Linux Network and Security Controls


Derived from Ubuntu Security Podcast episode 83 7/2020:
LSM == Linux Security Module inside the kernel.

Stacking == using multiple security modules in same system.

As of 5.8 kernel, stacking is limited, but this is being changed.

Current (5.8) stacking rules:
Major modules (SELinux, AppArmor, Smack): can't stack with another major module, because they all try to attach their security data blobs to the same hooks inside the kernel.
Minor modules (TOMOYO, Yama, LoadPin): can stack.
Some modules might be allowed to stack but not make sense to stack on each other, they conflict or duplicate.

Wikipedia's "Linux Security Modules"

Network Control and Firewalls

This section is for tools that generally run unattended. For tools used by a person, see the Network Monitoring section.

Some terms:

Ubuntu's "DoINeedAFirewall"
Adrian Grigorof's "Open Source Security Controls"

You can change your MAC address to any value, either for Wi-Fi or for wired Ethernet, via Mint's Network application or Ubuntu's Network Manager application.

List of Open Source IDS Tools
Daniel Berman's "6 Open Source SIEM Tools"

Application Control and Security

My evaluation:
The mainstream solutions (at least, in Mint) seem to be Firejail and AppArmor.

My opinion: firewalls / app control / security is a bit of a mess:

Firejail, AppArmor, SELinux, Yama, iptables, ip6tables, nftables, bpf, ufw, gufw, firewalld, netfilter, VPN, IDS, IPS, etc. Why can't we have one integrated solution, with a body of rules that can do filesystem and network access and syscall access and service and app and login control, and take user ID, app ID, MAC address, IP address, IP port, etc as input to the rules ?

Examples: I think today Firejail and AppArmor already mix some of this. You can set filesystem, syscall and network permissions in a Firejail profile or an AppArmor profile, I think. But Firejail and AppArmor settings are hard to share across many apps, and iptables rules know nothing about applications/processes. Iptables has a module that allows rules based on connection state, but I don't think Firejail and AppArmor have anything like that.

System Hardware Monitoring and Control

Use Mint's "Disks" app, or install "GSmartControl" app through Software Manager, to test hard disk and see SMART info.
Thomas-Krenn's "SMART tests with smartctl"

Software Resource Monitoring

Network Monitoring

This section is for tools used by a person. For tools that generally run unattended, see the Network Control section.

Some terms:

Mehedi Hasan's "Linux Monitoring Tools For SysAdmin"
Hayden James' "Linux Networking commands and scripts"
Martin Bruchanov's "Linux Network Administration"

Monitor the traffic in/out of your LAN. Best ways probably are custom software in your router, and a Pi-hole doing DNS filtering. From Security in Five Podcast - Episode 746, investigation of traffic volume exceeding data cap found that iCloud was uploading/downloading the entire collection any time one thing was added, and after that was fixed almost 50% of all traffic was due to blockable scripts (ads, trackers).

Security Testing and Penetration Testing

Tightening Security

Really, it seems that 95% of the vulnerabilities are eliminated if you just don't run a web server on your machine. Also don't run SSH or FTP or other login-type services, and keep software updated, and you're above 99%.

From older version of Easy Linux tips project's "Security in Linux Mint: an explanation and some tips":
"Don't install Windows emulators such as Wine, PlayOnLinux and CrossOver, or the Mono infrastructure, in your Linux, because they make your Linux partially vulnerable to Windows malware. Mono is present by default in Linux Mint; run 'sudo apt-get remove mono-runtime-common' to get rid of Mono."
[First run 'sudo apt-get --simulate remove mono-runtime-common' to see what else you'd lose.]

Ask Ubuntu's "What are PPAs and how do I use them?"
But: "One thing to keep in mind about using PPAs (Personal Package Archives) is that when you add a PPA to your Software Sources, you're giving Administrative access (root) to everyone that can upload to that PPA. Packages in PPAs have access to your entire system as they get installed (just like a regular package from the main Ubuntu Archive), so always decide if you trust a PPA before you add it to your system."

It's a good idea to get CLI mail working, and check it regularly, since various services and packages will send failure or security notices to root's email. See "Getting Linux local CLI mail working" section.

Easy Linux tips project's "Security in Linux Mint: an explanation and some tips"
The Empire's "An Ubuntu Hardening Guide"
lfit's "Linux workstation security checklist"
blakkheim's "Linux Security Hardening and Other Tweaks"
Maybe likely to break things:
SK's "How To Password Protect GRUB Bootloader In Linux"
[But that doesn't protect against booting from USB drive.]

See Anti-Virus and Malware Scanners section of my "Using Linux" page.

See Application Control and Security section.

Tightening Privacy


Run "sudo more /etc/shadow". Any account with password field (2nd field) set to a single character such as "*" or "!" or "x" is blocked from login: no possible password can be typed to log into that account.

My understanding of accounts:

Ubuntu's "RootSudo"

Some command-line ways to list all users: "getent passwd", "compgen -u", "cat /etc/passwd".

List users with no password set: "sudo awk -F: '($2 == "") {print}' /etc/shadow"

List users with UID set to 0 (superuser): "sudo awk -F: '($3 == "0") {print}' /etc/passwd"

List info about a user: "id user1"

Set limits on users or groups: /etc/security/limits.conf

Login security can be defeated if attacker has physical access:
Alarming article about (a hole in) account security:
Abhishek Prakash's "How to Reset Ubuntu Password in 2 Minutes" (boot into Recovery mode)
Maybe there is some way to password-protect GRUB, or maybe this doesn't work if /home is encrypted ?
SK's "How To Password Protect GRUB Bootloader In Linux"

Another way to change passwords if you have physical access: boot the machine from a Live system on USB or CD, do "sudo -i", do chroot to the main system disk, do "passwd $username".

Ask Ubuntu's "How do I reset a lost administrative password?" (boot into Recovery mode)
SK's "How To Reset Root User Password In Linux"

Not sure, but I think these methods work even if user's home is encrypted. Access to the disk encryption passphrase is controlled by the user permissions, so once you login as the user (with any or empty password), software can decrypt the user's home.

PAM (Pluggable Authentication Modules):
Files in /etc/pam.d directory.
"apt list | grep libpam | more"
Mokhtar Ebrahim's "Configure and Use Linux-PAM"

To enable TOTP on desktop logins:
If you're going to enable this, I would save a copy of "/etc/pam.d/lightdm", then create another user account, login to that account, and enable TOTP on that account, to make sure everything works.

Chris Hoffman's "How to Log In To Your Linux Desktop With Google Authenticator"
Daniel Pellarini's "How To Configure Multi-Factor Authentication on Ubuntu 18.04"
nixCraft's "Secure Your Linux Desktop and SSH Login Using Two Factor Google Authenticator"

"sudo apt-get install libpam-google-authenticator".
"man google-authenticator".

Types of keys and certificates:

From "man ssh":
"The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. ssh implements public key authentication protocol automatically ..." and "A variation on public key authentication is available in the form of certificate authentication: instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys."
Also relevant "man ssh-keygen".

Steve Cope's "SSL and SSL Certificates Explained For Beginners"

Keyring / GnomeKeyring / ksecretservice:
setevoy's "What is: Linux keyring, gnome-keyring, Secret Service, and D-Bus" (also here)
GNOME Keyring
Keyrings(7) man page
Arch Wiki's "GNOME/Keyring"
Nurdletech's "Gnome Keyring"

There is a Linux kernel keyring (see "man 7 keyrings"), and a GNOME Keyring (GNOME Keyring).

Is integrated with ssh, sftp, scp, PAM, Chrome, chromium. Can be integrated with Git, GnuPG, Firefox.
swick / mozilla-gnome-keyring (extension for Firefox and Thunderbird)
From Gnome Keyring - Security FAQ:
"Gnome Keyring is integrated with PAM, so that the 'login' keyring can be unlocked when the user logs in.".
LZone's "Using Linux keyring secrets from your scripts"

On CLI, do "cat /proc/keys" to see some of the keys in the Linux kernel keyring.
On CLI, do "man keyctl".

GNOME keyring stored under ~/.local/share/keyrings

Mint's "Passwords and Keys" application (AKA "Seahorse"):
Accesses GNOME Keyring.
AKA Seahorse

Under Passwords - Logins, it seems to have a bunch of placeholder entries for web sites, and a couple of things for apps (Chrome, Skype). There's nothing (for me) under Certificates (I do have certs installed in FF, Chrome, Thunderbird, but they don't show up here), and under Secure Shell (OpenSSH = ~/.ssh). But there are several keys under PGP Keys (maybe stored under ~/.gnupg directory ?). Hover mouse over each item to see tooltips.

SSH logins:
Ubuntu's "SSH / OpenSSH / Installing Configuring Testing"
Chris Hoffman's "How to Secure SSH with Google Authenticator’s Two-Factor Authentication"
Linuxaria's "Add security to your ssh daemon with PAM module"
nixCraft's "Top 20 OpenSSH Server Best Security Practices"

From Ravi Saive's ""How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins:
"Important: The two-factor authentication works with password based SSH login. If you are using any private/public key SSH session, it will ignore two-factor authentication and log you in directly."

SK's "How To Configure SSH Key-based Authentication In Linux"
Alistair Ross's "How To Set Up SSH Keys"
Carla Schroder's "5 SSH Hardening Tips"

Testing your SSH from outside:
InfoByIp's "SSH server connectivity test"
Rebex SSH Check
But really you need to try to connect from an outside machine and see what happens.

Jesus Vigo's "How to join a Linux computer to an Active Directory domain"

Trusted certificate stores:
Security certificates can be stored in a number of places ?
From someone on Stack Exchange:
Most distros put their certificates soft-link in system-wide location at /etc/ssl/certs. Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.

From someone on reddit 11/2019:
Applications that utilize the system cert store: Chrome on macOS/windows. Safari on macOS. Edge on windows. Linux support depends on the distribution. RHEL is probably better than others.

Firefox uses it's own key store ...

Java applications will vary in support. It really depends on the implementer.

[Certs can be stored in a hardware device:] A Yubikey with certs provisioned acts as a pkcs#11 device which is an industry standard interface to cryptographic devices. It has good support for all applications that utilize the system cert store. There are plugins to utilize pkcs11 devices for Firefox.

Amit N. Bhagat's "Digital Certificates Explained"
Federal Public Key Infrastructure Guides' "Trust Stores"

Places passwords are stored:
GNOME networking passwords are stored in plaintext in files in /etc/NetworkManager/system-connections

MEGA password discussion
MEGAchat: Technical Security Primer

libsecret-based clients via the secret storage DBus API ?
KeePassXC 2.5.x can be used as a vault service by libsecret: KeePassXC as "secret service"

KeePassXC password manager can supply SSH keys to an SSH agent: KeePassXC and SSH.

Run "ssh-add -l" or "ssh-add -L" to see all keys available through ssh-agent.
Run "ssh-add -s filename.pkcs11" to add a digital certificate to ssh-agent.

"nmap --script ssl-cert localhost" gives me one cert used by port 25 SMTP, called "mint" or "DNS:Mint".

"nmap --script ssl-enum-ciphers localhost" gives me TLS ciphers used by port 25 SMTP, port 631 CUPS.

Security Test / Audit

David Mytton's "80+ Linux Monitoring Tools for SysAdmins"
Daniel Miessler's "A tcpdump Tutorial and Primer with Examples"
"sudo tcpdump -i lo -A | grep Host:"
netstat: "sudo netstat -atupl"
lsof: "sudo lsof -i" to see established connections.
ss: "sudo ss -lptu".
NixCraft's "ss command: Display Linux TCP / UDP Network/Socket Information"
NixCraft's "Linux: 25 Iptables Netfilter Firewall Examples For New SysAdmins" (see "27. Testing Your Firewall")
nethogs: install from Mint's Software Manager, and then "sudo nethogs"

CERT's "Intruder Detection Checklist"

See the "Port scanning and router testing" section of my "Computer Security and Privacy" page.

SEI's "Steps for Recovering from a UNIX or NT System Compromise" (PDF)


Throttling network bandwidth, for testing purposes:
"sudo tc qdisc add dev enp19s0 root tbf rate 32kbit latency 50ms burst 770"
"sudo tc qdisc delete dev enp19s0 root"

Search my site