Hardening Debian Against Common Surveillance and Security Threats V18.11.10

Table of Contents

Introduction (page 2)
Design Philosophy (page 3)
Threat Model (page 5)
Download and Verify Installation Image Signatures (page 8)
Write Verified Image to Installation Media (page 12)
Protect Motherboard Firmware (page 13)
Operating System Installation Configuration (page 15)
Default Deny Firewall (page 18)
Kernel and Network Hardening (page 21)
Routing Package Management through Tor (page 24)
Minimizing your Software Attack Surface (page 26)
Routing DNS Traffic through Tor (page 27)
Blacklisting Domains with Hosts (page 30)
Configuring Mandatory Access Control (page 33)
Firewalling USB Interfaces (page 38)
Locking the Bootloader (page 42)
Automating Security Scans (page 45)
Running Security Audits (page 51)
Configuring a System-Wide VPN (page 55)
Hardening the Web Browser (page 60)
Keeping Computing Local (page 72)
File and Backup Encryption (page 76)
Testing Your Configuration (page 81)
Closing Thoughts (page 87)
Useful Links and References (page 89)

Introduction

What happened to the Internet? We were sold a promise that it would be a space entrusted to freely explore information and to be a bastion of digital liberty. So why does it seem as though every online entity is maliciously trying to harvest our information and control every aspect of our digital presence? Why are industries and governments so driven to weaponize our own data against us?

When I think about the state of the modern web, I cannot help but recall an old comic shared circa 2008: it depicts the web as a hellscape requiring a metaphorical armored tank of a web browser simply to interact with any site. The image of a battlefield certainly embellishes the situation, although it is not entirely inaccurate. In fact, in 2016 NATO had officially declared the Internet to be a warzone. I would not consider one to be foolish for treating every bit of information entering their computer as a potential assault on their digital well-being.

That is why, in this walk-through, we will look at strengthening every weak point and plugging as many holes as practicable with a Debian installation. We want to ensure that you alone are the absolute authority who has the final say as to what does and does not get to access your computer.

Design Philosophy

The aim of this document is to deliver instructions in a dense and hopefully easy to understand manner. The instructions are presented in a CLI terminal format whenever applicable. Followed beginning to end, in order, this document outlines a way to configure a trustworthy, strong foundation on which to construct your own secure and privacy oriented computer.

This document assumes the reader has already heeded introductory guides: resources which emphasize migrating away from products and services of known surveillance state collaborators. Here, we focus instead on changes and additions which can be made to your security strategy. While many of these methods are described as applied to Debian, most should readily translate to Debian derivatives and other GNU/Linux distributions.

We assume no trust beyond the NIC. Some approaches to securing your privacy enjoy the benefits provided by router hardening. Here, the local machine is considered our only sanctuary. This document also focuses on building out a system from a fresh installation, although nothing should prevent readers from individually adopting some of the outlined practices on an existing installation.

Some of the details surrounding the instructions presented in this document are left intentionally vague. This is done for a few reasons:

1) To keep the guide general and applicable beyond strictly Debian GNU/Linux.
2) To encourage readers to fine tune these configurations to suit their own specific needs.
3) To encourage readers to research beyond what is presented in this guide.

We will focus heavily on free-libre software since, while free software does not guarantee security, it is a hard prerequisite to constructing a trusted computing environment. Commercial proprietary security software does exist for GNU/Linux; however, we cannot place trust in a program to do only what it claims if nobody is allowed to truly investigate its inner workings.

Threat Model

This document addresses the threat faced by most of us: automated dragnet surveillance. Whistleblowers, activists and political dissidents may encounter targeted advanced persistent threats. The other 99.9% of us should instead be concerned with wider pervasive monitoring. We will also cover protecting your system against snooping roommates, coworkers and others who may have physical access to your hardware. And while the methods outlined here cannot guarantee protection to dissidents, whistleblowers or journalists, they may still be helpful as smaller components in a related security strategy.

What we are attempting to defend against:

1) Bulk data collection.
2) Surveillance capitalism.
3) Common adware, malware and spyware.
4) “Evil maid” unauthorized access.

What we are not attempting to defend against:

1) Targeted law enforcement operations.
2) Targeted nation state operations.
3) Other advanced persistent threats.

Below is a rough conceptual model of what we will be building. It forces most input (abstracted to cover network packets, web objects, USB peripherals and others) to traverse a 3 ½ tiered defensive structure.

Line one represents the default deny firewalls which will ultimately make up our outer perimeter. Much of it permits incoming data only at the user’s explicit discretion. And, since all users are prone to error, line two provides a second opinion based on pre-established blacklists by third parties. If the inbound data matches any of these items it will be automatically rejected, unless otherwise authorized by the user. Line three depicts a layer of various confinement strategies which restrict the potential damage that can be unleashed by a malicious program which may have evaded lines one and two. Line three, and the system as a whole, will be monitored by a number of malware and intrusion detection programs. The user is responsible for the remediation of any true positives that are discovered.

The entire system, as well as incoming and outgoing data, will be encapsulated in a layer of encryption as much as is practicable. And, in an effort to truly limit outgoing data as much as possible, any processing that can be done inside of the perimeter will be done locally.

Download and Verify Installation Image Signatures

To ensure that the installation image has not been tampered with or modified between you and the packagers, we want to check published hash sums against our own hash sum of the image. Download the Debian netinst ISO (substituting the latest release version) for your architecture and its hash sums:

    wget --https-only --no-cookies https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-9.5.0-amd64-netinst.iso
    wget --https-only --no-cookies https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA512SUMS
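The verification step described above, written out as an added shell example that is not from the guide itself: it checks a downloaded image against the SHA512SUMS file, shows that a modified image fails the check, and keeps a separate function for checking the sums file's own signature. The file name debian-netinst.iso and the helper names verify_image, verify_sums_signature and demo are assumptions for illustration; the "<digest>  <filename>" layout of SHA512SUMS and the detached SHA512SUMS.sign signature are what Debian publishes beside its images.

```shell
#!/bin/sh
# Added example, not part of the guide: check a downloaded installation
# image against a SHA512SUMS file, and (separately) the sums file against
# its detached OpenPGP signature before trusting it.

# verify_image SUMS_FILE IMAGE_FILE
# Succeeds only when IMAGE_FILE's SHA-512 digest equals the entry for its
# basename in SUMS_FILE. A missing entry counts as failure: an image the
# project never published a digest for is not verified.
verify_image() {
    sums_dir=$(cd "$(dirname "$1")" && pwd) || return 1
    sums="$sums_dir/$(basename "$1")"
    image_dir=$(dirname "$2")
    name=$(basename "$2")
    # Each SHA512SUMS line looks like "<128 hex chars>  <filename>".
    if ! grep -q "[ *]$name\$" "$sums"; then
        echo "verify_image: no entry for $name in $sums" >&2
        return 1
    fi
    # The published file lists every image in the directory; --ignore-missing
    # checks only the files actually present, and --status makes the exit
    # code the sole result (0 = digest matches, non-zero = mismatch).
    ( cd "$image_dir" && sha512sum -c --ignore-missing --status "$sums" )
}

# verify_sums_signature SUMS_FILE
# A digest fetched from the same server as the image only detects a corrupt
# download, not a mirror that served a modified image together with a
# matching sums file. Debian signs SHA512SUMS with a detached signature in
# SHA512SUMS.sign; this checks it. Assumes gpg is installed and the Debian
# CD signing key is already in the local keyring (not called by demo, so
# the demo runs offline).
verify_sums_signature() {
    gpg --verify "$1.sign" "$1"
}

# demo: constructed stand-in files, so nothing is downloaded.
# Prints "intact:ok tampered:fail".
demo() {
    work=$(mktemp -d) || return 1
    # Constructed image: a few bytes, not a real Debian ISO.
    printf 'constructed image contents\n' > "$work/debian-netinst.iso"
    # Constructed SHA512SUMS in the same layout Debian publishes.
    ( cd "$work" && sha512sum debian-netinst.iso > SHA512SUMS )
    if verify_image "$work/SHA512SUMS" "$work/debian-netinst.iso"; then
        intact=ok
    else
        intact=fail
    fi
    # Append one byte to simulate a corrupted or tampered download.
    printf 'X' >> "$work/debian-netinst.iso"
    if verify_image "$work/SHA512SUMS" "$work/debian-netinst.iso"; then
        tampered=ok
    else
        tampered=fail
    fi
    rm -rf "$work"
    echo "intact:$intact tampered:$tampered"
}
```

Run demo to see both outcomes, or, from the download directory, verify_image SHA512SUMS debian-9.5.0-amd64-netinst.iso for a real image. Check the signature on SHA512SUMS before relying on the digest: a sums file that travelled the same path as the image proves only that the download arrived intact, not that the server that published both was honest.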