Security Checklist
UNDER CONSTRUCTION: The document is currently being modified! |
Introduction
This is geared at providing a checklists one can walk through after setting up a new Arch Linux installation that has an open connection to the internet. Whether it is a server or just a machine at home that you have ports open on; some if not all of this information might be useful to you.
WARNING: While I have administered BSD and Linux machines for many years now, I am not a security expert! |
Root Restrictions
The root user, or super-user account, is the command-line God. It is all powerful and has no allegiances but has the one downfall of doing whatever it is told. To this end it does precisely what it is told, even if that might spell it's own doom and destruction.
Not actually meant in a religious way, more as a scare tactic in to taking it seriously. |
Before continuing verify that your user account, not root, has proper access to sudo (non-restricted with password prompt).
If not, one can simple install sudo. First su to root or login as root via KVM.
# pacaur -S sudo |
And then set the privileges correctly.
# visudo |
%wheel ALL=(ALL) ALL |
Then just make sure the user is apart of the wheel group.
# gpasswd -a kyau wheel |
Provided everything works, log back into the regular user account to begin restricting the root account.
Editor
Hard-code the EDITOR shell variable for the root account.
Putting this in bashrc versus bash_profile makes sure it is used with non-interactive shells in addition to login shells. In addition add a default editor for sudo.
# echo "EDITOR=/usr/bin/rvim\nSUDO_EDITOR=/usr/bin/rvim" | sudo tee --append /root/.bashrc |
If the root account already has a bashrc file setup, make sure it does not already include an EDITOR setting. |
Then hard-code the editor used for visudo to prevent users from launching it with a prefix EDITOR=editor visudo.
# sudo visudo |
Add the following line near the top.
Defaults editor=/usr/bin/rvim |
ArchWiki: "Running a text editor as root can be a security vulnerability as many editors can run arbitrary shell commands or affect files other than the one you intend to edit."
From now on since it is now setup, use sudoedit in order to edit files as the root account instead of using sudo vim file.
This actually has a two-fold response. First it is added security as the file is edited as a copy in user-space and then copied back over the original with sudo once the editor is closed. Second, because the editor then runs in user-space it will use all of the current logged in users settings and themes for said editor along with using their specified editor of choice.
Wheel only Superuser
In order to restrict access to the su command to only the wheel group, edit both /etc/pam.d/su and /etc/pam.d/su-l and uncomment the following.
# Uncomment the following line to require a user to be in the "wheel" group. auth required pam_wheel.so use_uid |
Firewall
Uncomplicated Firewall or ufw is a great choice and it's simple to setup.
Install the package.
# pacaur -S ufw |
Setup some basic rules that will allow SSH but deny everything else.
# sudo ufw default deny # sudo ufw allow SSH |
WARNING: It is highly recommended to open a new SSH window at this point (without closing the current) and verify SSH access still works. |
Enable ufw on boot and then start the service.
# sudo systemctl enable ufw # sudo ufw enable |
To query the rules being applied use the status command argument.
# sudo ufw status |
To see a list of all applications in the ufw database use the app argument.
# sudo ufw app list |
If the creation of a custom application is needed, make one in the /etc/ufw/applications.d directory.
# sudoedit /etc/ufw/applications.d/mycustomapp |
[mycustomapp] title=My Custom App description=Custom App for Blah ports=11000:11005/tcp|11010/udp |
This would create a custom application filter on ports 11000-11005 using tcp and port 11010 using udp. It would then merely need to be enabled.
# sudo ufw allow mycustomapp |
Blacklisting IPs
It might be desirable to blacklist an IP address, maybe you have seen brute force attempts from it or maybe you just want to block it. This can be done by editing /etc/ufw/before.rules. Add the blacklisting to the end of the file before COMMIT.
# sudoedit /etc/ufw/before.rules |
## blacklist section # block just 8.8.8.8 -A ufw-before-input -s 8.8.8.8 -j DROP # block 8.8.*.* -A ufw-before-input -s 8.8.0.0/16 -j DROP # don't delete the 'COMMIT' line or these rules won't be processed COMMIT |
Disable Remote Ping
Change ACCEPT to DROP in the following lines of /etc/ufw/before.rules.
# ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT |
If IPv6 is being used the same can be done inside of /etc/ufw/before6.rules as well.
Crontab
Restricting access to crontab is as simple as creating a /etc/cron.allow and inserting only the names of users you want to allow access to crontab. Every other user on the system will be denied crontab access.
# sudoedit /etc/cron.allow |
root kyau |
File Permissions
The default file permissions, umask 0022, are not setup for security. The NSA themselves recommend a umask of 0077 for maximum security, which makes new files not readable by users other than the owner.
# sudoedit /etc/profile |
Find the line that marks umask 022 and change it to:
umask 077 |
Then make sure the user directory is already setup with the proper permissions, we can also add the boot directory and the firewall configs if present.
# sudo chmod -R go-rwx /root /home/kyau /boot /etc/ufw/ |
Hide Processes
Hiding all other users' processes can make it very difficult for an attacker to assess a system. Adding a line for proc in the fstab file with the right options can limit all users' ability to view processes aside from their own. An exception can also be made for users belonging to the wheel group.
# sudoedit /etc/fstab |
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=wheel 0 0 |
Legacy Services
If at all possible disable all legacy services, there are just too many vulnerabilities in these services. They include but are not limited to: NIS, RSH client/server, talk client/server, telnet, TFTP, XINETD, CHARGEN, Daytime, echo, discard and time.
There are also a few non-legacy services it is recommended to stay away from: X Window system, Avahi Print Server, DHCP server, LDAP, NFS/RPC, DNS server, FTP server, Samba and SNMP.
While some of these services might be required such as DNS, it is highly recommended if at all possible to run these on a private secluded VPS all by itself. This way if that host were to get compromised there would not be any sensitive data aside from the DNS records which are already publicly accessible.
Sysctl
Being honest, Arch Linux comes fairly secure out of the box. Things like source routed packets, packet forwarding, multicast packet forwarding and ICMP redirection all default to disabled. Alas, improvements can still be made.
Sysctl can be used to change kernel parameters at runtime by adding to the file /etc/sysctl.d/50-security.conf. There are several improvements that can be made here security wise. Not all of these will be optimal in every use case scenario, but none of them will have harmful effects on your system unless you are running it as a router.
Log Martian Packets
Setup logging on martian packets so as an administrator one can diagnose the system when an attacker is sending spoofed packets.
net.ipv4.conf.default.log_martians=1 net.ipv4.conf.all.log_martian=1 |
Secure ICMP Routing Redirects
If the source gateway is compromised then an user can update the routing table using Secure ICMP redirects. This can potentially lead to remote packet capture.
This can be disabled.
net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 |
Send Redirects
An unauthorized user can use a compromised host to send ICMP redirects packets to another routing device to corrupt its routing. This functionality can be disabled.
net.ipv4.conf.default.send_redirects=0 net.ipv4.conf.all.send_redirects=0 |
TCP SYN
An attacker can start a DDoS attack at the server by flooding it with SYN packets without initializing three way handshake. Setting this will helps protect against SYN flood attacks, however it only kicks in when net.ipv4.tcp_max_syn_backlog is reached.
net.ipv4.tcp_syncookies=1 |
TCP Time-wait
To protect against TCP time-wait assassination hazards drop all RST packets for sockets in the time-wait state (not widely supported outside of Linux, but conforms to RFC).
net.ipv4.tcp_rfc1337=1 |
Restrict Kernel Log Access
Kernel logs can contain sensitive system information that you might not want everyone on your system to have access to. This will restrict access to only the root account.
kernel.dmesg_restrict=1 |
Restrict Kernel Pointers Access
Allowing all users to view kernel pointer addresses can make it easier for kernel exploits to occur. Again restrict this to only the root account.
kernel.kptr_restrict=1 |