Security (Buster)

From Hexwiki

Security is a process, not a state. On the plus side, a lot of stuff from my earlier documentation on this has become the default in Wheezy. It is certainly made easier by not being the only one doing it.

Not all of this is strictly 'security', per se, at least from a 'keep bad people from doing bad things to you' perspective. Some elements are more about ensuring a smoother-running system.

/etc/fstab

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda3 during installation
UUID=longstringissomewhatlongbutnotverylong /               ext4    noatime,errors=remount-ro 0       1
# /boot was on /dev/sda1 during installation
UUID=longstringissomewhatlongbutnotverylong  /boot           ext4    noatime         0       2
# /home was on /dev/sda2 during installation
UUID=longstringissomewhatlongbutnotverylong  /home           ext4    noatime,nodev,nosuid 0       2
# /innodb was on /dev/sdd1 during installation
UUID=longstringissomewhatlongbutnotverylong  /innodb         ext4    noatime,nodev,nosuid,noexec 0       2
# /srv was on /dev/sdc1 during installation
UUID=longstringissomewhatlongbutnotverylong  /srv            ext4    noatime,nodev,nosuid,noexec 0       2
# /storage was on /dev/sdd2 during installation
UUID=longstringissomewhatlongbutnotverylong  /storage        ext4    noatime,nodev,nosuid,noexec 0       2
# /var was on /dev/sdb2 during installation
UUID=longstringissomewhatlongbutnotverylong  /var            ext4    noatime,nodev,nosuid 0       2
# swap was on /dev/sdb1 during installation
UUID=longstringissomewhatlongbutnotverylong  none            swap    sw              0       0
tmpfs           /tmp            tmpfs       rw,noatime,nodev,nosuid,mode=1777,size=8g 0       0

The main thing here is the tmpfs and nodev,nosuid /tmp.

/boot is a silly thing to stick on its own partition these days. It's just habit, and can actually cause more headaches than the benefit it supposedly provides. It is necessary if you encrypt your root partition, however.

noatime goes on all the things, except the swap partition.

Speaking of swap partitions, they are still useful, but I would not make them too large. I generally set mine to about 4 GB; with the configuration I have described, between half a gig and a gig may end up being used without impacting performance. That gives your server a bit of room to squeeze out and generally make good use of the RAM inside.

nodev,nosuid is good for anything that doesn't need those abilities; in the fstab above that is every file system except / and /boot.

Be careful about throwing noexec around. Debian likes to execute some things out of /var and /tmp.
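A quick way to check that the options discussed above are actually in place, as an added example that is not part of the original page. The function names, the EXEMPT and WANT variables and the sample fstab lines are constructed for illustration; the defaults exempt / and /boot as the fstab above does.

```sh
#!/bin/sh
# Added example: flag mount points that lack nodev/nosuid.
# Input is fstab(5)-format text on stdin; /proc/mounts has the same field order.
# EXEMPT and WANT are hypothetical knobs; the defaults mirror the fstab above.
audit_mounts() {
    awk -v exempt="${EXEMPT:-/ /boot}" -v want="${WANT:-nodev nosuid}" '
    BEGIN {
        n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1
        nw = split(want, w, " ")
    }
    NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
    $3 == "swap" || $2 !~ /^\// { next }   # swap and other non-path entries
    ($2 in skip) { next }                  # mounts left with dev/suid on purpose
    {
        split("", have)                    # portable way to empty an array
        no = split($4, o, ",")
        for (i = 1; i <= no; i++) have[o[i]] = 1
        missing = ""
        for (i = 1; i <= nw; i++)
            if (!(w[i] in have)) missing = missing (missing ? "," : "") w[i]
        if (missing != "") print $2, "missing:" missing
    }'
}

# Constructed sample, not taken from a real host.
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=aaaa  /      ext4   noatime,errors=remount-ro  0 1
UUID=bbbb  /boot  ext4   noatime                    0 2
UUID=cccc  /home  ext4   noatime,nodev,nosuid       0 2
UUID=dddd  /var   ext4   noatime,nodev              0 2
UUID=eeee  /srv   ext4   defaults                   0 2
UUID=ffff  none   swap   sw                         0 0
tmpfs      /tmp   tmpfs  rw,noatime,nodev,nosuid,mode=1777,size=8g 0 0
EOF
}

sample_fstab | audit_mounts
# Live check of what is mounted right now: audit_mounts < /proc/mounts
```

Running it against /proc/mounts rather than /etc/fstab shows what the kernel is enforcing, which catches a file system that was remounted by hand.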

/innodb is a partition that holds nothing but InnoDB's doublewrite buffer and other logs. Since it represents half of an InnoDB database's I/O, this ends up being about 40% faster than an equivalent RAID 0 or 10 configuration.

To enable fstrim properly, you will want to enable the timer service:

systemctl enable fstrim.timer

And make an override to switch it to daily:

mkdir /etc/systemd/system/fstrim.timer.d
touch /etc/systemd/system/fstrim.timer.d/override.conf
  • /etc/systemd/system/fstrim.timer.d/override.conf
[Timer]
OnCalendar=
OnCalendar=daily

The double declarations are intentional, to first delete the previously set OnCalendar value.

/etc/crontab

# /etc/crontab: system-wide crontab
# Your values may of course differ. I just prefer to spread them out
# So they don't all hit at the same time usually.
# Key is to know when your user activity is the lowest, of course.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=""
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 5    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 4    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

/etc/securetty

# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
# I end up deleting the vast majority of these, leaving only the ones below.
console
# Virtual consoles
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12

/etc/security/limits.conf

#<domain>      <type>  <item>         <value>
# The main things to note here are the core dumps
# and mysql's memory access. The latter is a
# legacy element.
#
# 1048576 is currently the limit for nofile.
*               soft    core            0
*               hard    core            -
*               -       maxlogins       5
*               -       memlock         2048
*               -       nofile          65536
*               -       nproc           256
mysql           -       maxlogins       0
mysql           -       memlock         134217728
mysql           -       nofile          1048576
root            -       nofile          1048576
root            -       maxlogins       -
root            -       memlock         134217728
root            -       nproc           -

/etc/host.conf

Read hosts first, then try a domain lookup if that fails. I am far more likely to be trying to override something when I put something in my hosts file.

This file is largely obsolete.

order hosts,bind
multi on

/etc/login.defs

  • LOG_OK_LOGINS yes
  • SULOG_FILE /var/log/sulog
  • CHFN_RESTRICT frwh
    • Don't ask me why I bother with this, I could not tell you : p
  • SHA_CRYPT_MIN_ROUNDS 500000
    • Or higher. Just remember what you are setting it to.

PAM

  1. Be sure you have the wheel group: addgroup --gid 70 wheel
  2. usermod -a -G wheel root
  3. usermod -a -G wheel adminuser
  4. Install the libpam-tmpdir package, if you have not already (lately has been autoinstalled).
  5. /etc/pam.d/common-auth
    1. Remove nullok_secure from the auth line
  6. /etc/pam.d/su
    1. Uncomment and add group=wheel:
    2. auth required pam_wheel.so group=wheel
    3. Make sure root is part of the wheel group as a precaution
  7. /etc/pam.d/common-password
    1. add 'rounds=500000' to the password line:
    2. password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=500000
  8. Regenerate root, administrator passwords
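Step 8 matters because rounds= only takes effect when a password is set; hashes already in /etc/shadow keep their old cost. The following added example (not part of the original page) lists accounts still below the target. The function names and the sample shadow lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: list accounts whose stored hash predates the rounds setting.
# Input is shadow(5)-format text on stdin; the argument is the minimum rounds.
audit_shadow_rounds() {
    awk -F: -v min="${1:-500000}" '
    {
        h = $2
        sub(/^!+/, "", h)                  # a locked account keeps its hash after "!"
        if (h == "" || h == "*") next      # no password hash to check
        split(h, p, /[$]/)                 # "$6$rounds=N$salt$hash" -> "", 6, rounds=N, ...
        if (p[2] != "6") { print $1, "not-sha512"; next }
        rounds = 5000                      # SHA-crypt default when no rounds= field is stored
        if (p[3] ~ /^rounds=[0-9]+$/) rounds = substr(p[3], 8) + 0
        if (rounds < min + 0) print $1, "rounds=" rounds
    }'
}

# Constructed sample entries; the salts and hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$rounds=500000$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:99999:7:::
adminuser:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:99999:7:::
olduser:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:99999:7:::
deploy:!$6$rounds=5000$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
mysql:!:18000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow_rounds 500000
# Live check (as root): audit_shadow_rounds 500000 < /etc/shadow
```

Any account it prints needs its password set again before the higher cost applies to it.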

Directory and file Permissions

mkdir /etc/certs
chmod 700 /etc/certs

Create a certificate directory somewhere and protect it.

find / -perm -2000 -group 0

This should return only directories (/var/cache/man in older versions of Debian).

chmod 0700 /root /lost+found

The above should already be the case.

chmod 0751 /etc /home /etc/ssh/
chmod 0750 /mnt /boot /etc/rsyslog.d/ /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/
chmod 0750 /storage /innodb

Or whatever you choose your database/general directories to be. I dislike /opt and /srv, at least for things that I will be dedicating entire hard drives to (or most of them).

chgrp staff /storage

Or whatever again.

chmod 0640 /etc/crontab /etc/fstab /etc/securetty /etc/ssh/sshd_config /etc/rsyslog.conf

Clear out unnecessary setuid binaries:

find / -perm -4000 -user 0

Only /bin/su is absolutely necessary.

  • /sbin/pam-tmpdir-helper is needed if you are using the pam tmpdir module above
  • /usr/lib/dbus-1.0/dbus-daemon-launch-helper is needed by dbus which systemd requires.
  • suexec if you are still using Apache
  • sudo if you use that. Since this is a server, I find the idea of typing 'sudo' before a million commands highly annoying, personally. That said it is still useful for launching processes as a separate user for various tasks.

On a default Buster install:

chmod u-s /usr/bin/passwd /usr/bin/chsh /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/chfn /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /bin/mount /bin/umount

No reason for anyone to be running any of these outside sudo/root on a server.

chmod u-s /sbin/mount.nfs

If using NFS.
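To keep the setuid set from creeping back, the search above can be turned into a repeatable check against an allowlist. This is an added example, not part of the original page: the ALLOW variable and function names are hypothetical, the default allowlist is the three helpers named above, and unlike the `-user 0` search it reports setuid files of any owner.

```sh
#!/bin/sh
# Added example: list setuid files that are not on the allowlist.
# ALLOW is a hypothetical variable; its default is the set this page keeps.
ALLOW="${ALLOW:-/bin/su /sbin/pam-tmpdir-helper /usr/lib/dbus-1.0/dbus-daemon-launch-helper}"

# unexpected_setuid [ROOT]: paths are reported relative to ROOT, so a mounted
# image or backup can be checked as well as the live / file system.
unexpected_setuid() {
    root="${1:-/}"
    find "$root" -type f -perm -4000 2>/dev/null |
    awk -v root="${root%/}" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { p = substr($0, length(root) + 1); if (!(p in ok)) print p }' |
    sort
}

# Constructed tree standing in for a file system root (files are owned by
# whoever runs this, not uid 0).
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/usr/bin"
    : > "$t/bin/su"; : > "$t/usr/bin/passwd"
    : > "$t/usr/bin/chsh"; : > "$t/usr/bin/ls"
    chmod 4755 "$t/bin/su" "$t/usr/bin/passwd" "$t/usr/bin/chsh"
    chmod 0755 "$t/usr/bin/ls"
    echo "$t"
}

demo=$(make_demo_tree) && unexpected_setuid "$demo"
rm -rf "$demo"
# Live check (as root): unexpected_setuid /
```

Package upgrades reinstall files with their packaged modes, so rerun the check after upgrades; dpkg-statoverride can make a mode change persistent.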

Remove sound support

This is less security and more of a misc issue. Still, my server is in a secure building thousands of miles away, it shouldn't be making noise I can hear.

To get sound modules:

lsmod | grep snd 
lsmod | grep sound 
lsmod | grep spkr

Blacklist these, along with pcspkr, in a file like /etc/modprobe.d/sound-blacklist.conf:

# /etc/modprobe.d/sound-blacklist.conf
# Hear no evil.
blacklist pcspkr
blacklist snd_hda_codec_realtek
blacklist snd_hda_codec_generic
blacklist snd_hda_intel
blacklist snd_hda_codec
blacklist snd_hda_core
blacklist snd_hwdep
blacklist snd_pcm
blacklist snd_timer
blacklist snd_page_alloc
blacklist snd
blacklist snd-pcsp
blacklist soundcore