Initial hardening
References for some of these steps are at . It's pasted here for my convenience.
Encrypt your hard-drive
THIS IS ONLY DOABLE WHEN YOU INSTALL UBUNTU
On the installation page where you select your partition, choose to erase the disk, then select the "Use LVM..." option and encrypt it using Linux Unified Key Setup (LUKS).
Setup Antivirus
Install and Bootstrap ClamAV
```bash
# install clamav
sudo apt install clamav clamav-freshclam
# bootstrap clamav: stop the updater so freshclam can take its lock, fetch signatures, restart it
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
# enable clamav to run at startup
sudo systemctl enable clamav-freshclam
```
Setup ClamAV to run daily
Create the log file:

```bash
sudo touch /var/log/clamav/clamscan.log
```

Use cron to set up a daily job:

```bash
sudo vim /etc/cron.daily/clamav
```

Paste in the following contents (`--exclude` takes a regex that is matched against each path):

```sh
#!/bin/sh
MYLOG=/var/log/clamav/clamscan.log
echo "Scanning for viruses at $(date)" >> "$MYLOG"
clamscan --recursive --infected --max-filesize=100M --max-scansize=100M --exclude=/boot / >> "$MYLOG" 2>&1
```

Then make the script executable, otherwise `run-parts` silently skips it:

```bash
sudo chmod +x /etc/cron.daily/clamav
```
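A variant of the daily scan, added here as an example and not the page's own cron script: it runs the same clamscan but records how the scan ended, so an infected or failed run is visible without reading the whole log. The log path is the page's; `SUMMARY`, the function names and the pseudo-filesystem exclusions are my additions.

```shell
#!/bin/sh
# Added example, not the page's own cron script: the same daily clamscan, but the
# wrapper records how the scan ended instead of only appending raw output.
# clamscan exit codes: 0 = nothing found, 1 = infected file(s) found, 2 = scan error.
# /var/log/clamav/clamscan.log is the page's log path; SUMMARY is an assumed path
# for a one-word status that a monitoring check can read.

MYLOG=/var/log/clamav/clamscan.log
SUMMARY=/var/log/clamav/last-scan-status

# Map a clamscan exit status to a word an operator or monitoring job can key on.
classify_clamscan_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Count the "path: Signature FOUND" lines in a clamscan report read from stdin
# (one line per detected file); prints 0 when there are none.
count_found() {
    grep -c ': .* FOUND$' || true
}

run_scan() {
    report=$(mktemp)
    echo "Scanning for viruses at $(date)" >> "$MYLOG"
    # Pseudo filesystems are excluded explicitly; --exclude-dir takes a regex
    # and may be repeated.
    clamscan --recursive --infected --max-filesize=100M --max-scansize=100M \
        --exclude=/boot --exclude-dir='^/proc' --exclude-dir='^/sys' \
        --exclude-dir='^/dev' --exclude-dir='^/run' / > "$report" 2>&1
    rc=$?
    status=$(classify_clamscan_exit "$rc")
    found=$(count_found < "$report")
    cat "$report" >> "$MYLOG"
    rm -f "$report"
    echo "Scan finished at $(date): status=$status detections=$found exit=$rc" >> "$MYLOG"
    echo "$status" > "$SUMMARY"
    # A non-zero exit makes cron report the run, so infected or failed scans are not silent.
    return "$rc"
}

# Only scan when installed under cron.daily (e.g. as /etc/cron.daily/clamav);
# sourced from anywhere else the file just defines the functions above.
case "$0" in
    */cron.daily/*) run_scan ;;
esac
```

Install it at `/etc/cron.daily/clamav` (executable, no dot in the name) and a monitoring check only has to read one word from the status file.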
Setup Firewall
Confirm that `ufw` is installed
Setup base rules for `ufw`
```bash
sudo ufw default deny incoming
# common ports (already covered by the default deny, listed explicitly anyway)
sudo ufw deny ssh
sudo ufw deny ftp
sudo ufw deny smtp
sudo ufw deny cups
sudo ufw deny 69
sudo ufw deny 514
# samba
sudo ufw deny 137
sudo ufw deny 138
sudo ufw deny 139
sudo ufw deny 445
```
Enable `ufw`
If not already done, enable ufw:

```bash
sudo ufw enable
```
Enable `ufw` to run at startup
```bash
sudo systemctl enable ufw
```
Secure `sysctl`
```bash
# make an archive of the configuration file
sudo cp --archive /etc/sysctl.conf /etc/sysctl.conf-COPY-$(date +"%Y%m%d%H%M%S")
# edit the configuration file
sudo vim /etc/sysctl.conf
```
Paste in the following contents:
```conf
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
```
Finally, load the new settings (they are applied again from the file at every boot):

```bash
sudo sysctl -p
```
Secure `/proc`
Make a backup of the configuration file and then open it:
```bash
sudo cp --preserve /etc/fstab /etc/fstab-COPY-$(date +"%Y%m%d%H%M%S")
sudo vim /etc/fstab
```
Paste the following line at the end of the file:
```conf
proc /proc proc defaults,hidepid=2 0 0
```
Reload the configuration by remounting /proc:

```bash
sudo mount -o remount,hidepid=2 /proc
```

`hidepid=2` hides other users' process entries from unprivileged processes, so check afterwards that desktop components which need to inspect them still behave.
Secure the kernel
Backup the configuration file:

```bash
sudo cp --archive /etc/modprobe.d/blacklist.conf /etc/modprobe.d/blacklist.conf-COPY-$(date +"%Y%m%d%H%M%S")
```

Open the configuration file:

```bash
sudo vim /etc/modprobe.d/blacklist.conf
```

Add the following lines at the end (an `install ... /bin/false` rule makes modprobe run `/bin/false` instead of loading the module, so it also blocks an explicit `modprobe`, unlike a plain `blacklist` line):

```conf
# Instruct modprobe to force inactive modules to always fail loading
install cramfs /bin/false
install freevxfs /bin/false
install hfs /bin/false
install hfsplus /bin/false
install jffs2 /bin/false
install udf /bin/false
```
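An audit script for the sysctl, `/proc` and kernel-module sections above, added here as an example (it is not part of the original notes). It re-reads the files those steps edit and reports any key, mount option or module rule that is missing or set differently; the expected values are the ones from the notes, and the function names, the `--system` flag and the status messages are my own.

```shell
#!/bin/sh
# Added example, not from the page: audit the sysctl, /proc and modprobe settings
# described above. Each function takes a file path, so it can be pointed at a
# backup copy or a test fixture as well as the live file.

# sysctl keys and values the page sets, one key=value per line.
EXPECTED_SYSCTL='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=5
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_all=1'
export EXPECTED_SYSCTL

# Modules the page disables with "install <module> /bin/false".
EXPECTED_MODULES='cramfs freevxfs hfs hfsplus jffs2 udf'

# Normalise a sysctl.conf-style file: drop comments and blank lines, strip the
# whitespace around "=" and at the line ends, leaving one key=value per line.
normalise_sysctl() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# Print one line per expected key that is missing or has another value in FILE;
# prints nothing when every key matches. The last assignment of a key wins,
# as it does for sysctl itself.
check_sysctl_conf() {
    normalise_sysctl "$1" | awk '
        { eq = index($0, "="); if (eq) have[substr($0, 1, eq - 1)] = substr($0, eq + 1) }
        END {
            n = split(ENVIRON["EXPECTED_SYSCTL"], lines, "\n")
            for (i = 1; i <= n; i++) {
                eq = index(lines[i], "=")
                key = substr(lines[i], 1, eq - 1); want = substr(lines[i], eq + 1)
                if (!(key in have)) print "missing " key
                else if (have[key] != want) print "mismatch " key "=" have[key] " (want " want ")"
            }
        }'
}

# Check an fstab-style file for a /proc entry whose options carry hidepid=2.
# The same four leading fields appear in /proc/mounts, where newer kernels
# report the option as hidepid=invisible, so both spellings are accepted.
check_proc_hidepid() {
    awk -v f="$1" '
        $1 !~ /^#/ && $2 == "/proc" && $3 == "proc" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "hidepid=2" || o[i] == "hidepid=invisible") ok = 1
        }
        END { msg = ok ? "hidepid=2 set" : "hidepid=2 missing"; print f ": " msg }' "$1"
}

# Print "not blocked: <module>" for each expected module without an install rule in FILE.
check_module_blocks() {
    for m in $EXPECTED_MODULES; do
        grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false" "$1" || echo "not blocked: $m"
    done
}

# Usage: sudo sh audit-hardening.sh --system
# Without the flag the file only defines the functions, so it can be sourced.
case "${1:-}" in
    --system)
        check_sysctl_conf /etc/sysctl.conf
        check_proc_hidepid /etc/fstab
        check_proc_hidepid /proc/mounts    # what is mounted right now, not just what fstab says
        check_module_blocks /etc/modprobe.d/blacklist.conf
        ;;
esac
```

Running it with `--system` after the steps above should print only the two `hidepid=2 set` lines; anything else is a setting that did not take.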
Add some blocklists to `/etc/hosts` if you want
Copy and paste the blocklists as needed into your `/etc/hosts` file.
Albert Task Launcher
Troubleshooting
Task exits after hiding launcher
Open Albert by running `albert` in the CLI. Trigger Albert using the hotkey, and hide the application again. The `albert` task should have exited with the following error:

```
[fatal:default] SQL ERROR: INSERT INTO execution (query_id, handler_id, runtime) VALUES (:query_id, :handler_id, :runtime); UNIQUE constraint failed: execution.query_id, execution.handler_id Unable to fetch row -- [(null)]
```

To resolve this, run:

```bash
rm ~/.config/albert/core.db
```