12-07-2019, 03:33 PM
(This post was last modified: 12-10-2019, 03:48 PM by Arwen. Edit Reason: Added items. Corrected ssh-keygen syntax)
Here is a guide to some of the hardening you can do on your Pinebook Pro's OS and applications. Each post will be dedicated to a specific type of hardening (and edited for corrections and updates).
Hardening SSH:
Disable Root login:
File - /etc/ssh/sshd_config
PermitRootLogin no
Service - systemctl restart sshd
One other thing that probably should be done is to re-create the host SSH keys. SSH host keys should be unique per host. From what I can tell, the default Debian comes with host SSH keys already created from July 11, 2019. Plus, remove the insecure DSA host key.
Code:
# ls -l ssh_host_*
-rw------- 1 root root 668 Jul 11 16:55 ssh_host_dsa_key
-rw-r--r-- 1 root root 609 Jul 11 16:55 ssh_host_dsa_key.pub
-rw------- 1 root root 227 Jul 11 16:55 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 181 Jul 11 16:55 ssh_host_ecdsa_key.pub
-rw------- 1 root root 411 Jul 11 16:55 ssh_host_ed25519_key
-rw-r--r-- 1 root root 101 Jul 11 16:55 ssh_host_ed25519_key.pub
-rw------- 1 root root 1675 Jul 11 16:55 ssh_host_rsa_key
-rw-r--r-- 1 root root 401 Jul 11 16:55 ssh_host_rsa_key.pub
Here is how to do it.
As user "root", simply run the following commands. If you like, you can put the hostname in the comment, like "MyHost rsa hostkey".
Note that you will be asked for a passphrase. Per the SSH manual page, host keys must have an empty passphrase. Simply hit return when prompted (twice per key).
Code:
cd /etc/ssh
rm ssh_host_*
ssh-keygen -b 4096 -t rsa -C "rsa hostkey" -f ./ssh_host_rsa_key
ssh-keygen -b 521 -t ecdsa -C "ecdsa hostkey" -f ./ssh_host_ecdsa_key
ssh-keygen -t ed25519 -C "ed25519 hostkey" -f ./ssh_host_ed25519_key
Hardening NTP:
Don't allow others to use Pinebook Pro for time source:
File - /etc/ntp.conf
restrict 127.0.0.1 nomodify nopeer noquery limited kod
restrict [::1]
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
Service - systemctl restart ntpd
Disable Samba services (if you are not using them):
Disable services:
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd
Disable Avahi (zeroconf & service discovery):
Disable service:
systemctl stop avahi-daemon.service
systemctl stop avahi-daemon.socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi-daemon.socket
systemctl disable dbus-org.freedesktop.Avahi.service
Chromium browser:
Launcher change: --password-store=basic
--
Arwen Evenstar
Princess of Rivendale
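Added example, not part of the original post: a small POSIX sh audit script that re-checks the sshd root-login, host-key and ntp.conf items from the post. Each check takes a path argument, and the sample files it exercises are constructed in a temporary directory (an assumption; point the functions at /etc to audit the live system).

```shell
#!/bin/sh
# Added audit helper (not from the original post). Each check takes a path
# argument so it can be pointed at /etc or at the constructed samples below.

# Effective value of an sshd_config keyword: like sshd, the first match wins.
sshd_opt() {  # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Passes only if PermitRootLogin is explicitly "no"; an absent line leaves the
# compiled-in default in force, which is not "no", so it fails as well.
check_root_login() {
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ]
}

# Passes if the DSA host key pair is gone and the rsa/ecdsa/ed25519 pairs exist.
check_host_keys() {  # $1 = directory holding the ssh_host_* files
    [ ! -e "$1/ssh_host_dsa_key" ] && [ ! -e "$1/ssh_host_dsa_key.pub" ] || return 1
    for t in rsa ecdsa ed25519; do
        [ -s "$1/ssh_host_${t}_key" ] && [ -s "$1/ssh_host_${t}_key.pub" ] || return 1
    done
}

# Passes if ntp.conf ignores the wildcard interface and the loopback restrict
# line carries noquery, i.e. the settings from the post are in place.
check_ntp() {
    grep -Eq '^[[:space:]]*interface[[:space:]]+ignore[[:space:]]+wildcard' "$1" || return 1
    grep -Eq '^[[:space:]]*restrict[[:space:]]+127\.0\.0\.1[[:space:]].*noquery' "$1"
}

# Constructed sample files in a temp dir (assumption: not the live /etc).
T=$(mktemp -d); trap 'rm -rf "$T"' EXIT
printf '# PermitRootLogin yes\nPermitRootLogin no\nPort 22\n' > "$T/sshd_config.good"
printf 'Port 22\n' > "$T/sshd_config.bad"
printf 'restrict 127.0.0.1 nomodify nopeer noquery limited kod\ninterface ignore wildcard\n' > "$T/ntp.good"
printf 'restrict 127.0.0.1 nomodify\n' > "$T/ntp.bad"
mkdir "$T/keys"
for t in rsa ecdsa ed25519; do
    echo k > "$T/keys/ssh_host_${t}_key"; echo k > "$T/keys/ssh_host_${t}_key.pub"
done

# Against the live system (run as root so the private key files are readable):
#   check_root_login /etc/ssh/sshd_config && check_host_keys /etc/ssh && check_ntp /etc/ntp.conf
```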