Manjaro Security
Cup of Linux » Tutorials » HOW TO: User submissions » Manjaro - more secure
Author Topic: Manjaro - more secure (Read 4450 times)

michael_christoph Manjaro - more secure


« on: October 31, 2015, 08:43:40 PM »
How to get Manjaro Linux more secure !
....or.....
How to harden Manjaro Linux while putting no limits on its functionality !
Here are my suggestions:

[1]
After successful installation, do a full system update

sudo pacman -Syu

[2]
Install and enable the personal firewall ( yes, even if you are behind a router )

sudo pacman -S ufw
sudo systemctl enable ufw.service
sudo systemctl start ufw

Now that it is started, implement the two standard rules

sudo ufw default deny incoming
sudo ufw default allow outgoing

These two rules are sufficient if you are facing a standalone client without any network except the internet.

[3]
Install some tools that are useful to defend against software doing harm

sudo pacman -S rkhunter unhide checksec

rkhunter looks for rootkits, unhide reveals hidden processes, and checksec is a tool to test whether installed procs provide hardened code ( NX bit, Canary, Full/Partial RELRO ).
You can run/automate rkhunter on a daily basis

cd /etc/cron.daily
sudo touch rkhunter
sudo chmod +x rkhunter

now edit the file rkhunter

sudo nano rkhunter

and fill in

15 15 * * * /usr/bin/rkhunter --cronjob --update --quiet

or run it by hand

sudo /usr/bin/rkhunter --update


sudo /usr/bin/rkhunter --propupd
sudo /usr/bin/rkhunter -c --enable all --disable none --rwo

save the file and keep track of the log file

/var/log/rkhunter.log

[4]
Set the umask value to 077

sudo nano /etc/login.defs

change umask from 022 to 077

Do the same in /etc/profile

Change the values of password aging controls in /etc/login.defs

sudo nano /etc/login.defs

change the value --> PASS_MAX_DAYS from 99999 to 365
change the value --> PASS_MIN_DAYS from 0 to 345
change the value --> PASS_WARN_AGE from 7 to 20

The values 365, 345, 20 are free to you - choose your own.

Some words on password security:

Passwords will become irrelevant in the future because of upcoming quantum computing.
Nevertheless, your password should meet the usual requirements ( min. 8 characters, lower- and
uppercase letters, numbers, special characters ).
The more different characters a password contains, the harder it is to crack, because every
character that is different increases the so-called entropy by one bit. Entropy is a measure of
how much effort a hacker must spend to crack a password.

[5]
Do some hardening on the installed kernel.
Change to

/etc/sysctl.d

and edit the conf file there

sudo nano 100-manjaro.conf

Paste the following lines in there

vm.swappiness = 1
net.ipv4.tcp_rfc1337 = 1
kernel.kptr_restrict = 1
kernel.core_uses_pid = 1
kernel.sysrq = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.enp3s0.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.enp3s0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.enp3s0.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.enp3s0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
kernel.dmesg_restrict = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# IPv6 Options
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

Save the file and type

sysctl -p 100-manjaro.conf
to apply all the settings. Alternatively reboot.
If you are presented with errors, look closer at the lines where the errors occur. You may have to
uncomment some lines or change the name of the network adapter from enp3s0 ( in my case )
to the one yours is called.

ip link show

shows you the name ( 1:lo ; 2:[name of your ethernet adapter] )

[6]
To protect not only the kernel but also the system a bit more, you can protect your system
against forkbombs, which open as many processes as possible until your system becomes
unresponsive. Forkbombs are annoying because they ddos a system in a matter of seconds.

To prevent such a game, go to the directory

cd /etc/security

edit the file

sudo nano limits.conf

add two lines at the bottom

* soft nproc 100
* hard nproc 200

which limits the authenticated user to 100 active processes, unless someone uses the ulimit
command to raise his maximum to 200.

[7]
After hardening the kernel a bit, we now harden the grub menu by making it ask for a username
and password at startup. So the system will not boot without authentication.

To do so open a terminal and do

sudo grub-mkpasswd-pbkdf2

it asks you for a password which can ( or should ) be different from your system password.
Repeat the password and press enter

the output is a very long hash beginning with

grub.pbkdf2.sha512.10000........

copy the whole hash value, open a second terminal and go to

cd /etc/grub.d

there, edit the file

sudo nano 40_custom

add these two lines

set superusers="yourusername"
password_pbkdf2 yourusername <password>

where the string <password> has to be replaced with the prior copied hash. Example of mine:

set superusers="michael"
password_pbkdf2 michael grub.pbkdf2.sha512.A4C5.....

Save the file and rewrite the grub configuration by

sudo grub-mkconfig -o /boot/grub/grub.cfg

Reboot....

[8]
To further heighten the security of your system, your
user account can be locked after a specified number of
failed login attempts. In order to do this you have to
edit the file

sudo nano /etc/pam.d/system-login

and edit the first line

auth required pam_tally.so onerr=succeed file=/var/log/faillog

change this line to

auth required pam_tally.so deny=3 unlock_time=120 onerr=succeed file=/var/log/faillog

which will lock your account after 3 failed logon attempts for two minutes.

[9]
These days, attacks on the user are carried out through the browser.
In the same way your privacy is attacked and violated, and ads, spam and
other crap are knocking at your browser while surfing the internet.
To mitigate this harm, let's have a look at the firefox browser and
what can be done here.

First step:
Install four useful addons

https everywhere
privacy badger
ublock
flashblock
no_script ( if you like to do spend time on its configuration )

https everywhere sits between your browser and the website and
calls the hosting server to encrypt the session

privacy badger/ublock: you get rid of all these ads and crappy windows
flashblock: no popping up and self-playing flash advertising videos

no_script: a lot of content is loaded by scripts. In fact not all
the content you see on a website is really located there.
Scripts are nothing bad, but they are widely used to put malicious
trojans on your system. No_script stops all the scripts,
allowing only scripts on those sites you granted. As it is
working on a whitelist, you have to spend a lot of effort
on it. But it is good once you have conditioned it.

Second step:
Disable the fallen crypto algorithm RC4 completely.
In your firefox address line type

about:config

confirm the security warning you get and type in the appearing search field

RC4

you should immediately see five entries in the list.
Go and double click every one of them so all the
VALUE's change from TRUE to FALSE.

as an example this entry

security.ssl3.rsa_rc4_128_sha user set boolean true

should change to

security.ssl3.rsa_rc4_128_sha user set boolean false

Now your security has risen from 68 to 84 in an average audit tool, which is quite a bit.
A totally secure system is nothing more than inoperable - therefore this tutorial ends here.

Two additions:

1.) Host.conf

Edit the host.conf file:

sudo nano /etc/host.conf

Add the following line:

nospoof on

Save your change and close the editor.

2.) Fstab

open the fstab file:

sudo nano /etc/fstab

locate the line that begins with --> tmpfs

change the line to look like this example

tmpfs /tmp tmpfs defaults,noatime,nosuid,noexec,mode=1777 0 0

I'm ready, thanks for reading

Michael Christoph

« Last Edit: July 08, 2016, 06:02:45 AM by michael_christoph »

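An added check to go with step [5] above (my own example, not code from michael_christoph's post or from Manjaro): a small Python audit that parses a sysctl.d file in the format shown there, flags per-interface keys that name an adapter this host does not have (the enp3s0 case the post says produces errors from `sysctl -p`), and lists hardening keys that are missing or set to a weaker value than the post uses. The sample file and the adapter names are constructed for the demonstration; on a real host the names come from `ip link show`.

```python
import re

# Hardening keys from the post above and the values it sets them to.
EXPECTED = {
    "kernel.kptr_restrict": "1",
    "kernel.dmesg_restrict": "1",
    "kernel.sysrq": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "fs.protected_hardlinks": "1",
}

# net.ipv4.conf.<name>.* / net.ipv6.conf.<name>.*; "all" and "default" always exist.
IFACE_KEY = re.compile(r"^net\.ipv[46]\.conf\.([^.]+)\.")
PSEUDO_IFACES = {"all", "default"}

def parse_sysctl(text):
    """Parse sysctl.conf syntax: 'key = value', lines starting with # or ; are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text, interfaces):
    """Return (keys naming an adapter the host lacks, {expected key: actual value or None})."""
    settings = parse_sysctl(text)
    known = PSEUDO_IFACES | set(interfaces)  # interfaces: names from `ip link show`
    unknown = []
    for key in settings:
        match = IFACE_KEY.match(key)
        if match and match.group(1) not in known:
            unknown.append(key)
    weak = {k: settings.get(k) for k, v in EXPECTED.items() if settings.get(k) != v}
    return unknown, weak

# Constructed sample: a shortened copy of the post's file, still naming enp3s0.
SAMPLE = """\
# IPv4 hardening (constructed sample)
kernel.kptr_restrict = 1
kernel.sysrq = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.enp3s0.log_martians = 1
net.ipv4.conf.enp3s0.rp_filter = 1
net.ipv4.tcp_syncookies = 1
"""
print(audit(SAMPLE, {"lo", "eth0"}))  # a host whose adapter is eth0, not enp3s0
```

Running it on the sample reports both enp3s0 keys as pointing at a missing adapter and three expected keys as absent; the same file passes the adapter check when `{"lo", "enp3s0"}` is supplied.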

vstarsteve Re: Manjaro - more secure


« Reply #1 on: December 03, 2016, 02:39:11 PM »

WOW! Thanks for the tutorial, I'm working with it.
