The officially official Devuan Forum!


#1 Re: Documentation » Some security configuration after installation » 2021-06-24 09:41:53

Don't know why but I can't edit the post. There is a typo in 7. nftables, second command line, nftables.init not nftables.inits, so:

cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d/nftables

edit: @tylerdurden, very late thanks for your thanks… the same things as you about many useful posts I read some days, life goes on learning!

#2 Re: Documentation » Some security configuration after installation » 2021-06-09 06:51:24

@Dice again, "Not trying to be a nitpick here"? You perfectly succeed. Knowing better than others what their posts should be? Wonderfullll! (I don't repeat the Devuan howto from the webpage I link, obviously, I add an optional step.) Read precisely what was written: your posts are some kind of noise.

#3 Re: Documentation » Some security configuration after installation » 2021-06-03 09:06:17

@Dice, I said "After the stage" you are speaking of.

#4 Documentation » Some security configuration after installation » 2021-06-02 13:43:10

meridian
Replies: 15

Here are some configuration things that can be done after a Devuan (or GNU/Linux) installation, mainly improving security. Most often, commands must be run as root. I adopted an impersonal style to be as short as possible. Some tips are surely perfectible, they don't come from a super-expert… and, like we say, hope that helps, without being a too long post!

1. Testing burned files before installation

After the stage Writing an image to a CD/DVD or USB drive described at Devuan website https://www.devuan.org/os/documentation … all-devuan, add a test for the burned ISO files, which are rarely but sometimes wrong. Mount the image and cd into it, then:

md5sum --ignore-missing --quiet -c md5sum.txt

The ISO can be burned again in case of failed file(s), if they are important for the installation.

2. Removing unwanted packages

Installing the minimal number of packages is a good thing to decrease the risk of security bugs. For example desktop environments bring many packages that can be removed if not wanted.

As explained by greenjeans at https://dev1galaxy.org/viewtopic.php?id=1123, unwanted packages can be removed by modifying the Depends: string of the package bringing them, in /var/lib/dpkg/status. The Version: string can also be incremented.

And as explained by Excalibur at https://dev1galaxy.org/viewtopic.php?id=3904, unwanted packages can also be set in /etc/apt/preferences.d/ file(s). This prevents master packages from being pulled in again when a new version of a dependent one comes (at least when the Version: string of the master package was not changed).

3. Removing pulseaudio

As explained by larsH in https://dev1galaxy.org/viewtopic.php?id=3732, pulseaudio can be removed, alsa will be used instead. So:

apt-get purge pulseaudio && apt-get autoremove

Sound volume can be set with the alsamixer command. Keyboard controls are no longer in use. To get keyboard volume controls add those commands to the desktop environment keys XF86AudioRaiseVolume, XF86AudioLowerVolume and XF86AudioMute:

amixer set Master 5%+
amixer set Master 5%-
amixer set Master toggle

To get playing controls, install playerctl and add those commands to the desktop environment keys XF86AudioPlay, XF86AudioPrev and XF86AudioNext:

playerctl -p player_name play-pause
playerctl -p player_name previous
playerctl -p player_name next

Replace player_name with the player to be controlled, mpv, vlc, etc.: only one player can be controlled there…

No more sound in Firefox (without further config?): a good security improvement –or a very bad thing for some…

4. Is ipv6 used?

If ipv6 isn't used, set it in the kernel command line. In /etc/default/grub, modify GRUB_CMDLINE_LINUX by adding ipv6.disable=1:

GRUB_CMDLINE_LINUX="[…] ipv6.disable=1"

"[…]" means optional other settings. Then refresh the /boot/grub/grub.cfg file:

update-grub

Testing after a reboot:

# returns a string containing 'ipv6.disable=1'
cat /proc/cmdline
# returns nothing
sysctl -a | grep ipv6

5. sysctl

From man sysctl: sysctl is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/.

Values can be added to improve security. Some keys in the default /etc/sysctl.conf can be uncommented. Otherwise the keys below can be added in /etc/sysctl.conf or in file(s) in /etc/sysctl.d (the filenames must end with .conf and must not be package names).

The sysctl kernel.org documentation is somehow outdated: https://www.kernel.org/doc/html/latest/ … index.html.

Some values are already set but can be set again in case of changes in the kernel distribution.

File system keys

# no links dereference for unowned files
# defaults to 1
fs.protected_hardlinks = 1
# defaults to 1
fs.protected_symlinks = 1

# no setuid binaries core dump
# defaults to 0
fs.suid_dumpable = 0

Kernel keys

# must be 1 at least. 3 is the most restrictive value, which
# may lead to compilation problems if packages are built.
# if set to 3 this value can't be changed at run time.
# is yama in use?: cat /sys/kernel/security/lsm
# defaults to 0
kernel.yama.ptrace_scope = 3

# no SysReq
# defaults to 438
kernel.sysrq = 0

# ASLR activation
# defaults to 2
kernel.randomize_va_space = 2

# bigger PIDs max value
# defaults to 32768
kernel.pid_max = 65536

# kernel memory addresses obfuscation
# defaults to 0
kernel.kptr_restrict = 2

# no dmesg for unprivileged users
# defaults to 1
kernel.dmesg_restrict = 1

# performance events system restrictions
# defaults to 3
kernel.perf_event_paranoid = 3
# defaults to 39750
kernel.perf_event_max_sample_rate = 1
# defaults to 25
kernel.perf_cpu_time_max_percent = 1

Virtual memory key

# no first pages memory mapping
# defaults to 65536
vm.mmap_min_addr = 65536

Network keys

For a desktop computer or a server doing no routing.

ipv4

# ignore ICMP ECHO requests
# defaults to 0
net.ipv4.icmp_echo_ignore_all = 1
# defaults to 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

# no route between interfaces
# defaults to 0
net.ipv4.ip_forward = 0

# strict reverse path filtering (1 enables it)
# defaults to 0
net.ipv4.conf.all.rp_filter = 1
# defaults to 0
net.ipv4.conf.default.rp_filter = 1

# no source routing packets
# defaults to 0
net.ipv4.conf.all.accept_source_route = 0
# defaults to 0
net.ipv4.conf.default.accept_source_route = 0

# no ICMP redirections
# defaults to 1
net.ipv4.conf.all.accept_redirects = 0
# defaults to 1
net.ipv4.conf.default.accept_redirects = 0
# defaults to 1
net.ipv4.conf.all.secure_redirects = 0
# defaults to 1
net.ipv4.conf.default.secure_redirects = 0
# defaults to 1
net.ipv4.conf.all.send_redirects = 0
# defaults to 1
net.ipv4.conf.default.send_redirects = 0

# unusual IPs logging
# defaults to 0
net.ipv4.conf.all.log_martians = 1
# defaults to 0
net.ipv4.conf.default.log_martians = 1

# conforming to RFC 1337
# defaults to 0
net.ipv4.tcp_rfc1337 = 1

# no RFC 1122 violation log
# defaults to 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# greater local port range
# defaults to 32768 60999
net.ipv4.ip_local_port_range = 32768 65535

# using SYN cookies
# defaults to 1
net.ipv4.tcp_syncookies = 1

ipv6 (unknown defaults)

# if ipv6 is not used and not deactivated
net.ipv6.conf.all.disable_ipv6 = 1

# no router solicitations
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.default.router_solicitations = 0

# no router preferences by router advertisements
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# no autoconfigured prefixes from router advertisements
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0

# no learning from router advertisements
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0

# no autoconfigured addresses from router advertisements
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0

# no ICMP redirect
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# no source routing
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# max autoconfigured addresses by interface
net.ipv6.conf.all.max_addresses = 1
net.ipv6.conf.default.max_addresses = 1

6. Suid and sgid binaries

It is better to remove some suid/sgid bits: binaries carrying them are often run with root privileges (suid) or with some group's privileges (sgid). A normal user will not be able to run binaries whose suid/sgid bits were removed. Removing these bits is a matter of tries and tests.

Getting suid binaries:

find / -type f \( -perm -4000 \) -exec ls -lg {} \; 2>/dev/null

The same with -perm -2000 to get sgid binaries.

For example:

chmod ug-s /usr/bin/newgrp /usr/bin/gpasswd /usr/bin/passwd /usr/bin/chfn \
/usr/bin/bwrap /usr/bin/chage /usr/bin/chsh /usr/bin/bsd-write /usr/bin/wall /usr/sbin/pppd

chmod ug-s /bin/fusermount              # if FUSE isn't used
chmod ug-s /usr/lib/openssh/ssh-keysign # if ssh isn't used

Usually suid/sgid bits are not removed for su, sudo, mount, umount, Xorg.wrap, unix_chkpwd, ntfs-3g, expiry, pkexec, crontab, (m)locate.

7. nftables

iptables is installed with Devuan and is now being replaced by nftables, so:

apt-get install nftables && apt-get purge iptables

The nftables service is not installed and must be configured. To install it within the init scripts:

cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d/nftables

Then set the execution flag:

chmod u+x /etc/init.d/nftables

See https://dev1galaxy.org/viewtopic.php?pid=28547#p28547 from GlennW: some header lines must be changed, from:

# Default-Start:
# Default-Stop:      0 1 2 3 4 5 6

To:

# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6

The ruleset in /etc/nftables.conf.dpkg-dist does nothing. Here is a very minimal ruleset (for a desktop computer, ipv4 only) which only accepts established inputs, forwards nothing and outputs everything, to be added in a newly created /etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table ip filter {
  chain INPUT {
    type filter hook input priority 0; policy drop;
    ct state invalid counter drop
    iif "lo" counter accept
    ct state established counter accept
  }

  chain FORWARD {
    type filter hook forward priority 0; policy drop;
    counter
  }

  chain OUTPUT {
    type filter hook output priority 0; policy accept;
    counter
  }
}

Make the file executable:

chmod u+x /etc/nftables.conf

Then add the service and launch it:

# OpenRC
rc-update add nftables default
rc-service nftables start

# System V init
update-rc.d nftables enable
service nftables start

To display the ruleset (with counted packets):

nft list ruleset

8. Scripts

Some scripts in different locations, which of course must be executable.

System.map(s)

/boot/System.map* file(s) must be readable by root only, even if /boot is a separate partition remaining unmounted. Make an /etc/kernel/postinst.d/zzz-smap-perms script, run by apt after kernel installation:

#!/bin/bash

echo "Setting System.map(s) readable by root only"
chmod go-r /boot/System.map*

exit $?

Wake on lan

Scripts in /etc/boot.d are run at launch time by the rc.local service in the default runlevel. To deactivate wake on lan (here for eth0), set /etc/boot.d/no_eth0_wol (ethtool must be installed):

#!/bin/bash

itf=eth0

echo "[....] Setting no wake on lan ($itf)"
ethtool -s $itf wol d

exit $?

Wake on lan is reactivated after suspend; another script can be made in /etc/pm/sleep.d/no_eth0_wol if pm-utils is installed (the script is also called before suspend and does nothing then):

#!/bin/sh

itf=eth0

. "${PM_FUNCTIONS}"

case "$1" in
  hibernate|suspend) ;;
  thaw|resume)
    echo "No $itf wake on lan"
    ethtool -s $itf wol d
    ;;
  *) exit $NA ;;
esac

exit $?

--

That's all for today!
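A drift check over the sysctl hardening keys of section 5, added here as an example (not part of the post): a sh script that reads the "key = value" lines of a conf file and compares each with the live value under /proc/sys, so a changed kernel package or a stray file in /etc/sysctl.d shows up as DRIFT or MISSING. The second argument is an assumed hook that lets the same check run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the post): report drift between the desired sysctl
# values in a conf file and the live ones under a /proc/sys-style tree.
# usage: sh sysctl-drift.sh /etc/sysctl.d/hardening.conf [root, default /proc/sys]

# Map a sysctl key such as net.ipv4.tcp_syncookies to its file under $2.
sysctl_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr . /)"
}

# Squeeze tabs/newlines to single spaces and trim, so the conf value
# "32768 60999" compares equal to the tab-separated "32768\t60999" in /proc/sys.
normalise() {
    tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//'
}

# Print one line per key (OK, DRIFT or MISSING) and return 1 if any key is
# not OK. Comments and blank lines in the conf file are skipped.
check_sysctl_conf() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        [ -n "$key" ] || continue
        want=$(printf '%s' "$want" | normalise)
        path=$(sysctl_path "$key" "$root")
        if [ ! -r "$path" ]; then
            # e.g. net.ipv6.* keys when ipv6.disable=1 is on the kernel command line
            printf 'MISSING %s (absent from %s)\n' "$key" "$root"; rc=1
            continue
        fi
        have=$(normalise < "$path")
        if [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s want=%s have=%s\n' "$key" "$want" "$have"; rc=1
        fi
    done <<EOF
$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
EOF
    return $rc
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    check_sysctl_conf "$@"
fi
```

A non-zero exit means at least one key needs attention; run `sysctl -p` on the conf file and re-check, and treat persistent DRIFT as a sign that another file in /etc/sysctl.d or a later boot step overrides the value.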
