How to secure Arch

randomxusr · 2021-08-30 20:31:56

I'm trying to identify a sensible way to secure my Arch install.

What are the pros and cons of using the Linux Hardened Kernel?

Should I use AppArmor or SELinux?

What resources would you recommend, beyond the Wiki to learn about these options?

My goal is to setup a fairly vanilla security profile and limit vulnerabilities while maintaining a useful system.

cloverskull · 2021-08-30 21:09:27

I use AppArmor, configuration is fairly straightforward. I also use UFW to manage an _extremely_ simple firewall (deny incoming, allow outgoing), have a periodic job to run rkhunter and alert me of any issues, and I also use UEFI with secure boot and my own keys.

I use dnsmasq as well and a VPN (nordvpn) whenever I'm on a network that isn't my own.

All of this was pretty easy to configure and set up, I suggest reading each of these topics if they're of interest to you. I'm happy to explain a bit more but would rather not give steps to follow as I believe you should probably invest the time in educating yourself on this more than just typing commands without understanding them.

ewaller · 2021-08-30 21:47:02

What are you protecting?
And from who?
What is your attack surface (Are they physically at your machine? On your LAN? On the Internet? What ports are open?)

Last edited by ewaller (2021-08-30 21:47:54)

randomxusr · 2021-08-30 22:42:26

1) Protecting my Files and would like to disable unnecessary or unused ports
2) From anyone that has bad intentions
3) Internet, not physically at the machine. Need to check the ports.

Would you recommend SELinux over Apparmor? And is it worthwhile to use the Hardened kernel? Is anything known to break with that?

ewaller · 2021-08-31 01:13:34

I recommend a good router that manages a private LAN, including a DHCP server that issues non-routable (private) addresses. Open no ports on the Internet side of the router. Ensure the router is configured to not permit administation from the public Internet side.

Do not enable sshd, telnetd, ftpd, or smb (samba) if you worry about ports being open on your LAN and need to block other computers on your router. If you are paranoid, turn off your WiFi on the router and use only wired connections. If you are really, really paranoid, set up a vlan between the router and your computer. do not permit other local traffic on the vlan.

Notice that I am not really answering your questions. I don't really care for any of your answers for a simple home noetwork.

>> From anyone that has bad intentions.
Aye, there's the rub.

fukawi2 · 2021-08-31 07:21:31

I've heard @ewaller has bad intentions... But here you are taking advice on how to secure your system from him. My point being is that you need to understand your own threat vectors, then research, understand and implement your own mitigations from those threats.

seth · 2021-08-31 15:09:49

Context? Is this a server or a desktop, what's its use-case?
The single biggest attack vector against the masses is still to leverage the idiot (click for boner pillz…) and your biggest concern itr. is your browser.
The most exploitable thing in the browser is typically ECMA so if you're worried itr. look at something like the noscript addon (though many browsers will allow you to enable javascript per webpage)

If you're behind a consumer router, it'll block inbound traffic by default anyway - you have to explicitly open and forward ports.
On a direct connection, you want a firewall. If you're using iptables, nf-tables, ufw, firewalld… is close to irrelevant, because they all operate on the same netfilter stack in the kernel.
You probably want to deny all inbound traffic, iirc the wiki has examples for that (simple stateful firewall)

If you want to open ssh to the interwebz, the single most important thing is to deny password logins. Those are *only* good for a friendly LAN.

If this is a server that decidedly opens something™ to the mean world outside, you need to specify what that is and what you're willing to do to secure it - there is no generic "make my system secure" button.
Security is not a state, it's war

solskog · 2021-09-01 12:14:56

An desktop VM with GPU/USB pass through on periodical snapshots.
Until Wayland is ready, using one-time random generated auto-login user who shares X11 session with an regular admin user.

           |-login(302)---startx(420,bcd63ae4455c33b395)---xinit(554)-+-dwm(565)-+-bash(3745)              
           |                                                                       |           |-urxvt(12169)---bash(12170)
           |                                                                       |           `-urxvt(12216)---bash(12217)
           |                                                                       `-Xorg(555)-+-{Xorg}(556)
           |                                                                                   |-{Xorg}(562)
           |                                                                                   `-{Xorg}(563)
           |-urxvt(655,admin)---bash(656)---vi(25824)
           |-urxvt(739,admin)---bash(740)-+-less(28311)
           |                         `-pstree(28310)

seth · 2021-09-01 14:00:46

@solskog, are you and randomxusr the same person?

solskog · 2021-09-02 00:50:57

seth wrote:

@solskog, are you and randomxusr the same person?

No, I am NOT! But, I did asked same question a year ago though (https://bbs.archlinux.org/viewtopic.php?id=259005). Since Archlinux has became more popular (highest average rating among all distros on distrowatch.com) and more people using it, I understand why these kind of question pop up again from another user.

Last edited by solskog (2021-09-02 01:17:58)

dogknowsnx · 2021-09-02 07:29:28

randomxusr wrote:

1) Protecting my Files and would like to disable unnecessary or unused ports
2) From anyone that has bad intentions
3) Internet, not physically at the machine. Need to check the ports.
Would you recommend SELinux over Apparmor? And is it worthwhile to use the Hardened kernel? Is anything known to break with that?

In addition to what @seth already said:
1) Use encryption and make backups.
2) Don't install 3rd party stuff, avoid p o r n sites and the like.
3) Learn how to manually configure your firewall. Use a sandbox (e. g. firejail) and learn how to harden it.

SELinux? I wouldn't trust anything the c i a invented. Linux-hardened allows for usbctl to be used, for example - see here for issues that have been reported for the current release.

EDIT: In short, use common sense and enjoy living in a house with windows (NOT the OS from hell) despite the fact that there are harder objects out there.

Last edited by dogknowsnx (2021-09-02 08:02:40)

sabroad · 2021-09-02 08:40:29

> 1) Protecting my Files

This one is hard- any executable run as/by $USER gets to slurp all of $HOME unless some sort of sandboxing is implemented.

Protecting against all attack vectors is an arduous journey, so start with a shortlist of scenarios important for you and go from there, eg. hotels and borders.

Last edited by sabroad (2021-09-02 08:41:44)

solskog · 2021-09-03 00:59:55

User privilege separation as much as you are comfortable with. run firefox, chromium, vlc, obs, discord etc on separate user with lowest privilege. preferably one-time random-named password-locked non-login user.
If dbus is required for application level communication e.g: firefox and pulseaudio. use an dedicated dbus-session and pulseaudio for each instance of firefox/chromium of each user. Here comes a illustration, the real username are random.

|-login(275)---startx(413,one-time-login-user)---xinit(534)-+-dwm(545)
           |                                            `-Xorg(535)-+-{Xorg}(536)
           |-dbus-daemon(556,one-time-login-user)
           |
           |-dbus-daemon(33786,one-time-firefox-user)                           
           |-pulseaudio(36676,one-time-firefox-user)
           |-firefox-bin(35017,one-time-firefox-user)
           |
           |-urxvt(635,regular-admin-user)---bash(636)-+-less(37220)
           |                              `-pstree(37219)                              |

nbd · 2021-09-04 19:57:45

seth wrote:

your biggest concern itr. is your browser.

You can use sandboxing approach to make your browser more safe:

https://firejail.wordpress.com/document … fox-guide/

Gregosky · 2021-09-06 12:31:05

If you are afraid of your browser then this might help a bit https://github.com/grzegorzk/ff_in_podman

note - X session is shared so there is still some risk (which I personally accept)

rsmarples · 2021-09-07 08:07:27

If you use a dhcp client, then use dhcpcd - it's the only dhcp client on linux to feature privilege separation and kernel level sandboxing.

Arch Linux

#1 2021-08-30 20:31:56

How to secure Arch

#2 2021-08-30 21:09:27

Re: How to secure Arch

#3 2021-08-30 21:47:02

Re: How to secure Arch

#4 2021-08-30 22:42:26

Re: How to secure Arch

#5 2021-08-31 01:13:34

Re: How to secure Arch

#6 2021-08-31 07:21:31

Re: How to secure Arch

#7 2021-08-31 15:09:49

Re: How to secure Arch

#8 2021-09-01 12:14:56

Re: How to secure Arch

#9 2021-09-01 14:00:46

Re: How to secure Arch

#10 2021-09-02 00:50:57

Re: How to secure Arch

#11 2021-09-02 07:29:28

Re: How to secure Arch

#12 2021-09-02 08:40:29

Re: How to secure Arch

#13 2021-09-03 00:59:55

Re: How to secure Arch

#14 2021-09-04 19:57:45

Re: How to secure Arch

#15 2021-09-06 12:31:05

Re: How to secure Arch

#16 2021-09-07 08:07:27

Re: How to secure Arch

Board footer