports to be whitelisted, as is consistent with a good security policy
If you have a public web server, it's going to be on port 80 and/or 443. If you have a Samba server, it's going to be on ports 139 and 445. Adding additional layers between
>start program
>bind to port
>process packets
is adding more to your attack surface. Running those services as root is retarded because oh shit zero day = your server belongs to someone else now.
>If you have a public web server, it's going to be on port 80 and/or 443. If you have a Samba server, it's going to be on ports 139 and 445. >Adding additional layers between
>start program
>bind to port
>process packets
>is adding more to your attack surface.
First, if I have web-users that aren't me or my associates, then yes my external port 80 would be standard. In all other scenarios it will most definitely not be standard and ideally I would use ssh port forwarding for ALL services or just run an openVPN. Everything is, at the minimum, encrypted. For god's sake I would never expose samba to the internet, that's fucking asinine for so many reasons.
Also, opening a non-standard port implies closing the standard port, which does decrease the attack surface since non-standard ports are much less likely to be exploited.
>I would never expose samba to the internet, that's fucking asinine for so many reasons.
No kidding, but you have to run it on the default ports if you're trying to host file servers on Linux for an organization. Just because it's on your network doesn't mean it's ok to have swiss cheese systems all over it.
>Running those services as root is retarded because oh shit zero day = your server belongs to someone else now.
for you
>>suid bits literally open privilege escalation attacks on anything that has them if it has a logic error/potential buffer overflow in it
>linux security is a joke because the thing hardening guides tell you to disable can be exploited if not disabled
slow down there
Internet of (all the) things.
There is no guide on earth that will show you how to disable suid in the kernel. Disabling it on the mounted filesystems only partially solves the issue. If you read the next line you'd see that I touched on that.
See
git.zx2c4.com
for an example. Adding shit like this just adds more shit that should be audited.
This thread is getting out of hand.
b
u
m
centos 7 with a hardening + audit guide is a pretty ok non gentoo start
p
>OS literally forces you to start shit as root if you want to use ports under 1024 for no fucking reason
it's called setcap you nonce
to add to this. port forwarding. and i also believe firewalld has a new way to get around privileged ports
nope
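A defender's check to go with the setcap suggestion above, as an added example in C that is not code from the thread: after giving a binary `cap_net_bind_service=+ep` with setcap, confirm the running service holds that capability and nothing else by reading its effective capability set from `/proc/self/status`. The bit number 10 for CAP_NET_BIND_SERVICE matches `<linux/capability.h>`; the sample `CapEff` lines in the comments are constructed.

```c
// Added example (not from the thread): audit the effective capability set of
// the current process, to confirm a setcap'd service is not still full root.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit number of CAP_NET_BIND_SERVICE, as defined in <linux/capability.h>. */
#define CAP_NET_BIND_SERVICE_BIT 10

/* Parse one "CapXxx:\t<hex>" line from /proc/<pid>/status into a bitmask,
   e.g. the constructed line "CapEff:\t0000000000000400\n" gives 0x400. */
unsigned long long parse_cap_line(const char *line) {
    const char *p = strchr(line, ':');
    if (!p) return 0;
    return strtoull(p + 1, NULL, 16);   /* strtoull skips the leading tab */
}

/* True if capability bit `cap` is set in `mask`. */
int has_cap(unsigned long long mask, int cap) {
    return (int)((mask >> cap) & 1ULL);
}

/* True if `mask` holds nothing outside `allowed`: the least-privilege check. */
int only_caps(unsigned long long mask, unsigned long long allowed) {
    return (mask & ~allowed) == 0;
}

/* Read CapEff of this process. Sets *ok to 0 if /proc is unavailable. */
unsigned long long effective_caps(int *ok) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long mask = 0;
    *ok = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            mask = parse_cap_line(line);
            *ok = 1;
            break;
        }
    }
    fclose(f);
    return mask;
}

int main(void) {
    int ok;
    unsigned long long eff = effective_caps(&ok);
    unsigned long long allowed = 1ULL << CAP_NET_BIND_SERVICE_BIT;
    if (!ok) { fputs("could not read /proc/self/status (Linux only)\n", stderr); return 1; }
    printf("CapEff = %016llx\n", eff);
    printf("can bind ports < 1024: %s\n",
           has_cap(eff, CAP_NET_BIND_SERVICE_BIT) ? "yes" : "no");
    printf("nothing beyond CAP_NET_BIND_SERVICE: %s\n",
           only_caps(eff, allowed) ? "yes" : "NO (over-privileged)");
    return 0;
}
```

A plain root shell shows a full mask (every bit up to the kernel's last capability set), a setcap'd binary started by an unprivileged user shows only bit 10. The same parse works on `/proc/<pid>/status` of any running daemon, which is how you spot the service that was "hardened" in the config but is still running as root.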
I just downloaded this book, what's it like?
SECURITY TIPS in order of difficulty:
Level 1: Use firefox with "pocket" disabled, and with addons for security and privacy.
Level 2: Don't save your passwords on a plaintext or in some "cloud" service like lastpass, create and remember one good main password and use KeePassX (and I mean the one with an X) and use the option to generate the rest.
Level 3: Replace your e-mail provider with a more safe, more appropriate provider.
Level 4: Use GNU/Linux. Start with Lubuntu for easy mode (stay away from something called BSD).
Level 5: Use a GNU/Linux distro free from "systemd", which is suspected to be the last resort of secret agencies to create chaos on "hacker friendly" operating systems.
---Begins to cost money from here---
Level 6: Buy a router compatible with LibreCMC and install LibreCMC.
Level 7: Buy a VPN service in some privacy friendly country.
Level 8: Buy a computer pre-installed with Libreboot or compatible and install it yourself.
---End of money cost---
---Start of extreme high security---
Level 9: Browse the web with javascript and cookies disabled by default.
Level 10: Encrypt your e-mail with GnuPG.
Level 11: Use Mutt for e-mail client, as to avoid web beacons (tracking pixels).
Level 12: Use YaCy with collaborative database disabled when in need to search on the web.
Level 13: Use Exim in your own server for e-mail.
Level 14: Tunnel all your communications through i2p, not Tor, to navigate internet.
Level 15: Use the Linux-libre kernel.
Level 16: Use AppArmor.
Level 17: Use grsecurity.
Level 18: Use only libre software (software "free as in freedom").
Level 19: Reduce the amount of software installed in your computer.
Level 20: Use text-based programs with less library dependencies than the GUI counterparts.
Level 21: Use Firejail with your applications.
Level 22: Use a source based distro.
Level 23: Use a source based distro without crypto libraries on its package manager.
Haven't dug much, just skimmed. Related: vez.mrsk.me
Much appreciated.
What's wrong with Tor?
I trust Lovecruft, not to mention, she's pretty attractive.
Download Bastille. It's a hardening script with excellent tutorial-like documentation which explains why every action is taken. It's a little old but all of the foundations apply to present day systems.
It's more of an added layer of ((((security)))) on i2p than a flaw in Tor. From what I can tell with my limited understanding, you get a double anonymization, one for the exit and another for incoming transmissions.
Also, some people are kind of shaky about the college students who claimed to have broken Tor and were taken out before exposing their discoveries (why did the university do such a thing?). And let's not forget Jacob Appelbaum was taken out of their project with allegations of sexual abuse, but it was later revealed to be a smear campaign.
>Level 5: Use a GNU/Linux distro free from "systemd", which is suspected to be the last resort of secret agencies to create chaos on "hacker friendly" operating systems.
lolwut now that's some tinfoil hat tier bullshit. The complaint with systemd is that it creates binary logs, which frankly isn't a problem from a security/privacy perspective since systemd itself is still open source so the binary logs can only contain what the source code instructs it to contain.
Thank you.
>It's more of an added layer of ((((security)))) on i2p than a flaw in Tor. From what I can tell with my limited understanding, you get a double anonymization, one for the exit and another for incoming transmissions.
Interesting, I'll have a look into it.
>And let's not forget Jacob Appelbaum was taken out of their project with allegations of sexual abuse, but it was later revealed to be a smear campaign.
That was certainly a strange debacle.
>lolwut now that's some tinfoil hat tier bullshit. The complaint with systemd is that it creates binary logs, which frankly isn't a problem from a security/privacy perspective since systemd itself is still open source so the binary logs can only contain what the source code instructs it to contain.
No? The complaint with systemd is that it's being written by retards that don't even fucking use Linux or know the first thing about it.
>posts bug that was fixed within days
>was obviously a pitfall of coreutils before coreutils had built in safetybelts
>complains that it's buggy
yeah ok
I have Lynis on my list, and it does in-depth system auditing; of course this goes beyond simple configuration.
Other tools are
For Anti Juice Jacking: USBGuard
Host Intrusion Detection Framework: Tiger
Integrity Check: Samhain or Tripwire (which works with Tiger)
Rootkit Detection: Chkrootkit or rkhunter
System Logging: sysklogd
Man-In-The-Middle (MITM) Detection: ArpON or arpwatch
Network Intrusion Detection: Suricata
Network Intrusion Prevention: Sshguard
Some of these tools are good only for servers of course.
systemd apologist detected
systemd is a too fast growing part of linux that tries to accomplish too many things in one monolithic entity
it is all about minimizing attack surface, auditing something like systemd is close to impossible because of how fast it expands and grows
>>posts bug that was fixed within days
>>was obviously a pitfall of coreutils before coreutils had built in safetybelts
>>complains that it's buggy
>retards writing systemdicks don't even consider shit like . and ..
Wow. I'm amazed at the high quality of the code these amazing systemd developers are writing! I'm sure sometimes my entire system will get wiped out, but it's ok because systemd.
>systemd apologist detected
yes. features not bugs
My plan was to separate data servers from the computer I would interact with on the Internet.
For instance, have a desktop computer set up for ease of browsing using a hardened Linux OS and downloading large files.
While for casual and illicit browsing for software and ebooks, use Tails.
Then carry it across to the data server on flash storage of some kind.
To note, the plan would be to run Tails off of a shitty laptop without a HDD/SSD.
Hello lennart.
This is an interesting thread.
Well, you definitely want a server separate from a main computer on which you access nothing else than the http port. Problem always is how much you plan on stripping down your daily use computer as to ensure less "potential" security holes.
Even then Stallman was a visionary, he downloaded raw html via an intermediary.
An important event that has the potential to do massive harm is the snappy/flatpak apocalypse: by attempting to make Linux more like Windows we get a lot of code, a lot of libraries to be checked.
In short, level 22 is the alternative, but it comes at the cost of compiling everything yourself, and even then you need to make sure to use a base system without libraries that are not easy to check (I am looking at you Python).
Back to your plan: using Tails is a good strategy. I prefer not to go for that because it is an already baked distro with a bunch of personal choices from the maintainers, who themselves may not be taking all precautions. Not that I think myself smarter, but it is for peace of mind, and because having complete control of what is in your system is one good way to know you are not going to get scammed into snake oil.
>Well, you definitely want a server separate from a main computer on which you access nothing else than the http port. Problem always is how much you plan on stripping down your daily use computer as to ensure less "potential" security holes.
I spend all day reading ebooks, mostly on mathematics, soon moving onto physics, chemistry; electrical engineering/mechatronics and computer engineering and computer science along with computer security.
Aside from that, browsing chans, watching the odd YouTube video and occasionally playing Dwarf Fortress.
So, I don't need a great deal of 'features'.
>An important event that has the potential to do massive harm is the snappy/flatpak apocalypse: by attempting to make Linux more like Windows we get a lot of code, a lot of libraries to be checked.
I really hope they don't, free software always needs to be a thing. If not only for economic frugality, but freedom from the criminal cartels they call "government".
>In short, level 22 is the alternative, but it comes at the cost of compiling everything yourself, and even then you need to make sure to use a base system without libraries that are not easy to check (I am looking at you Python).
Understood.
>Back to your plan: using Tails is a good strategy. I prefer not to go for that because it is an already baked distro with a bunch of personal choices from the maintainers, who themselves may not be taking all precautions.
As I said, that's just for an ease of use anonymizer for casual browsing, the big files and more intensive work would be done on the custom hardened distro on a desktop.
>Suck a dick
Do you mean sorry?
Why would I be sorry?
Because you misunderstood, and quite rudely.
But whatever, at least you understand what he meant now.
You can only be sorry if your heart truly feels regret and your brain will never commit it again. I cannot say with certainty that it will never happen again; therefore I cannot tell you I am sorry, as that would be a lie.
fair enough
Nice polo neck, it certainly does the Jobs.
Get it?