Network security guide
#1
This is going to be a general post regarding some relatively basic security measures to ensure greater opsec on your system. This is targeted at Linux, though some of these steps could possibly be reproduced on one of the BSDs.

1) Configure a stateful firewall. This is so critical for proper security. If you're on a recent Linux system, nftables is the way to go as it has succeeded iptables. For FreeBSD and OpenBSD, pf is arguably the best firewall solution out there. An example configuration for a workstation using nftables might look like this:

Code:
flush ruleset

table inet filter {
        chain input {
                # chain policy defaults to accept; the final "counter drop" rule
                # below is what makes this a default-deny input chain
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # accept ICMP & IGMP
                ip6 nexthdr icmpv6 icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
                ip protocol igmp accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # count and drop any other traffic
                counter drop
        }
}


OpenBSD has superlative documentation regarding pf. I'll assume that if you can use OpenBSD, you're probably capable of reading the documentation and creating your own ruleset. If you're looking to make a network-wide firewall, set up a Raspberry Pi with OpenBSD and pf.
     a) It's also wise to use Sshguard in conjunction with your firewall. To use it with nftables, set the backend in its configuration file:

Code:
/etc/sshguard.conf

BACKEND="/usr/lib/sshguard/sshg-fw-nft-sets"


2) Sysctl flags. This is completely irrelevant for OpenBSD as it is "secure by default", but for FreeBSD and Linux, there are a number of optimizations that can be made with regard to security. For Linux, the changes I make are:
Code:
/etc/sysctl.conf

# prevent some spoofing attacks (strict reverse-path filtering)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# enable TCP/IP SYN cookies
net.ipv4.tcp_syncookies = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Log Martian Packets
net.ipv4.conf.all.log_martians = 1

# Hide kernel pointers (%pK) from unprivileged readers of /proc and dmesg
kernel.kptr_restrict = 1

# Only privileged processes may load BPF programs
kernel.unprivileged_bpf_disabled = 1

# Constant blinding in the BPF JIT, for privileged users as well
net.core.bpf_jit_harden = 2

# Ignore RSTs for sockets in TIME-WAIT (RFC 1337 "TIME-WAIT assassination")
net.ipv4.tcp_rfc1337 = 1

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1


FreeBSD uses similar sysctl flags and the Handbook has more information.

3) SSH tweaks: Besides Sshguard, make the following changes to ssh configuration if you have sshd enabled:

Code:
/etc/ssh/sshd_config

# never allow root to log in over SSH, with keys or otherwise
PermitRootLogin no
# keys only; note this does not cover keyboard-interactive (PAM) logins,
# which are controlled by KbdInteractiveAuthentication
PasswordAuthentication no

4) Use a router running open source firmware like DD-WRT or OpenWrt. The vast majority of routers are extremely vulnerable to attack and the Vault 7 leaks revealed that the CIA heavily exploited them. OpenBSD can also make a really good router as pf is plenty flexible for the task.

5) For those with laptops, spoof your MAC address with macchanger. For those using a systemd-based distro, one can easily configure a service:

Code:
/etc/systemd/system/macspoof@.service

[Unit]
Description=macchanger on %I
# run before any network configuration touches the interface
Wants=network-pre.target
Before=network-pre.target
# tie the unit to the interface device so it runs when the device appears
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
# -e keeps the vendor (OUI) bytes and randomises the rest; -r randomises everything
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
# enable per interface, e.g. systemctl enable macspoof@wlan0.service
WantedBy=multi-user.target


6) Sandbox network-facing applications with Firejail: Firejail is a lightweight SUID sandbox that uses Linux namespaces and seccomp to isolate applications' access to kernel resources. It's very easy to use and ships with profiles, so that applications such as Firefox, Mumble, and Gajim automatically run with it. It's also wise to use on things like file managers, video players, and PDF viewers.

7) Keep your system up to date: This is probably one of the most obvious and important things to do, but a surprising number of people neglect to do this consistently.

Let me know if I should add anything. Keep in mind this is pertinent to network security, so I left out full disk encryption, system auditing, and mandatory access control.
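A check for item 2 of the post, added here as an example and not part of the original post: `sysctl -p` applies a file line by line, prints an error for a key the kernel does not know and carries on, so a misspelled key silently leaves that protection off. The script parses a sysctl.conf fragment with the file's own rules, compares it to the post's list (used as the baseline) and reports wrong values, baseline keys never set, and keys set that are outside the baseline. The sample fragment is constructed for this example and deliberately contains a misspelled key, `net.ipv4.icmp_echo_igonore_broadcasts`, to show what the audit catches; `live_value` assumes a Linux host with /proc/sys mounted.

```python
"""Audit a sysctl.conf fragment against a hardening baseline (added example)."""
from pathlib import Path

# Baseline: the values recommended in the post, spacing normalised.
BASELINE = {
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv6.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "kernel.kptr_restrict": "1",
    "kernel.unprivileged_bpf_disabled": "1",
    "net.core.bpf_jit_harden": "2",
    "net.ipv4.tcp_rfc1337": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}

# Constructed sample: mixed "k=v" / "k = v" spacing, comments, and one
# deliberately misspelled key (igonore) so the audit has something to catch.
SAMPLE_CONF = """\
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
kernel.kptr_restrict = 1
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
net.ipv4.tcp_rfc1337 = 1
net.ipv4.icmp_echo_igonore_broadcasts=1
"""


def parse_sysctl_conf(text):
    """Parse sysctl.conf text into {key: value}.

    Rules from sysctl.conf(5): '#' or ';' start a comment, 'key = value' and
    'key=value' are both accepted, '/' may replace '.' in keys, a leading '-'
    tells sysctl to ignore errors for that line, and later lines win.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lstrip("-").replace("/", ".")
        settings[key] = value.strip()
    return settings


def audit(settings, baseline=BASELINE):
    """Compare parsed settings with the baseline.

    Returns {'wrong': {key: (found, expected)}, 'missing': [...], 'extra': [...]}.
    'extra' keys are not necessarily bad, but each should exist under
    /proc/sys; one that does not is a typo.
    """
    wrong = {k: (settings[k], v) for k, v in baseline.items()
             if k in settings and settings[k] != v}
    missing = sorted(k for k in baseline if k not in settings)
    extra = sorted(k for k in settings if k not in baseline)
    return {"wrong": wrong, "missing": missing, "extra": extra}


def live_value(key, proc_root="/proc/sys"):
    """Running kernel's value for key, or None if the key does not exist
    (assumes Linux: net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies)."""
    try:
        return Path(proc_root, *key.split(".")).read_text().strip()
    except OSError:
        return None


def audit_file(path="/etc/sysctl.conf"):
    """Audit a real file and additionally flag 'extra' keys the kernel does not know."""
    result = audit(parse_sysctl_conf(Path(path).read_text()))
    result["unknown_to_kernel"] = [k for k in result["extra"] if live_value(k) is None]
    return result


if __name__ == "__main__":
    report = audit(parse_sysctl_conf(SAMPLE_CONF))
    for key in report["missing"]:
        print(f"missing : {key}")
    for key in report["extra"]:
        print(f"extra   : {key} (not in baseline; check /proc/sys for a typo)")
    for key, (found, want) in report["wrong"].items():
        print(f"wrong   : {key} = {found} (expected {want})")
```

On a real host, run `audit_file()` as root after `sysctl -p`; anything listed under `unknown_to_kernel` is a key the kernel rejected, and the matching baseline entry will show up under `missing`.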

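A check for item 3 of the post, added here as an example and not part of the original post: sshd keeps the first value it sees for a keyword, and `Include` splices other files in at the point where it appears, so on distributions that ship `Include /etc/ssh/sshd_config.d/*.conf` as the first line of sshd_config, a drop-in saying `PasswordAuthentication yes` wins over a `no` written further down in the main file. The script computes the effective global values with those rules. The file names and contents below are constructed for the example (the drop-in is modelled on a cloud-init style drop-in) and are supplied as an in-memory dict so it runs offline; on a real host, `sshd -T` prints the effective configuration and is the authoritative check.

```python
"""Effective sshd_config values, computed the way sshd reads them (added example)."""
import fnmatch
import posixpath
import re

# Defaults from sshd_config(5) for the two keywords the post sets, used when
# no file sets them.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# What the post wants.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed sample: names and contents are made up for this example.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def effective_config(files, start="/etc/ssh/sshd_config"):
    """Return {keyword (lowercased): first value seen}, global section only.

    files is {path: text}. Directives after a Match line apply only to
    matching connections and are skipped; a Match block runs to the end of
    its file. Keyword and argument may be separated by whitespace or '='.
    """
    result = {}

    def walk(path):
        in_match = False
        for raw in files.get(path, "").splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            key = parts[0].lower()
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            if key == "match":
                in_match = True
            if in_match:
                continue
            if key == "include":
                # relative patterns are resolved against /etc/ssh; globs are
                # expanded and read in sorted order, at this point in the file
                for pattern in value.split():
                    if not pattern.startswith("/"):
                        pattern = posixpath.join("/etc/ssh", pattern)
                    for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                        walk(inc)
                continue
            result.setdefault(key, value)  # first value wins

    walk(start)
    return result


def findings(files):
    """Keywords whose effective value differs from WANTED: [(key, found, wanted)]."""
    eff = effective_config(files)
    return [(k, eff.get(k, DEFAULTS[k]), want)
            for k, want in WANTED.items() if eff.get(k, DEFAULTS[k]) != want]


if __name__ == "__main__":
    for key, found, want in findings(SAMPLE_FILES):
        print(f"{key}: effective value is {found!r}, wanted {want!r}")
```

With the sample files the result is a single finding, `PasswordAuthentication` effectively `yes`, even though the main file says `no`; the fix is to change or remove the drop-in, not to edit the line in sshd_config again.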
