So this is extremely old, out of date and obsolete. It’s a very old wiki article I wrote back then. I thought it would be fun to keep it around for archive purposes. Most of it is probably not really relevant today anymore, and I didn’t know much about anything back then. So don’t actually use this as documentation or a tutorial or something; check official sources.
The Tinfoil Hat Project 2014


So this weekend I had a little time and a kind of paranoid attack,
so I decided to start a little project to make a laptop as secure as possible.
So I wrote together some guidelines on how to harden an Arch Linux box.
This site mostly functions as a little documentation.
I will edit and add things, to have a document for securing future installs from the beginning.
date : 2014-02-23
moved to wiki : 2014-03-31
piefge.homelinux.org
prerequisites
BIOS settings
First of all, I disabled everything not essentially needed inside the BIOS, as far as possible.
For example: I don’t need a smart card reader or Bluetooth, so they can be disabled.
And I set a BIOS boot password.
System installation
I’m a long time Arch user, so I decided to go with an Arch installation.
It’s highly customizable and allows me to keep the system minimal in terms of installed packages.
I made a full disk encryption with LUKS and dm-crypt
– https://wiki.archlinux.org/index.php/Encryption
After a pretty straightforward standard installation process,
I went with a kernel with grsecurity and PaX patches.
The easiest way for this is to use the linux-grsec package, which can be found in the AUR.
I hadn’t had time to make a custom kernel config yet, so in the meantime I disabled unneeded modules in /etc/modprobe.d/ .
Partitions
If a partition is used for data only, it can be mounted with nosuid,nodev,noexec .
For my home partition, however, I still needed to execute cron jobs and scripts, so there it is only nosuid,nodev .
basic system configuration
permissions
I set the default umask to 077 in /etc/profile,
which makes new files not readable by users other than the owner.
I also checked which directories can be locked down to deny normal users (for example chmod 700 /boot).
To make a list of files and folders which are world or group writable, run the following:
sh -c "find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; 2>/dev/null | grep -v '/proc/' | grep -v '/sys/devices/' | grep -v '/sys/fs/'" > files_rw.txt
sh -c "find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; 2>/dev/null | grep -v '/tmp/'" > directories_rw.txt
Then run chmod o-w on the files you wish to secure further.
Also find suid/sgid files with:
find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null > suidfiles.txt
and remove the bit if it’s not needed with: chmod -s
A few examples: rsh, mount, umount, mount.cifs, rcp, chfn, ksu, rlogin
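The same audit as a reusable script, added here as an example (not the page’s own commands): it prunes the pseudo filesystems instead of grepping them out afterwards, and it compares the setuid/setgid findings against an allowlist so only the unexpected ones are reported. The allowlist and the file name audit-perms.sh are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the page's own commands: audit a tree for group- or
# world-writable entries and for setuid/setgid files, and report the
# setuid/setgid files that are not on an allowlist. The allowlist below is
# an assumption for illustration; adjust it to what your packages install.
ALLOWED_SUID='/usr/bin/sudo /usr/bin/passwd /usr/bin/su'

# writable ROOT: files and directories below ROOT that group or others may
# write, skipping the pseudo filesystems and the sticky /tmp
writable() {
    root=${1%/}
    find "${root:-/}" \( -path "$root/proc" -o -path "$root/sys" -o -path "$root/dev" \) -prune \
        -o \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null \
        | grep -v "^$root/tmp" | sort
}

# special ROOT: regular files below ROOT with the setuid or setgid bit set
special() {
    root=${1%/}
    find "${root:-/}" -path "$root/proc" -prune \
        -o -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_suid ROOT: setuid/setgid files whose path (relative to ROOT)
# is not on the allowlist; these are the candidates for chmod -s
unexpected_suid() {
    root=${1%/}
    special "$1" | while IFS= read -r f; do
        case " $ALLOWED_SUID " in
            *" ${f#"$root"} "*) ;;               # allowed, keep the bit
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# stand-alone use:  sh audit-perms.sh /      (file name is assumed)
case "${1:-}" in
    "") ;;   # no ROOT given: only define the functions
    *)  echo "== group/world writable =="; writable "$1"
        echo "== setuid/setgid not on allowlist =="; unexpected_suid "$1" ;;
esac
```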
sysctl security
I configured sysctl with the settings shown in the Arch wiki:
TCP/IP stack hardening,
hiding kernel symbol addresses.
The magic SysRq key can be disabled with kernel.sysrq = 0
user setup
I created a user with a strong password,
and configured PAM to lock out the user after a certain number of failed login attempts.
Lockout_user_after_three_failed_login_attempts
I made sure every file and folder under $HOME has the minimum possible permissions (for example 700 for folders and 600 for normal files).
After the user was set up and working, I disabled root login completely,
which can be accomplished by putting a ! in place of the hashed password in the /etc/shadow file.
To only allow my main user to use cron jobs, I put him in /etc/cron.allow and deleted /etc/cron.deny.
logging
I’m okay with journalctl, but it’s nice to have plain text logfiles around too, so I installed syslog-ng.
DNS
I put my own gateway and a couple of trusted DNS servers in /etc/resolv.conf
and executed chattr +i on the file,
so it can’t be overwritten by dhcpcd or anything else, to make sure I only query DNS servers I trust.
xorg, window manager, shell, mail
I start X automatically after login,
so I had to manually put the -nolisten tcp option in /usr/bin/startx .
I put this in a script which runs at boot (in case X was updated):
sed -i.bak 's/^serverargs=""$/serverargs="-nolisten tcp"/' /usr/bin/startx
For my default shell I’m using zsh (see zsh config at piefge.homelinux.org).
I went with awesome WM for the window manager, since it’s minimal and
I tend to think the less stuff running, the better.
I installed xscreensaver and configured it to lock the screen on inactivity.
For my default mail program I went with mutt
and GnuPG for mail encryption and signing.
installed security tools
exim and cron
I’m running exim and put my email address in all cron files,
so my machine can send out mails and I immediately get a notification if something is happening.
This is also essential for the following steps.
arpon
ArpON is a tool to detect ARP spoofing and protect against such attacks.
You can put your gateway MAC addresses in the config file.
ArpON can be found in the AUR.
logwatch
Logwatch is awesome for a daily log overview.
Since my system can send out mails, I get a daily logwatch mail.
aide
AIDE is a tool for checking the integrity of files.
I put an AIDE script in my daily cron jobs, so every day I get an email listing which files have changed, have been added or have been removed.
After it ran a few times I found a few files to exclude and add.
I always run an automatic script at startup which ensures some file and folder permissions after boot.
These files I set from NORMAL mode to DATAONLY mode to ignore the timestamps.
After that I included some files from my $HOME directory,
for example: .zshrc, .muttrc, .msmtprc, .Xresources, .zprofile and the .ssh/ folder.
That way I can see immediately if something tampered with important $USER config files.
rkhunter
I put rkhunter into the weekly cron jobs
with something like:
/usr/bin/rkhunter -c --sk --nocolors
It makes a weekly scan for known rootkits and weird files.
unhide is also good to have on the system, so rkhunter can check for hidden processes and hidden TCP connections.
lostfiles
lostfiles is a little script for Arch which can be found in the AUR.
It’s not exactly a security tool, but it shows the files on the system which aren’t owned by any package.
sandboxing and browsers
Firefox as a separate user
To put Firefox in a sandbox, I created a dedicated user and went with the following:
# groupadd firefox
# useradd -m -g firefox -G audio,video -s /bin/zsh firefox
Then put export DISPLAY=":0.0" in the firefox user’s .zshrc/.bashrc,
add something like this to the sudoers file:
paranoidpi ALL=(firefox) NOPASSWD:/usr/bin/firefox
and finally add the following alias to your own .zshrc or .bashrc:
alias firefox='xhost +local: && sudo -u firefox /usr/bin/firefox'
Now Firefox runs as a completely different user and can’t access my main user’s $HOME folder.
DWB
I also use dwb for casual browsing,
so I took the same steps with dwb as I did with Firefox.
dwb can be used with an adblocker extension, too.
It can also be configured to disable scripts in the config file.
Firefox addons
I don’t want to get into detail about browser addons, so here’s just a list of what I’m using:
- noscript
- adblockplus
- List : Social Blocking List
- List : Easy Privacy List
- List : Malware Domains
- perspectives
- https everywhere
- pentadactyl
- cipherfox
- request policy
- sync policy
TOR
Long story short, I’m using Tor on this box.
I wasn’t able to get Tor running in a chroot jail yet, but will have a second look at it in the future.
TOR browser bundle
I installed the tor-browser package which is available in the AUR.
And to make it more secure, I again created a dedicated user for this, like I already mentioned in the Firefox section.
So whenever I feel like it, I can just launch a Tor Browser in a sandbox,
with which I of course use the same addons as mentioned above.
dedicated tor user
I created a special user specifically for using Tor.
I NAT all traffic for this user to Tor like this:
iptables -t nat -A OUTPUT -m owner --uid-owner toruser -j REDIRECT --to 9095
So whenever I want all my traffic going through Tor, I can just switch to that user.
iptables
description
I locked everything down in iptables and only allow whitelisted traffic.
iptables rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#INPUT TRAFFIC
#DROP PING
-A INPUT -p icmp --icmp-type echo-request -j DROP
#RELATED AND LOOPBACK
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#OUTPUT TRAFFIC
#ALLOW PING
-A OUTPUT -p icmp -j ACCEPT
#ALLOW WEB TRAFFIC
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#ALLOW DNS
-A OUTPUT -p udp -m udp --dport 53 -d 10.0.0.1 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -d 213.73.91.35 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DROP
#IRC
-A OUTPUT -p tcp -m tcp --dport 6667 -d 10.0.0.7 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -d piefge.homelinux.org -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -d kornbluth.freenode.net -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -d irc.freenode.net -j ACCEPT
#GIT
-A OUTPUT -p tcp -m tcp --dport 9814 -d github.com -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9814 -d git.gitorious.com -j ACCEPT
#GMAIL
-A OUTPUT -p tcp -m tcp --dport 143 -d imap.gmail.com -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -d imap.gmail.com -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -d smtp.gmail.com -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -d smtp.gmail.com -j ACCEPT
#SSH
-A OUTPUT -p tcp -m tcp --dport 22 -d 10.4.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -d 10.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -d 10.1.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -d 10.0.0.4 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -d 10.0.0.7 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -d 10.0.0.102 -j ACCEPT
#WEBADMIN
-A OUTPUT -p tcp -m tcp --dport 4444 -d 10.1.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4444 -d 10.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4444 -d 10.8.0.1 -j ACCEPT
#PROXYPORT
-A OUTPUT -p tcp -m tcp --dport 8080 -d 10.2.0.2 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
#NTP
-A OUTPUT -p udp -m udp --dport 123 -d 10.0.0.1 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -d 10.1.0.1 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -d pool.ntp.org -j ACCEPT
#TOR
-A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 9150 -j ACCEPT
-A OUTPUT -o lo -p tcp --dport 9151 -j ACCEPT
#ALLOW RELATED
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
ipv6 iptables rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#INPUT RULES
#drop ping
-A INPUT -p icmpv6 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
#ALLOW RELATED AND LOOPBACK
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#OUTPUT TRAFFIC
#ALLOW PING
-A OUTPUT -p icmpv6 -j ACCEPT
#ALLOW WEB TRAFFIC
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#ALLOW DNS
-A OUTPUT -p udp -m udp --dport 53 -d fd::00 -j ACCEPT
#ALLOW RELATED
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
restrict access to rules
# chmod 700 /etc/iptables
# chmod 600 /etc/iptables/*
misc
Password management
I’m using keepassx2-git from the AUR to manage my passwords.
Dropbox
I’m still using Dropbox (haven’t gotten to ownCloud yet).
I store a bunch of config files and notes in my Dropbox
and monitor them on the server.
On the server, every 10 minutes a script is executed which md5sums the important files in my Dropbox.
If anything changes, the script makes a diff and sends me an email about it.
Through this I get alerted when someone gets access to my Dropbox and tampers with the files.
Also, Dropbox sometimes makes files world writable or readable when syncing,
so I have a script executed at reboot which uses find to identify common file extensions and chmods them accordingly
and then chmods 700 all folders inside Dropbox.
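A checksum monitor of the kind described above, added as an example (this is not the page’s own script): snapshot records an md5sum manifest plus a pristine copy of each tracked file, and check reports added, removed and modified files together with a content diff. The paths, the tracked extensions and the mail command (mailx-style mail -s, delivered through exim) are assumptions.

```shell
#!/bin/sh
# Added example: checksum monitor for a synced folder (not the original script).
# Assumed layout: WATCH_DIR is the Dropbox folder; STATE_DIR keeps the md5sum
# manifest and a copy of each watched file so a content diff can be produced.
WATCH_DIR=${WATCH_DIR:-$HOME/Dropbox}
STATE_DIR=${STATE_DIR:-/var/lib/dbx-monitor}
ADMIN_MAIL=${ADMIN_MAIL:-root}
WATCH_EXT='txt md conf rc'          # extensions to track (assumed list)

# manifest DIR: md5sum lines for every watched file, paths relative to DIR
# (sha256sum is a drop-in replacement; then use cut -c67- below)
manifest() {
    (cd "$1" && for e in $WATCH_EXT; do find . -type f -name "*.$e"; done \
        | sort | while IFS= read -r f; do md5sum "$f"; done)
}

# snapshot DIR STATE: record the manifest and keep a pristine copy of each file
snapshot() {
    rm -rf "$2/copy"; mkdir -p "$2/copy"
    manifest "$1" > "$2/manifest"
    cut -c35- "$2/manifest" | while IFS= read -r p; do   # md5 (32) + 2 spaces
        mkdir -p "$2/copy/$(dirname "$p")"
        cp -p "$1/$p" "$2/copy/$p"
    done
}

# check DIR STATE: print a report and return 1 if anything was added,
# removed or modified since the snapshot; return 0 when nothing changed
check() {
    new=$(mktemp)
    manifest "$1" > "$new"
    if cmp -s "$2/manifest" "$new"; then rm -f "$new"; return 0; fi
    echo "== manifest changes (< recorded, > current) =="
    diff "$2/manifest" "$new" || true
    cut -c35- "$new" | while IFS= read -r p; do         # content diff for edits
        if [ -f "$2/copy/$p" ] && ! cmp -s "$2/copy/$p" "$1/$p"; then
            diff -u "$2/copy/$p" "$1/$p" || true
        fi
    done
    rm -f "$new"
    return 1
}

# cron entry (assumed path):  */10 * * * * /usr/local/bin/dbx-monitor.sh run
case "${1:-}" in
    init) snapshot "$WATCH_DIR" "$STATE_DIR" ;;
    run)  report=$(check "$WATCH_DIR" "$STATE_DIR") ||
              printf '%s\n' "$report" | mail -s "Dropbox changed on $(hostname)" "$ADMIN_MAIL" ;;
esac
```

Run it once with init after the files are in a known good state, then let cron call run; re-run init after every legitimate edit so the copies stay current.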
VPN
There’s not much to say:
I’m using OpenVPN to connect to my home network and route all traffic through the tunnel
if I’m somewhere else.
The home network
DDWRT
For WiFi I’m using a standard router and flashed it with DD-WRT.
The password is about 50 characters long,
and MAC address filtering I do through an iptables script.
If the MAC doesn’t match, the traffic gets redirected to a honeypot and a static website.
The access point connects to my local home network.
UTM/ASG
For my gateway I have Sophos UTM with similar rules like on the paranoid machine.
Git goes to git servers, Jabber goes to Jabber servers, IRC goes to IRC servers....
Only HTTP/HTTPS traffic is allowed to go anywhere.
It also runs Snort and a web proxy and uses DNSSEC.
Network and WiFi for guests are completely separated from the private network.
additional links
Protecting a Laptop from Simple and Sophisticated Attacks
I stumbled upon this awesome blog.
This guy takes a really interesting approach, but focuses more on the physical side.
It is in any case an awesome read, sometimes ‘a little over the top’, but that’s exactly what I like.
old Tinfoil Hat Project page
The old HTML version of this page
