Note:

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Security

From Funtoo
Latest revision as of 16:28, March 15, 2021


Security is a complex topic; here we will try to make it easier to decipher and understand. This page goes from zero to tin foil hat.

Understanding the concept of layering (nesting one defence inside another) is essential when drawing up your security plan. Disable all unnecessary services, uninstall all unnecessary software, disable all unnecessary kernel options, and set USE flags to -useflag to cut cruft out of the sources you build. Pass data through other servers that perform specific functions, such as firewalling or caching; this also obscures where the data originates. Data integrity requires off-site backups so that floods, power outages, wars and the like do not wipe out your only copy. Encrypt your drives so that your data stays safe if the hardware is physically taken. Sign messages with GPG, use SSH instead of telnet, and create SSL/TLS certificates for your services. Monitor logs for malicious activity.

If possible, the last layer of security should be this: once every other layer is broken and the system is compromised, nothing of value or importance is on it. Separating computing tasks across several machines on the network helps to this end; corporations run separate mail servers, web servers, routers and so on, so that a compromise of one does not hand over the rest.

Physical Security

If someone can take your system, you're going to have a bad day. Anchor your system to permanent structures, such as a rack mount, and have security cameras and locked doors. Physical access also means an attacker can boot the machine from their own media or pull the drives, so set a firmware (BIOS/UEFI) password, disable booting from removable devices, and rely on the disk encryption mentioned above for anything that matters.

Software Security

  • Install sudo, create an administrative user in the wheel group with a non-obvious name, and lock the root account with 'passwd -l root' ('passwd -e -l root' additionally expires its password). Use sudo -i to get a root shell when you need one, rather than running terminals as root all day. Attackers now have to guess the admin user name as well as the password, but treat the name as a minor obstacle, not a secret: the real gain is that root cannot log in directly and every privileged command is recorded by sudo.
  • Install a syslog daemon (e.g. syslog-ng, rsyslog or metalog) so that authentication failures and sudo use are actually recorded; the steps below depend on those logs.
  • Install nftables and start from a default-deny ruleset for inbound traffic.
  • Install sshguard and have it watch the logs for repeated failed login attempts and block the offending addresses in the firewall.
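The following script is an added example, not Funtoo's own tooling or documentation: it generates the sudoers drop-in and the nftables ruleset that the four steps above call for, so both can be reviewed and syntax-checked before anything is installed, and it wires them together with the user and service commands in a root-only function. The admin user name (ADMIN_USER), the file paths, the SSH port and the rate limits are assumptions; it also assumes /etc/sudoers already includes /etc/sudoers.d. The SSH limiter shown is global, not per source address; sshguard's nftables backend keeps its own table for per-attacker blocking alongside this ruleset.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): build and check the sudo and
# nftables pieces of the hardening list. Paths and names are assumptions.

# sudoers drop-in: members of wheel get root; every invocation is logged to a
# file as well as to syslog, and use_pty makes it harder to hijack the tty.
sudoers_dropin() {
    printf '%s\n' \
        'Defaults logfile=/var/log/sudo.log' \
        'Defaults use_pty' \
        '%wheel ALL=(ALL:ALL) ALL'
}

# default-deny inbound ruleset; forward is dropped (this is a host, not a router)
nft_ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    # addresses you block by hand: nft add element inet filter blocklist { 203.0.113.7 timeout 1h }
    set blocklist {
        type ipv4_addr
        flags timeout
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        ip saddr @blocklist drop

        # rate-limit ICMP echo instead of blocking it outright; IPv6 needs ND to work
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # new SSH connections: 4 per minute in total (assumed limit), the rest are logged and dropped
        tcp dport 22 ct state new limit rate 4/minute accept
        tcp dport 22 ct state new log prefix "ssh-flood: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Root-only: create the admin user, install both files after checking them,
# then lock root and enable the services. Lock root last, once sudo works.
install_hardening() {
    ADMIN_USER=${ADMIN_USER:-opsadmin}        # placeholder name, pick your own
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    id "$ADMIN_USER" >/dev/null 2>&1 || useradd -m -G wheel "$ADMIN_USER"
    passwd "$ADMIN_USER"                      # set a strong password interactively
    sudoers_dropin >/etc/sudoers.d/10-wheel
    chmod 0440 /etc/sudoers.d/10-wheel
    visudo -c -f /etc/sudoers.d/10-wheel || return 1
    nft_ruleset >/etc/nftables.conf
    nft -c -f /etc/nftables.conf || return 1  # parse only; abort on any error
    nft -f /etc/nftables.conf                 # load it live
    rc-service nftables save                  # persist it for the OpenRC nftables service (assumed)
    rc-update add nftables default
    rc-update add sshguard default && rc-service sshguard start
    passwd -l root
}

case "${1:-}" in
    show)    sudoers_dropin; echo; nft_ruleset ;;
    install) install_hardening ;;
esac
```

Run it as `sh harden.sh show` to read both files first; `nft -c -f` and `visudo -c -f` are the checks that keep a typo from locking you out or leaving the firewall empty.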

AppArmor, TOMOYO and SELinux are mandatory access control (MAC) systems. They confine what a process may touch even when it runs as root, but each needs kernel support and a policy, so pick one and plan for the policy work.

sys-auth/pambase has USE flags for giving each user a private temporary directory, which removes a whole class of /tmp symlink and race attacks between local users.

Random Number Generation

Random numbers are used for generating SSL/TLS keys, GPG keys, SSH keys and so on. Predictable numbers, even slightly predictable ones, compromise every key derived from them. Do not use the VIA or Intel hardware RNGs as the sole entropy source for /dev/random: their output cannot be audited, so let the kernel mix them into its pool as one input among several rather than trusting them outright. On current kernels the random.trust_cpu boot parameter decides whether RDRAND output is credited as entropy (set random.trust_cpu=0 if you share this concern), and /sys/class/misc/hw_random/rng_current shows which hardware RNG, if any, backs /dev/hwrng.

Password Security

Password cracking relies on you not watching logs and on easily guessable passwords. Use lower case, upper case, numbers and symbols. Against a fast hash on a single machine, exhaustively searching 8 positions takes under a day, 16 takes many millennia, and 24 is out of reach in a lifetime; length matters far more than the character mix.

The major thing to watch out for is that crackers don't use 1 computer; they use 100 or more in concert, hammering the attack surface in parallel. Online guessing is throttled by your server and shows up in your logs, while an offline attack on a stolen hash database is limited only by their hardware and the cost of the hash.
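The arithmetic behind those length claims, as an added example rather than anything from the Funtoo page: keyspace size and time to exhaust it for a given character set, guess rate and number of machines, plus a generator that draws passwords from /dev/urandom. The 1e10 guesses per second default is an assumption standing in for one GPU against a fast hash (NTLM, MD5); take the real figure from a hashcat benchmark for the hash that actually protects the password, since a slow hash such as bcrypt or argon2 runs orders of magnitude slower.

```shell
#!/bin/sh
# Added example (not from the page): brute-force cost table and a password
# generator. Rates and lengths below are assumptions for illustration.

# log10 of the keyspace charset_size ^ length (95 = printable ASCII incl. space)
keyspace_log10() {
    awk -v c="$1" -v l="$2" 'BEGIN { printf "%.2f", l * log(c) / log(10) }'
}

# years to exhaust the keyspace at $3 guesses/second per machine across $4
# machines (default 1); the expected time to hit a given password is half this
crack_years() {
    awk -v c="$1" -v l="$2" -v r="$3" -v m="${4:-1}" \
        'BEGIN { printf "%.3g", c ^ l / (r * m) / 86400 / 365.25 }'
}

# random password of $1 characters from the 94 printable non-space ASCII chars,
# drawn from the kernel CSPRNG rather than from $RANDOM or a wordlist
gen_password() {
    LC_ALL=C tr -dc '!-~' </dev/urandom | head -c "$1"
    echo
}

# one row per length: keyspace, years on one host, years on 100 hosts in parallel
password_table() {
    rate=${1:-10000000000}   # assumed 1e10 guesses/s: one GPU, fast hash
    printf '%-7s %-11s %-14s %-14s\n' length log10space years_1_host years_100_hosts
    for len in 8 12 16 24; do
        printf '%-7s %-11s %-14s %-14s\n' "$len" "$(keyspace_log10 95 "$len")" \
            "$(crack_years 95 "$len" "$rate")" "$(crack_years 95 "$len" "$rate" 100)"
    done
}

case "${1:-}" in
    table) password_table "$2" ;;
    gen)   gen_password "${2:-24}" ;;
esac
```

`sh passwords.sh table` prints the rows; `sh passwords.sh table 1000000` shows how a slow hash (a million guesses per second) moves even 12 characters out of practical reach, which is the argument for bcrypt or argon2 on the server side.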

SSH daemon Security

sshd is a member of OpenRC's default runlevel, which means anyone who can reach the host can attempt to log in via SSH (with valid credentials). You should think about hardening your SSH server, or consider whether it is needed at all (e.g. on desktops).

Common practice is to disable root login and enable public key authentication. You can read more about securing the SSH service in our wiki page about OpenSSH or in the Gentoo Security Handbook.

If you don't need to connect to your new Funtoo host, remove sshd from the default runlevel and stop the running instance:

root # rc-update del sshd default
root # rc-service sshd stop

Network Security

Block pings

To block pings until reboot:

root # echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

To permanently block pings:

root # echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf

Two caveats: this sysctl only covers IPv4 (IPv6 echo requests are governed by net.ipv6.icmp.echo_ignore_all on newer kernels, or by your nftables rules), and appending with >> adds a duplicate line every time the command is re-run, so check /etc/sysctl.conf before repeating it. Ignoring all echo requests also hides the host from your own monitoring; rate-limiting ICMP in the firewall is usually the better trade-off.
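An idempotent way to make the change permanent, as an added example that is not part of the page: the function replaces an existing line for the key (with or without spaces around the =) instead of appending a duplicate, writes to a drop-in under /etc/sysctl.d (an assumed path; OpenRC's sysctl service reads both /etc/sysctl.conf and /etc/sysctl.d/*.conf), and applies the file immediately with sysctl -p. The IPv6 key is set alongside the IPv4 one.

```shell
#!/bin/sh
# Added example (not from the page): set sysctl keys without leaving duplicate
# lines behind. The drop-in path is an assumption.

# set_sysctl KEY VALUE [FILE]: rewrite an existing "KEY = ..." line or append one;
# comment lines are left untouched
set_sysctl() {
    key=$1; value=$2; file=${3:-/etc/sysctl.d/90-local.conf}
    [ -f "$file" ] || : >"$file"
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        {
            # compare the left-hand side with whitespace stripped, so
            # "key=1", "key = 1" and "  key =1" all count as the same key
            if ($0 !~ /^[ \t]*#/ && index($0, "=") > 0) {
                lhs = substr($0, 1, index($0, "=") - 1)
                gsub(/[ \t]/, "", lhs)
                if (lhs == k) { print k " = " v; done = 1; next }
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" >"$tmp" && cat "$tmp" >"$file"   # cat keeps the file owner and mode
    rm -f "$tmp"
}

# apply_sysctl_file [FILE]: load the values now; the sysctl service reapplies them at boot
apply_sysctl_file() {
    sysctl -p "${1:-/etc/sysctl.d/90-local.conf}"
}

# block_pings [FILE]: both address families, then apply
block_pings() {
    f=${1:-/etc/sysctl.d/90-local.conf}
    set_sysctl net.ipv4.icmp_echo_ignore_all 1 "$f"
    set_sysctl net.ipv6.icmp.echo_ignore_all 1 "$f"   # newer kernels only
}

case "${1:-}" in
    block) block_pings && apply_sysctl_file ;;
esac
```

On a kernel without the IPv6 key, sysctl -p reports it as unknown and applies the rest; drop that line or move IPv6 echo handling into the firewall ruleset.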

Wifi

Absolutely never use WEP or WPS. Disable them; they're compromised. Prefer WPA2 with AES/CCMP (or WPA3 where your hardware supports it) over the original WPA, whose TKIP cipher is also deprecated, and choose a passphrase that is not a word or easily guessable. Leet-speak substitutions (p4ssw0rd) count as whole words to a cracker. A WPA2-PSK handshake can be captured once and attacked offline at leisure, so the passphrase needs the kind of length discussed under Password Security.

  • https://en.wikipedia.org/wiki/PaX
  • https://grsecurity.net/