Hardening your Pinebook Pro - Printable Version
+- PINE64 (https://forum.pine64.org)
+-- Forum: Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=111)
+--- Forum: Linux on Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=114)
+--- Thread: Hardening your Pinebook Pro (/showthread.php?tid=8302)
Hardening your Pinebook Pro - Arwen - 11-12-2019

There are several things I tend to do, making client systems listen on fewer external services. And not run un-needed local services. What do you do?

Here is my list, (a work in progress);

SSHD - Disable Root login
File - /etc/ssh/sshd_config
PermitRootLogin no
Service - systemctl restart sshd

NTPD - Don't allow others to use me for time source
File - /etc/ntp.conf
restrict 127.0.0.1 nomodify nopeer noquery limited kod
restrict [::1]
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
Service - systemctl restart ntpd

Chromium browser
Launcher change:
--password-store=basic

SMBD - Disable Samba services
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Avahi service
systemctl stop avahi-daemon.service
systemctl stop avahi-daemon.socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi-daemon.socket
systemctl disable dbus-org.freedesktop.Avahi.service

RE: Hardening your Pinebook Pro - PineFan - 11-12-2019

This is of interest to me as well, so thank you for starting this discussion on hardening the PBP. In addition, have also been hoping for a discussion of firewalls (UFW?) including best practices and setup/configurations recommendations and examples. (I thought UFW often came installed with Debian but doesn't appear to be present in the PBP) I am not an expert in securing Linux so will not add my two cents but will certainly follow others' responses with interest.

RE: Hardening your Pinebook Pro - hdk - 11-13-2019

Arwen, splendid initiative.

Findings:
Chromium browser: Chromium | chrome://settings
"Aw, Snap Something went wrong displaying this webpage" (after 1 second)

RE: Hardening your Pinebook Pro - xalius - 11-13-2019

Thanks for the post, should we move this to tutorials?

RE: Hardening your Pinebook Pro - Arwen - 11-13-2019

(11-13-2019, 03:59 AM)xalius Wrote: Thanks for the post, should we move this to tutorials?

Perhaps. I had not thought of it that way. This has OS specific items to Linux, though SSH & NTP changes can apply to FreeBSD. In some ways, a thread for each item could be appropriate. Other Linux distros don't use systemd, (the "systemctl" command), or may have additional default settings that it may be desirable to change. Your call.

RE: Hardening your Pinebook Pro - DrYak - 11-13-2019

(11-12-2019, 11:07 PM)PineFan Wrote: In addition, have also been hoping for a discussion of firewalls (UFW?) including best practices and setup/configurations recommendations and examples. (I thought UFW often came installed with Debian but doesn't appear to be present in the PBP)

There are quite a few firewall-related packages in Debian. But currently...

Code:
$ apt search firewall | grep 'installed'

The new 'standard' (i.e.: most popularly installed everywhere, like pulseaudio or systemd) firewall is firewalld.

There are tutorials for installing firewalld on Debian 10 buster and in my personal experience (Raspbian on a Pi3+) it more or less works the same on Debian 9:

RE: Hardening your Pinebook Pro - Arwen - 11-23-2019

If you have few things listening on your network, (mine only listens on SSH, port 22), then a firewall is somewhat un-needed for in-coming attacks. Of course, firewalls can prevent malware from contacting control servers. Or sending out personal data.

My preference is a tar pit, like Labrea. It takes connections from many standard services, like mail, telnet, ftp and feeds them into a slow response tar pit. Meaning a denial of service attack may happen in such slow motion that the attacker can be blocked easily before they get anywhere. (Plus, those services, like incoming mail, ftp and telnet are fake, just lures to find port scanners so you can block them.)

Last, you don't have to have a firewall to perform some protections. I tend to block certain IP ranges to remove web ads or attackers. Basically set the return route to 127.0.0.1, so they get no response to any inquiries.

RE: Hardening your Pinebook Pro - hdk - 11-24-2019

Fail2ban uses iptables to block IP address ranges.

RE: Hardening your Pinebook Pro - Arwen - 11-24-2019

(11-24-2019, 01:17 AM)hdk Wrote: Fail2ban uses iptables to block IP address ranges.

I've heard good things about fail2ban. Perhaps it's time I implemented it on my laptop and cloud server.

RE: Hardening your Pinebook Pro - hdk - 11-25-2019

https://github.com/fail2ban/fail2ban/wiki
https://www.fail2ban.org/wiki/index.php/MANUAL_0_8
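
One way to check the outcome of the steps in the first post (only SSH reachable from the network, NTP on loopback, Samba and Avahi gone): the script below is an added example, not posted by anyone in the thread. It filters `ss -H -tuln` output; the `ALLOWED` list, the function names and the sample lines are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report listening sockets that are
# reachable from the network, given the output of `ss -H -tuln` on stdin.
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Assumption: only SSH on TCP port 22 is meant to be reachable.
ALLOWED="tcp/22"

# Prints "proto/port address" for each socket that is not bound to
# loopback and is not listed in $ALLOWED.
external_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
        proto = $1
        port = $5; sub(/.*:/, "", port)       # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)   # text before the last colon
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1] becomes ::1
        sub(/%.*$/, "", addr)                 # drop scope, e.g. 127.0.0.53%lo
        if (addr ~ /^127\./ || addr == "::1") next   # bound to loopback only
        key = proto "/" port
        if (key in ok) next                   # expected service
        print key, addr
    }' | LC_ALL=C sort -u
}

# Constructed sample: sshd on all addresses, ntpd on loopback only,
# and Samba (139, 445) and Avahi (5353) still running.
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
udp UNCONN 0 0 127.0.0.1:123 0.0.0.0:*
udp UNCONN 0 0 [::1]:123 [::]:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
EOF
}

# Demo on the sample; on a real system run: ss -H -tuln | external_listeners
sample_ss_output | external_listeners
```

An empty result means nothing besides the allowed ports is bound to a non-loopback address.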