2023-03-14
The USBGuard installation page goes through the process of setting it up.
For Fedora users it's as simple as:
sudo dnf install usbguard
Make sure every USB device you want to allow is connected to a port, then generate an initial ruleset from the devices that are currently attached:
# The redirect runs as your user, not as root, so you might need a root shell for this
sudo usbguard generate-policy > /etc/usbguard/rules.conf
Start the service and enable it at boot:
sudo systemctl start usbguard
sudo systemctl enable usbguard
Allowing a new USB device is as simple as:
# Plug in the new device and find it using
sudo usbguard list-devices
New devices are blocked by default and appear as
22: block id 08...
To allow the device, simply run:
# Note that this won't make it permanent; the device is blocked again after a restart.
sudo usbguard allow-device 22
To allow the device permanently run:
sudo usbguard allow-device 22 -p
The Network Time Protocol (NTP) allows your device to synchronize its clock with servers backed by highly accurate atomic clocks. However, the protocol is very old and has been abused for DDoS amplification attacks.
Network Time Security (NTS) extends NTP with encrypted cookies that let the client authenticate the time data and detect tampering. A fresh cookie is issued on every client/server exchange so that a client's requests cannot be linked to one another.
NTS also provides a unique identifier in each exchange to detect spoofed packets, as well as an AEAD algorithm used to encrypt the cookie.
Here's the full draft.
Chrony can be easily configured for NTS as follows (make sure it's installed first).
Edit /etc/chrony.conf:
# List of NTS servers:
server nts.netnod.se iburst nts
server nts.time.nl iburst nts
server ptbtime1.ptb.de iburst nts
server ptbtime2.ptb.de iburst nts
server ptbtime3.ptb.de iburst nts
# NTS cookie jar to minimise NTS-KE requests upon chronyd restart
ntsdumpdir /var/lib/chrony
Then restart chrony:
sudo systemctl restart chronyd
ICMP is another protocol that can be abused: an attacker can use it to exfiltrate private data, and it is also used in DDoS attacks.
In Fedora, ICMP echo request/echo reply can be blocked with the firewall:
# first check whether they're already blocked (answers yes or no)
sudo firewall-cmd --query-icmp-block=echo-request
sudo firewall-cmd --query-icmp-block=echo-reply
# if both answer no, block them. These apply to the running firewall only;
# repeat each command with --permanent so the block survives a restart or reload.
sudo firewall-cmd --add-icmp-block=echo-request
sudo firewall-cmd --add-icmp-block=echo-reply
I won't cover firewalls in this small guide, as they should each be configured to the user's needs as well as to the specific OS.
Blocking ICMP pings altogether is generally seen as bad practice; a better approach is to use whitelist filters in the firewall instead of blocking them all.
The simplest way to pass parameters to the kernel at runtime is with sysctl.
Simply edit /etc/sysctl.conf:
# block kernel pointers from being exposed to an attacker
kernel.kptr_restrict=2
# use the maximum address-space randomisation for mmap (x86_64 values, 64-bit and 32-bit compat)
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
# avoid kernel memory address exposures via dmesg
kernel.dmesg_restrict=1
# disallow kernel/cpu profiling from non-root users
# (upstream kernels treat anything above 2 as 2; 3 only has an extra meaning on kernels carrying the Debian/Android patch)
kernel.perf_event_paranoid=3
# disallow loading a new kernel with kexec while the system is running
kernel.kexec_load_disabled=1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope=1
# Disable user namespaces, as they open up a large attack surface to unprivileged users.
# (This also breaks software that relies on them, such as rootless containers, Flatpak and browser sandboxes.)
user.max_user_namespaces=0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled=1
# harden the BPF JIT (2 = for all users, including root)
net.core.bpf_jit_harden=2
Then apply the changes without rebooting:
sudo sysctl -p /etc/sysctl.conf
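As an added example that is not part of the original guide, here is a small POSIX sh script that audits the values above against the running kernel by reading them straight from /proc/sys, and reports every key that drifted from the guide or does not exist on this kernel. It assumes only that /proc/sys is mounted; the expected values are the ones listed above.

```sh
#!/bin/sh
# Added example, not from the original guide: audit the guide's sysctl values
# against the running kernel by reading /proc/sys directly.

# The settings from the guide, one key=value per line.
EXPECTED='kernel.kptr_restrict=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=3
kernel.kexec_load_disabled=1
kernel.yama.ptrace_scope=1
user.max_user_namespaces=0
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2'

# live_value KEY: print the kernel's current value for KEY (dots become path
# separators under /proc/sys). Prints nothing when the key does not exist on
# this kernel, e.g. kernel.yama.* on a kernel built without the Yama LSM.
live_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# audit_sysctl EXPECTED GETTER: compare every expected line with "GETTER KEY".
# Prints one DRIFT line per mismatch (missing keys count as drift) and returns
# the number of mismatches, so 0 means the kernel matches the guide.
audit_sysctl() {
    expected=$1 getter=$2 bad=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$("$getter" "$key")
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s want=%s have=%s\n' "$key" "$want" "${have:-<missing>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$expected
EOF
    return "$bad"
}

# Run against the live kernel when executed as a script.
if audit_sysctl "$EXPECTED" live_value; then
    echo "all hardening sysctls match the guide"
fi
```

Running it after sysctl -p shows immediately which settings the running kernel rejected or does not support.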