Hardening your Pinebook Pro software

Hardening your Pinebook Pro software - Printable Version

+- PINE64 (https://forum.pine64.org)
+-- Forum: Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=111)
+--- Forum: Pinebook Pro Tutorials (https://forum.pine64.org/forumdisplay.php?fid=117)
+--- Thread: Hardening your Pinebook Pro software (/showthread.php?tid=8516)

Hardening your Pinebook Pro software - Arwen - 12-07-2019

Here is a guide to some of the hardening you can do on your Pinebook Pro's OS and applications. Each post will be dedicated, (and edited for corrections and updates), for a specific type of hardening.

Hardening SSH:

Disable Root login:
File - /etc/ssh/sshd_config
PermitRootLogin no
Service - systemctl restart sshd

One other thing that probably should be done, is re-create the host SSH keys. SSH host keys should be unique per host. From what I can tell, the default Debian comes with host SSH keys already created from July 11, 2019;

Code:
# ls -l ssh_host_*

 -rw------- 1 root root  668 Jul 11 16:55 ssh_host_dsa_key

 -rw-r--r-- 1 root root  609 Jul 11 16:55 ssh_host_dsa_key.pub

 -rw------- 1 root root  227 Jul 11 16:55 ssh_host_ecdsa_key

 -rw-r--r-- 1 root root  181 Jul 11 16:55 ssh_host_ecdsa_key.pub

 -rw------- 1 root root  411 Jul 11 16:55 ssh_host_ed25519_key

 -rw-r--r-- 1 root root  101 Jul 11 16:55 ssh_host_ed25519_key.pub

 -rw------- 1 root root 1675 Jul 11 16:55 ssh_host_rsa_key

 -rw-r--r-- 1 root root  401 Jul 11 16:55 ssh_host_rsa_key.pub

Plus, remove the in-secure DSA host key.

Here is how to do it.
As user "root", simply run the following commands. If you like, you can put the hostname in the comment, like "MyHost rsa hostkey".

Code:
cd /etc/ssh

 rm ssh_host_*

 ssh-keygen -b 4096 -t rsa -C "rsa hostkey" -f ./ssh_host_rsa_key

 ssh-keygen -b 521 -t ecdsa -C "ecdsa hostkey" -f ./ssh_host_ecdsa_key

 ssh-keygen -t ed25519 -C "ed25519 hostkey" -f ./ssh_host_ed25519_key

Note that you will be asked for a passphrase. Per SSH manual page, host keys must have an empty passphrase. Simply hit return when prompted, (twice per key).

Hardening NTP;

Don't allow others to use Pinebook Pro for time source:
File - /etc/ntp.conf
restrict 127.0.0.1 nomodify nopeer noquery limited kod
restrict [::1]
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
Service - systemctl restart ntpd

Disable Samba services, (if you are not using them);

Disable services:
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Disable Avahi, (zeroconf & service discovery);

Disable service:
systemctl stop avahi-daemon.service
systemctl stop avahi.daemon. socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi.daemon. socket
systemctl disable dbus-org.freedesktop.Avahi.service

Chromium browser:
Launcher change: --password-store=basic

RE: Hardening your Pinebook Pro software - jpakkane - 12-07-2019

A safer and simpler version is to remove the SSH server altogether. Unless you need to SSH into your pbpro, this should be the recommended approach:

sudo apt-get purge openssh-server

Use "purge" instead of "uninstall", so that all configuration files and pregenerated keys are also removed.

Note that the ssh client remains installed, so you can still SSH to remote machines as usually.

RE: Hardening your Pinebook Pro software - e-minguez - 12-10-2019

(12-07-2019, 03:33 PM)Arwen Wrote: ...
Disable Samba services, (if you are not using them);

Disable services:
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Disable Avahi, (zeroconf & service discovery);

Disable service:
systemctl stop avahi-daemon.service
systemctl stop avahi.daemon. socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi.daemon. socket
systemctl disable dbus-org.freedesktop.Avahi.service
...

Tip: You can stop and disable the services with a single command:

systemctl disable <service> --now

HTH!

RE: Hardening your Pinebook Pro software - Arwen - 12-10-2019

(12-10-2019, 09:56 AM)e-minguez Wrote:
(12-07-2019, 03:33 PM)Arwen Wrote: ...
Disable Samba services, (if you are not using them);

Disable services:
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Disable Avahi, (zeroconf & service discovery);

Disable service:
systemctl stop avahi-daemon.service
systemctl stop avahi.daemon. socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi.daemon. socket
systemctl disable dbus-org.freedesktop.Avahi.service
...

Tip: You can stop and disable the services with a single command:

systemctl disable <service> --now

HTH!

Thanks, I had not got that far in the "systemctl" manual page.

RE: Hardening your Pinebook Pro software - hdk - 12-11-2019

Create a periodic snapshot of your powerpro system.