The officially official Devuan Forum!

You are not logged in.

#1 2021-06-02 13:43:10

meridian
Member
Registered: 2021-06-01
Posts: 4  

Some security configuration after installation

Here are some configuration things that can be done after a Devuan (or GNU/Linux) installation, mainly improving security. The more often, commands must be done as root. I adopted an impersonal style to be as short as possible. Some tips are surely perfectible, they don't come from a super-expert… and, like we say, hope that's help, not being a too long post!


1. Testing burned files before installation

After the stage Writing an image to a CD/DVD or USB drive described at Devuan website https://www.devuan.org/os/documentation … all-devuan, add a test for the burned ISO files, which are rarely but sometimes wrong. Mount the image and cd into it, then:

md5sum --ignore-missing --quiet -c md5sum.txt

The ISO can be burned again in case of failed file(s), if they are important for the installation.


2. Removing unwanted packages

Installing the minimal number of packages is a good thing to decrease the risk of security bugs. For example desktop environments brings many packages that can be removed if not wanted.

As explained by greenjeans at https://dev1galaxy.org/viewtopic.php?id=1123, unwanted packages can be removed by modifying the Depends: string of the package bringing them, in /var/lib/dpkg/status. The Version: string can also be incremented.

And as explained by Excalibur at https://dev1galaxy.org/viewtopic.php?id=3904, unwanted packages can also be set in /etc/apt/preferences.d/ file(s). This prevent master packages to be pulled in again when comes a new version of a dependent one (at least when the Version: string of the master package was not changed).


3. Removing pulseaudio

As explained by larsH in https://dev1galaxy.org/viewtopic.php?id=3732, pulseaudio can be removed, alsa will be used instead. So:

apt-get purge pulseaudio && apt-get autoremove

Sound volume can be set with the alsamixer command. Keybord controls are no longer in use. To get keyboard volume controls add thoses commands to the desktop environment keys XF86AudioRaiseVolume, XF86AudioLowerVolume and XF86AudioMute:

amixer set Master 5%+
amixer set Master 5%-
amixer set Master toggle

To get playing controls, install playerctl and add thoses commands to the desktop environment keys XF86AudioPlay, XF86AudioPrev and XF86AudioNext:

playerctl -p player_name play-pause
playerctl -p player_name previous
playerctl -p player_name next

Replace player_name with the player to be controlled, mpv, vlc, etc.: only one player can be there controlled…

No more sound in Firefox (without further config?): a good security improvment –or a very bad thing for someones…


4. Is ipv6 used?

If ipv6 isn't used, set it in the kernel command line. In /etc/default/grub, modify GRUB_CMDLINE_LINUX by adding ipv6.disable=1:

GRUB_CMDLINE_LINUX="[…] ipv6.disable=1"

"[…]" means optional other settings. Then refresh the /boot/grub/grub.cfg file:

update-grub

Testing after a reboot:

# returns a string containing 'ipv6.disable=1'
cat /proc/cmdline
# returns nothing
sysctl -a | grep ipv6
5. sysctl

From man sysctl: sysctl is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/.

Values can be added to improve security. Some keys in the default /etc/sysctl.conf can be uncommented. Otherwise below keys can be added in /etc/sysctl.conf or file(s) in /etc/sysctl.d (the filenames must end with .conf, not being packages names).

The sysctl kernel.org documentation is somehow outdated: https://www.kernel.org/doc/html/latest/ … index.html.

Some values are already set but can be set again in case of changes in the kernel distribution.

File system keys

# no links dereference for unowned files
# defaults to 1
fs.protected_hardlinks = 1
# defaults to 1
fs.protected_symlinks = 1

# no setuid binaries core dump
# defaults to 0
fs.suid_dumpable = 0

Kernel keys

# must be 1 at least. 3 is the more restrictive value which
# may lead to compilation problems if packages are build.
# if set to 3 this value can't be changed at run time.
# is yama in use?: cat /sys/kernel/security/lsm
# defaults to 0
kernel.yama.ptrace_scope = 3

# no SysReq
# defaults to 438
kernel.sysrq = 0

# ASLR activation
# defaults to 2
kernel.randomize_va_space = 2

# bigger PIDs max value
# defaults to 32768
kernel.pid_max = 65536

# kernel memory addresses obfuscation
# defaults to 0
kernel.kptr_restrict = 2

# no dmesg for unprivileged users
# defaults to 1
kernel.dmesg_restrict = 1

# performance events system restrictions
# defaults to 3
kernel.perf_event_paranoid = 3
# defaults to 39750
kernel.perf_event_max_sample_rate = 1
# defaults to 25
kernel.perf_cpu_time_max_percent = 1

Virtual memory key

# no first pages memory mapping
# defaults to 65536
vm.mmap_min_addr = 65536

Network keys

For a desktop computer or a server making no routing.

ipv4

# ignore ICMP ECHO requests
# defaults to 0
net.ipv4.icmp_echo_ignore_all = 1
# defaults to 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

# no route between interfaces
# defaults to 0
net.ipv4.ip_forward = 0

# no reverse filtering
# defaults to 0
net.ipv4.conf.all.rp_filter = 1
# defaults to 0
net.ipv4.conf.default.rp_filter = 1

# no source routing packets
# defaults to 0
net.ipv4.conf.all.accept_source_route = 0
# defaults to 0
net.ipv4.conf.default.accept_source_route = 0

# no ICMP redirections
# defaults to 1
net.ipv4.conf.all.accept_redirects = 0
# defaults to 1
net.ipv4.conf.default.accept_redirects = 0
# defaults to 1
net.ipv4.conf.all.secure_redirects = 0
# defaults to 1
net.ipv4.conf.default.secure_redirects = 0
# defaults to 1
net.ipv4.conf.all.send_redirects = 0
# defaults to 1
net.ipv4.conf.default.send_redirects = 0

# unusual IPs logging
# defaults to 0
net.ipv4.conf.all.log_martians = 1
# defaults to 0
net.ipv4.conf.default.log_martians = 1

# conforming to RFC 1337
# defaults to 0
net.ipv4.tcp_rfc1337 = 1

# no RFC 1122 violation log
# defaults to 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# greater local port range
# defaults to 32768 60999
net.ipv4.ip_local_port_range = 32768 65535

# using SYN cookies
# defaults to 1
net.ipv4.tcp_syncookies = 1

ipv6 (unknown defaults)

# if ipv6 is not used and not deactivated
net.ipv6.conf.all.disable_ipv6 = 1

# no router solicitations
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.default.router_solicitations = 0

# no router preferences by router advertisements
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# no autoconfigured prefixes from router advertisements
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0

# no learning from router advertisements
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0

# no autoconfigured addresses from router advertisements
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0

# no ICMP redirect
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# no source routing
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# max autoconfigured addresses by interface
net.ipv6.conf.all.max_addresses = 1
net.ipv6.conf.default.max_addresses = 1


6. Suid and sgid binaries

It is better to remove some suid/sgid bits, binaries with it can be run with often root privileges (suid) or some groups ones (sgid). A normal user will not be able to run removed suid/sgid binaries. Removing these bits is a matter of tries and tests.

Getting suid binaries:

find / -type f \( -perm -4000 \) -exec ls -lg {} \; 2>/dev/null

The same with -perm -2000 to get sgid binaries.

For example:

chmod ug-s /usr/bin/newgrp /usr/bin/gpasswd /usr/bin/passwd /usr/bin/chfn \
/usr/bin/bwrap /usr/bin/chage /usr/bin/chsh /usr/bin/bsd-write /usr/bin/wall /usr/sbin/pppd

chmod ug-s /bin/fusermount              # if FUSE isn't used
chmod ug-s /usr/lib/openssh/ssh-keysign # if ssh isn't used

Usually suid/sgid bits are not removed for su, sudo, mount, umount, Xorg.wrap, unix_chkpwd, ntfs-3g, expiry, pkexec, crontab, (m)locate.


7. nftables

iptables is installed with Devuan and is now beeing replaced by nftables, so:

apt-get install nftables && apt-get purge iptables

The nftables service is not installed and must be configured. To install it within the init scripts:

cp /usr/share/doc/nftables/examples/sysvinit/nftables.inits /etc/init.d/nftables

Then set the execution flag:

chmod u+x /etc/init.d/nftables

See https://dev1galaxy.org/viewtopic.php?pid=28547#p28547 from GlennW: some header lines must be changed, from:

# Default-Start:
# Default-Stop:      0 1 2 3 4 5 6

To:

# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6

The ruleset in /etc/nftables.conf.dpkg-dist makes nothing. Here is a very minimal ruleset (for a desktop computer, ipv4 only) which only accepts established inputs, forwards nothing and outputs everything, to be added in a newly created /etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table ip filter {
  chain INPUT {
    type filter hook input priority 0; policy drop;
    ct state invalid counter drop
    iif "lo" counter accept
    ct state established counter accept
  }

  chain FORWARD {
    type filter hook forward priority 0; policy drop;
    counter
  }

  chain OUTPUT {
    type filter hook output priority 0; policy accept;
    counter
  }
}

Make the file executable:

chmod u+x /etc/nftables.conf

Then add the service and launch it:

# OpenRC
rc-update add nftables default
rc-service nftables start

# System V init
update-rc.d nftables enable
service nftables start

To display the ruleset (with counted packets):

nft list ruleset
8. Scripts

Some scripts in different locations, which of course must be executable.

System.map(s)

/boot/System.map* file(s) must be readable by root only, even if /boot is a separate partition remaining unmounted. Making an /etc/kernel/postinst.d/zzz-smap-perms script runned by apt after kernel installation:

#!/bin/bash

echo "Setting System.map(s) readable by root only"
chmod go-r /boot/System.map*

exit $?

Wake on lan

Scripts in /etc/boot.d are run at launch time by the rc.local service in the default runlevel. To deactivate wake on lan (here for eth0), set /etc/boot.d/no_eth0_wol (ethtool must be installed):

#!/bin/bash

itf=eth0

echo "[....] Setting no wake on lan ($itf)"
ethtool -s $itf wol d

exit $?

Wake on lan is reactivated after suspend, another script can be made in /etc/pm/sleep.d/no_eth0_wol if pm-utils is installed (the script is also called before suspend and makes nothing):

#!/bin/sh

itf=eth0

. "${PM_FUNCTIONS}"

case "$1" in
  hibernate|suspend) ;;
  thaw|resume)
	  echo "No $itf wake on lan"
	  ethtool -s $itf wol d
	;;
	*) exit $NA ;;
esac

exit $?

--

That's all for today!

Offline

#2 2021-06-02 13:52:48

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: Some security configuration after installation

You missed a step.

always.....

Verify the images

Installation images distributed by Devuan are signed so that they can be verified as coming from Devuan. Verifying images lets you know they have not been altered prior to you receiving them.

Get the Devuan developers signing keys and import them to your keychain.

user@hostname:~$ gpg --import devuan-devs.gpg

Use the signed SHA256SUMS.asc from the release archive to verify the image.

user@hostname:~$ gpg --verify SHA256SUMS.asc

A report of a good signature indicates everything is fine.

openbsd signify would be a nice addition for this security measure.

https://man.openbsd.org/signify

Last edited by dice (2021-06-02 14:01:40)

Offline

#3 2021-06-03 09:06:17

meridian
Member
Registered: 2021-06-01
Posts: 4  

Re: Some security configuration after installation

@Dice, I said "After the stage" you are speaking of.

Offline

#4 2021-06-03 12:34:59

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: Some security configuration after installation

meridian wrote:

@Dice, I said "After the stage" you are speaking of.

Not trying to be a nitpick here, but step one in your post should include both integrity check and verification check.

Offline

#5 2021-06-08 03:50:25

tylerdurden
Member
From: /home
Registered: 2018-07-16
Posts: 10  

Re: Some security configuration after installation

Been using Devuan for about three years now and it powers every single one of my machines. I keep learning thanks to posts like these. Lots of goodies to add to my personal documentation there. Thanks a ton for sharing! 👍

Offline

#6 2021-06-09 06:51:24

meridian
Member
Registered: 2021-06-01
Posts: 4  

Re: Some security configuration after installation

@Dice again, "Not trying to be a nitpick here"? You perfectly succeed. Knowing better than others what theirs posts should be? Wonderfullll! (I don't repeat Devuan howto from the webpage I link, obviously, I add an optional step.) Read precisely what was written: your posts are some kind of noise.

Offline

#7 2021-06-09 08:54:59

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: Some security configuration after installation

meridian wrote:

@Dice again, "Not trying to be a nitpick here"? You perfectly succeed. Knowing better than others what theirs posts should be? Wonderfullll! (I don't repeat Devuan howto from the webpage I link, obviously, I add an optional step.) Read precisely what was wroten: your posts are some kind of noise.

okay no need to be rude, i was confused with your wording.

meridian wrote:
1. Testing burned files before installation

After the stage Writing an image to a CD/DVD or USB drive described at Devuan website https://www.devuan.org/os/documentation … all-devuan, add a test for the burned ISO files, which are rarely but sometimes wrong. Mount the image and cd into it, then:

md5sum --ignore-missing --quiet -c md5sum.txt

The ISO can be burned again in case of failed file(s), if they are important for the installation.

the mount the image bit instead of usb/cd or dvd caught me offguard. I thought you were mounting the iso file not the usb or dvd/cd.

So imo the line Mount the image and cd into it, then: should read Mount the CD/DVD or USB and cd into it, then:

Last edited by dice (2021-06-09 08:58:58)

Offline

#8 2021-06-21 18:00:37

zapper
Member
Registered: 2017-05-29
Posts: 382  

Re: Some security configuration after installation

dice wrote:

You missed a step.

always.....


openbsd signify would be a nice addition for this security measure.

https://man.openbsd.org/signify

I think the "You missed a step

always......"

Is what turned off Meridian...

Just a heads up.

Not judging, just sayin, you came across as prideful, even if you aren't in actuality.


Black Lives Matter!  I am white, but I prefer equality over hatred.
Haughtiness comes before a fall, pride before destruction.
Peace be with you!
No one can serve two masters. Either you will hate the one and love the other, or you will be devoted to the one and despise the other. You cannot serve both God and mammon!

Offline

#9 2021-06-22 12:24:37

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: Some security configuration after installation

zapper wrote:
dice wrote:

You missed a step.

always.....


openbsd signify would be a nice addition for this security measure.

https://man.openbsd.org/signify

I think the "You missed a step

always......"

Is what turned off Meridian...

Just a heads up.

Not judging, just sayin, you came across as prideful, even if you aren't in actuality.

prideful ? what a load of bollocks.

"I  always"  is what i should have posted so as not turn off persons on the internet.

Offline

#10 2021-06-22 12:27:03

zapper
Member
Registered: 2017-05-29
Posts: 382  

Re: Some security configuration after installation

dice wrote:
zapper wrote:
dice wrote:

You missed a step.

always.....


openbsd signify would be a nice addition for this security measure.

https://man.openbsd.org/signify

I think the "You missed a step

always......"

Is what turned off Meridian...

Just a heads up.

Not judging, just sayin, you came across as prideful, even if you aren't in actuality.

prideful ? what a load of bollocks.

"I  always"  is what i should have posted so as not turn off persons on the internet.

That was just how I saw it... you can choose to take my advice or not.

It's ultimately your choice what you wish to believe.

That being said, I have to read what bollocks even means... wink

EDIT: It was not even close to my intention to say things you considered rubbish.  But yeah, like I said above...

It is your choice what you want to believe... wink

Last edited by zapper (2021-06-22 12:28:18)


Black Lives Matter!  I am white, but I prefer equality over hatred.
Haughtiness comes before a fall, pride before destruction.
Peace be with you!
No one can serve two masters. Either you will hate the one and love the other, or you will be devoted to the one and despise the other. You cannot serve both God and mammon!

Offline

#11 2021-06-22 12:28:24

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: Some security configuration after installation

You must be bored replying to old threads zapper.

Offline

#12 2021-06-22 12:29:05

zapper
Member
Registered: 2017-05-29
Posts: 382  

Re: Some security configuration after installation

dice wrote:

You must be bored replying to old threads zapper.

Somewhat, lol.

But its also early where I am and its raining alot, so I won't be going anywhere today lol.

Also, the thread started in June man... just sayin. heh.

It's not like I necroed a three year old thread, now thats being bored! hehe...

Last edited by zapper (2021-06-22 12:30:31)


Black Lives Matter!  I am white, but I prefer equality over hatred.
Haughtiness comes before a fall, pride before destruction.
Peace be with you!
No one can serve two masters. Either you will hate the one and love the other, or you will be devoted to the one and despise the other. You cannot serve both God and mammon!

Offline

#13 2021-06-22 12:32:14

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: Some security configuration after installation

zapper wrote:
dice wrote:

You must be bored replying to old threads zapper.

Somewhat, lol.

But its also early where I am and its raining alot, so I won't be going anywhere today lol.

Also, the thread started in June man... just sayin. heh.

It's not like I necroed a three year old thread, now thats being bored! hehe...

Well its getting old and what you posted has no relevance to the thread so now we are just messing up the OP's thread.

Heres an idea, why dont you delete your posts and when you finish ill delete mine.

Offline

#14 2021-06-22 12:36:42

zapper
Member
Registered: 2017-05-29
Posts: 382  

Re: Some security configuration after installation

dice wrote:
zapper wrote:
dice wrote:

You must be bored replying to old threads zapper.

Somewhat, lol.

But its also early where I am and its raining alot, so I won't be going anywhere today lol.

Also, the thread started in June man... just sayin. heh.

It's not like I necroed a three year old thread, now thats being bored! hehe...

Well its getting old and what you posted has no relevance to the thread so now we are just messing up the OP's thread.

Heres an idea, why dont you delete your posts and when you finish ill delete mine.


I sent you a pm, as to what I think we should do...

If golinux sees this thread, I hope it will be locked. smile

My final reply btw... from here on out, pm me.


Black Lives Matter!  I am white, but I prefer equality over hatred.
Haughtiness comes before a fall, pride before destruction.
Peace be with you!
No one can serve two masters. Either you will hate the one and love the other, or you will be devoted to the one and despise the other. You cannot serve both God and mammon!

Offline

#15 2021-06-22 12:37:55

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: Some security configuration after installation

I dont reply to pm's. It goes through email and im not doing that. Why not just delete your posts? It was just a misunderstanding i had and now you are making it an issue after 3 weeks since it was posted.

Last edited by dice (2021-06-22 12:40:09)

Offline

#16 2021-06-24 09:41:53

meridian
Member
Registered: 2021-06-01
Posts: 4  

Re: Some security configuration after installation

Don't know why but I can't edit the post. There is a typo in 7. nftables, second command line, nftables.init not nftables.inits, so:

cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d/nftables

edit: @tylerdurden, very late thanks for your thanks… the same things as you about many useful posts I read some days, life goes on learning!

Last edited by meridian (2021-06-24 19:58:54)

Offline

Board footer