
Using Ubuntu

All about using

Last updated 3 years ago

Initial hardening

References for some of these steps are at . It's pasted here for my convenience.

Encrypt your hard-drive

THIS IS ONLY DOABLE WHEN YOU INSTALL UBUNTU

On the installation page where you select your partition, opt to erase the disk, then select the "Use LVM..." option and encrypt it using Linux Unified Key Setup (LUKS).

Set up Antivirus

Install and Bootstrap ClamAV

# install clamav
sudo apt install clamav clamav-freshclam;

# bootstrap clamav
sudo systemctl stop clamav-freshclam;
sudo freshclam;
sudo systemctl start clamav-freshclam;

# enable clamav to run at startup
sudo systemctl enable clamav-freshclam;

Set up ClamAV to run daily

Create the log file:

sudo touch /var/log/clamav/clamscan.log;

Use cron to set up a daily job:

sudo vim /etc/cron.daily/clamav;

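Paste in the following contents (the file must be executable, or `run-parts` will skip it):

#!/bin/sh
# Daily ClamAV scan; output is appended to the log file created above

MYLOG=/var/log/clamav/clamscan.log
echo "Scanning for viruses at $(date)" >> "$MYLOG"
# Scan / recursively, report only infected files, skip /boot
clamscan --recursive --infected --max-filesize=100M --max-scansize=100M --exclude=/boot / >> "$MYLOG" 2>&1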

Set up Firewall

Confirm that `ufw` is installed

ufw --version;

Set up base rules for `ufw`

sudo ufw default deny incoming;

# common ports
sudo ufw deny ssh;
sudo ufw deny ftp;
sudo ufw deny smtp;
sudo ufw deny cups;
sudo ufw deny 69;    # tftp
sudo ufw deny 514;   # syslog / rsh

# samba
sudo ufw deny 137;
sudo ufw deny 138;
sudo ufw deny 139;
sudo ufw deny 445;

Enable `ufw`

If not already done, enable ufw:

sudo ufw enable;

Enable `ufw` to run at startup

sudo systemctl enable ufw;

Secure `sysctl`

# make an archive of the configuration file
sudo cp --archive /etc/sysctl.conf /etc/sysctl.conf-COPY-$(date +"%Y%m%d%H%M%S");

# edit the configuration file
sudo vim /etc/sysctl.conf;

Paste in the following contents:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

Finally, load the new settings from /etc/sysctl.conf:

sudo sysctl -p;
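
To confirm the settings above actually took effect, the following added example (not part of the original page) compares each `key = value` line in a sysctl.conf-style file with the value the running kernel reports. The function names and the optional procfs-root argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original page: report where the running kernel
# differs from a sysctl.conf-style file. The optional second argument (the
# procfs root, default /proc/sys) is an assumption added so the check can be
# pointed at a test tree.

# Collapse runs of blanks/tabs and trim both ends.
norm() { tr '\t' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'; }

# sysctl_drift CONF [PROC_SYS_ROOT]
# Prints "KEY expected=X actual=Y" per mismatch; exit status 1 if any.
sysctl_drift() (
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in *=*) ;; *) continue ;; esac      # need "key = value"
        key=$(printf '%s\n' "${line%%=*}" | tr -d ' \t')
        case $key in ''|'#'*|';'*) continue ;; esac    # comment lines
        want=$(printf '%s\n' "${line#*=}" | norm)
        # net.ipv4.tcp_syncookies -> $root/net/ipv4/tcp_syncookies
        path=$root/$(printf '%s\n' "$key" | tr . /)
        if [ -r "$path" ]; then have=$(norm < "$path"); else have='(missing)'; fi
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
            rc=1
        fi
    done < "$conf"
    exit "$rc"
)

# Usage: sh sysctl_drift.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then sysctl_drift "$@"; fi
```

Run it after `sudo sysctl -p` and again after a reboot; any line it prints is a setting whose running value no longer matches the file.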

Secure `/proc`

Make a backup of the configuration file and then open it:

sudo cp --preserve /etc/fstab /etc/fstab-COPY-$(date +"%Y%m%d%H%M%S");

sudo vim /etc/fstab;

Paste the following line at the end of the file:

proc    /proc   proc    defaults,hidepid=2  0   0

Reload the configuration by remounting /proc:

sudo mount -o remount,hidepid=2 /proc;

Secure the kernel

Back up the configuration file:

sudo cp --archive /etc/modprobe.d/blacklist.conf /etc/modprobe.d/blacklist.conf-COPY-$(date +"%Y%m%d%H%M%S")

Open the configuration file:

sudo vim /etc/modprobe.d/blacklist.conf

Add the following lines at the end:

# Instruct modprobe to force inactive modules to always fail loading
install cramfs /bin/false
install freevxfs /bin/false
install hfs /bin/false
install hfsplus /bin/false
install jffs2 /bin/false
install udf /bin/false
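
The `install ... /bin/false` rules only affect future load attempts; a module that is already loaded stays loaded. This added example (not part of the original page) reports, for each of the six modules above, whether it is loaded, blocked, or still loadable. The function names and the optional directory and module-list arguments are assumptions, and only one modprobe directory is read.

```shell
#!/bin/sh
# Added example, not from the original page. The optional directory and
# loaded-module-list arguments are assumptions added for testing; by default
# only /etc/modprobe.d and /proc/modules are read.

# module_status MODULE [MODPROBE_DIR] [LOADED_LIST]
# Prints "loaded"   if the module is in the running kernel,
#        "blocked"  if an "install MODULE /bin/false" rule exists,
#        "loadable" otherwise.
module_status() (
    mod=$1; dir=${2:-/etc/modprobe.d}; loaded=${3:-/proc/modules}
    # /proc/modules has one loaded module per line, name in the first column
    if awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$loaded" 2>/dev/null; then
        echo loaded; exit 0
    fi
    for f in "$dir"/*.conf; do
        [ -r "$f" ] || continue
        # Comment lines start with "#", so their first field is never "install"
        if awk -v m="$mod" '
            $1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
            END { exit !hit }' "$f"; then
            echo blocked; exit 0
        fi
    done
    echo loadable
)

# audit_fs_modules [MODPROBE_DIR] [LOADED_LIST]
# One "MODULE STATUS" line for each filesystem module listed on this page.
audit_fs_modules() {
    for m in cramfs freevxfs hfs hfsplus jffs2 udf; do
        printf '%s %s\n' "$m" "$(module_status "$m" "$@")"
    done
}

audit_fs_modules "$@"
```

A `loaded` result means the rule will only take effect once the module is unloaded or the machine is rebooted.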

Add some blocklists to `/etc/hosts` if you want

  1. Copy and paste the blocklists as needed into your /etc/hosts file

Albert Task Launcher

Troubleshooting

Task exits after hiding launcher

Open Albert by running albert in the CLI.

Trigger Albert using the hotkey, and hide the application again.

The albert task should have exited with the following error:

[fatal:default] SQL ERROR: INSERT INTO execution (query_id, handler_id, runtime) VALUES (:query_id, :handler_id, :runtime); UNIQUE constraint failed: execution.query_id, execution.handler_id Unable to fetch row  --  [(null)]

To resolve this, run:

rm ~/.config/albert/core.db

Check out the repository at https://github.com/jmdugan/blocklists

Reference: https://github.com/albertlauncher/albert/issues/1033

Source: https://jumpcloud.com/blog/how-to-enable-full-disk-encryption-on-an-ubuntu-20-04-desktop