Linux System Hardening Guide

Discussion in 'Linux Guides (Generic)' started by booman, May 20, 2020.

  • by booman, May 20, 2020 at 9:16 PM
    No system is absolutely secure!

    No matter how many steps or processes you implement, there is always a potential security hole.

    This guide is going to present a few ways to secure your system from intrusions, malicious software and unwanted connections. There is always a balance between security and convenience. The more secure your system is, the less convenient is it to use.

    Who wants a “bricked” computer because it is so secure you can’t even use it?

    Please use some of the suggestions below as a baseline to secure your system. Then implement more in the future as you learn how to manage them.


    Linux Built-In Security
    • sudo
    • Permissions
    Every Linux distribution includes security features, just as other operating systems do.
    Users are tied to groups that control access to their own files and data. Linux adds another layer of security when an application needs to run or be installed: the current user must be in the super user group and must enter a password when software is installed or permissions are changed. If you copy executable files from one computer to another, the execute permission is disabled. The root file system also has extra protection, requiring your super user password before any changes are made to its files or directories.


    Local User Access
    • Limited Account (no SU/Sudo access)
    Creating a limited user account can be useful for secure browsing, gaming and personal use. This limited account cannot install any software, updates or packages. It does not store any files or data locally, as it is meant for temporary use. It is not a member of any additional Unix groups, which prevents sudo capabilities. If this account is compromised there is no way to reach deeper into the system through “sudo” or “su”. Users who do need “sudo” access can be placed in a group named wheel.

    Admin Workaround
    If you need to install a game or application, use the “Switch User” option found next to the logout button. Log in as a super user, install the software, then switch back to your limited user.


    Note: If your distribution does not provide the “Switch User” option you will need to use the TTY shell and start your graphical environment. This is outside the scope of this guide.


    https://wiki.archlinux.org/index.php/Su#su_and_wheel
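    As an added example (not part of the original post), the following shell functions audit which accounts can reach root through sudo or su by checking membership of the wheel and sudo groups, which is exactly what a "limited" gaming account must not have. The group database content is a constructed sample so it runs offline; on a real machine pass the contents of /etc/group instead. The account name "gamer" and the user names are assumptions.

```shell
# Added example, not from the original post: audit wheel/sudo membership.
# Parses /etc/group-style text, so it can run on a constructed sample.

# Constructed sample of /etc/group. On a real system use "$(cat /etc/group)".
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:alice,bob,gamer
games:x:60:gamer'

# Print, one per line, every user listed as a member of an admin group
# (wheel or sudo). Only supplementary membership is checked; a user whose
# *primary* group is wheel would need /etc/passwd inspected as well.
admin_users() {
    printf '%s\n' "$1" \
      | awk -F: '$1=="wheel" || $1=="sudo" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' \
      | sort -u
}

# Return 0 if the named user has NO admin-group membership (a proper limited
# account), 1 otherwise. $1 = user name, $2 = group database text.
is_limited() {
    user=$1
    groupdb=$2
    if admin_users "$groupdb" | grep -qx "$user"; then
        return 1
    fi
    return 0
}

# What an administrator would type to create such an account (shown as
# comments, not executed here; "gamer" is a placeholder name):
#   sudo useradd -m -s /bin/bash gamer   # note: no -G wheel and no -G sudo
#   sudo passwd gamer
#   id gamer                             # confirm wheel/sudo are absent
```

    Run `is_limited gamer "$(cat /etc/group)"` after creating the account; a zero exit status confirms it cannot escalate through the wheel or sudo groups.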


    Encryption
    • /
    • /home
    • /boot
    Encryption does not protect your data from malicious threats or harmful software. Instead it protects your data from physical theft. Most Linux distributions include a tool for this called dm-crypt.

    You create a partition for your sensitive data (a LUKS partition). Once you unlock it, you can format and mount it, then use it for any purpose, even for the operating system itself.

    Another way to encrypt your hard drive is an “encryption layer”: you encrypt a directory on your hard drive. This can result in poorer performance but offers more flexibility.

    Arch Wiki
    https://wiki.archlinux.org/index.php/Disk_encryption

    Note: Do not encrypt your UEFI partition


    File System Backup
    • Timeshift
    • Snapshots
    Snapshots can roll your system back in time by keeping a copy of your system files and configurations. If your system breaks or is compromised you can roll back to an earlier date when it was stable and secure. There is also a risk of the snapshots themselves being compromised, so it is recommended to keep them on an external drive or a separate partition.

    Note: The best method of cleaning up a compromised system is a fresh installation of Linux


    Firmware
    • UEFI
    • BIOS
    Every motherboard has some type of firmware that mediates between the hardware and the software. Legacy computers have what is called a BIOS, hosted on a chip on the motherboard. Newer systems use UEFI, whose bootloader is stored on a hard drive partition (FAT). Both have very similar settings, but UEFI offers significantly more settings and control than a BIOS.

    Entering your UEFI setup requires a reboot and pressing a keyboard key while booting. Each computer has security settings in UEFI to protect your hardware and firmware configuration.


    Browsers
    • Sandbox Firefox
    • Firejail
    • Noscript plugin
    Web browsers are one of the most common ways to exploit your system. Websites can cache (store) cookies, scripts, images and more on your local computer.

    Noscript
    Noscript is a plugin that blocks all scripts from running in the browser. You can then manually whitelist the scripts you want to enable for a specific webpage/URL.


    Firejail
    Sandboxing is a better way to secure your browser, as it removes access to your /home/username directory. Firejail can run for all applications on your system, but it can affect applications like Wine. Firejail provides profile templates (which may need to be installed separately) to configure what you want Firefox to be allowed to do.

    Then run Firefox with the following command: firejail firefox

    Now Firefox only has access to the downloads directory (depending on the profile you use). If it is exploited by a malicious plugin, extension, script or other method, it only has access to downloads, not to the other /home/username directories. It also prevents local scripts from being launched by your browser.


    Applications
    • Apparmor
    Apparmor can be configured with profiles that allow applications to access only what they need to run. If an application tries to access a system process or service that is out of scope, Apparmor will deny it. Profiles are provided for common Linux software. This adds slightly more security on top of the default file permission restrictions on Linux.


    External Devices (USB)
    • USB Guard
    Your system firmware (UEFI) can be compromised with an external USB device. This means someone could steal your computer, use a USB flash drive to boot into their own operating system and access your files. Encryption can prevent them from reading your data, but another layer of security helps by denying this physical access path.

    UEFI Password
    Every computer can secure its firmware with a password. This protects against malicious tampering and against booting from USB devices. Make sure to configure your firmware to boot from the internal hard drive first. Keep the password in a secure location: losing it could “brick” your device as well.

    USB Guard
    USB Guard can deny all unauthorized USB access, but only to a running Linux operating system. You can manually whitelist each device you want to allow to communicate. The safest option is to deny all USB access completely, but obviously we might need a flash drive, an external webcam, speakers or even a controller to use our system. USB Guard blocks devices at the kernel level by default.

    https://wiki.archlinux.org/index.php/USBGuard


    Firewall
    • ufw
    • gufw (With a Graphical User Interface)
    Applications that run over a network (games, browsers, FTP clients and more) connect via ports through the operating system's network configuration. A firewall can protect your computer from malicious incoming connections from outside. The most secure configuration is to DENY all incoming connections, then open ports as needed for the application you are using. By default most Linux distributions have network-facing services disabled.

    Example: open port 22 in order to allow an SSH connection from the local network only.
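    As an added example (not part of the original post), here is the "deny all incoming, then open SSH from the local network only" policy expressed as ufw commands. The function validates that the subnet you pass is a private (RFC 1918) range so a typo cannot open port 22 to the internet, and it only prints the commands unless APPLY=1 is set explicitly. The subnet 192.168.1.0/24 is an assumed example value; substitute your own LAN.

```shell
# Added example, not from the original post: ufw rules for LAN-only SSH.
# Nothing is applied unless APPLY=1 is set; by default the commands are
# printed for review first.

# Return 0 if the CIDR lies inside an RFC 1918 private range
# (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), 1 otherwise.
is_private_cidr() {
    case $1 in
        10.*/*) return 0 ;;
        192.168.*/*) return 0 ;;
        172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ufw command sequence for the given LAN CIDR (e.g. 192.168.1.0/24):
# default-deny inbound, allow outbound, allow TCP/22 only from the LAN, enable.
ufw_lan_ssh_rules() {
    lan=$1
    if ! is_private_cidr "$lan"; then
        echo "refusing: $lan is not a private (RFC 1918) range" >&2
        return 1
    fi
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $lan to any port 22 proto tcp
ufw enable
EOF
}

# Dry-run by default; with APPLY=1 each command is executed through sudo.
apply_rules() {
    is_private_cidr "$1" || return 1
    ufw_lan_ssh_rules "$1" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            sudo $cmd                      # word splitting of $cmd is intended
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# Example usage (dry run): apply_rules 192.168.1.0/24
```

    Review the printed commands, then run `APPLY=1 apply_rules 192.168.1.0/24` (with your own subnet) to apply them; `sudo ufw status verbose` afterwards should show the default policy as deny (incoming) and a single rule for port 22 restricted to the LAN.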



    Antivirus
    Many feel an antivirus is not necessary on Linux. This is partially true, depending on how you use Linux. If you are using Wine, sharing documents with people who use Windows or downloading files with executables from untrusted sites, an antivirus may be helpful. If you were to download a compromised Word document and send it to a friend who uses Windows, it could infect or compromise their system. With an antivirus you can scan the downloaded file before sending it.

    The majority of threats and malicious software are written to execute in a Windows environment and probably won’t affect your Linux processes. Some people have scanned their distribution with an antivirus and it reported threats, but after researching they found the matches came from definitions meant for Windows environments.


    Official Repositories
    • Distribution Repositories
    • PPA
    Distribution Repositories
    Repositories are collections of software packages. All your software and updates are installed from a repository. Distributions are normally configured to use their official repositories. You can also add your own, depending on the software and updates you want to install.


    Each repository is handled by communities or single individuals who create software and compile it into ready-to-use packages and updates. By using a Linux distribution, you are choosing to trust all officially packaged software provided by the people who package for your chosen distribution. Most distributions also allow adding unofficial repositories, such as PPAs for Ubuntu and Mint.

    In Mint you can check the source of all the repositories by looking in the sources file:
    /etc/apt/sources.list
    Each URL is a repository.

    PPA (Personal Package Archive)
    A PPA is a software repository you can add to your distribution to install software and/or updates for that software. Anyone can create an unofficial repository and potentially include malicious software in it, so you should never blindly trust an unofficial source. Any PPA you add will also be listed in the sources file:
    /etc/apt/sources.list

    For example: if you install an application like simplescreenrecorder, it requires a PPA in order to update automatically.
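    As an added example (not part of the original post), these shell functions list every repository URL in an apt sources file and flag the ones whose host is not under your distribution's own domain, so an added PPA stands out during a review. The sources content is a constructed sample, including a placeholder PPA path for simplescreenrecorder that is not a real PPA; on a real system pass the contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.list, and the trusted domain of your distribution.

```shell
# Added example, not from the original post: audit apt repository URLs.
# Real use: unofficial_repos "$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list)" ubuntu.com

# Constructed sample sources.list (the PPA path is a placeholder, not a real PPA).
SAMPLE_SOURCES='# base repositories (constructed sample)
deb http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu focal-security main restricted
deb-src http://archive.ubuntu.com/ubuntu focal main
deb [arch=amd64] http://archive.ubuntu.com/ubuntu focal-updates main
# a PPA someone added for an application
deb http://ppa.launchpad.net/example-ppa/simplescreenrecorder/ubuntu focal main
# disabled line, ignored by apt and by this audit
# deb https://example.invalid/repo stable main'

# Print each active repository URL, one per line, de-duplicated.
# Handles the optional "[options]" field between "deb" and the URL.
repo_urls() {
    printf '%s\n' "$1" \
      | awk '($1=="deb" || $1=="deb-src") {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            print $i
        }' \
      | sort -u
}

# Print the URLs whose host is NOT the trusted domain (or a subdomain of it),
# prefixed with UNOFFICIAL. $1 = sources text, $2 = trusted domain.
unofficial_repos() {
    trusted=$2
    repo_urls "$1" | while IFS= read -r url; do
        host=${url#*://}        # strip scheme
        host=${host%%/*}        # keep only the host part
        case $host in
            "$trusted"|*."$trusted") ;;
            *) echo "UNOFFICIAL $url" ;;
        esac
    done
}
```

    Anything printed with the UNOFFICIAL prefix is a third-party source whose packages install as root; each one deserves the same research the guide asks for before adding a PPA.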

    Arch User Repository AUR
    Arch users can additionally use the AUR to download source code and compile it themselves. This process has been automated for the AUR, but it’s important to inspect the PKGBUILD file to check the source code URLs. Also check any included patches and install scripts to verify nothing malicious is included. This can take some time researching if you aren’t familiar with the process.
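    As an added example (not part of the original post, and not an official Arch tool), the following shell functions perform the quick pre-build review the paragraph recommends: they list every entry of the PKGBUILD's source=() array, flag entries fetched without TLS, report whether the package declares an install script (whose hooks run as root), and count checksums set to SKIP, which means a download is not verified at all. The PKGBUILD text is a constructed sample; package, file and host names in it are placeholders.

```shell
# Added example, not from the original post: review a PKGBUILD before building.

# Constructed sample PKGBUILD (all names are placeholders).
SAMPLE_PKGBUILD='# Maintainer: someone <someone@example.invalid>  (constructed sample)
pkgname=examplegame
pkgver=1.2.3
pkgrel=1
install=examplegame.install
source=("https://example.invalid/releases/examplegame-$pkgver.tar.gz"
        "http://mirror.example.invalid/extra-assets.tar.gz"
        "fix-build.patch")
sha256sums=("SKIP" "SKIP" "SKIP")'

# Print the entries of the source=(...) array, one per line, quotes removed.
# Handles the common multi-line array layout; "$pkgver" is left unexpanded.
pkgbuild_sources() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^source=\(/ { inside = 1; sub(/^source=\(/, "") }
        inside {
            line = $0
            if (line ~ /\)/) { inside = 0; sub(/\).*/, "", line) }
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                gsub(/"/, "", parts[i]); gsub(q, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# Print each source with a verdict: PLAIN-HTTP for anything fetched without
# TLS (tamperable in transit), OK for https, git+https or local files.
review_sources() {
    pkgbuild_sources "$1" | while IFS= read -r src; do
        case $src in
            http://*|ftp://*|git://*) echo "PLAIN-HTTP $src" ;;
            *) echo "OK $src" ;;
        esac
    done
}

# Print the install script name and return 0 if one is declared, else return 1.
# That file is the one to read before building: its hooks run as root.
has_install_script() {
    printf '%s\n' "$1" | sed -n 's/^install=//p' | grep .
}

# Count checksum entries set to SKIP (downloads that are never verified).
skipped_checksums() {
    printf '%s\n' "$1" | grep -o '"SKIP"' | wc -l | tr -d ' '
}
```

    A local file such as fix-build.patch is reported OK by review_sources because it is not a download, but it is still part of the review: open it, since a patch can alter the program as freely as a replaced tarball.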

    .DEB Files
    Debian, Ubuntu, Mint and other Debian-based distributions can install applications via .deb packages.

    Any developer can create a .deb installer, so it is important to investigate the maintainer or source before installing it. You can also inspect a .deb by opening it with Archive Manager, checking the directories and included files, then researching them online.

    Flatpak and Snap
    Other ways to obtain software from 3rd party repositories are applications like Flatpak and Snap. These can install other unnecessary packages (aka bloatware), and any developer can add their package to them. Use them at your own risk and investigate software before installing it.
    Last edited: May 21, 2020

Comments


  1. cloasters
    Thank you very much, booman! This is a very helpful post!
  2. booman
    Thank Daerandin as well! He is the reason I thought of creating a guide and he's helping as well.
  3. Daniel~
    Daerandin and Booman!
    You guys do good work together. This is one handy all-in-one-place security guide. Very accessible for beginners and does a good job of putting various security measures into perspective.

    We don't all have the same security needs and you do a fine job of laying out who is likely to need what.

    Thank you very much for enriching GOL and my personal meager bit of knowledge.
  4. Daerandin
    Security is a very broad subject, and being careful with what you install on your system is, in my opinion, one of the most important ways to keep your system secure. That and taking some steps to secure your web browser such as using NoScript and Firejail to sandbox your browser.

    This guide is good at helping people be more aware of what actions they take regarding their own system, and that is where it starts.

    I do hope anyone interested will dive deeper into the topics of interest.
  5. cloasters
    Thanks very much Daerandin, this is most helpful!
  6. booman
    So true! Unfortunately, I test so many games that I end up downloading a lot of executables. So far I think it has been painless as Linux isn't quite as susceptible as Windows, but I also run .exe files in PlayOnLinux/Wine all the time. Most of them are downloaded from itch.io which is supposed to be legitimate, but you never know.

    After creating this guide I am now more suspicious of PPA's and applications on the web.

    Thank you for your help Daerandin!
  7. Daerandin
    Actually, the fact that I also run a lot of Windows .exe files in Wine is the whole reason why I decided to create a separate user on my system. I do all my gaming with this user, and this user can't use sudo or su, so just in case something is compromised it can't access the rest of the system. I specifically don't do anything else with this user, only games, so all personal files are kept separate with my main user.