Hardening your Pinebook Pro

**Arwen** · 11-12-2019, 08:34 PM

There are several things I tend to do, making client systems listen on fewer external services. And not run un-needed local services.

What do you do?

Here is my list, (a work in progress);

SSHD - Disable Root login
File - /etc/ssh/sshd_config
PermitRootLogin no
Service - systemctl restart sshd

NTPD - Don't allow others to use me for time source
File - /etc/ntp.conf
restrict 127.0.0.1 nomodify nopeer noquery limited kod
restrict [::1]
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
Service - systemctl restart ntpd

Chromium browser
Launcher change: --password-store=basic

SMBD - Disable Samba services
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Avahi service
systemctl stop avahi-daemon.service
systemctl stop avahi.daemon. socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi.daemon. socket
systemctl disable dbus-org.freedesktop.Avahi.service

PineFan · 11-12-2019, 11:07 PM

This is of interest to me as well, so thank you for starting this discussion on hardening the PBP.

In addition, have also been hoping for a discussion of firewalls (UFW?) including best practices and setup/configurations recommendations and examples. (I thought UFW often came installed with Debian but doesn't appear to be present in the PBP)

I am not expert in securing Linux so will not add my two cents but will certainly follow other's responses with interest.

hdk · 11-13-2019, 12:44 AM

Arwen, splendid initiative.
Findings:
Chromium browser:
Chromium | chrome://settings
"Aw, Snap Someting went wrong displaying this webpage" (after 1 second)

**xalius** · 11-13-2019, 03:59 AM

Thanks for the post, should we move this to tutorials?

**Arwen** · 11-13-2019, 05:29 AM

(11-13-2019, 03:59 AM)xalius Wrote: Thanks for the post, should we move this to tutorials?

Perhaps. I had not thought of it that way.

This has OS specific items to Linux, though SSH & NTP changes can apply to FreeBSD. In some ways, a thread for each item could be appropriate. Other Linux distros don't use systemd, (the "systemctl" command), or may have additional default settings that it may be desirable to change.

Your call.

DrYak · 11-13-2019, 10:15 AM

(11-12-2019, 11:07 PM)PineFan Wrote: In addition, have also been hoping for a discussion of firewalls (UFW?) including best practices and setup/configurations recommendations and examples. (I thought UFW often came installed with Debian but doesn't appear to be present in the PBP)

There are quite a few firewall-related packages in debian. But currently...

Code:
$ apt search firewall | grep 'installed'

wget/oldstable,oldstable,now 1.18-5+deb9u3 armhf [installed]

None of them is amon the list of installed application.

The new 'standard' (i.e.: most popularly installed everywhere, like pulseaudio or systemd) firewall is firewalld

There are tutorials for installing firewalld on debian 10 buster
and in my personal experience (Raspbian on a Pi3+) it more or less works the same on Debian 9:

install the package
use `firewall-cmd` to test some rules
use `firewall-cmd --permanent` to store them in the permanent set to be loaded on next boot

**Arwen** · 11-23-2019, 05:51 PM

If you have few things listening on your network, (mine only listens on SSH, port 22), then a firewall is someone un-needed for in-coming attacks. Of course, firewalls can prevent malware from contacting control servers. Or sending out personal data.

My preference is a tar pit, like Labrea. It takes connections from many standard services, like mail, telnet, ftp and feeds them into a slow response tar pit. Meaning a denial of service attack may happen in such slow motion that the attacker can be blocked easily before they get anywhere. (Plus, those services, like incoming mail, ftp and telnet are fake, just lures to find port scanners so you can block them.)

Last, you don't have to have a firewall to perform some protections. I tend to block certain IP ranges to remove web ads or attackers. Basically set the return route to 127.0.0.1, so they get no response to any inquiries.

hdk · 11-24-2019, 01:17 AM

Fail2ban uses iptables to block IP adress ranges.

**Arwen** · 11-24-2019, 11:36 AM

(11-24-2019, 01:17 AM)hdk Wrote: Fail2ban uses iptables to block IP adress ranges.

I've heard good things about fail2ban.

Perhaps it's time I implemented it on my laptop and cloud server.

hdk · 11-25-2019, 12:16 AM

https://github.com/fail2ban/fail2ban/wiki
https://www.fail2ban.org/wiki/index.php/MANUAL_0_8

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	Upgrading Armbian from v24.2.1 gnome, breaks pinebook pro	Sb2024	0	144	11-10-2024, 02:50 PM Last Post: Sb2024
	Pinebook pro won't boot after bootloader installation	jwensouls	4	1,004	08-21-2024, 04:17 AM Last Post: KC9UDX
	[Pinebook Pro/Mobian/XFCE4] can fix touch or screen in greeter not both	SynthGal	0	413	05-31-2024, 09:42 AM Last Post: SynthGal
	Debian on Pinebook Pro	u974615	7	2,943	03-31-2024, 10:11 AM Last Post: u974615
	Pinebook Pro upgrading from the factory image	yamsoup	12	4,259	02-22-2024, 04:02 PM Last Post: tllim
	Help installing Manjaro on eMMC of Pinebook Pro	pine4546464	4	3,285	12-13-2023, 07:22 PM Last Post: trillobite
	Need Help Recovering Manjaro /boot Contents on Pinebook Pro	calinb	6	3,560	12-11-2023, 03:47 AM Last Post: calinb
	Gentoo on Pinebook Pro RELEASE	jannik2099	54	104,336	12-08-2023, 11:25 PM Last Post: tllim
	Boot Order in Pinebook Pro	food	8	2,732	11-23-2023, 07:37 AM Last Post: KC9UDX
	PineBook Pro seems to go to deep sleep, but doesn't wake up	pogo	11	7,515	08-31-2023, 04:20 PM Last Post: TRS-80

Login




Remember me Lost Password?

About Us