This chapter is not enough on its own; it covers only minimum security.
However, you should at least do this, right after you install the system.
Rev12
Title tweaked.
Added some security notes and a network workaround, and tweaked the NIC name memo command (from the 2nd edition).
APT setups
Include or confirm the security line in your APT sources.
Warning
If it is a server, exclude contrib and non-free, since the security team does not cover them.
Now we can use the deb.debian.org CDN.
root# nano /etc/apt/sources.list
deb http://deb.debian.org/debian stretch main
deb http://deb.debian.org/debian stretch-updates main
deb http://security.debian.org/ stretch/updates main
codename or stable/testing
tier1.jp recommends using the codename, such as stretch.
If you use stable instead, one day your system will suddenly undergo a major upgrade when the next release is promoted to stable.
Read the release notes of the next Debian version first.
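The three points above (security line present, no contrib/non-free on a server, codename instead of stable/testing) are easy to check by script. Here is an added example, not tier1.jp's own tooling; it audits any sources.list you pass to it and is demonstrated on two constructed sample files rather than /etc/apt/sources.list. It assumes the plain "deb URL suite components" line form; "deb [options] URL ..." lines are not handled.

```shell
# Added example (not tier1.jp's script): audit a sources.list file.
# Returns 0 when all three checks pass, 1 otherwise, printing what is wrong.
check_apt_sources() {
    file="$1"
    status=0
    # Only "deb URL suite components..." lines, leading whitespace removed.
    # (Assumption: plain form; "deb [options] URL ..." is not handled.)
    lines=$(sed -n 's/^[[:space:]]*\(deb[[:space:]].*\)/\1/p' "$file")

    # 1. The security line must be present.
    if ! printf '%s\n' "$lines" | grep -Eq '^deb[[:space:]]+https?://security\.debian\.org/'; then
        echo "MISSING: security.debian.org line"
        status=1
    fi
    # 2. contrib / non-free are not covered by the security team: flag them.
    if printf '%s\n' "$lines" | grep -Eqw 'contrib|non-free'; then
        echo "WARN: contrib/non-free enabled"
        status=1
    fi
    # 3. The suite (3rd field) should be a codename such as stretch, not stable/testing.
    if printf '%s\n' "$lines" | awk '{print $3}' | grep -Eq '^(stable|testing)(-updates)?$'; then
        echo "WARN: suite is stable/testing, use a codename such as stretch"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $file"
    return "$status"
}

# Constructed sample: the sources.list shown above.
GOOD_SOURCES=$(mktemp)
cat > "$GOOD_SOURCES" <<'EOF'
deb http://deb.debian.org/debian stretch main
deb http://deb.debian.org/debian stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF

# Constructed sample: every mistake the section warns about at once.
BAD_SOURCES=$(mktemp)
cat > "$BAD_SOURCES" <<'EOF'
# security line forgotten, tracking "stable", contrib and non-free enabled
deb http://deb.debian.org/debian stable main contrib non-free
deb http://deb.debian.org/debian stable-updates main contrib non-free
EOF

check_apt_sources "$GOOD_SOURCES"
check_apt_sources "$BAD_SOURCES" || echo "fix $BAD_SOURCES before going online"
```

Run it as root against /etc/apt/sources.list once the file is edited; a non-zero exit means at least one of the three points needs attention.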
APT with /tmp noexec (optional)
In short, let APT use an ephemeral tmpfs.
As a result, installs and upgrades will be fast, provided you have plenty of DRAM.
Warning
This is necessary if you use /tmp with noexec, because APT extracts package templates and config scripts into its temp directory and runs them from there.
This also requires enough DRAM and/or swap area.
Note
You can also use this method simply for fast APT operations.
4GB of DRAM can handle a GNOME install (gnome-core).
root# mkdir -p /srv/apt/temp # this mountpoint is an example.
root# nano /etc/apt/apt.conf.d/01-tempdir
APT::ExtractTemplates::TempDir "/srv/apt/temp";
DPkg {
Pre-Invoke { "mount -t tmpfs tmpfs /srv/apt/temp" };
Post-Invoke { "umount /srv/apt/temp" };
};
Find and choose your NIC
root# ls /sys/class/net # check your NIC name(s),
enpX lo
root# basename /sys/class/net/enpX >> /etc/network/interfaces # and memo it
From here on, assume enpX is the main NIC.
Setup the network
tier1.jp uses static IPs for desktop PCs, workstations, and local servers.
DHCP is used for mobile devices (within the DHCP range set by the router).
Say we are on our local network, behind the router 192.168.1.1.
Static IP case: An example
root# nano /etc/network/interfaces # edit it with the memo above
allow-hotplug enpX
iface enpX inet static
address 192.168.1.X/24
gateway 192.168.1.1
dns-nameservers 192.168.1.1
DHCP case: An example
root# nano /etc/network/interfaces
allow-hotplug enpX
iface enpX inet dhcp
DNS setup: An example
root# nano /etc/resolv.conf
nameserver 192.168.1.1
Before you connect,
You should check some security settings before you connect to the Internet.
However, the methods we use are not the ordinary ones. Many people use sudo and/or su (with the wheel group).
- We restrict securetty.
- We do not use sudo, or if we must, we provide a restricted sudoers.
- We do not use su via the so-called wheel system group.
The reason is simple: keep root privilege local to the physical console.
In the 2nd edition we assume these settings to be our default.
Restrict securetty (optional)
Caution!
You need physical root console access under this setting.
NEVER DO THIS FOR REMOTE MACHINES WITHOUT KNOWING WHAT YOU DO.
First, log in again from your "securetty". Let us assume it is tty5.
root# exit
(change to tty5 and login as root)
root# w # make sure which tty you are using now.
(time) up (uptime), 1 user, load average: (loads)
USER TTY FROM LOGIN@ ...
root tty5 - (time) ...
Then, tweak the securetty.
root# mv /etc/securetty /etc/securetty.orig
root# nano /etc/securetty
#tty1 # on desktop, used by gdm3, etc.
#tty2 # on desktop, tends to be used by users' xsessions tty2-4
#tty3
#tty4
tty5
tty6
Add more and/or other ttys, such as ttyS0, if you want. pam_securetty compares each line to the tty name verbatim, so keep one bare name per line and put any comments on their own "#" lines.
Restrict su by PAM (optional)
You can restrict users from becoming the superuser with su.
root# nano /etc/pam.d/su
auth required pam_wheel.so # uncomment this
Caution!
Combined with the securetty above, you can only obtain root privilege from a physical securetty.
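To see what the two files above actually allow before rebooting, here is an added audit script (not tier1.jp's own). It models pam_securetty's matching (a line must equal the tty name exactly; lines starting with "#" are skipped) and looks for an active pam_wheel line in pam.d/su. It is demonstrated on constructed copies of the files, not the live ones; point it at /etc/securetty and /etc/pam.d/su when you run it for real.

```shell
# Added example (not tier1.jp's script): audit securetty and pam.d/su.

# Print the tty names securetty permits, one per line (comment lines skipped,
# nothing else trimmed, mirroring pam_securetty's verbatim comparison).
secure_ttys() {
    grep -v '^#' "$1" | grep -v '^$'
}

# 0 if the given tty may receive a root login, 1 otherwise.
tty_is_secure() {
    secure_ttys "$1" | grep -qx "$2"
}

# 0 if pam_wheel.so is active (not commented out) in the given pam.d/su file.
su_restricted_by_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# One-line verdict combining both, as the Caution above describes.
root_access_summary() {
    ttys=$(secure_ttys "$1" | tr '\n' ' ')
    if su_restricted_by_wheel "$2"; then
        su_state="su restricted by pam_wheel"
    else
        su_state="su NOT restricted"
    fi
    echo "root login only on: ${ttys}| $su_state"
}

# Constructed copy of the securetty written above.
SECURETTY_SAMPLE=$(mktemp)
cat > "$SECURETTY_SAMPLE" <<'EOF'
#tty1
#tty2
#tty3
#tty4
tty5
tty6
EOF

# Constructed excerpt of /etc/pam.d/su with the pam_wheel line uncommented.
PAM_SU_SAMPLE=$(mktemp)
cat > "$PAM_SU_SAMPLE" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so
auth       required   pam_unix.so
EOF

root_access_summary "$SECURETTY_SAMPLE" "$PAM_SU_SAMPLE"
tty_is_secure "$SECURETTY_SAMPLE" tty2 || echo "tty2: root login will be refused"
```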
Finalize
Reboot the box.
root# reboot -n
Check that everything is okay
root# journalctl
You can ignore the "kvm disabled" error if you disabled virtualization in the BIOS.
If you chose the securetty and PAM restrictions, let's check them now.
Assuming we only have tty5 in securetty and the PAM su restriction is enabled:
Debian GNU/Linux 9 hostname ttyN (N != 5)
hostname login: root
Login incorrect
securetty works: no password prompt, just a plain failure.
Change the console to tty5 by hitting Ctrl+Alt+F5.
Debian GNU/Linux 9 hostname tty5
hostname login: root
password: (enter it)
(motd shown)
root@hostname:~#
securetty confirmed.
Next, PAM su restriction.
Debian GNU/Linux 9 hostname ttyX
hostname login: user
password: (enter it)
user@hostname:~$ su -
Password: (enter root password)
su: Permission denied
PAM works fine. The password is correct, but access is denied by the permission check.
You can confirm it in the journal.
root# journalctl
...
date hostname login[PID]: pam_securetty(login:auth) access denied: tty `...` is not secure !
...
date hostname su[PID]: pam_authenticate: Permission denied
date hostname su[PID]: FAILED su for root by user
In this scenario, you can only log in as root on tty5, and nobody can become root via su, even if they know the root password.
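The two journal messages above are also what you would watch for afterwards: repeated securetty denials or failed su attempts tell you someone is trying, and a successful su to root tells you the PAM restriction is not in effect. Here is an added example (not tier1.jp's script) that summarizes them from journal output; the log lines are constructed for the example, and the exact wording can differ between PAM versions, so compare the patterns against your own journalctl output before relying on them.

```shell
# Added example (not tier1.jp's script): summarize securetty/su refusals
# from journal text. Constructed sample lines follow the format shown above.
AUTH_LOG_SAMPLE=$(mktemp)
cat > "$AUTH_LOG_SAMPLE" <<'EOF'
Jan 10 09:58:12 hostname login[812]: pam_securetty(login:auth): access denied: tty `tty2' is not secure !
Jan 10 09:58:12 hostname login[812]: FAILED LOGIN (1) on '/dev/tty2' FOR 'root', Authentication failure
Jan 10 09:59:40 hostname login[815]: pam_securetty(login:auth): access denied: tty `tty3' is not secure !
Jan 10 10:01:03 hostname su[901]: pam_authenticate: Permission denied
Jan 10 10:01:03 hostname su[901]: FAILED su for root by user
Jan 10 10:05:21 hostname su[933]: pam_authenticate: Permission denied
Jan 10 10:05:21 hostname su[933]: FAILED su for root by alice
Jan 10 10:05:40 hostname su[940]: FAILED su for root by alice
Jan 10 10:06:00 hostname su[951]: pam_unix(su:session): session opened for user root by admin(uid=1001)
EOF

# Number of root logins refused by pam_securetty.
count_securetty_denials() {
    grep -c 'pam_securetty(login:auth): access denied' "$1" || true
}

# Which ttys those refusals came from (quote style around the name ignored).
securetty_denied_ttys() {
    sed -n 's/.*access denied: tty .\([A-Za-z0-9]*\). is not secure.*/\1/p' "$1" | sort -u
}

# Failed su attempts to root, per calling user: "<user> <count>", sorted by user.
failed_su_by_user() {
    sed -n 's/.* su\[[0-9]*\]: FAILED su for root by \([^ ]*\)$/\1/p' "$1" \
        | sort | uniq -c | awk '{print $2, $1}'
}

# Successful su sessions for root; with pam_wheel active this should stay 0.
su_sessions_opened() {
    grep -c 'pam_unix(su:session): session opened for user root' "$1" || true
}

echo "securetty denials: $(count_securetty_denials "$AUTH_LOG_SAMPLE") on $(securetty_denied_ttys "$AUTH_LOG_SAMPLE" | tr '\n' ' ')"
echo "failed su to root, by user:"
failed_su_by_user "$AUTH_LOG_SAMPLE"
echo "su sessions opened for root: $(su_sessions_opened "$AUTH_LOG_SAMPLE") (expect 0 under the PAM restriction)"
```

On a live box, feed it the journal instead of the sample: journalctl -o short --no-pager > /tmp/auth.txt and pass that path. The last counter is the interesting one; any value above zero after you enabled pam_wheel means su is not restricted the way this section intends.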
Warning
If you install sudo and add a user to the sudo group, they can do anything. Never do it.
If you install sudo, edit sudoers and allow the least commands needed; NO ALL.
First connection
Now, attach the network cable.
We configured the network as hotpluggable, so neither a reboot nor ifup should be required.
If your NIC is not brought up, then:
root# ip address # shows enpX has no address, then
root# ifup enpX
This would be the first connection to the local network (and the Internet).
Order matters
Never connect any network devices before these security settings are in place.
Update the system
root# apt update
root# apt upgrade
A goal
At this moment, the system is ready to use.
Congratulations.
You may add some more security settings, such as those below, or take a rest.
Baseline security check (optional)
root# apt install chkrootkit clamav
root# chkrootkit | more # check nothing infected
root# dpkg-reconfigure clamav-freshclam # read and answer
Note
If you do not use clamd, answer "No" to "clamd be notified after update?"
This setting does not provide on-access scanning.
You have to scan manually.
To scan recursively and report only infected files:
user$ clamscan -i -r SOMEPATH
Firewall
Firewalling is difficult. The basics: DROP everything, explicitly ACCEPT only what you need, and use conntrack and hashlimit.
root# apt install iptables-persistent
Note
This package only provides scripts that save and restore firewall rules. You need to write the rules yourself.
Firewall rules vary and can be complicated; they are not covered in this guide.
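The guide leaves the rules to you, so here is an added starting point (not tier1.jp's rules) that follows exactly the basics stated above: policy DROP, conntrack for return traffic, explicit ACCEPT only for the TCP ports you list, and hashlimit on new connections so a single source cannot hammer a service. The function prints a file in the format iptables-persistent reads from /etc/iptables/rules.v4; the ports and rate limits are constructed for the example and should be adjusted for your box.

```shell
# Added example (not tier1.jp's rules): generate a rules.v4 file for
# iptables-persistent. Usage: gen_rules_v4 PORT [PORT...]  -> ruleset on stdout
gen_rules_v4() {
    [ "$#" -ge 1 ] || { echo "usage: gen_rules_v4 PORT [PORT...]" >&2; return 2; }
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 2; }
    done

    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked flows first; these carry most of the traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited ping keeps the box diagnosable without inviting floods
-A INPUT -p icmp -m icmp --icmp-type echo-request -m hashlimit --hashlimit-name ping --hashlimit-mode srcip --hashlimit-upto 5/second --hashlimit-burst 10 -j ACCEPT
EOF
    for port in "$@"; do
        # NEW connections only, limited per source IP: 3 per minute, burst of 5
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name tcp$port --hashlimit-mode srcip --hashlimit-upto 3/minute --hashlimit-burst 5 -j ACCEPT"
    done
    cat <<'EOF'
# everything else falls through to the DROP policy
COMMIT
EOF
}

# Minimal sanity check on the generated text: the INPUT policy must be DROP.
rules_have_drop_policy() {
    printf '%s\n' "$1" | grep -qx ':INPUT DROP \[0:0\]'
}

RULES=$(gen_rules_v4 22)
printf '%s\n' "$RULES"
rules_have_drop_policy "$RULES" && echo "# policy check ok"
```

Write the output to /etc/iptables/rules.v4 and validate it with iptables-restore --test /etc/iptables/rules.v4 before loading it; do this from the physical console, since a mistake in the SSH rule locks you out of a remote session.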
APT consistency
There is plenty of other system consistency checking software, such as tripwire; debsums is an easy way.
First, you need to initialize it.
root# apt install debsums
root# debsums_init
Then, from time to time, run a system check:
root# debsums -s
SELinux or AppArmor
Warning
This guide is not enough. At least install SELinux or AppArmor.
tier1.jp recommends AppArmor.
Debian buster chose AppArmor and enables it by default, but we should still do more to make it practical.
Note
If you create and/or edit your AppArmor profiles, you should have at least 2GB for /var/log, since profiling produces tons of audit logs.
Also, you should set the maxsize option in your logrotate configuration.
AppArmor Setup Example
The Debian Administrator's Handbook is a little long and tricky on this.
Here is a short and simple summary.
Install AppArmor packages
root# apt install apparmor{,-utils,-profiles,-profiles-extra}
root# nano /etc/default/grub # add apparmor parameters
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
root# update-grub && reboot -n
Check AppArmor status
After (root) login,
root# aa-enabled
YES (it works now.)
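The edit to /etc/default/grub above is easy to get wrong by hand: overwriting a GRUB_CMDLINE_LINUX that already holds parameters, or appending the same ones twice. Here is an added helper (not tier1.jp's script) that adds the two parameters only if they are missing and leaves the rest of the line alone. It works on whatever file path you pass, so it is demonstrated on a constructed copy; run it on the real file as root, then continue with update-grub, reboot and aa-enabled as shown above.

```shell
# Added example (not tier1.jp's script): add kernel parameters to
# GRUB_CMDLINE_LINUX idempotently. Usage: add_kernel_params FILE PARAM [PARAM...]
add_kernel_params() {
    file="$1"; shift
    for param in "$@"; do
        awk -v param="$param" '
            /^GRUB_CMDLINE_LINUX=/ {          # exact key; does not match ..._DEFAULT=
                found = 1
                line = $0
                sub(/^GRUB_CMDLINE_LINUX=/, "", line)
                sub(/^"/, "", line)           # strip the surrounding quotes
                sub(/"$/, "", line)
                n = split(line, parts, " ")
                present = 0
                for (i = 1; i <= n; i++) if (parts[i] == param) present = 1
                if (!present) line = (line == "" ? param : line " " param)
                print "GRUB_CMDLINE_LINUX=\"" line "\""
                next
            }
            { print }
            END { if (!found) print "GRUB_CMDLINE_LINUX=\"" param "\"" }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Current value of GRUB_CMDLINE_LINUX (without quotes), for verification.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Constructed copy of a /etc/default/grub that already carries a parameter.
GRUB_SAMPLE=$(mktemp)
cat > "$GRUB_SAMPLE" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="net.ifnames=0"
EOF

add_kernel_params "$GRUB_SAMPLE" apparmor=1 security=apparmor
add_kernel_params "$GRUB_SAMPLE" apparmor=1 security=apparmor   # second run: no change
echo "GRUB_CMDLINE_LINUX is now: $(grub_cmdline "$GRUB_SAMPLE")"
```

Keep a copy of the original file before running it on /etc/default/grub; the helper rewrites the file in place via a temporary file next to it.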
Going further
Not that many AppArmor profiles are shipped, and it is very difficult to create universal ones.
You should consider creating your own.
Tip
If you create your own AppArmor profiles, you'd better do it one at a time.
Also, consider running logrotate -f YOURCONFIG before you create another profile.
tier1.jp will write about it in the future, but not in this guide.
A milestone
You can stop using this guide at this stage.
- You now have a small secure Debian GNU/Linux base system.
- If you are interested, keep going "Next".
Thank you for reading this. Have a nice day.