Hardening your Pinebook Pro
#1
There are several things I tend to do, making client systems listen on fewer external services. And not run un-needed local services.

What do you do?

Here is my list, (a work in progress);

SSHD - Disable Root login
File - /etc/ssh/sshd_config
PermitRootLogin no
Service - systemctl restart sshd

NTPD - Don't allow others to use me for time source
File - /etc/ntp.conf
restrict 127.0.0.1 nomodify nopeer noquery limited kod
restrict [::1]
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
Service - systemctl restart ntpd

Chromium browser
Launcher change: --password-store=basic

SMBD - Disable Samba services
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Avahi service
systemctl stop avahi-daemon.service
systemctl stop avahi-daemon.socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi-daemon.socket
systemctl disable dbus-org.freedesktop.Avahi.service
--
Arwen Evenstar
Princess of Rivendale
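A read-only check of the settings in the list above, added here as an example and not part of the original post. The function names, the `audit.sh` file name and the `--live` switch are made up for this example; it assumes OpenSSH 7.0 or later for the unset default.

```shell
#!/bin/sh
# Added example: read-only audit of the settings from the list above.

# Print the global PermitRootLogin value (the one outside any Match block).
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Everything after the first Match line is conditional.
# Assumption: OpenSSH 7.0+, where the unset default is prohibit-password.
# Include files are not followed.
sshd_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Succeed only if ntp.conf ignores the wildcard address and every
# "interface listen" line names a loopback address, as in the post.
ntp_loopback_only() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "interface" && $2 == "ignore" && $3 == "wildcard" { wild = 1 }
        $1 == "interface" && $2 == "listen" &&
            $3 != "127.0.0.1" && $3 != "::1" { bad = 1 }
        END { exit !(wild && !bad) }
    ' "$1"
}

# Units the post stops and disables; print the ones still enabled or running.
UNITS="smbd nmbd avahi-daemon.service avahi-daemon.socket dbus-org.freedesktop.Avahi.service"
units_still_on() {
    for u in $UNITS; do
        if systemctl is-enabled --quiet "$u" 2>/dev/null ||
           systemctl is-active --quiet "$u" 2>/dev/null; then
            echo "$u"
        fi
    done
}

# Check the live system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "PermitRootLogin: $(sshd_root_login /etc/ssh/sshd_config)"
    ntp_loopback_only /etc/ntp.conf || echo "ntpd: not limited to loopback"
    for u in $(units_still_on); do echo "still on: $u"; done
fi
```

On a running system, `sshd -T` run as root prints the configuration sshd actually resolved and is the authoritative cross-check for the first function.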
#2
This is of interest to me as well, so thank you for starting this discussion on hardening the PBP.

In addition, I have also been hoping for a discussion of firewalls (UFW?), including best practices and setup/configuration recommendations and examples. (I thought UFW often came installed with Debian, but it doesn't appear to be present in the PBP.)

I am not an expert in securing Linux, so I will not add my two cents, but I will certainly follow others' responses with interest.
#3
Arwen, splendid initiative.
Findings:
Chromium browser:
Chromium | chrome://settings
"Aw, Snap Something went wrong displaying this webpage" (after 1 second)
#4
Thanks for the post, should we move this to tutorials?
Come have a chat in the Pine IRC channel >>
#5
(11-13-2019, 03:59 AM)xalius Wrote: Thanks for the post, should we move this to tutorials?
Perhaps. I had not thought of it that way.

This has OS specific items to Linux, though SSH & NTP changes can apply to FreeBSD. In some ways, a thread for each item could be appropriate. Other Linux distros don't use systemd, (the "systemctl" command), or may have additional default settings that it may be desirable to change.

Your call.
--
Arwen Evenstar
Princess of Rivendale
#6
(11-12-2019, 11:07 PM)PineFan Wrote: In addition, I have also been hoping for a discussion of firewalls (UFW?), including best practices and setup/configuration recommendations and examples. (I thought UFW often came installed with Debian, but it doesn't appear to be present in the PBP.)

There are quite a few firewall-related packages in debian. But currently...
Code:
$ apt search firewall | grep 'installed'
wget/oldstable,oldstable,now 1.18-5+deb9u3 armhf [installed]
None of them is among the list of installed applications.

The new 'standard' (i.e.: most popularly installed everywhere, like pulseaudio or systemd) firewall is firewalld

There are tutorials for installing firewalld on debian 10 buster
and in my personal experience (Raspbian on a Pi3+) it more or less works the same on Debian 9:
  • install the package
  • use `firewall-cmd` to test some rules
  • use `firewall-cmd --permanent` to store them in the permanent set to be loaded on next boot
#7
If you have few things listening on your network, (mine only listens on SSH, port 22), then a firewall is somewhat un-needed for in-coming attacks. Of course, firewalls can prevent malware from contacting control servers. Or sending out personal data.

My preference is a tar pit, like Labrea. It takes connections from many standard services, like mail, telnet, ftp and feeds them into a slow response tar pit. Meaning a denial of service attack may happen in such slow motion that the attacker can be blocked easily before they get anywhere. (Plus, those services, like incoming mail, ftp and telnet are fake, just lures to find port scanners so you can block them.)

Last, you don't have to have a firewall to perform some protections. I tend to block certain IP ranges to remove web ads or attackers. Basically set the return route to 127.0.0.1, so they get no response to any inquiries.
--
Arwen Evenstar
Princess of Rivendale
#8
Fail2ban uses iptables to block IP address ranges.
#9
(11-24-2019, 01:17 AM)hdk Wrote: Fail2ban uses iptables to block IP address ranges.
I've heard good things about fail2ban.

Perhaps it's time I implemented it on my laptop and cloud server.
--
Arwen Evenstar
Princess of Rivendale
#10
https://github.com/fail2ban/fail2ban/wiki
https://www.fail2ban.org/wiki/index.php/MANUAL_0_8

