System Hardening

We could have a malware scanner preinstalled such as chkrootkit or rkhunter.
We could have the package “lockdown” preinstalled which exists in Debian https://packages.debian.org/bullseye/lockdown.

We could disable ICMP and TCP timestamps with some kernel hardening and some iptables.
As for kernel hardening we could implement a lot of stuff without affectng the system’s performance.

TCP timestamps provide protection against wrapped sequence numbers.

The downside of TCP timestamps is adversaries can remotely calculate the system uptime and boot time of the machine and the host’s clock down to millisecond precision. These calculated uptimes and boot times can also help to detect hidden network-enabled operating systems, as well as link spoofed IP and MAC addresses together and more. [1]

The Internet Control Message Protocol (ICMP) is used by network devices, including routers, to send operational information and error messages such as whether a service is available or if a host/router cannot be reached. Unlike TCP and UDP, it is a network level, not transport layer protocol. Commonly network utilities are based on ICMP messages, such as traceroute and ping . [2]

The ICMP protocol includes timestamps for time synchronization, with the originating timestamp being set to the time (in milliseconds since midnight) since the sender last touched the packet. A timestamp reply is also generated, consisting of the originating timestamp (sent by the sender) as well as a “receive timestamp”, which captures when the timestamp was received and a reply sent. [3]

To prevent this information leaking to an adversary, it is recommended to disable TCP timestamps on any operating systems in use. The less information available to attackers, the better the security.

The rule to block ICMP timestamps should be " ipchains -p icmp -s $INTIP/0 13 -i $INTIF -j DENY and ipchains -p icmp -s 0.0.0.0/0 14 -i $EXTIF -j DENY"

Setting “net.ipv4.tcp_timestamps = 0” or become root with the command “sudo su” and run {echo 0 > /proc/sys/net/ipv4/tcp_timestamps" to permanently disable TCP timestamps.

Setting “net.ipv4.tcp_syncookies=1” helps protect against SYN flood attacks [4] which is a form of denial of service attack where an attacker sends a lot of SYN requests in an attempt to consume enough resources to make the system unresponsive to legitimate traffic. [5]

Setting “kernel.kexec_load_disabled=1” will disable kexec [6] which can be used to replace the running kernel. [7]

Setting “net.ipv4.tcp_rfc1337=1” protects against time-wait assassination. It drops RST packets for sockets in the time-wait state. [8]

Setting "net.ipv4.conf.default.rp_filter=1 and “net.ipv4.conf.all.rp_filter=1” enables source validation of packets and protects against IP spoofing methods in which an attacker can send a packet with a fake IP address. [9]

Setting

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0  

disables ICMP redirect acceptance. [10] If these aren’t set then an attacker can redirect an ICMP request to wherever they want.

Setting “net.ipv4.tcp_timestamps=0” disables TCP timestamps which can be used to can remotely calculate the system uptime and boot time of the machine and the host’s clock down to millisecond precision. This is more information an adversary can use to deanonymize you. If using a server then you should not do this as TCP timestamps provide protection against wrapped sequence numbers. This may also decrease performance. [11]

Setting “kernel.sysrq=0” disables the SysRq key which can make the kernel run certain commands regardless of whatever it is currently doing. Some of these commands are usually needed to be run as root but the SysRq key allows them to be run as anyone.

Setting “kernel.unprivileged_users_clone=0” disables unprivileged user namespaces. User namespaces add a lot of attack surface for privilege escalation so it’s best to restrict them to root only. This may break some sandboxing programs such as bubblewrap. These can be fixed by making the sandbox binaries setuid.

Setting “net.ipv4.tcp_sack=0” disables TCP SACK. SACK is commonly exploited and not needed for many circumstances so it should be disabled if you don’t need it. To learn if SACK is needed for you or not, see https://serverfault.com/questions/10955/when-to-turn-tcp-sack-off.

Setting “net.ipv4.conf.all.send_redirects=0” and “net.ipv4.conf.default.send_redirects=0” disable ICMP redirect sending. [12]

Setting “net.ipv4.icmp_echo_ignore_all=1” makes your system ignore ICMP requests. [13]

Setting “kernel.yama.ptrace_scope=2” restricts the use of ptrace to root. Ptrace allows a program to alter and inspect a running process.

Setting “kernel.kptr_restrict=2” hides kernel symbols in /proc/kallsyms. Alternatively you can add “kernel.kptr_restrict=1” but this only hides kernel symbols for users other than the root user. [14]makes kernel symbols in /proc/kallsyms only accessible to root which can make it more difficult for a kernel exploit to resolve addresses/symbols. Setting it to 2 hides the symbols regardless of privileges.

Setting “kernel.dmesg_restrict=1” This blocks users other than root from being able to see the kernel logs. [15] The kernel logs can give an attacker information about what to exploit in your system.

Setting “kernel.unprivileged_bpf_disabled=1” and “net.core.bpf_jit_harden=2” This makes it so that only root can use the BPF JIT compiler and to harden it. [16] A JIT compiler opens up the possibility for an attacker to exploit many vulnerabilities. This does come with a performance decrease and probably shouldn’t be used on servers

Setting “vm.mmap_rnd_bits=32” and “vm.mmap_rnd_compat_bits=16” improves KASLR effectiveness for mmap. 1 This may break some things that do not expect to be shoved high into memory.

Setting " kernel.yama.ptrace_scope=2 " makes only root able to use ptrace. [17] Ptrace is a system call that allows a program to alter and inspect a running process. [18] By default it is restricted to allowing the user to only restrict their own process so this may be unnecessary.

These can all be set in files in /etc/sysctl.d

Adding “slab_nomerge” as a boot parameter may also be useful. slab_nomerge disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.

Mounting /proc with hidepid=2 in /etc/fstab will hide other users’ processes from unprivileged users. This makes it a lot harder for an attacker to get information about other running processes

We could also add jitterentropy-rngd or haveged for better Linux entropy.

All of the above and more are being tested for more than a week now with no apparent problems.
I will post more soon.

2 Likes

Another good hardening option is adding hidepid to /proc mount point. /proc contains information about all process running on the system. [19] By default this is accessible to all users. This can allow an attacker to get information about what services to attack. To restrict this information to the root account add this to /etc/fstab. [20]

proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0

For user sessions to work correctly add this to /etc/systemd/system/systemd-logind.service.d/hidepid.conf

[Service]
SupplementaryGroups=proc

Another kernel hardening opton is to disable Netfilter’s connection tracking helper. Netfilter’s automatic conntrack helper assignment is dangerous as it enables a lot of code in the kernel that parses incoming network packets which is potentially unsafe.

To disable this, create /etc/modprobe.d/no-conntrack-helper.conf and add

options nf_conntrack nf_conntrack_helper=0

3 Likes

do you (or someone else) plan to implement this or is this the beginning of a nice “how to hardening the system” tuto? :slight_smile:

This is not a tutorial no.And i dont think it will be.These settings will be implemented.And even more settings.All of these are tested by me and i had no issues.People are welcome to test these as wel and give feedback.If you have any ideas for system hardening i invite you to post them here.

1 Like

ok,nice!
will test it when i have time!

1 Like

Another nice kernel hardening method is using Boot Parameters.Boot parameters pass settings to the kernel at boot using your bootloader. Some settings can be used to increase security. If using GRUB then edit /etc/default/grub and add your parameters at “GRUB_CMDLINE_LINUX_DEFAULT=”. If using Syslinux then edit /boot/syslinux/syslinux.cfg and add them to the ‘APPEND’ line.

Add “slab_nomerge” and “slub_debug=FZP”.
slab_nomerge disables the merging of slabs of similar sizes. Many times some obscure slab will be used in a vulnerable way, allowing an attacker to mess with it more or less arbitrarily. Most slabs are not usable even when exploited, so this isn’t too big of a deal. Unfortunately the kernel will merge similar slabs to save a tiny bit of space, and if a vulnerable and useless slab is merged with a safe but useful slab, an attacker can leverage that aliasing to do far more harm than they could have otherwise. In effect, this reduces kernel attack surface area by isolating slabs from each other. The trade-off is a very slight increase in kernel memory utilization. slabinfo -a can be used to tell what the memory footprint increase would be on a given system… Sometimes a slab can be used in a vulnerable way which an attacker can exploit. [20] [21]

slub_debug=FZP enables sanity checks (F), redzoning (Z) and poisoning §. Sanity checks make sure that a claim is true. Redzoning adds extra areas around slabs that detect when a slab is overwritten past its real size, which can help detect overflows. Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. [22] [23]

Add “mce=0”. Mostly useful for systems with ECC memory, setting mce to 0 will cause the kernel to panic on any uncorrectable errors detected by the machine check exception system. Corrected errors will just be logged. The default is mce=1 , which will SIGBUS on many uncorrected errors. Unfortunately this means malicious processes which try to exploit hardware bugginess (such as rowhammer) will be able to try over and over, suffering only a SIGBUS at failure. Setting mce=0 should have no impact. Any hardware which regularly triggers a memory-based MCE is unlikely to even boot, and the default is 1 only for long-lived servers.[24]

Add “page_poison=1”. This makes the kernel overwrite freed memory so it can’t leak. [25] [26]

Add “pti=on”. This enables Kernel Page Table Isolation which mitigates Meltdown and prevents some KASLR bypasses. Linux kASLR is known as not being particularly strong, but one has to start somewhere. See self-protection.txt for details.

kASLR is enabled by default in the Debian kernel since 4.7~rc7-1~exp1 ( CONFIG_RANDOMIZE_BASE and CONFIG_RANDOMIZE_MEMORY ) so there is no need to enable it with a specific kernel parameter.

Add “mds=full,nosmt” to enable all mitigations for the MDS vulnerability and disable SMT. [27] [28] This may have a significant performance decrease as it disables hyperthreading.

Add “module.sig_enforce=1”. This only allows kernel modules signed with a valid key to be loaded which increases security by making it harder to load a malicious module. This prevents all out-of-tree kernel modules from being loaded. This includes modules such as the virtualbox modules, wireguard and nvidia drivers which may not be wanted depending on your setup.

Optionally add “ipv6.disable=1” to disable the whole IPv6 stack [28] which may have some privacy issues depending on your setup as it uses your MAC address to create an IPv6 address which can be used to track you. This can be solved with IPv6 privacy extensions rather than disabling it entirely. This also reduces attack surface so its best to disable it if not needed.

IPv6 addresses are generated through your computer’s MAC address. This makes every IPv6 address completely unique and tied directly to your computer. [29] Since this can be used to track you, you should either use IPv6 privacy extensions or disable IPv6 entirely. As to not lose the benefits of IPv6 you could use privacy extensions rather than disabling it. Privacy extensions generate a random IPv6 address out of your original one to prevent you from being tracked by it. [30]

To enable these create /etc/sysctl/ipv6_privacy.conf and add [31]

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.wlan0.use_tempaddr = 2

Replace “eth0” and “wlan0” with your network interfaces. You can find these by running

ip a

NetworkManager does not use these settings and still uses your original IPv6 address. To enable privacy extensions for NetworkManager, add these lines to /etc/NetworkManager/NetworkManager.conf [32]

[connection]
ipv6.ip6-privacy=2

systemd-networkd also does not use these settings and will still use your original IPv6 address. To enable privacy extensions for systemd-networkd, create /etc/systemd/network/ipv6.conf and add [33]

[Network]
IPv6PrivacyExtensions=kernel

The above are some tested parameters that help securing the system by kernel hardening.

Tails kernel boot parameters. (source )

AMNESIA_APPEND=“live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs”

Another nice option for system security is blacklisting uncommon network protocols. There are a few network protocols that are very rarely used and may have unknown security vulnerabilites in them. Some of them have also have had bad security holes before so it would be best to blacklist these incase there are more. [34] [35] Create /etc/modprobe.d/uncommon-network-protocols.conf and add

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install llc /bin/true
install p8022 /bin/true

This will blacklist:

  • DCCP
  • SCTP
  • RDS
  • TIPC
  • HDLC
  • AX25
  • NetRom
  • X25
  • ROSE
  • DECnet
  • Econet
  • af_802154
  • IPX
  • AppleTalk
  • PSNAP
  • p8023
  • LLC
  • p8022

“install” tells modprobe to run a command instead of loading the module as normal. [36] /bin/true is a command that returns 0 which will do nothing. [37] Both of these together tells the kernel to run /bin/true instead of loading the module which will prevent the module from being loaded.

1 Like

I think the biggest challenge is to figure out if all of the parrot tools works well with the hardening settings. :slight_smile:
Not sure if I should test it in a vm or on a physical system.
A small group of beta testers would be fine…

Almost none of those will affect the tools.They are kernel options you see.If they are going to affet something then that will be vis9ible for the whole system.It might have a small performance decrease.Just might.

1 Like

Everything will be tested both in a VM and physical hardware to check for issues before it is packaged.

1 Like