We now have a "Read-Only filesystem small Debian".
In this stage, we harden the system before connecting it to the Internet to run apt update && apt upgrade.
Rev2
Add notes for wheel.
Remount as rw
We are now in the world of a read-only root filesystem.
root# mount -o remount,rw /
We DO NEED to do this every time we modify /etc. Please don't forget.
Classical network hardening
This is taken from the harden-doc Debian package.
root# nano /etc/sysctl.conf # Uncomment the net.ipv{4,6} related lines.
... rp_filter = 1
... tcp_syncookies = 1
... accept_redirects = 0
... send_redirects = 0
... accept_source_route = 0
... log_martians = 1
root# sysctl -p # apply them, and confirm them.
net.ipv4.conf.default.rp_filter = 1
...
Restrict securetty
Caution!
You need physical root console access under this setting.
NEVER DO THIS FOR REMOTE MACHINES WITHOUT KNOWING WHAT YOU DO.
First, re-login from your "securetty". Let us assume it is tty5.
root# exit # change to tty5 (Hit Ctrl-Alt-F5) and re-login as root
root# w # check which tty you are using now.
(time) up (uptime), 1 user, load average: (loads)
USER TTY FROM LOGIN@ ...
root tty5 - (time) ...
Then, tweak the securetty.
root# mv /etc/securetty /etc/securetty.orig
root# nano /etc/securetty
#tty1 # on desktop, used by gdm3, etc.
#tty2 # on desktop, tends to be used by users' xsessions tty2-4
#tty3
#tty4
tty5
tty6 # and more and/or other ttys such as ttyS0, if you want.
Debian typically provides tty1 through tty6.
Restrict su by PAM
You can restrict users' su so that they cannot become the superuser.
root# nano /etc/pam.d/su
auth required pam_wheel.so # uncomment this
Caution!
Combined with the securetty restriction above, you can only obtain root privileges from a physical securetty console.
System Group "wheel"
As described in the comments in /etc/pam.d/su, you can add the group option to it.
Typically you add a wheel group, set the group=wheel option, and add trusted users to the wheel group.
We don't recommend enabling it.
Warning
NEVER include ordinary daily users in the wheel group.
If such a user is compromised, the account can be abused to gain root, since wheel membership bypasses the securetty restriction under the standard Debian PAM settings.
Confirm security settings
Reboot the box.
root# reboot -n
Check that everything is okay
Assuming we only have tty5 in securetty and the PAM su restriction enabled,
Debian GNU/Linux 9 hostname ttyN (where N != 5)
hostname login: root
Login incorrect
securetty works. No password prompt, just a plain failure.
Change the console to tty5 by hitting Ctrl+Alt+F5.
Debian GNU/Linux 9 hostname tty5
hostname login: root
password: (enter it)
(motd shown)
root@debian:~#
securetty confirmed.
root# systemctl # does not show any "fail"
root# journalctl # does not show any Error.
You can ignore the "kvm disabled" error if you disabled virtualization in the BIOS, and also ignore the Intel DMC firmware loading failure logs.
Next, PAM su restriction.
We need a normal user.
root# mount -o remount,rw / # DON'T FORGET!
root# adduser user
...
Enter new UNIX password: (enter it)
Retype new UNIX password: (enter it)
passwd: password updated successfully
... (these optional info fields are up to you.)
Full Name []:
...
then,
Debian GNU/Linux 9 hostname ttyX
hostname login: user
password: (enter it)
user@hostname:~$ su -
Password: (enter root password)
su: Permission denied
PAM works fine. The password is correct, but su is rejected by the permission check.
You can confirm this in the syslog.
root# journalctl
...
date hostname login[PID]: pam_securetty(login:auth) access denied: tty `...` is not secure !
date hostname login[PID]: FAILED LOGIN (1) on '/dev/ttyX' FOR 'root', Authentication failure
...
date hostname su[PID]: pam_authenticate: Permission denied
date hostname su[PID]: FAILED su for root by USER
date hostname su[PID]: - /dev/ttyX USER:root
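As an added example (not part of the original page), a small POSIX sh audit script that re-checks the three settings made on this page against their files: the sysctl keys, the securetty list and the pam_wheel line in /etc/pam.d/su. The full sysctl key names are an assumption taken from Debian's stock /etc/sysctl.conf for the page's shorthand; the allowed consoles (tty5, tty6) follow the page.

```shell
#!/bin/sh
# Added example, not from the original page: audit the settings this page makes.
# Each check takes the file to inspect, so it can run against copies; "--system" audits live /etc.
# Full key names (Debian's stock /etc/sysctl.conf) assumed for the page's shorthand.
WANTED_SYSCTLS='
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
'

# Return 1 and name each key whose last uncommented assignment in the given
# sysctl.conf differs from the wanted value (the last one wins, as for sysctl -p).
check_sysctl_conf() {
    conf=$1; rc=0
    for kv in $WANTED_SYSCTLS; do
        key=${kv%%=*}; want=${kv#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')  # literal dots in the regex
        got=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$conf" | tail -n 1)
        [ "$got" = "$want" ] || { echo "sysctl: $key is '${got:-unset}', expected $want"; rc=1; }
    done
    return $rc
}
# Return 1 if the securetty file admits any console beyond the allowed ones
# (remaining arguments); comments and blank lines are ignored.
check_securetty() {
    file=$1; shift; rc=0
    for tty in $(sed 's/#.*//' "$file" | awk 'NF { print $1 }'); do
        ok=0
        for allowed in "$@"; do [ "$tty" = "$allowed" ] && ok=1; done
        [ "$ok" -eq 1 ] || { echo "securetty: unexpected entry $tty"; rc=1; }
    done
    return $rc
}
# Return 1 unless pam_wheel.so is an active (uncommented) auth line in pam.d/su.
check_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1" ||
        { echo "pam: pam_wheel.so is not enabled in $1"; return 1; }
}
# Live audit of this box (tty5 and tty6 allowed, as on the page), only on request.
if [ "${1:-}" = "--system" ]; then
    check_sysctl_conf /etc/sysctl.conf
    check_securetty /etc/securetty tty5 tty6
    check_pam_wheel /etc/pam.d/su
fi
```

Run it as sh audit.sh --system after each remount,rw edit of /etc; a silent exit means all three checks passed.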
If you enabled the "wheel" group option of the PAM su module, you should try this.
root# adduser user wheel
(then, from non-securetty)
user$ su -
Password: (type the root password)
root# journalctl # let's see what happened
...
date hostname su[PID]: Successful su for root by user
Use "wheel" with extreme care.
Warning
If you install sudo and add a user to the sudo group, they can do anything. Never do that.
At the very least, edit /etc/sudoers if you install sudo.
Separating sudoers from ordinary users is recommended; say, bob (normal user) and bob-apt (a sudoer who can use apt, with a suitably restricted /etc/sudoers entry).
Let's proceed to the network connection setup.