---
title: "linux hardening"
date: 2021-09-24
---

today we will deal with a great subject, hardening in linux. the most obvious step, encrypting your whole disk or at least your user's folder, would be interesting. well, on this day i'm just going to show you how to encrypt your home directory.

note: we will be using alpine linux (3.14) as the operating system to develop this article.

encrypting home directory
=========================

first let's install the necessary packages. if you are using alpine linux (3.14) too, enable the community repository.

---
# apk add ecryptfs-utils rsync lsof
---

after installing them, we have to load the module into the kernel:

---
# modprobe ecryptfs
---

now let's run this as root to encrypt the user's home:

note: the user whose home directory you want to encrypt does not need to be logged in.

---
# ecryptfs-migrate-home -u <user>
---

when done, the user must log in before restarting the computer. if the user can access the files in their home directory, you can remove the backup folder in /home/<user>.<random_characters>

the user must also run this command to get the random encryption key and store it in a safe place (outside the encrypted home directory and not on the same machine) in case a recovery is needed:

---
# ecryptfs-unwrap-passphrase
---

hardening openssh
=================

well, here we'll start with limiting login attempts...

/etc/ssh/sshd_config

---
MaxAuthTries 2
---

this will only allow 1 login attempt per connection. you must restart the ssh server.

this step is probably one of the most important for a really secure ssh server. let's restrict login as the root user:

/etc/ssh/sshd_config

---
PermitRootLogin no
---

to avoid logins with leaked user passwords, let's disable password authentication (don't forget to configure ssh keys first).

/etc/ssh/sshd_config

---
PasswordAuthentication no
---

as an additional measure related to passwords, we will also disable authentication with empty passwords. this will reject login attempts if the user's password is set to an empty or blank value.

/etc/ssh/sshd_config

---
PermitEmptyPasswords no
---

i particularly find it interesting to disable X11 forwarding. the last thing you want is for a malicious user to easily view sensitive information via a gui.

/etc/ssh/sshd_config

---
X11Forwarding no
---

turn off ipv6
=============

if you are not using the ipv6 protocol, you should disable it, as most applications or policies do not require it and it is currently not needed on the server.

/etc/sysconfig/network

---
NETWORKING_IPV6=no
IPV6INIT=no
---

keep /boot as read-only
=======================

the linux kernel and its related files are in the /boot directory, which is read-write by default. changing it to read-only reduces the risk of unauthorized modification of critical boot files.

/etc/fstab

---
LABEL=/boot /boot ext4 defaults,ro 1 2
---

hardening xorg
==============

some distributions run xorg as the root user by default. this is a problem, as xorg contains a lot of old and complicated code that adds a large attack surface and makes it more likely that there will be exploits that can gain root privileges.

/etc/X11/Xwrapper.config

---
needs_root_rights = no
---

you can also migrate to wayland (but this is considered harmful by kill-9.xyz).

kernel
======

today i won't cover anything about the kernel, but i'll leave a great article on the subject.

https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel

bye
===

i think that's enough, i covered a lot of content in a relatively short article. but that's it, until the next one, friend...

source
======

https://wiki.debian.org/TransparentEncryptionForHomeFolder

https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-18-04
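the openssh and /boot sections above list settings to apply but no way to confirm they actually took effect. the script below is an added example (my own code, not from the article or from any of its sources): it audits an sshd_config file for the five directives the article recommends and checks that the /boot entry in fstab carries the ro option. the sample config and fstab files it writes are constructed for the demonstration; the file names under the temporary directory and the function names are my own.

```sh
#!/bin/sh
# Added example: audit sshd_config and fstab for the article's settings.
# Not part of the original article. Runs against constructed sample files.

# directives the article recommends, as KEY=VALUE (constructed list)
SSHD_EXPECTED="MaxAuthTries=2
PermitRootLogin=no
PasswordAuthentication=no
PermitEmptyPasswords=no
X11Forwarding=no"

# sshd_directive FILE KEY -> prints the effective global value of KEY.
# sshd uses the first occurrence of a keyword and ignores later ones, and
# every line after a Match line belongs to that Match block, so we take the
# first non-comment match before any Match line, comparing case-insensitively.
sshd_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per directive, returns 1 if any
# directive is missing or has a value other than the recommended one.
audit_sshd_config() {
    rc=0
    for entry in $SSHD_EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(sshd_directive "$1" "$key")
        if [ "$have" = "$want" ]; then
            printf 'ok   %s %s\n' "$key" "$want"
        else
            printf 'FAIL %s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# boot_is_readonly FSTAB -> returns 0 if the /boot entry has the ro option.
boot_is_readonly() {
    awk '
        /^[[:space:]]*#/ { next }
        $2 == "/boot" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# write_samples DIR -> writes constructed sample files used for the demo.
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
# constructed sample: a typical untouched sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
# constructed sample: after applying the article's settings
MaxAuthTries 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
    cat > "$1/fstab" <<'EOF'
# constructed sample fstab
LABEL=/boot /boot ext4 defaults,ro 1 2
/dev/sda2   /     ext4 defaults    0 1
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== weak sshd_config =="
audit_sshd_config "$tmp/sshd_config.weak" || echo "result: not hardened"
echo "== hardened sshd_config =="
audit_sshd_config "$tmp/sshd_config.hardened" && echo "result: hardened"
boot_is_readonly "$tmp/fstab" && echo "/boot is read-only in fstab"
rm -rf "$tmp"
```

to audit a real host, call `audit_sshd_config /etc/ssh/sshd_config` and `boot_is_readonly /etc/fstab` instead of the sample files. the weak sample shows two traps the check is built around: a directive that only appears commented out counts as unset, and a `PermitRootLogin no` inside a Match block does not harden the global setting. note that a changed sshd_config is only effective after the ssh server is restarted, which a file audit cannot see; `sshd -T` prints the running daemon's effective configuration if you want to compare against that as well.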