🟠Using Ubuntu

All about using

Initial hardening

References for some of these steps are at this site. It's pasted here for my convenience.

Encrypt your hard-drive

⚠️⚠️⚠️ THIS IS ONLY DOABLE WHEN YOU INSTALL UBUNTU ⚠️⚠️⚠️

On the installation page where you have to select your partition, opt to erase the disk and then select "Use LVM..." option and encrypt it using Linux Unified Key System (LUKS)

Setup Antivirus

Install and Bootstrap ClamAV

# install clamav
sudo apt install clamav clamav-freshclam;

# bootstrap clamav
sudo systemctl stop clamav-freshclam;
sudo freshclam;
sudo systemctl start clamav-freshclam;

# enable clamav to run at startup
sudo systemctl enable clamav-freshclam;

Setup ClamAV to run daily

Create the log file:

sudo touch /var/log/clamav/clamscan.log;

Use cron to setup a daily job:

sudo vim /etc/cron.daily/clamav;

Paste in the following contents:

#!/bin/sh

MYLOG=/var/log/clamav/clamscan.log
echo "Scanning for viruses at `date`" >> $MYLOG
clamscan --recursive --infected --max-filesize=100M --max-scansize=100M --exclude=/boot / >> $MYLOG 2>&1

Setup Firewall

Confirm that `ufw` is installed

ufw --version;

Setup base rules for `ufw`

sudo ufw default deny incoming;

# common ports
sudo ufw deny ssh;
sudo ufw deny ftp;
sudo ufw deny smtp;
sudo ufw deny cups;
sudo ufw deny 69;
sudo ufw deny 514;

# samba
sudo ufw deny 137;
sudo ufw deny 138;
sudo ufw deny 139;
sudo ufw deny 445;

Enable `ufw`

If not already done, enable ufw:

sudo ufw enable;

Enable `ufw` to run at startup

sudo systemctl enable ufw;

Secure `sysctl`

# make an archive of the configuration file
sudo cp --archive /etc/sysctl.conf /etc/sysctl.conf-COPY-$(date +"%Y%m%d%H%M%S");

# edit the configuration file
sudo vim /etc/sysctl.conf;

Paste in the following contents:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

Finally, enable it:

sudo sysctl -p;

Secure `/proc`

Make a backup of the configuration file and then open it:

sudo cp --preserve /etc/fstab /etc/fstab-COPY-$(date +"%Y%m%d%H%M%S");

sudo vim /etc/fstab;

Paste the following line at the end of the file:

proc    /proc   proc    defaults,hidepid=2  0   0

Reload the configuration by remounting /proc:

sudo mount -o remount,hidepid=2 /proc;

Secure the kernel

Backup the configuration file:

sudo cp --archive /etc/modprobe.d/blacklist.conf /etc/modprobe.d/blacklist.conf-COPY-$(date +"%Y%m%d%H%M%S")

Open the configuration file:

sudo vim /etc/modprobe.d/blacklist.conf

Add the following lines at the end:

# Instruct modprobe to force inactive modules to always fail loading
install cramfs /bin/false
install freevxfs /bin/false
install hfs /bin/false
install hfsplus /bin/false
install jffs2 /bin/false
install udf /bin/false

Add some blocklists to `/etc/hosts` if you want

Checkout the repository at https://github.com/jmdugan/blocklists
Copy and paste the blocklists as needed into your /etc/hosts file

Albert Task Launcher

Troubleshooting

Task exits after hiding launcher

Open Albert by running albert in the CLI.

Trigger Albert using the hotkey, and hide the application again.

The albert task should have exited with the following error:

[fatal:default] SQL ERROR: INSERT INTO execution (query_id, handler_id, runtime) VALUES (:query_id, :handler_id, :runtime); UNIQUE constraint failed: execution.query_id, execution.handler_id Unable to fetch row  --  [(null)]

To resolve this, run:

rm ~/.config/albert/core.db

Reference: https://github.com/albertlauncher/albert/issues/1033

PreviousTools and Useful Stuff NextReference/Template Dockerfiles

Last updated 3 years ago

hashtagInitial hardening

hashtagEncrypt your hard-drive

hashtagSetup Antivirus

hashtagInstall and Bootstrap ClamAV

hashtagSetup ClamAV to run daily

hashtagSetup Firewall

hashtagConfirm that `ufw` is installed

hashtagSetup base rules for `ufw`

hashtagEnable `ufw`

hashtagEnable `ufw` to run at startup

hashtagSecure `sysctl`

hashtagSecure `/proc`

hashtagSecure the kernel

hashtagAdd some blocklists to `/etc/hosts` if you want

hashtagAlbert Task Launcher

hashtagTroubleshooting