Security Hardening Linux OS


These are some extra steps that you can implement to harden a Linux system.

USBGuard prevents unauthorized USB devices from connecting.

The installation page goes through the process of setting it up.

For Fedora users it's as simple as:

sudo dnf install usbguard

Make sure any USB you want to allow through is connected to a port. Then generate an initial ruleset:

# You might need to switch to root to run this 
sudo usbguard generate-policy > /etc/usbguard/rules.conf

Enable the service on startup:

sudo systemctl start usbguard
sudo systemctl enable usbguard

Allowing a new USB device is as simple as:

# Plug in a new device and find it using
sudo usbguard list-devices

New devices should be automatically blocked and appear as

22: block id 08...

To allow the device simply run:

# Note that this won't make it permanent.
sudo usbguard allow-device 22 

To allow the device permanently run:

sudo usbguard allow-device 22 -p

NTS over NTP

Network Time Protocol allows your device to synchronize its time with highly accurate atomic clock servers. However, it's very old and abused for DDoS amplification attacks.

NTS extends NTP by adding encrypted cookies that authenticate that the time data has not been tampered with. This cookie is recomputed every exchange of client/server to prevent linkability.

NTS also provides a unique identifier to detect spoofed packets.

As well as an AHEAD algorithm used to encrypt the cookie.

Here's the full draft.

Chrony can be easily configured for NTS as follows:

Edit /etc/chrony.conf (make sure it's installed first)

# List of NTS servers:

server       iburst nts

server         iburst nts

server     iburst nts
server     iburst nts
server     iburst nts

# NTS cookie jar to minimise NTS-KE requests upon chronyd restart
ntsdumpdir /var/lib/chrony

then restart chrony

sudo systemctl restart chronyd

ICMP tunneling

ICMP is another protocol that can be abused by an attacker to exfiltrate private data. It can also be abused as a DDoS attack.

In Fedora ICMP's echo request/ echo reply can be disabled with the firwall:

# first check if they're already disabled 
firewall-cmd --query-icmp-block=echo-request
firewall-cmd --query-icmp-block=echo-reply

# if they both say not then disable them
sudo firewall-cmd --add-icmp-block=echo-request
sudo firewall-cmd --add-icmp-block=echo-reply

I won't cover firewalls in this small guide as they should each be configured to the user's needs as well as the specific OS.

Blocking ICMP pings is generally seen as bad practice. Better would be using whitelist filters in the firewall, instead of blocking them all.

Hardening the Kernel

The simplest way to pass arguments to the kernel is with sysctl.

Simply edit /etc/sysctl.conf

# blocks kernel pointers from being exposed to an attacker

# avoid kernel memory address exposures

# disallow kernel/cpu profiling from non root

# disallow kernel swapping while running

# Avoid non-ancestor ptrace access to running processes and their credentials.

# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.

# Turn off unprivileged eBPF access.
# harden BPF JIT

Then make the changes without rebooting:

sudo sysctl -p /etc/sysctl.conf

More hardening parameters can be found here and also here.