A complete yet beginner friendly guide on how to secure Linux

reddit

Securing linux: – I’ve seperated categories by “_“ – I’d recommend using sudo -s at the beginning to avoid having to constantly enter your password

Note: For arch based distros I mention pamac as opposed to pacman, as it’s easier to use, and all arch based distros for e.g Garuda, Manjaro, etc have pamac. Since some of these packages are AURs, you need to go to pamac’s gui app, settings, and enable the AUR repo. Else replace “pamac install” with “pacman -S”

__________________________________________________________________________________________

UsbGuard: Protect yourself from physical usb attacks and executing malware/backdoors, this can work by making usb’s read only, unless you explicitly whitelist it.

sudo ln -s /dev/null /etc/systemd/system/usbguard.service #in order for unmask to work

Ubuntu based: sudo apt install usbguard

Arch based: sudo pamac install usbguard

__________________________________________________________________________________________

Configuring USBGuard

After installation run:

  1. usbguard generate-policy #steps 1-2 whitelists already connected devices, e.g your current mouse/keyboard/storage
  2. usbguard generate-policy > /etc/usbguard/rules.conf
  3. systemctl unmask usbguard.service systemctl
  4. start usbguard.service
  5. systemctl enable usbguard.service

To allow a usb device permanently simply run:

usbguard list-devices

usbguard allow-device EnterTheIdHere -p

_____________________________________________________________________________________________

SSH: Essentially, remote access to your devices terminal.

If this is enabled and you don’t use it, it’s best to disable it.

ubuntu based: sudo systemctl disable ssh.service

Arch based (manjaro, Garuda, etc): sudo systemctl disable sshd

_____________________________________________________________________________________________

If you do use it:

Changing the ssh port:

There‘s a few ways to secure ssh, the most obvious being to change the port. A lot argue that this is pointless, but it’ll at least deter less advanced attackers.

The default port is 22 for everyone.

sudo nano /etc/ssh/sshd_config

Change “Port 22” to any unused port. If ur unsure which port hasnt been used, try 99.

_____________________________________________________________________________________________

Fai2ban – deters brute force attacks

Ubuntu/debian based: sudo apt install fail2ban

Arch based: sudo pamac install fail2ban-client

Configuring fail2ban:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local

“Ban time” = how long attackers are banned, “find time” = if an attacker enter a password incorrectly, how long do you have to wait before the incorrect password counter resets, “maxretry“ = the max amount of incorrect passwords before the ban, “ignore ip” = you may want to whitelist your own ip. Make sure to change fail2ban’s port to the one you chose in the previous step. “port = yourporthere“

_____________________________________________________________________________________________

Ssh keys (advanced) * see the “ssh key” section below

_____________________________________________________________________________________________

Network firewall: Only allow internet access to applications which need it.

This can mitigate spyware/trojans, which are rare on linux anyways, and stopping apps from collecting unnecessary info.

Opensnitch does a decent job at this, has a gui which prompts you once when an app wants to use the internet. Although installing this is a bit of a pain since it’s not on any repos, so you’ll have to manually install it.Ubuntu based:

  1. Getting the dependencies
  2. sudo apt-get install protobuf-compiler libpcap-dev libnetfilter-queue-dev python3-pip
  3. go get github.com/golang/protobuf/protoc-gen-go
  4. go get -u github.com/golang/dep/cmd/dep
  5. python3 -m pip install --user grpcio-tools
  6. Getting opensnitch and building it
  7. go get github.com/evilsocket/opensnitch
  8. cd $GOPATH/src/github.com/evilsocket/opensnitch
  9. If command 8 didn’t work, just cd into the downloaded opensnitch folder
  10. make
  11. sudo make install
  12. Enabling the service
  13. sudo systemctl enable opensnitchd
  14. sudo service opensnitchd start
  15. opensnitch-ui

Arch based: Someone made an aur, which saves you so much time:

  1. pamac install opensnitch-git
  2. sudo systemctl start opensnitchd

_____________________________________________________________________________________________

Malware/rootkit scanner: I wouldn’t really say this is necessary, but if you think you have malware then you can run a scan:

Ubuntu based: sudo apt-get install clamav clamav-daemon

Arch based: sudo pamac install clamav

_____________________________________________________________________________________________

File permissions: You may want to get familiar with chmod, and chown, to change file permissions. For e.g, if you store important files somewhere you may want to make it require root access in order to read/write: in which case you‘d run:

sudo chown root:root /path/to/application

sudo chmod 700 /path/to/application

_____________________________________________________________________________________________

Sandboxing

I’d suggest learning firejail, or bubblewrap (more advanced), to sandbox and isolate apps.

However, if that sounds too complicated, then downloading apps as flatpaks is a great way to have some security, whilst not a silver bullet, its extremely easy to use and permissions can be managed through it’s gui app: flatseal, or just cli.

_____________________________________________________________________________________________

Other, more general tips below:

_____________________________________________________________________________________________

DNS: not really linux related, but I’d recommend doing this.

By default, ur using plain text dns, it’s vulnerable to mitm attacks, your isp can log all traffic, etc. By doing this, you’d also have the ability to block ads/trackers/malware/and malicious ip’s reported for ssh attacks

You’ll be selfhosting adguard home (only takes 1 command), and can even use this on other devices, but if you don’t want to leave your computer on 24/7, then you can use it solely on your own device.

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

That’s it, then go to http://localhost:3000, to access its web gui. (It might not be port 3000, as I did this ages ago, but it says in the terminal, change the ports to anything else within the web gui if planning on selfhosting the apps below)

It’s best to setup https for its web interface, but feel free to skip this step:

openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out adguard1234g.crt -keyout adguard1234g.key

Go to settings > encryption settings > enable https, force https, and quite simply copy and paste adguard1234g.crt into the certificate field, and adguard1234g.key into the key field. That’s it. You can access it through https not http now. https://localhost

_____________________________________________________________________________________________

Adguard Home recommended settings

Configuring adguard home should be common sense since it has an easy to use gui. But here’s my recommendations:

Settings > dns > in the first box enter any dns provider. I’d recommend using quad9 as its recent move to switzerland, and change in privacy policy, makes it the best dns provider in terms of privacy imo. Its also one of the fastest.

Quad9’s Dnscrypt: 2.dnscrypt-cert.quad9.net

Quad9’s dns over tls: tls://dns.quad9.net

Filters > Blocklist

I’d recommend using oisd.nl’s blocklist for ad/tracker/malware/crypto/etc blocking without false positives, or if you’re brave use energised unified/ultimate but be willing to whitelist a lot of stuff.

Why not pihole? Because by default it doesn’t support, dns over tls, dnscrypt, or https for its web interface, etc.

dont use dns-over-https as it’s useless in terms of privacy. Why? The SNI, and OCSP fields aren’t encrypted, which allow seeing the ip address of all queries.

_____________________________________________________________________________________________

Secure cloud storage:

Use cryptomator to auto encrypt files when uploading files to cloud. Use veracrypt for a more secure, but manual option, or just GnuPg which is included by default in most distros, however gnupg doesn’t support folder encryption.

Or selfhost nextcloud on a device which is on 24/7 for your own cloud storage. It’s incredibly easy to setup (with https), and requires 2 commands.

sudo snap install nextcloud

sudo nextcloud.enable-https self-signed

https://localhost

_____________________________________________________________________________________________

Password manager:

Use bitwarden for a free hosted option, keepassxc for an offline/local option, or vaultwarden for selfhosted bitwarden.

___________________________________________________________________________________________

*ssh keys are a great way to secure ssh logins, as it‘ll be unique to you and can even be combined with a passphrase. Bare in mind, this causes issues with a lot of ssh clients, filezilla (sftp file transfer)’s ssh key implementation isnt compatible with openssl, most mobile clients lack this feature.

ssh-keygen

ssh-copy-id username@remote_host – change to ssh key for login.

If ssh-copy-id doesnt work, you’ll need to manually copy the key to your authorised keys.

Now, the server has your public key, and you ssh via your private key.

_____________________________________________________________________________________________

Lastly, use lynis for system audit, and overview of security risks

cd

git clone https://github.com/CISOfy/lynis

cd lynis

lynis audit system

_____________________________________________________________________________________________

Physical attacks:

_____________________________________________________________________________________________

Further securing against physical attacks, when making this post, my intention was leaning closer towards software but included usbguard as it’s probably the most likely physical attack you’ll face, due to how fast and easily it can be performed. However, see the below sections if you want to secure against physical attacks:

_____________________________________________________________________________________________

Encryption:

Its worth noting that, despite having a password, an attacked with physical access to your device can access all files. Encryption solves this problems, and there’s 2 types:

_____________________________________________________________________________________________

Full disk encryption:

Securing and encrypting all files. More convenient than encrypted volumes as you’ll only need to enter your password once, on boot. But it can have an impact on performance by lowering read/write speeds.

Luks: can only be enabled when you’re installing ur os.

Veracrypt’s full disk encryption: can be used after installation. More secure than Luks as it’s had countless security audits, and encrypts the keyfiles in memory preventing malware from accessing it (unlike Luks)

_____________________________________________________________________________________________

Encrypted Volumes:

Encrypt only confidential files within volumes, less convenient, but doesnt impact the entire os’s performance.

Use Veracrypt

___________________________________________________________________________________________

Which encryption algorithm + hash to use?

I didn’t want to overly bloat this post so I said it in a comment instead, see here:

My comment

_____________________________________________________________________________________________

u/13Zero’s advice:

Bios password:

so no one can go around your bootloader password by booting off of an external drive

When booting, press all of the f keys (f1 – f12) and esc, until you get the bios, somewhere in the bios, there’ll be a security section, and underneath that will be “password” option.

Unfortunately, I can’t provide an exact guide for this of these as it’s specific to your device.

_____________________________________________________________________________________________

u/13Zero’s advice:

Boot loader password: – (Advanced)

so no one can change kernel parameters and, say, boot directly into a root terminal

Ubuntu, Arch

_____________________________________________________________________________________________

if anyone else has any other advice that I’ve missed, share it in the comments and I’ll edit this post with ur username

Edits: u/Mister001X

As a general advice it is always a bad idea to run curl installing software from random/untrusted sources.

u/kpcyrd

pamac install arch-audit-gtk

A great tool, notifying you on missing security updates, and vulnerable packages. With support for tor to anonymise requests. Although, bare in mind this tool is already in lynis, so get this only if you want a tray application + notifs.

submitted by /u/SombreSerenity
[link] [comments]