Manjaro - more secure

Author Topic: Manjaro - more secure  (Read 5754 times)

Offline michael_christoph
Manjaro - more secure
« on: October 31, 2015, 08:43:40 PM »
How to make Manjaro Linux more secure!
....or.....
How to harden Manjaro Linux while putting
no limits on its functionality!

Here are my suggestions:

[1]
After successful installation, do a full system update

   sudo pacman -Syu

[2]
Install and enable the personal firewall (yes, even
if you are behind a router)

   sudo pacman -S ufw
   sudo systemctl enable ufw.service
   sudo systemctl start ufw

Now that it is started, implement the two standard rules

   sudo ufw default deny incoming
   sudo ufw default allow outgoing

These two rules are sufficient if you are facing a
standalone client without any network except the
internet.

[3]
Install some tools that are useful to defend against
software doing harm

   sudo pacman -S rkhunter unhide checksec

rkhunter looks for rootkits, unhide reveals hidden processes
and checksec is a tool to test whether installed programs
provide hardened code (NX bit, canary, full/partial RELRO)

you can run/automate rkhunter on a daily basis

   cd /etc/cron.daily
   sudo touch rkhunter
   sudo chmod +x rkhunter
   
now edit the file rkhunter

   sudo nano rkhunter

and fill in

   #!/bin/sh
   # files in /etc/cron.daily are run as scripts, so the file holds
   # the command itself, not a crontab schedule line
   /usr/bin/rkhunter --cronjob --update --quiet

or run it by hand

   sudo /usr/bin/rkhunter --update
   sudo /usr/bin/rkhunter --propupd
   sudo /usr/bin/rkhunter -c --enable all --disable none --rwo

save the file and keep track of the log file
   
   /var/log/rkhunter.log


[4]
Set the umask value to 077

   sudo nano /etc/login.defs
 
   change umask from 022 to 077

Do the same in /etc/profile

Change the values of password aging controls in
/etc/login.defs

   sudo nano /etc/login.defs

   change the value --> PASS_MAX_DAYS
   from 99999 to 365
   change the value --> PASS_MIN_DAYS
   from 0 to 345
   change the value --> PASS_WARN_AGE
   from 7 to 20

The values 365, 345 and 20 are up to you; choose
your own.

Some words on password security:

Passwords will become irrelevant in the future
because of upcoming quantum computing.
Nevertheless, your password should meet the
usual requirements (min. 8 characters, lower- and
uppercase letters, numbers, special characters).
The more different characters a password contains, the
harder it is to crack, because every character that
is different increases the so-called entropy by one
bit. Entropy is a measure of how much effort a hacker
must expend to crack a password.

[5]
Do some hardening on the installed kernel.
Change to

   /etc/sysctl.d

and edit the conf file there

   sudo nano 100-manjaro.conf

Paste the following lines in there

vm.swappiness = 1
net.ipv4.tcp_rfc1337 = 1
kernel.kptr_restrict = 1
kernel.core_uses_pid = 1
kernel.sysrq = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.enp3s0.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.enp3s0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.enp3s0.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.enp3s0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
kernel.dmesg_restrict = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# IPv6 Options
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

Save the file and type

   sudo sysctl -p 100-manjaro.conf

to apply all the settings. Alternatively reboot.
If you are presented with errors, look closer
at the lines the errors occur. You may have to
uncomment some lines or to change the name of
the network adapter from enp3s0 ( in my case )
to the one yours is called.

   ip link show

shows you the name ( 1:lo ; 2:[name of your ethernet adapter] )

[6]
To protect not only the kernel but also the system a bit
more, you can protect your system against fork bombs, which
will open as many processes as possible until your system
becomes unresponsive. Fork bombs are annoying because they
DoS a system in a matter of seconds.

To prevent such a game, go to the directory

   cd /etc/security

edit the file

   sudo nano limits.conf

add two lines at the bottom

   *    soft    nproc    100
   *    hard    nproc    200

which limits an authenticated user to 100 active processes, unless
they use the ulimit command to raise their maximum to 200.


[7]
After hardening the kernel a bit, we now harden the GRUB menu
by making it ask for a username and password at startup.
So the system will not boot without authentication.

To do so open a terminal and do

   sudo grub-mkpasswd-pbkdf2

it asks you for a password which can (or should) be different
from your system password. Repeat the password and
press enter


the output is a very long hash beginning with

   grub.pbkdf2.sha512.10000........

copy the whole hash value, open a second terminal
and go to
   
   cd /etc/grub.d
   
there, edit the file

   sudo nano 40_custom

add these two lines

   set superusers="yourusername"
   password_pbkdf2 yourusername <password>

where the string <password> has to be replaced with the
prior copied hash. Example of mine:

   set superusers="michael"
   password_pbkdf2 michael grub.pbkdf2.sha512.A4C5.....

Save the file and rewrite the grub configuration by

   sudo grub-mkconfig -o /boot/grub/grub.cfg

Reboot....

[8]
To further heighten the security of your system, your
user account can be locked after a specified number of
failed login attempts. In order to do this you have to
edit the file

   sudo nano /etc/pam.d/system-login

and edit the first line

   auth required pam_tally.so onerr=succeed file=/var/log/faillog

change this line to

   auth required pam_tally.so deny=3 unlock_time=120 onerr=succeed file=/var/log/faillog
   
which will lock your account after 3 failed logon attempts for two minutes.

[9]
These days, attacks on the user are carried out through the browser.
In the same way your privacy is attacked and violated, and ads, spam and
other crap are knocking at your browser while you surf the internet.
To mitigate this harm, let's have a look at the Firefox browser and
what can be done here.

First step:
Install four useful addons

   https everywhere
   privacy badger
   ublock
   flashblock
   no_script ( if you like to do spend time on its configuration )

https everywhere: sits in between your browser and the website and
    calls the hosting server to encrypt the session

privacy badger/ublock: you get rid of all these ads and crappy windows

flashblock: no popping up and self-playing flash advertising videos

no_script: a lot of content is loaded by scripts. In fact, not all
    the content you see on a website is really located there.
    Scripts are nothing bad but are widely used to put malicious
    trojans on your system. No_script stops all the scripts,
    allowing only scripts on those sites you granted. As it is
    working on a whitelist, you have to spend a lot of effort
    on it. But it is good once you have conditioned it.


Second step:
Disable the fallen crypto algorithm RC4 completely.
In your firefox address line type        

   about:config

confirm the security warning you get and type in the
appearing search field

   RC4

you should immediately see five entries in the list.
Go and double click every one of them so all the
VALUEs change from TRUE to FALSE.

as an example this entry
security.ssl3.rsa_rc4_128_sha    user set boolean true

should change to
security.ssl3.rsa_rc4_128_sha    user set boolean false


Now your security has risen from 68 to 84 in an average
audit tool, which is quite a bit. A totally secure system is
nothing more than inoperable; therefore this tutorial ends
here.

Two additions:

1.) Host.conf

Edit the host.conf file:

sudo nano /etc/host.conf

Add the following line:

nospoof on

Save your change and close the editor.

2.) Fstab

open the fstab file:

sudo nano /etc/fstab

locate the line that begins with  -->  tmpfs

change the line to look like this example

tmpfs     /tmp           tmpfs   defaults,noatime,nosuid,noexec,mode=1777 0       0


I'm ready, thanks for reading


   Michael Christoph


« Last Edit: July 08, 2016, 06:02:45 AM by michael_christoph »
"...videtur autem ut verum sit omnino idem quod ens..."
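Added example (editor's code, not part of michael_christoph's post): after writing the sysctl file from step [5], a practitioner usually wants to confirm that the running kernel actually carries those values, and to swap the post's interface name (enp3s0) for the local one before checking. The helpers below are plain POSIX shell so they run anywhere; SYSCTL_ROOT (default /proc/sys) and IFACE are names chosen here for the example, and the config excerpt at the bottom is constructed from the post's own keys.

```sh
#!/bin/sh
# Added example, not part of the forum post: audit a sysctl hardening file
# such as /etc/sysctl.d/100-manjaro.conf against the running kernel.
# Assumptions: SYSCTL_ROOT (default /proc/sys) and IFACE are names chosen
# here; the interface name enp3s0 is the one used in the post.

# "net.ipv4.conf.all.rp_filter" -> "/proc/sys/net/ipv4/conf/all/rp_filter"
sysctl_key_to_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Read sysctl.conf-style text on stdin, print "key value" pairs:
# comments and blank lines dropped, "key = value" spacing normalised.
parse_sysctl_conf() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e 's/[[:space:]]*=[[:space:]]*/ /'
}

# Rewrite the post's interface name to this machine's (see `ip link show`).
# Usage: substitute_iface enp3s0 wlp2s0 < conf
substitute_iface() {
    sed "s/\.$1\./.$2./g"
}

# Compare each "key value" pair on stdin with the live kernel value.
# Prints OK / MISMATCH (with both values) / ABSENT (no such entry, e.g. an
# interface-specific key for a NIC that is not present). Returns 1 on any
# MISMATCH so the function can gate a script.
audit_sysctl_file() {
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        path=$(sysctl_key_to_path "$key")
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            printf 'ABSENT   %s\n' "$key"
            continue
        fi
        # /proc/sys values may be tab separated (kernel.printk); normalise
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        if [ "$have" = "$want" ]; then
            printf 'OK       %s\n' "$key"
        else
            printf 'MISMATCH %s want=%s have=%s\n' "$key" "$want" "$have"
            bad=1
        fi
    done
    return "$bad"
}

# Demo on a constructed excerpt of the post's file. On a real box run:
#   parse_sysctl_conf < /etc/sysctl.d/100-manjaro.conf | audit_sysctl_file
IFACE=${IFACE:-enp3s0}   # assumption: set IFACE to your NIC name
sample='# constructed excerpt, same keys as the post
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
net.ipv4.conf.enp3s0.rp_filter = 1
fs.protected_symlinks = 1'
printf '%s\n' "$sample" | substitute_iface enp3s0 "$IFACE" | parse_sysctl_conf \
    | audit_sysctl_file || echo "some keys differ from the file (or are absent)"
```

The check reads /proc/sys directly rather than calling `sysctl`, so it works without root and reports interface-specific keys as ABSENT instead of erroring when the NIC name in the file does not match the machine, which is exactly the failure the post describes after `sysctl -p`.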

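A second added example (editor's code, not from the post): the file edits in steps [4] and the two additions (umask and password ageing in /etc/login.defs, the tmpfs /tmp options in /etc/fstab, nospoof in /etc/host.conf) are easy to get subtly wrong, so this checks them. Every helper reads the file on stdin, which lets it run on constructed samples as well as on the live files. It goes one step beyond the post in asking for nodev on /tmp alongside nosuid and noexec; that option is this example's assumption, not something the post sets, and the sample files at the bottom are constructed.

```sh
#!/bin/sh
# Added example, not part of the forum post: check the file-based settings
# the post changes. All helpers read the file text on stdin.

# Print the value of KEY from login.defs text (commented lines start with
# '#', so their first field never equals KEY). Last assignment wins.
login_defs_get() {
    awk -v k="$1" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# Print the mount options (given as arguments) that are missing from the
# tmpfs /tmp line of an fstab on stdin. Prints an empty line and returns 0
# when none are missing; returns 1 otherwise (also when no such line exists).
fstab_tmp_missing() {
    opts=$(awk '$1 == "tmpfs" && $2 == "/tmp" { print $4 }' | tail -n 1)
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# 0 if host.conf text on stdin enables nospoof, 1 otherwise.
host_conf_nospoof() {
    grep -Eq '^[[:space:]]*nospoof[[:space:]]+on[[:space:]]*$'
}

# PASS/FAIL report. Arguments: login.defs fstab host.conf. Returns 1 on any FAIL.
audit_host_files() {
    rc=0
    u=$(login_defs_get UMASK < "$1")
    if [ "$u" = "077" ]; then echo "PASS UMASK 077"
    else echo "FAIL UMASK is '${u:-unset}', want 077"; rc=1; fi

    m=$(login_defs_get PASS_MAX_DAYS < "$1")
    case "$m" in
        ''|*[!0-9]*) echo "FAIL PASS_MAX_DAYS is '${m:-unset}'"; rc=1 ;;
        *) if [ "$m" -le 365 ]; then echo "PASS PASS_MAX_DAYS $m"
           else echo "FAIL PASS_MAX_DAYS $m exceeds 365"; rc=1; fi ;;
    esac

    # nodev is this example's addition to the post's nosuid,noexec
    if miss=$(fstab_tmp_missing nosuid noexec nodev < "$2"); then
        echo "PASS /tmp has nosuid,noexec,nodev"
    else echo "FAIL /tmp lacks: $miss"; rc=1; fi

    if host_conf_nospoof < "$3"; then echo "PASS host.conf nospoof on"
    else echo "FAIL host.conf nospoof missing"; rc=1; fi
    return "$rc"
}

# Demo on constructed samples (not copied from any real system). The fstab
# line is the post's own, so the nodev check reports FAIL here on purpose.
tmp=$(mktemp -d)
printf 'UMASK\t\t077\nPASS_MAX_DAYS\t365\nPASS_MIN_DAYS\t0\n' > "$tmp/login.defs"
printf 'tmpfs /tmp tmpfs defaults,noatime,nosuid,noexec,mode=1777 0 0\n' > "$tmp/fstab"
printf 'multi on\nnospoof on\n' > "$tmp/host.conf"
audit_host_files "$tmp/login.defs" "$tmp/fstab" "$tmp/host.conf" \
    || echo "at least one check failed"
rm -rf "$tmp"
# Against the live system:
#   audit_host_files /etc/login.defs /etc/fstab /etc/host.conf
```

Because the helpers take stdin, they can be pointed at a backup copy before and after an edit to see exactly which setting changed; the umask in /etc/profile is not covered, since that file is a script rather than a key/value list.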
Offline vstarsteve
Re: Manjaro - more secure
« Reply #1 on: December 03, 2016, 02:39:11 PM »
WOW! Thanks for the tutorial, I'm working with it.