A complete yet beginner-friendly guide on how to secure Linux
News category: Linux Tips
Source: reddit.com
Securing Linux: I've separated categories by "_". I'd recommend running sudo -s at the beginning to avoid having to constantly enter your password.
Note: For Arch-based distros I mention pamac as opposed to pacman, as it's easier to use, and all Arch-based distros (e.g. Garuda, Manjaro, etc.) have pamac. Since some of these packages come from the AUR, you need to open the pamac GUI app, go to settings, and enable the AUR repo.
__________________________________________________________________________________________
USBGuard: protect yourself from physical USB attacks and from malware/backdoors executed off a USB device. It works by making USB devices read only unless you explicitly whitelist them.
Ubuntu based: sudo apt install usbguard
Arch based: sudo pamac install usbguard
To allow a USB device permanently, simply run:
usbguard list-devices
usbguard allow-device EnterTheIdHere -p
_____________________________________________________________________________________________
SSH: essentially, remote access to your device's terminal.
If this is enabled and you don't use it, it's best to disable it.
Ubuntu based: sudo systemctl disable ssh.service
Arch based (Manjaro, Garuda, etc.): sudo systemctl disable sshd
_____________________________________________________________________________________________
If you do use it:
Changing the SSH port:
There are a few ways to secure SSH, the most obvious being to change the port. A lot of people argue that this is pointless, but it'll at least deter less advanced attackers.
The default port is 22 for everyone.
sudo nano /etc/ssh/sshd_config
Change "Port 22" to any unused port. If you're unsure which port hasn't been used, try 22000.
_____________________________________________________________________________________________
Fail2ban - deters brute force attacks
Ubuntu/Debian based: sudo apt install fail2ban
Arch based: sudo pamac install fail2ban-client
Configuring fail2ban:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
"bantime" = how long attackers are banned; "findtime" = if an attacker enters a password incorrectly, how long until the incorrect-password counter resets; "maxretry" = the maximum number of incorrect passwords before the ban; "ignoreip" = you may want to whitelist your own IP. Make sure to change fail2ban's port to the one you chose in the previous step: "port = yourporthere".
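Added example (not from the original post): a shell function that applies the port change from the SSH section above and writes a fail2ban jail.local that watches the same port, so the two can't drift apart. It assumes GNU sed and, if installed, the iproute2 "ss" tool; the config paths, port and your own IP are parameters, so it can be tried on copies first.

```shell
# Change the sshd port and write a matching fail2ban jail in one step.
# Paths are parameters so the function can be tried on copies first.
# Assumes GNU sed (-i without a suffix) and, if present, iproute2 "ss".
set_ssh_port_and_jail() {
    sshd_cfg="$1"    # normally /etc/ssh/sshd_config
    jail_local="$2"  # normally /etc/fail2ban/jail.local
    port="$3"        # e.g. 22000
    ignore_ip="$4"   # your own address, so fail2ban can never lock you out

    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }

    # Refuse a port that something on this host already listens on.
    if command -v ss >/dev/null 2>&1 && ss -Hltn 2>/dev/null | grep -q ":$port "; then
        echo "port $port is already in use" >&2; return 1
    fi

    cp "$sshd_cfg" "$sshd_cfg.bak"
    # Rewrite an existing (possibly commented-out) Port line, or append one.
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$sshd_cfg"; then
        sed -Ei "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$sshd_cfg"
    else
        printf 'Port %s\n' "$port" >> "$sshd_cfg"
    fi

    # fail2ban only watches the port it is told about, so keep it equal to sshd's.
    cat > "$jail_local" <<EOF
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
ignoreip = 127.0.0.1/8 ::1 $ignore_ip

[sshd]
enabled = true
port = $port
EOF
}

# Run this before restarting sshd: a config that fails "sshd -t" locks you out.
sshd_config_ok() {
    sshd -t -f "$1"
}
```

Run it as root on the real paths only after a dry run on copies, then restart sshd and fail2ban.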
_____________________________________________________________________________________________
SSH keys (advanced) * see the bottom of this post
_____________________________________________________________________________________________
Network firewall: only allow internet access to applications which need it.
This can mitigate spyware/trojans (which are rare on Linux anyway) and stop apps from collecting unnecessary info.
OpenSnitch does a decent job at this; it has a GUI which prompts you once when an app wants to use the internet. Installing it is a bit of a pain though, since it's not in any repos, so you'll have to install it manually.
Ubuntu based:
- Getting the dependencies
sudo apt-get install protobuf-compiler libpcap-dev libnetfilter-queue-dev python3-pip
go get github.com/golang/protobuf/protoc-gen-go
go get -u github.com/golang/dep/cmd/dep
python3 -m pip install --user grpcio-tools
- Getting OpenSnitch and building it
go get github.com/evilsocket/opensnitch
cd $GOPATH/src/github.com/evilsocket/opensnitch
- If the go get command above didn't work, just cd into the downloaded opensnitch folder
make
sudo make install
- Enabling the service
sudo systemctl enable opensnitchd
sudo service opensnitchd start
opensnitch-ui
Arch based: someone made an AUR package, which saves you a lot of time:
pamac install opensnitch-git
sudo systemctl start opensnitchd
_____________________________________________________________________________________________
Malware/rootkit scanner: I wouldn't really say this is necessary, but if you think you have malware then you can run a scan:
Ubuntu based: sudo apt-get install clamav clamav-daemon
Arch based: sudo pamac install clamav
_____________________________________________________________________________________________
File permissions: you may want to get familiar with chmod and chown to change file permissions. For example, if you store important files somewhere, you may want to require root access in order to read/write them, in which case you'd run:
sudo chown root:root /path/to/application
sudo chmod 700 /path/to/application
_____________________________________________________________________________________________
Sandboxing
I'd suggest learning Firejail, or Bubblewrap (more advanced), to sandbox and isolate apps.
However, if that sounds too complicated, then installing apps as Flatpaks is a great way to get some security: while not a silver bullet, it's extremely easy to use, and permissions can be managed through its GUI app, Flatseal, or just the CLI.
_____________________________________________________________________________________________
Other, more general tips below:
_____________________________________________________________________________________________
DNS: not really Linux related, but I'd recommend doing this.
By default you're using plain-text DNS, which is vulnerable to MITM attacks, your ISP can log all traffic, etc. By doing this, you'd also have the ability to block ads/trackers/malware and malicious IPs reported for SSH attacks.
You'll be self-hosting AdGuard Home (only takes one command), and can even use it on other devices, but if you don't want to leave your computer on 24/7, then you can use it solely on your own device.
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
That's it; then go to http://localhost:3000 to access its web GUI. (It might not be port 3000, as I did this ages ago, but the installer prints it in the terminal; change the ports to anything else within the web GUI if you plan on self-hosting the apps below.)
It's best to set up HTTPS for its web interface, but feel free to skip this step:
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out adguard1234g.crt -keyout adguard1234g.key
Go to settings > encryption settings > enable HTTPS, force HTTPS, and quite simply copy and paste adguard1234g.crt into the certificate field and adguard1234g.key into the key field. That's it. You can now access it through HTTPS instead of HTTP: https://localhost
_____________________________________________________________________________________________
AdGuard Home recommended settings
Configuring AdGuard Home should be common sense since it has an easy-to-use GUI. But here are my recommendations:
Settings > DNS > in the first box enter any DNS provider. I'd recommend using Quad9, as its recent move to Switzerland and change in privacy policy make it the best DNS provider in terms of privacy, in my opinion. It's also one of the fastest.
Quad9's DNSCrypt: 2.dnscrypt-cert.quad9.net
Quad9's DNS over TLS: tls://dns.quad9.net
Filters > Blocklist
I'd recommend using oisd.nl's blocklist for ad/tracker/malware/crypto/etc. blocking without false positives, or if you're brave use Energized Unified/Ultimate, but be willing to whitelist a lot of stuff.
Why not Pi-hole? Because by default it doesn't support DNS over TLS or DNSCrypt, nor HTTPS for its web interface, etc.
Don't use DNS-over-HTTPS, as it's useless in terms of privacy. Why? The SNI and OCSP fields aren't encrypted, which allows seeing the IP address of all queries.
_____________________________________________________________________________________________
Secure cloud storage:
Use Cryptomator to automatically encrypt files when uploading them to the cloud. Use VeraCrypt for a more secure but manual option, or just GnuPG, which is included by default in most distros; however, GnuPG doesn't support folder encryption.
Or self-host Nextcloud on a device which is on 24/7 for your own cloud storage. It's incredibly easy to set up (with HTTPS) and requires two commands.
sudo snap install nextcloud
sudo nextcloud.enable-https self-signed
_____________________________________________________________________________________________
Password manager:
Use Bitwarden for a free hosted option, KeePassXC for an offline/local option, or Vaultwarden for a self-hosted option.
_____________________________________________________________________________________________
*SSH keys are a great way to secure SSH logins, as the key is unique to you and can even be combined with a passphrase. Bear in mind that this causes issues with a lot of SSH clients: FileZilla (SFTP file transfer)'s SSH key implementation isn't compatible with OpenSSL, and most mobile clients lack this feature.
ssh-keygen
ssh-copy-id username@remote_host
- change to SSH key for login.
If ssh-copy-id doesn't work, you'll need to manually copy the key to your authorized keys.
Now the server has your public key, and you SSH via your private key.
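Added example (not from the original post): the "manually copy the key" fallback mentioned above, as a shell function that appends a public key to the target account's authorized_keys without duplicating it and with the permissions sshd requires. It assumes a POSIX shell plus coreutils, grep and awk; the home directory and key file are parameters, so it can be run against a scratch directory first.

```shell
# Manual equivalent of ssh-copy-id for one account on the server side.
# sshd (with StrictModes on, the default) ignores authorized_keys if ~/.ssh or
# the file itself is writable by anyone else, so the permissions matter.
install_authorized_key() {
    home_dir="$1"   # home of the account that will accept the key
    pubkey="$2"     # path to the .pub file, e.g. ~/.ssh/id_ed25519.pub

    # Accept only a single OpenSSH public-key line: pasting the private key
    # here by mistake is common and disastrous, so refuse multi-line input.
    [ "$(wc -l < "$pubkey")" -le 1 ] || { echo "expected one key line" >&2; return 1; }
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/=]+' "$pubkey" \
        || { echo "not an OpenSSH public key" >&2; return 1; }

    keyfile="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$keyfile"
    chmod 600 "$keyfile"

    # Compare key type + base64 blob only, so a different comment still counts as the same key.
    blob="$(awk '{print $1, $2}' "$pubkey")"
    if awk '{print $1, $2}' "$keyfile" | grep -Fxq "$blob"; then
        echo "key already present" >&2
        return 0
    fi
    # printf normalises a missing trailing newline so keys never get glued together.
    printf '%s\n' "$(cat "$pubkey")" >> "$keyfile"
}

# Number of keys installed for an account; useful when auditing who can log in.
count_authorized_keys() {
    grep -Ec '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" 2>/dev/null || true
}
```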
_____________________________________________________________________________________________
Lastly, use Lynis for a system audit and an overview of security risks:
cd
git clone https://github.com/CISOfy/lynis
cd lynis
lynis audit system
_____________________________________________________________________________________________
If anyone else has any other advice that I've missed, share it in the comments and I'll edit this post with your username.