PINE64
Hardening your Pinebook Pro - Printable Version




RE: Hardening your Pinebook Pro - e-minguez - 11-25-2019

I think one of the best improvements with regard to security would be to deliver images with disk encryption enabled. The password can be a default one then force users to change it...


RE: Hardening your Pinebook Pro - Arwen - 11-25-2019

@e-minguez, Let's make it clear to others, full disk encryption is "at rest". Meaning if an attacker / cracker gets in via network while the Pinebook Pro is booted, the full disk encryption does nothing to stop them from copying / damaging any file they can. (What I mean by any file they can, is if they got in as a normal user, they can only copy / damage files a normal user has access to.)

While I intend to use root OS encryption as well as swap encryption, normal hardening attempts to prevent remote access. Far more common loss of data compared to physical theft today.

Last, full disk encryption does not stop someone with physical access to the computer, (even if powered off), if they have the password. Or can guess it. (And in the case of hostile government agents, beat it out of the owner.)


RE: Hardening your Pinebook Pro - Arwen - 12-07-2019

One other thing that probably should be done, is re-create the host SSH keys. SSH host keys should be unique per host. From what I can tell, the default Debian comes with host SSH keys already created from July 11, 2019;
Code:
# ls -l ssh_host_*
-rw------- 1 root root  668 Jul 11 16:55 ssh_host_dsa_key
-rw-r--r-- 1 root root  609 Jul 11 16:55 ssh_host_dsa_key.pub
-rw------- 1 root root  227 Jul 11 16:55 ssh_host_ecdsa_key
-rw-r--r-- 1 root root  181 Jul 11 16:55 ssh_host_ecdsa_key.pub
-rw------- 1 root root  411 Jul 11 16:55 ssh_host_ed25519_key
-rw-r--r-- 1 root root  101 Jul 11 16:55 ssh_host_ed25519_key.pub
-rw------- 1 root root 1675 Jul 11 16:55 ssh_host_rsa_key
-rw-r--r-- 1 root root  401 Jul 11 16:55 ssh_host_rsa_key.pub
Plus, remove the insecure DSA host key.


Here is how to do it.
As user "root", simply run the following commands. If you like, you can put the hostname in the comment, like "MyHost rsa hostkey".
Code:
cd /etc/ssh
rm ssh_host_*
ssh-keygen -b 4096 -t rsa -C "rsa hostkey" -f ./ssh_host_rsa_key
ssh-keygen -b 521 -t ecdsa -C "ecdsa hostkey" -f ./ssh_host_ecdsa_key
ssh-keygen -t ed25519 -C "ed25519 hostkey" -f ./ssh_host_ed25519_key
Note that you will be asked for a passphrase. Per SSH manual page, host keys must have an empty passphrase. Simply hit return when prompted, (twice per key).
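
Added example (not part of the thread and not any poster's code): a Python check for the situation described above, where host keys shipped in the image are identical on every device and a DSA key is still present. It parses `ssh_host_*_key.pub` lines and computes fingerprints in the `SHA256:` form that `ssh-keygen -lf` prints; the host names and key bytes are constructed for illustration.

```python
import base64, hashlib, struct

def fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        if i + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def inspect_pubkey(line):
    """Return (key type, RSA modulus bits or None, SHA256 fingerprint)."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    parts = fields(blob)
    ktype = parts[0].decode("ascii")
    if ktype != declared:
        raise ValueError("declared type does not match key blob")
    # An ssh-rsa blob holds: type, public exponent e, modulus n
    bits = int.from_bytes(parts[2], "big").bit_length() if ktype == "ssh-rsa" else None
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return ktype, bits, "SHA256:" + digest.rstrip("=")

def audit(hosts):
    """hosts maps hostname -> list of .pub lines; returns a list of findings."""
    findings, first_seen = [], {}
    for host in sorted(hosts):
        for line in hosts[host]:
            ktype, _, fp = inspect_pubkey(line)
            if ktype == "ssh-dss":
                findings.append(f"{host}: DSA host key present")
            other = first_seen.setdefault(fp, host)
            if other != host:
                findings.append(f"{host}: {ktype} key shared with {other}")
    return findings

def sample(ktype, *parts):
    """Build a constructed .pub line from dummy bytes (not a usable key)."""
    raw = b"".join(struct.pack(">I", len(p)) + p for p in (ktype.encode(), *parts))
    return f"{ktype} {base64.b64encode(raw).decode()} constructed"

# Constructed data: pbp-a and pbp-b still carry the same image-default keys.
IMAGE_KEYS = [sample("ssh-ed25519", b"\x11" * 32),
              sample("ssh-dss", b"\x01", b"\x02", b"\x03", b"\x04")]
HOSTS = {"pbp-a": IMAGE_KEYS, "pbp-b": IMAGE_KEYS,
         "pbp-c": [sample("ssh-ed25519", b"\x22" * 32),
                   sample("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 512)]}
```

Calling `audit(HOSTS)` on the constructed data flags the DSA key on both image-default hosts and reports that pbp-b shares its keys with pbp-a, while the regenerated pbp-c produces no findings.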


RE: Hardening your Pinebook Pro - ElektromAn - 12-09-2019

Maybe there is a "bug" in the default Debian image.
Normally host keys are generated at first boot with a clean image aka without *any* hostkeys.

Also please disable PAM in sshd.config, (I don't trust PAM modules)
after you have copied your pubkeys on your computer.