Brandon J. L.

Privacy Freak // Hacker // Website-Haver

Linux Security 101: Hardening Your System for The Common Geek

Last Updated: August 13, 2018

Intro

This guide will be a beginner-friendly walkthrough of hardening your Linux system. This does not have to be done all at once. Feel free to ease into it, or take it even further, as I’ll also be providing recommendations for more advanced users throughout. Just go at your own pace, crank up some music, and make it your own.

My goals for this guide:

  • Demonstrate how to achieve excellent security without impeding usability
  • Introduce newbies to Linux security basics
  • Provide plenty of information for more seasoned Linux users
  • Make the hardening process smooth and streamlined

Also, to give credit where it’s due, much of the information here came from a guide written by Dave Wescott, which was made freely available via The Complete Privacy & Security Podcast. My goal here is not to echo this guide, but to take it a step further with more information and include my own personal tweaks and suggestions. That said, it did serve as a fantastic base and I want to thank Mr. Wescott for taking the time to create it and share it freely.

Pro Tip: If you’re virtual machine savvy, try new concepts out in a VM. Take a snapshot first so mistakes won’t be quite so painful.

Recommended Linux Distributions:

These are only my personal recommendations. There are many excellent distros out there. Feel free to branch out and use whatever you’re comfortable with, as any flavor of Linux you like will be applicable here; however, I’ll only be supplying terminal commands for Debian-based distros. Here are the ones I recommend for beginners and enthusiasts alike:

  • Pop!_OS (Most beginner-friendly option, great looking UI, ideal for PCs with Nvidia GPUs)
  • Debian (Widely used among security-minded folk, multiple desktop environments to choose from)
  • Ubuntu (Big community and well-supported, but does collect some anonymized data by default)

If you’re not into these, feel free to try another distro, but be warned that you may have to adjust the terminal commands accordingly on your own. If you’re cool with that, here are some others I’d recommend:

Prerequisites:

1 – Basic Knowledge of Linux/The Terminal

Most likely, you’re here because you’re either new to certain security concepts or just new to Linux. Either way, this guide is tailored to beginners, though I do recommend you get the hang of some Linux basics before diving in head first. At the very least, play around with the terminal. Get a feel for it and try out some simple commands. It will also be helpful to know a bit about the Linux file structure.

2 – A Linux Installation to Secure

If you have not yet installed Linux: Pick your favorite distro, download the ISO, verify the checksum of the installer image to make sure it all got to you in one piece (and wasn’t tampered with in transit!), and run through the installation process whether it be a clean install (in which case I recommend setting up an encrypted LVM) or dual-booting alongside another system. A fresh install is recommended here, but you can follow along with the guide on your weather-worn system, too.

When installing, you may see a number of options depending on the distro you picked. The idea here is to keep the installation minimal. Install just what you need: the basics and a desktop environment such as Gnome, KDE, or MATE. If you chose an Ubuntu-based distro such as Lubuntu, Kubuntu, or Ubuntu itself (with the exception of Pop!_OS), it is recommended you do not select any servers, creative suites, or desktops apart from your chosen DE. If you find you really needed something, you can always install it later.

Locking-Down Linux

This part of the guide assumes you are through with installation, you’ve created a user account, and you’re booted to the desktop.

1. Preparing The System

One of the most important things you can do for your security is to ensure your system and installed software are updated to their latest versions. This is something that should be done fairly regularly, maybe once every week or two. Fire up the terminal (Win+T on Pop!_OS, CTRL+ALT+T on most others) and enter the following command:

$ sudo apt-get update -y && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get clean -y

You will be prompted to enter your password, but then it will do its own thing for a while. Once it’s finished, we need to install some packages. While not directly security-related, the following are several lines of terminal commands to get you started with some very basics you’ll need later on.

$ sudo apt install build-essential -y
$ sudo apt install git -y
$ sudo apt install python python-dev python-setuptools -y
$ sudo apt install python-pip
$ sudo apt install apt-transport-https software-properties-common

Finally, take a moment to browse through your privacy settings. Disable anonymous data sharing, turn off location data, etc.

2. GnuPG

GnuPG is an invaluable tool for signing and encrypting all kinds of data, including everything from emails to application packages. GnuPG is likely already included in your Linux distro, but we’re going to remove what’s there currently and reimplement it completely with the latest components.

$ sudo apt remove gnupg:i386 --purge
$ sudo apt remove gnupg1 --purge

Now we’ll install a few dependencies.

$ sudo apt install zlib1g-dev gtk2.0 libgtk2.0-dev libgpgme11

For the rest of the components we need, we’ll go to: https://www.gnupg.org/download/index.html

Download and extract the following components:

  1. libgpg-error
  2. libgcrypt
  3. libksba
  4. ntbtls
  5. npth
  6. libassuan
  7. gnupg-2
  8. gpgme
  9. gpa

Now that they’re extracted, go through each one in the order listed above, enter the directory you extracted from the tarball (e.g. cd libgpg-error-{version}), and install it with this command:

$ ./configure && make && sudo make install

After you’ve installed all 9 packages, we’ll run one last command:

$ gpgconf --kill all
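The nine-component build above, as an added example that is not part of the guide: it checks each tarball’s detached .sig before extracting it, builds the components in the listed dependency order, and stops at the first failure so nothing later is built against a missing library. It assumes the tarballs and their .sig files sit in ~/Downloads, and that a working gpg with the GnuPG release-signing key imported is still on the system.

```sh
#!/bin/sh
# Added example (not from the guide): build the GnuPG stack in dependency
# order, verifying signatures first and stopping at the first failure.
# Paths are assumptions: tarballs and .sig files live in ~/Downloads.
COMPONENTS="libgpg-error libgcrypt libksba ntbtls npth libassuan gnupg gpgme gpa"

# Verify, extract, configure and install one component from
# ~/Downloads/<name>-<version>.tar.bz2 (the naming used on gnupg.org).
build_component() {
    name="$1"
    tarball=$(ls "$HOME/Downloads/$name"-*.tar.bz2 2>/dev/null | head -n1)
    [ -n "$tarball" ] || { echo "no tarball for $name" >&2; return 1; }
    # A missing or bad signature aborts before anything is extracted.
    gpg --verify "$tarball.sig" "$tarball" || return 1
    tar -xjf "$tarball" -C "$HOME/Downloads" || return 1
    ( cd "${tarball%.tar.bz2}" && ./configure && make && sudo make install )
}

# Run "$1 <component>" for each component in order. Prints the name of the
# first component that fails (and returns 1), or "ok" when all succeed.
build_stack() {
    builder="$1"
    for c in $COMPONENTS; do
        "$builder" "$c" || { echo "$c"; return 1; }
    done
    echo ok
}

# Real run: build_stack build_component && gpgconf --kill all
```

Pass any other function or command name to build_stack to dry-run the ordering logic without touching the system.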

3. AppArmor

AppArmor is a Linux kernel security module that enables users to write simple guidelines (called “profiles”) to restrict individual applications from doing things beyond what we need them to do. This protects us from compromised applications accessing sensitive data in other places on the system or in other apps.

Profiles are stored in /etc/apparmor.d/ and can be created and edited for any app, but for our purposes, we’re going to install a bunch of pre-made profiles for some important apps and some common apps to make our lives easier.

Pro Tip: More advanced users might prefer the more robust SELinux. While it’s more complex, it also offers more granular control. AppArmor, on the other hand, is plenty powerful with a significantly shorter learning curve. If you’re up for the challenge, experiment with both and see what works for you. (Though I do recommend newbies stick to AppArmor!)

AppArmor already comes with Ubuntu and many other distros, so we don’t need to install it. All we need to do is give it some instruction and let it loose.

$ sudo apt install apparmor-profiles-extra apparmor-profiles apparmor-notify apparmor-easyprof-ubuntu apparmor-utils

This command provides AppArmor with tons of pre-made profiles for common apps and important parts of your system, as well as the ability to notify you when an app tries to access something it isn’t allowed to.

Next, we’ll take all of the profiles we have and put them into “enforce” mode.

$ sudo aa-enforce /etc/apparmor.d/*

There are two basic modes in AppArmor: enforce and complain. In enforce mode, it will use the rules of the profile to actually block any non-whitelisted activity. In complain mode, it won’t block the activity, but it will report it to you. If it is not in either of these two modes, it is disabled. Normally the mode is set for each individual profile, though the command above will set all available profiles to enforce mode at once.
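A quick way to see which mode each loaded profile ended up in, as an added example that is not part of the guide: the kernel lists every loaded profile in /sys/kernel/security/apparmor/profiles as “<name> (<mode>)”, and a profile that never appears there is not loaded at all, i.e. disabled. The sample list at the bottom is constructed so the script can be exercised without AppArmor present.

```sh
#!/bin/sh
# Added example (not part of the guide): report the mode of every AppArmor
# profile the kernel has loaded. Pass another file as an argument to read a
# saved copy of the kernel list instead of the live one.
PROFILES_FILE=/sys/kernel/security/apparmor/profiles

# Print the names of loaded profiles that are in the given mode
# (enforce or complain), one per line, sorted.
profiles_in_mode() {
    mode="$1"
    file="${2:-$PROFILES_FILE}"
    sed -n "s/^\(.*\) (${mode})\$/\1/p" "$file" | sort
}

# Number of loaded profiles in the given mode (0 when none).
count_in_mode() {
    profiles_in_mode "$1" "$2" | wc -l | tr -d ' '
}

# Human-readable summary. Profiles still in complain mode are logged but
# not blocked, so they are the ones to revisit after aa-enforce.
apparmor_mode_report() {
    file="${1:-$PROFILES_FILE}"
    echo "enforce:  $(count_in_mode enforce "$file")"
    echo "complain: $(count_in_mode complain "$file")"
    if [ "$(count_in_mode complain "$file")" -gt 0 ]; then
        echo "profiles still in complain mode:"
        profiles_in_mode complain "$file" | sed 's/^/  /'
    fi
}

# Constructed sample of the kernel's list (not captured from a real machine).
SAMPLE_PROFILES=$(mktemp)
cat >"$SAMPLE_PROFILES" <<'EOF'
/usr/bin/firefox (complain)
/usr/bin/firefox//browser_java (complain)
/usr/sbin/cupsd (enforce)
/usr/sbin/tcpdump (enforce)
/usr/bin/evince (enforce)
EOF

apparmor_mode_report "$SAMPLE_PROFILES"
```

On a live system run apparmor_mode_report with no argument; it needs read access to securityfs, so use sudo if the file is not readable.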

Pro Tip: Firefox, which is among the profiles we’re adding, can get a little “noisy” with notifications when you have a lot of extensions. It can also block some legitimate processes you may want. I would suggest learning a bit about editing profiles and reworking the Firefox profile (/etc/apparmor.d/usr.bin.firefox) to suit your needs. If you’re brand new to this and it’s really impeding your usability, you can delete or disable the profile, though I don’t recommend it.

4. Firejail

Firejail is a tool for sandboxing applications. While it may seem similar to AppArmor, it is quite different. AppArmor is a Mandatory Access Control (MAC) system, which provides extended access controls beyond what is offered by simple file permissions. Firejail is an additional layer of security, utilizing separate technologies to isolate an application from the system as much as possible while maintaining functionality. When used together with AppArmor or SELinux, it creates an exceptional level of security.

In essence, you’ll be able to easily launch apps in their own, self-contained sandbox for privacy and security protection.

We’re also going to install Firetools, which will serve as a nifty little GUI for Firejail.

To get started, we’ll need to install some dependencies.

$ sudo apt install qt4-qmake
$ sudo apt install libqt4-dev

With that out of the way, we’ll need to download the latest version of Firejail from SourceForge: https://sourceforge.net/projects/firejail/files/firejail

We’ll also want to snag the latest version of Firetools GUI from SourceForge: https://sourceforge.net/projects/firejail/files/firetools

After downloading both of those .tar.xz archives, we’ll get started installing them. Let’s start with Firejail.

$ cd ~/Downloads/
$ tar -xf firejail-{version}.tar.xz
$ cd firejail-{version}
$ ./configure
$ make && sudo make install

Now we’ll repeat the same process with Firetools.

$ cd ~/Downloads/
$ tar -xf firetools-{version}.tar.xz
$ cd firetools-{version}
$ ./configure
$ make && sudo make install

That’s all! Firejail and Firetools are now ready to use. To open a program in a Firejail sandbox, all you have to do is fire up a terminal and enter firejail {program} (Firetools gives you the same thing from a GUI). For example, if you wanted to run Firefox:

$ firejail firefox

5. Uncomplicated Firewall (UFW)

UFW is a firewall solution that prioritizes ease of use without sacrificing security. UFW is already included in Ubuntu, so we’ll just be installing Gufw, which adds a handy little GUI. If you’re using something other than Pop!_OS, Ubuntu, Kubuntu, etc., you may need to install UFW before proceeding.

Pro Tip: Advanced users may want to opt for something like IPTables instead of UFW. Much like the difference between SELinux and AppArmor, IPTables simply offers a greater level of control and capability.

Installation is a cinch.

$ sudo apt-get install gufw

You should now see “Firewall Configuration” in your apps list. If you’re in plain vanilla Ubuntu, you can also access the GUI from the menu at System -> Administration -> Firewall Configuration. You will then see a small window like this:

Switch the “Status” toggle on to enable the service, as seen above.

For most people, setting Incoming to “Deny” and Outgoing to “Allow” is enough. This blocks outsiders from being able to connect to your machine through any port at all, but allows you to make connections on any port you may need to.

If, however, you need to make some rules because you play online games, host a Plex server, or need to SSH into your machine remotely, you can do that easily. Simply go to the Rules tab and press the + button to add a new rule. You’ll be able to choose from some preconfigured options, make simple rules (“allow incoming traffic on port 22”), or make more advanced rules (specifying interface, IPs, and more).

For more information, see here.

6. ARP Handler Inspection (ArpON)

ARP Spoofing/Poisoning is a network attack that allows an attacker to redirect network traffic meant for another user to their own machine. Most people are not going to see this on their home network, but if your machine is at your office or travels with you regularly, you’ll want the security of knowing your ARP handler is under careful inspection by ArpON.

$ sudo apt install arpon

After installation, we’re going to harden ArpON by tweaking its configuration. You’ll want to use your favorite terminal-based text editor here. In this example, I’ll use Nano, but feel free to use Vim or whatever you’d like.

$ sudo nano /etc/default/arpon

We’re going to uncomment the line DAEMON_ARGS="--darpi" by removing the ‘#’ preceding it. We also need to comment out the default choice (SARPI) by putting a ‘#’ in front of its line. When you’re done, your file should look like this:
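The relevant lines of /etc/default/arpon after the edit, as an added example rather than a copy of the packaged file (the comment text and the exact surrounding lines are assumptions; the DAEMON_ARGS lines are what matters):

```sh
# /etc/default/arpon, as it should read after the edit (added example; the
# packaged file has more comments around these lines). ArpON takes one
# inspection mode from DAEMON_ARGS, so exactly one line stays uncommented.

# SARPI: static ARP inspection, protecting only the entries you list by hand.
# This is the packaged default, so comment it out:
#DAEMON_ARGS="--sarpi"

# DARPI: dynamic ARP inspection, which only accepts a reply that answers a
# request this host actually sent, so no hand-written host list is needed:
DAEMON_ARGS="--darpi"

# HARPI (hybrid of the two) stays commented out as well:
#DAEMON_ARGS="--harpi"
```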

Press CTRL + X to exit, press Y to confirm you’d like to save your changes, and hit Enter to confirm the name of the file.

Finally, we’ll jump back into our terminal and run two simple commands:

$ sudo systemctl enable arpon
$ sudo systemctl restart arpon

Now we’re done and ArpON is working its magic in the background!

7. Secure Shared Memory

This one is very simple. All we need to do is hop back into our terminal and make a small tweak to a file.

$ sudo nano /etc/fstab

Once open, use your down arrow key to navigate to the very bottom and add the following line:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

That’s it! Easy, right?

8. OpenVPN

I cannot sing enough praises for good, reliable VPN services. If you do not have one already, I strongly encourage you to invest. This is the only part of the guide that will cost you any money, and it may just be the most important thing. I will soon make a post about VPNs and why they are so amazing, but for now, I’ll redirect you to my VPN recommendations on my Resources Page. The one thing I will say is this: DO NOT USE A FREE VPN. VPNs are expensive to run, and they need to turn a profit somehow. In cases like that, if you are not paying for the product, you usually are the product. Caveat emptor.

With that noise out of the way, let’s set up our VPN service with OpenVPN. You’ll need to find setup instructions for your specific VPN provider. Here are some handy links if you happen to choose any of my recommended VPNs:

If you have a different service, usually searching for “{company name} linux openvpn setup” will get you the guide you need.

Pro Tip: You can set up your VPN to autoconnect when you connect to a familiar network. In your terminal, run nm-connection-editor, select your connection and click “Edit…”, then check the box that says “Automatically connect to VPN when using this connection.” You can also select the specific server you’d like to use.

9. DNSCrypt

In short, DNSCrypt encrypts DNS traffic, securing it against man-in-the-middle attacks. It is a terrific tool for both privacy and security, and a must-have if you’ll be browsing the internet at all.

We’ll begin by downloading the most recent release of the DNSCrypt client from: https://github.com/jedisct1/dnscrypt-proxy/releases/

You’ll also want to download “mybase.txt” from here: https://download.dnscrypt.info/blacklists/domains/mybase.txt

Scroll down until you find dnscrypt-proxy-linux_x86_64-{version}.tar.gz and download it. Then you will need to extract and install it.

$ cd ~/Downloads/
$ tar -xzvf dnscrypt-proxy-linux_x86_64-{version}.tar.gz
$ mv linux-x86_64 dnscrypt-proxy
$ mv mybase.txt ~/Downloads/dnscrypt-proxy/
$ mv dnscrypt-proxy ~/Tools/ {or /opt/, really any directory}
$ cd ~/Tools/dnscrypt-proxy
$ cp example-dnscrypt-proxy.toml dnscrypt-proxy_backup.toml
$ mv example-dnscrypt-proxy.toml dnscrypt-proxy.toml
$ sudo ./dnscrypt-proxy -service install
$ sudo nano dnscrypt-proxy.toml

At this point, you’re going to go through the text and change the value of three parameters:

  • require_nofilter = true
  • ignore_system_dns = true
  • blacklist_file = 'mybase.txt'

Once you’ve saved your changes, we need to start the service.

$ sudo ./dnscrypt-proxy -service start

The service is running now and will continue to run in the background until we tell it to stop (even after reboots), but we still have to set the proxy as our DNS server. To do so, we’ll head to Settings -> Network. Click the edit button on the network of your choice and click over to the IPv4 tab.

We want our DNS server address to point back to our localhost, so we enter 127.0.0.1. We also want to make sure we’re using the DHCP method. Click Apply to keep these settings, and repeat for any other networks you may have (including VPN connections).
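A check for the edited dnscrypt-proxy.toml, as an added example that is not part of the guide: it confirms the three settings changed above and one thing the DNS step silently relies on, namely that the proxy listens on 127.0.0.1:53, since otherwise pointing the system resolver at 127.0.0.1 leaves you with no DNS at all. The key names are those of the example config shipped with dnscrypt-proxy 2 (written as key = value with spaces); the two sample files are constructed, not copied from it.

```sh
#!/bin/sh
# Added example (not part of the guide): verify a dnscrypt-proxy.toml carries
# the guide's three edits and still listens on 127.0.0.1:53. Keys are matched
# as written in the shipped example ("key = value"); the samples are constructed.

# Value of a top-level "key = value" line (before the first [section]),
# trailing comment stripped. Commented-out keys are ignored.
toplevel_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { exit }
        $1 == key && $2 == "=" { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+#.*$/, ""); print; exit }
    ' "$1"
}

# Same, for a "key = value" line inside a given [section].
section_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { cur = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", cur) }
        cur == sec && $1 == key && $2 == "=" { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+#.*$/, ""); print; exit }
    ' "$1"
}

# Print one line per problem; prints nothing when the file is as expected.
dnscrypt_toml_issues() {
    cfg="$1"
    [ "$(toplevel_value "$cfg" require_nofilter)" = "true" ] \
        || echo "require_nofilter is not true: filtering resolvers are still allowed"
    [ "$(toplevel_value "$cfg" ignore_system_dns)" = "true" ] \
        || echo "ignore_system_dns is not true: the system resolver may still be used"
    case "$(section_value "$cfg" blacklist blacklist_file)" in
        *mybase.txt*) ;;
        *) echo "[blacklist] blacklist_file does not point at mybase.txt" ;;
    esac
    case "$(toplevel_value "$cfg" listen_addresses)" in
        *"'127.0.0.1:53'"*) ;;
        *) echo "listen_addresses lacks 127.0.0.1:53: 127.0.0.1 as DNS server would fail" ;;
    esac
}

# Constructed "before" file, modelled on the shipped defaults.
BEFORE=$(mktemp)
cat >"$BEFORE" <<'EOF'
listen_addresses = ['127.0.0.1:53', '[::1]:53']
require_nofilter = false
ignore_system_dns = false

[blacklist]
  ## Path to the file of blocking rules
  # blacklist_file = 'blacklist.txt'
EOF
# Constructed "after" file with the guide's three edits applied.
AFTER=$(mktemp)
cat >"$AFTER" <<'EOF'
listen_addresses = ['127.0.0.1:53', '[::1]:53']
require_nofilter = true
ignore_system_dns = true   # never fall back to the system resolver

[blacklist]
  blacklist_file = 'mybase.txt'
EOF
dnscrypt_toml_issues "$BEFORE"   # three findings
dnscrypt_toml_issues "$AFTER"    # nothing: the file is as the guide wants it
```

Run dnscrypt_toml_issues against ~/Tools/dnscrypt-proxy/dnscrypt-proxy.toml before starting the service.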

10. Additional Software

At this point, we’ve got a damn secure system. If you’ve just come over from Windows, you are already far ahead of the curve. Go you! But if we wanna take it even further, there are a few programs we can add. They are completely optional, though. I won’t go into as much detail here as I have above, but I’ll try to include a brief description of what each one does and the commands you need to get it running.

ClamAV (Official Website)

A free and open-source antivirus engine.

$ sudo apt install clamav clamav-unofficial-sigs clamtk -y

Bleachbit (Official Website)

Open-source alternative to CCleaner; disk cleaner and privacy manager.

$ sudo apt-get install bleachbit

KeePassXC (Official Website)

The best offline password manager money can buy (and it’s free!).

$ sudo add-apt-repository ppa:phoerious/keepassxc
$ sudo apt update
$ sudo apt install keepassxc

VeraCrypt (Official Website)

Tool for creating encrypted drives and “containers”. Newbies may prefer Cryptomator instead.

$ sudo apt-get install veracrypt

Privoxy (Official Website)

Non-caching web proxy with some awesome privacy features.

$ sudo apt install privoxy

OpenSnitch (Official Website)

Linux port of Little Snitch for OS X; application firewall. For advanced users.

$ git clone https://github.com/evilsocket/opensnitch.git
$ sudo apt install build-essential libcap-dev libnetfilter-queue-dev libnfnetlink-dev python3-dbus python3-dev python3-gi python3-pyinotify python3-pyqt5 python3-setuptools
$ export XTABLES_LIBDIR=/usr/lib/x86_64-linux-gnu/xtables/
$ sudo -HE opensnitchd
$ opensnitch-qt

Wireshark (Official Website)

An absurdly feature-slathered packet inspection tool for monitoring network traffic. For advanced users.

$ sudo apt install wireshark
{You'll be asked if non-superusers should be able to capture packets -- Enter "yes"}
$ sudo usermod -a -G wireshark {your username}

Audit Daemon (Official Website)

For writing audit records to the disk. Here is a helpful guide. For advanced users.

$ sudo apt install auditd audispd-plugins

Tor Browser Bundle (Official Website)

Not just for crooks! You know what this is.

$ sudo nano /etc/apt/sources.list
{Add these sources}
deb http://deb.torproject.org/torproject.org bionic main
deb-src http://deb.torproject.org/torproject.org bionic main

$ gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

$ sudo apt install tor deb.torproject.org-keyring
$ sudo -H pip install nyx

{Check for latest version first!}
$ wget https://www.torproject.org/dist/torbrowser/7.5.6/tor-browser-linux64-7.5.6_en-US.tar.xz 
$ mkdir ~/Tools/tor {Or any directory you want to keep it in}
$ tar -xf tor-browser-linux64-7.5.6_en-US.tar.xz
$ mv tor-browser_en-US/ ../Tools/tor/

$ cd ~/Tools/tor/tor-browser_en-US
$ ./start-tor-browser.desktop

After the first startup, set the Tor Browser Security Settings to “Safest”.

I also recommend using a custom torrc file with Creatorrc.

Further Reading

If you’d like to know more about Linux security (and privacy), I can certainly recommend a few solid resources:

  • The Complete Privacy and Security Podcast had a great 4-part series on switching to Linux that covered hardware, software, and much more. I highly recommend giving it a listen if you’re just making the switch now.
  • This wiki article on the installation and configuration of Grsecurity, a set of security patches for the Linux kernel. Be warned that there may be some compatibility issues between a Grsecurity-patched kernel and system updates, so do your homework before patching. You may also need to patch your Nvidia drivers, if you use an Nvidia card. For these reasons, I felt it might be out of the scope of this guide. That said, it’s an excellent ‘next step.’
  • NixTutor’s 9 Ways to Make Linux More Secure, which provides a nice, brief introduction to advanced topics I didn’t cover here, such as Snort (IDS), port knocking, and more.
  • The Surveillance Self-Defense Guide from the EFF.
  • Reddit is your friend! Come say hi in /r/linux, /r/privacy, and /r/asknetsec, all very welcoming communities.
  • Get recommendations on free and open-source software from PrivacyTools.io and PrismBreak.

Closing Thoughts

If you made it through this whole guide, congrats! It was dense. I hope you enjoy your newly hardened Linux system. You’ve taken a huge step toward a more private and secure digital life.

If you have any questions or concerns about the content of this guide, I’d love to hear from you. Please feel free to contact me via any of the means on my Contact Page. I will also update this guide occasionally, so check back once in a while. In the meantime, I’ll be posting plenty of other articles on personal privacy and security, so keep an eye out for those, too.
