Hardening your Pinebook Pro software
#1
Here is a guide to some of the hardening you can do on your Pinebook Pro's OS and applications. Each post will be dedicated, (and edited for corrections and updates), for a specific type of hardening.

Hardening SSH:


Disable Root login:
File - /etc/ssh/sshd_config
PermitRootLogin no
Service - systemctl restart sshd


One other thing that probably should be done, is re-create the host SSH keys. SSH host keys should be unique per host. From what I can tell, the default Debian comes with host SSH keys already created from July 11, 2019;
Code:
# ls -l ssh_host_*
-rw------- 1 root root  668 Jul 11 16:55 ssh_host_dsa_key
-rw-r--r-- 1 root root  609 Jul 11 16:55 ssh_host_dsa_key.pub
-rw------- 1 root root  227 Jul 11 16:55 ssh_host_ecdsa_key
-rw-r--r-- 1 root root  181 Jul 11 16:55 ssh_host_ecdsa_key.pub
-rw------- 1 root root  411 Jul 11 16:55 ssh_host_ed25519_key
-rw-r--r-- 1 root root  101 Jul 11 16:55 ssh_host_ed25519_key.pub
-rw------- 1 root root 1675 Jul 11 16:55 ssh_host_rsa_key
-rw-r--r-- 1 root root  401 Jul 11 16:55 ssh_host_rsa_key.pub
Plus, remove the in-secure DSA host key.


Here is how to do it.
As user "root", simply run the following commands. If you like, you can put the hostname in the comment, like "MyHost rsa hostkey".
Code:
cd /etc/ssh
rm ssh_host_*
ssh-keygen -b 4096 -t rsa -C "rsa hostkey" -f ./ssh_host_rsa_key
ssh-keygen -b 521 -t ecdsa -C "ecdsa hostkey" -f ./ssh_host_ecdsa_key
ssh-keygen -t ed25519 -C "ed25519 hostkey" -f ./ssh_host_ed25519_key
Note that you will be asked for a passphrase. Per SSH manual page, host keys must have an empty passphrase. Simply hit return when prompted, (twice per key).

Hardening NTP;

Don't allow others to use Pinebook Pro for time source:
File - /etc/ntp.conf
restrict 127.0.0.1 nomodify nopeer noquery limited kod
restrict [::1]
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
Service - systemctl restart ntpd

Disable Samba services, (if you are not using them);

Disable services:
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Disable  Avahi, (zeroconf & service discovery);

Disable service:
systemctl stop avahi-daemon.service
systemctl stop avahi.daemon. socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi.daemon. socket
systemctl disable dbus-org.freedesktop.Avahi.service

Chromium browser:
Launcher change: --password-store=basic
--
Arwen Evenstar
Princess of Rivendale
#2
A safer and simpler version is to remove the SSH server altogether. Unless you need to SSH into your pbpro, this should be the recommended approach:

sudo apt-get purge openssh-server

Use "purge" instead of "uninstall", so that all configuration files and pregenerated keys are also removed.

Note that the ssh client remains installed, so you can still SSH to remote machines as usually.
#3
(12-07-2019, 03:33 PM)Arwen Wrote: ...
Disable Samba services, (if you are not using them);

Disable services:
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Disable  Avahi, (zeroconf & service discovery);

Disable service:
systemctl stop avahi-daemon.service
systemctl stop avahi.daemon. socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi.daemon. socket
systemctl disable dbus-org.freedesktop.Avahi.service
...

Tip: You can stop and disable the services with a single command:

systemctl disable <service> --now

HTH!
#4
(12-10-2019, 09:56 AM)e-minguez Wrote:
(12-07-2019, 03:33 PM)Arwen Wrote: ...
Disable Samba services, (if you are not using them);

Disable services:
systemctl stop smbd
systemctl disable smbd
systemctl stop nmbd
systemctl disable nmbd

Disable  Avahi, (zeroconf & service discovery);

Disable service:
systemctl stop avahi-daemon.service
systemctl stop avahi.daemon. socket
systemctl stop dbus-org.freedesktop.Avahi.service
systemctl disable avahi-daemon.service
systemctl disable avahi.daemon. socket
systemctl disable dbus-org.freedesktop.Avahi.service
...

Tip: You can stop and disable the services with a single command:

systemctl disable <service> --now

HTH!

Thanks, I had not got that far in the "systemctl" manual page.
--
Arwen Evenstar
Princess of Rivendale
#5
Create a periodic snapshot of your powerpro system.


Possibly Related Threads…
Thread Author Replies Views Last Post
  Pinebook Pro Recovery with Void Linux (xbps) bds 0 364 01-14-2024, 10:21 PM
Last Post: bds
  Write SD cards with Etcher for Pinebook Pro futurejones 17 29,385 03-19-2021, 12:52 AM
Last Post: Alex007
  [GUIDE] ArchLinuxARM on Pinebook Pro hku2 10 19,173 12-25-2020, 05:44 AM
Last Post: boteium
  Program SPI NOR Flash on Pinebook Pro with u-boot on micro SD Card hmuller 0 3,393 09-21-2020, 10:02 AM
Last Post: hmuller
  Installing Docker on Pinebook Pro - update 1/18/20 SuperXkoodA 4 7,445 03-24-2020, 03:19 PM
Last Post: chaoskampf
  Swaywm on Pinebook Pro anjanmomi 10 13,645 02-06-2020, 11:47 AM
Last Post: xmixahlx
  Quick Guide to installing Ubuntu Unity on your Pinebook Pro andybleaden@gmail.com 19 22,991 02-03-2020, 11:17 AM
Last Post: MIchael
  Installing Wine i386 on Pinebook Pro wrzomar 0 3,211 01-31-2020, 03:52 PM
Last Post: wrzomar

Forum Jump:


Users browsing this thread: 1 Guest(s)