We could have a malware scanner preinstalled such as chkrootkit or rkhunter.
We could have the package “lockdown” preinstalled which exists in Debian https://packages.debian.org/bullseye/lockdown.
We could disable ICMP and TCP timestamps with some kernel hardening and some iptables.
As for kernel hardening we could implement a lot of stuff without affectng the system’s performance.
TCP timestamps provide protection against wrapped sequence numbers.
The downside of TCP timestamps is adversaries can remotely calculate the system uptime and boot time of the machine and the host’s clock down to millisecond precision. These calculated uptimes and boot times can also help to detect hidden network-enabled operating systems, as well as link spoofed IP and MAC addresses together and more. [1]
The Internet Control Message Protocol (ICMP) is used by network devices, including routers, to send operational information and error messages such as whether a service is available or if a host/router cannot be reached. Unlike TCP and UDP, it is a network level, not transport layer protocol. Commonly network utilities are based on ICMP messages, such as traceroute and ping . [2]
The ICMP protocol includes timestamps for time synchronization, with the originating timestamp being set to the time (in milliseconds since midnight) since the sender last touched the packet. A timestamp reply is also generated, consisting of the originating timestamp (sent by the sender) as well as a “receive timestamp”, which captures when the timestamp was received and a reply sent. [3]
To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on any operating systems in use. The less information available to attackers, the better the security.
The rule to block ICMP timestamps should be " ipchains -p icmp -s $INTIP/0 13 -i $INTIF -j DENY and ipchains -p icmp -s 0.0.0.0/0 14 -i $EXTIF -j DENY"
Setting “net.ipv4.tcp_timestamps = 0” or become root with the command “sudo su” and run {echo 0 > /proc/sys/net/ipv4/tcp_timestamps" to permanently disable TCP timestamps.
Setting “net.ipv4.tcp_syncookies=1” helps protect against SYN flood attacks [4] which is a form of denial of service attack where an attacker sends a lot of SYN requests in an attempt to consume enough resources to make the system unresponsive to legitimate traffic. [5]
Setting “kernel.kexec_load_disabled=1” will disable kexec [6] which can be used to replace the running kernel. [7]
Setting “net.ipv4.tcp_rfc1337=1” protects against time-wait assassination. It drops RST packets for sockets in the time-wait state. [8]
Setting "net.ipv4.conf.default.rp_filter=1 and “net.ipv4.conf.all.rp_filter=1” enables source validation of packets and protects against IP spoofing methods in which an attacker can send a packet with a fake IP address. [9]
Setting
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
disables ICMP redirect acceptance. [10] If these aren’t set then an attacker can redirect an ICMP request to wherever they want.
Setting “net.ipv4.tcp_timestamps=0” disables TCP timestamps which can be used to can remotely calculate the system uptime and boot time of the machine and the host’s clock down to millisecond precision. This is more information an adversary can use to deanonymize you. If using a server then you should not do this as TCP timestamps provide protection against wrapped sequence numbers. This may also decrease performance. [11]
Setting “kernel.sysrq=0” disables the SysRq key which can make the kernel run certain commands regardless of whatever it is currently doing. Some of these commands are usually needed to be run as root but the SysRq key allows them to be run as anyone.
Setting “kernel.unprivileged_users_clone=0” disables unprivileged user namespaces. User namespaces add a lot of attack surface for privilege escalation so it’s best to restrict them to root only. This may break some sandboxing programs such as bubblewrap. These can be fixed by making the sandbox binaries setuid.
Setting “net.ipv4.tcp_sack=0” disables TCP SACK. SACK is commonly exploited and not needed for many circumstances so it should be disabled if you don’t need it. To learn if SACK is needed for you or not, see https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off.
Setting “net.ipv4.conf.all.send_redirects=0” and “net.ipv4.conf.default.send_redirects=0” disable ICMP redirect sending. [12]
Setting “net.ipv4.icmp_echo_ignore_all=1” makes your system ignore ICMP requests. [13]
Setting “kernel.yama.ptrace_scope=2” restricts the use of ptrace to root. Ptrace allows a program to alter and inspect a running process.
Setting “kernel.kptr_restrict=2” hides kernel symbols in /proc/kallsyms. Alternatively you can add “kernel.kptr_restrict=1” but this only hides kernel symbols for users other than the root user. [14]makes kernel symbols in /proc/kallsyms only accessible to root which can make it more difficult for a kernel exploit to resolve addresses/symbols. Setting it to 2 hides the symbols regardless of privileges.
Setting “kernel.dmesg_restrict=1” This blocks users other than root from being able to see the kernel logs. [15] The kernel logs can give an attacker information about what to exploit in your system.
Setting “kernel.unprivileged_bpf_disabled=1” and “net.core.bpf_jit_harden=2” This makes it so that only root can use the BPF JIT compiler and to harden it. [16] A JIT compiler opens up the possibility for an attacker to exploit many vulnerabilities. This does come with a performance decrease and probably shouldn’t be used on servers
Setting “vm.mmap_rnd_bits=32” and “vm.mmap_rnd_compat_bits=16” improves KASLR effectiveness for mmap. 1 This may break some things that do not expect to be shoved high into memory.
Setting " kernel.yama.ptrace_scope=2 " makes only root able to use ptrace. [17] Ptrace is a system call that allows a program to alter and inspect a running process. [18] By default it is restricted to allowing the user to only restrict their own process so this may be unnecessary.
These can all be set in files in /etc/sysctl.d
Adding “slab_nomerge” as a boot parameter may also be useful. slab_nomerge disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
Mounting /proc with hidepid=2 in /etc/fstab will hide other users’ processes from unprivileged users. This makes it a lot harder for an attacker to get information about other running processes
We could also add jitterentropy-rngd or haveged for better Linux entropy.
All of the above and more are being tested for more than a week now with no apparent problems.
I will post more soon.
