# Security Hardening Guide

Complete guide for hardening the Gentoo workstation with firewall, intrusion prevention, and SSH security.

## Overview

This guide covers comprehensive security hardening for a single-user Gentoo development workstation with a focus on practical security without over-engineering.

## Table of Contents

- [Security Philosophy](#security-philosophy)
- [Threat Model](#threat-model)
- [Components](#components)
- [Installation](#installation)
- [Firewall Configuration](#firewall-configuration)
- [Intrusion Prevention](#intrusion-prevention)
- [SSH Hardening](#ssh-hardening)
- [Additional Security](#additional-security)
- [Monitoring](#monitoring)
- [Troubleshooting](#troubleshooting)
- [Security Checklist](#security-checklist)
- [Best Practices](#best-practices)
- [See Also](#see-also)

## Security Philosophy

**Pragmatic security approach**:

1. **Defense in Depth**: Multiple layers of security
2. **Minimal Attack Surface**: Only expose what's necessary
3. **Fail Securely**: Default deny policies
4. **Logging and Monitoring**: Track security events
5. **Maintainability**: Keep it simple and documented

## Threat Model

### Primary Threats

1. **Network attacks**: Port scanning, brute force, exploits
2. **SSH brute force**: Automated login attempts
3. **Malware**: Trojans, backdoors from compromised packages
4. **Physical access**: Limited concern (personal workstation)

### Out of Scope

- Advanced persistent threats (APTs)
- Nation-state actors
- Physical security (trusted environment)
- Multi-user system hardening (single user)

## Components

### 1. nftables Firewall

Modern Linux firewall with:

- Default deny incoming policy
- Allow established connections
- Rate limiting for services
- Connection tracking
- Docker support

### 2. fail2ban

Intrusion prevention system that:

- Monitors SSH login attempts
- Automatically bans malicious IPs
- Integrates with nftables
- Configurable ban times and thresholds

### 3. SSH Hardening

Secure SSH configuration:

- Modern ciphers only
- Key-based authentication
- No root login
- Connection limits
- Logging and monitoring

## Installation

### Prerequisites

```bash
# Install required packages
emerge -av net-firewall/nftables
emerge -av net-analyzer/fail2ban
emerge -av net-misc/openssh

# Ensure SSH is configured and working
rc-service sshd status
```

### Install Security Components

```bash
cd ~/repository/git.hinrichs.dev/alexander/claude/lenovo-gentoo/scripts/security-setup
sudo ./INSTALL.sh
```

**⚠️ CRITICAL**: Keep your current SSH session open until you verify everything works!

### Installation Steps

The script will:

1. ✅ Install nftables firewall configuration
2. ✅ Install fail2ban jail configuration
3. ✅ Install SSH hardening configuration
4. ✅ Backup all existing configs
5. ✅ Enable services in OpenRC

## Firewall Configuration

### Overview

The nftables firewall uses a default deny policy with explicit allow rules.

**Location**: `/etc/nftables.conf`

### Default Rules

```
INPUT chain (incoming):
- DROP everything by default
- ACCEPT established/related connections
- ACCEPT loopback traffic
- ACCEPT ICMP (rate limited)
- ACCEPT SSH (rate limited, LAN only)
- ACCEPT mDNS (local network discovery)

FORWARD chain:
- DROP everything by default
- ACCEPT established/related (for Docker if needed)

OUTPUT chain:
- ACCEPT everything (workstation outgoing)
```

### Key Features

#### 1. SSH Rate Limiting

Prevents brute force attacks:

```nft
# Max 3 new SSH connections per minute per source IP
# (the ratelimit_ssh set must be declared with "flags dynamic")
tcp dport 22 ct state new \
    add @ratelimit_ssh { ip saddr limit rate 3/minute } accept
```

#### 2. ICMP Rate Limiting

Prevents ping floods:

```nft
# Max 5 pings per second
ip protocol icmp icmp type echo-request limit rate 5/second accept
```

#### 3. Connection Tracking

Tracks connection state for efficient filtering:

```nft
# Allow responses to outgoing connections
ct state established,related accept

# Drop invalid packets
ct state invalid drop
```

### Testing Firewall

```bash
# Check configuration syntax without loading it (-c is --check)
sudo nft -c -f /etc/nftables.conf

# Load the ruleset
sudo nft -f /etc/nftables.conf

# View current rules
sudo nft list ruleset

# Start firewall
sudo rc-service nftables start

# Check status
sudo rc-service nftables status
```

### Enable at Boot

```bash
sudo rc-update add nftables default
```

### Customization

#### Allow Additional Ports

Edit `/etc/nftables.conf` and add rules in the `input` chain:

```nft
# Allow HTTP/HTTPS
tcp dport { 80, 443 } accept

# Allow custom application
tcp dport 8080 accept
```

#### Docker Integration

Uncomment Docker rules if using Docker:

```nft
# In forward chain:
iifname "docker0" accept
oifname "docker0" accept

# In nat table:
oifname $lan_interface masquerade
```

#### Block Specific IPs

```nft
# At top of input chain:
ip saddr 1.2.3.4 drop
ip saddr 5.6.7.0/24 drop
```

## Intrusion Prevention

### fail2ban Overview

fail2ban monitors log files and bans IPs with malicious behavior.
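To make the ban logic concrete, here is an added Python example (not code from this guide or from fail2ban) that replays constructed sshd log lines through the same maxretry/findtime/bantime window the `[sshd]` jail configures below, showing why three failures in eight seconds earn a ban while three spread over forty minutes do not. The log format, the hostname `lenovo`, the year and the sample addresses are all assumptions made for the example.

```python
"""fail2ban-style sliding-window banning (added example, not code from the guide or fail2ban):
replay constructed sshd log lines against maxretry/findtime/bantime as set in jail.local."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Traditional syslog line as sshd writes it (simplified from fail2ban's sshd filter).
FAILED_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

# Constructed sample: one host hammering within seconds, one LAN user failing every ~20 min.
SAMPLE_LOG = """\
Mar  3 09:00:01 lenovo sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 09:00:04 lenovo sshd[2103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 09:00:09 lenovo sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 09:00:10 lenovo sshd[2107]: Accepted publickey for alexander from 192.168.1.20 port 40000 ssh2
Mar  3 09:01:00 lenovo sshd[2110]: Failed password for alexander from 192.168.1.20 port 40010 ssh2
Mar  3 09:20:00 lenovo sshd[2120]: Failed password for alexander from 192.168.1.20 port 40020 ssh2
Mar  3 09:40:00 lenovo sshd[2130]: Failed password for alexander from 192.168.1.20 port 40030 ssh2
"""

def duration(text):
    """Parse the compact time form jail.local uses, e.g. "10m" or "1h"."""
    return timedelta(seconds=int(text[:-1]) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[text[-1]])

def parse_ts(ts, year=2024):  # syslog timestamps carry no year; fail2ban infers it, we assume one
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def evaluate(log_text, maxretry=3, findtime="10m", bantime="1h", ignoreip=()):
    """Return ({ip: (ban_start, ban_end)}, {ip: total_failures}) for the log text."""
    window_len, ban_len = duration(findtime), duration(bantime)
    nets = [ip_network(n, strict=False) for n in ignoreip]
    window = defaultdict(deque)      # ip -> timestamps of failures still inside findtime
    failures, bans = defaultdict(int), {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                 # successful logins and other noise are not failures
        ip, ts = m["ip"], parse_ts(m["ts"])
        failures[ip] += 1
        if ip in bans or any(ip_address(ip) in n for n in nets):
            continue                 # already banned, or whitelisted via ignoreip
        q = window[ip]
        q.append(ts)
        while ts - q[0] > window_len:  # forget attempts that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + ban_len)
    return bans, dict(failures)
```

With the defaults, `evaluate(SAMPLE_LOG)` bans only 203.0.113.7 (at 09:00:09, until 10:00:09); with `findtime="1h"`, as in the Adjust Ban Times example further down, 192.168.1.20 is banned as well, unless its subnet is listed in `ignoreip`.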
**Location**: `/etc/fail2ban/jail.local`

### Default Configuration

fail2ban only accepts inline comments introduced by `;` after a space, so comments are kept on their own lines here:

```ini
[DEFAULT]
# Ban duration
bantime = 1h
# Time window for maxretry
findtime = 10m
# Failed attempts before ban
maxretry = 3

[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 1h
```

### Starting fail2ban

```bash
# Start service
sudo rc-service fail2ban start

# Check status
sudo fail2ban-client status

# Check SSH jail
sudo fail2ban-client status sshd

# Enable at boot
sudo rc-update add fail2ban default
```

### Monitoring

```bash
# View banned IPs
sudo fail2ban-client status sshd

# Unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4

# View fail2ban log
sudo tail -f /var/log/fail2ban.log
```

### Customization

#### Adjust Ban Times

Edit `/etc/fail2ban/jail.local`:

```ini
[sshd]
# More lenient
maxretry = 5
# Longer ban
bantime = 24h
# Longer time window
findtime = 1h
```

#### Add Email Notifications

```ini
[DEFAULT]
destemail = your.email@example.com
sendername = Fail2Ban
# Mail with logs
action = %(action_mwl)s
```

#### Whitelist IPs

```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 10.0.0.0/8
```

## SSH Hardening

### Overview

Hardened SSH configuration with modern ciphers and security best practices.

**Location**: `/etc/ssh/sshd_config.d/hardening.conf`

The drop-in only takes effect if `/etc/ssh/sshd_config` contains an `Include /etc/ssh/sshd_config.d/*.conf` line, and sshd keeps the first value it reads for each keyword, so that `Include` must appear before any conflicting directive in the main file.

### Key Security Features

#### 1. Modern Cryptography

```
# Strong key exchange algorithms
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256

# Strong ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

# Strong MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
```

#### 2. Authentication Security

```
# No root login
PermitRootLogin no
# Keys only
PasswordAuthentication no
# Limit attempts
MaxAuthTries 3
# Quick timeout
LoginGraceTime 30
```

#### 3. Connection Limits

```
# Max concurrent sessions
MaxSessions 5
# 5 min keepalive
ClientAliveInterval 300
# 2 missed keepalives = disconnect
ClientAliveCountMax 2
```

#### 4. Disable Insecure Features

```
# No X11
X11Forwarding no
# No env manipulation
PermitUserEnvironment no
# No host-based auth
HostbasedAuthentication no
# Ignore .rhosts
IgnoreRhosts yes
```

### Testing SSH Configuration

```bash
# Test configuration syntax
sudo sshd -t

# Test connection (from another terminal)
ssh alexander@localhost

# View active SSH sessions
who

# View SSH logs
sudo tail -f /var/log/auth.log
```

### Apply SSH Changes

```bash
# Restart SSH service
sudo rc-service sshd restart

# Or reload configuration (existing sessions stay connected)
sudo kill -HUP $(cat /var/run/sshd.pid)
```

### SSH Key Setup

If not already using SSH keys:

```bash
# Generate ED25519 key (modern, secure)
ssh-keygen -t ed25519 -C "alexander@lenovo-gentoo"

# Or RSA 4096 (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "alexander@lenovo-gentoo"

# Copy to remote host
ssh-copy-id user@remote-host

# Test key-based login
ssh user@remote-host
```

## Additional Security

### 1. System Updates

Keep system updated:

```bash
# Update package database
emerge --sync

# Check for updates
emerge -uDNp @world

# Install updates
emerge -uDN @world

# Check for security advisories that affect installed packages
glsa-check -t all
```

### 2. Audit Logging

Enable system auditing:

```bash
# Install audit daemon
emerge -av sys-process/audit

# Enable service
rc-update add auditd default
rc-service auditd start

# Search audit logs (-m selects the record type; avc is SELinux denials,
# see ausearch(8) for others such as USER_LOGIN)
ausearch -m avc
```

### 3. File Integrity Monitoring

Use AIDE for file integrity:

```bash
# Install AIDE
emerge -av app-forensics/aide

# Initialize database
aide --init

# Move the freshly built database into place before the first check
# (default database_in/database_out paths; yours are set in /etc/aide/aide.conf)
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Check for changes
aide --check
```

### 4. Kernel Hardening

Enable kernel security features in `/etc/sysctl.conf`:

```conf
# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Ignore source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Enable SYN cookies
net.ipv4.tcp_syncookies = 1

# Log martian packets
net.ipv4.conf.all.log_martians = 1

# Disable IPv6 if not needed
# net.ipv6.conf.all.disable_ipv6 = 1
```

Apply changes:

```bash
sudo sysctl -p
```

### 5. Automatic Updates (Optional)

**Note**: Not recommended for Gentoo due to compilation time and potential breakage. Manual updates preferred.

## Monitoring

### Security Event Monitoring

#### 1. Check SSH Login Attempts

```bash
# Recent successful logins
last -n 10

# Failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20

# All SSH activity today (%e space-pads the day, matching syslog's "Mar  3")
sudo grep "$(date +%b\ %e)" /var/log/auth.log | grep sshd
```

#### 2. Check Firewall Drops

```bash
# View dropped packets in dmesg (needs a 'log prefix "nftables-drop: "' rule
# ahead of the drop policy in /etc/nftables.conf)
sudo dmesg | grep "nftables-drop"

# View rules with their handles (add "counter" to a rule to get packet/byte statistics)
sudo nft -a list ruleset
```

#### 3. Check fail2ban Bans

```bash
# Current bans
sudo fail2ban-client status sshd

# Ban history
sudo zgrep "Ban " /var/log/fail2ban.log*
```

#### 4. Check Open Ports

```bash
# Listening ports
sudo ss -tlnp

# Or with netstat
sudo netstat -tlnp
```

### Automated Monitoring Script

Create `~/bin/security-check`:

```bash
#!/bin/sh
# Daily security check script

echo "Security Status Report - $(date)"
echo "======================================"
echo ""

echo "SSH Failed Logins (today):"
sudo grep "Failed password" /var/log/auth.log | \
    grep "$(date +%b\ %e)" | wc -l
echo ""

echo "fail2ban Banned IPs:"
sudo fail2ban-client status sshd | grep "Banned IP list"
echo ""

echo "Open Ports:"
sudo ss -tlnp | grep LISTEN
echo ""

echo "Firewall Status:"
sudo rc-service nftables status
echo ""

echo "Last 5 Logins:"
last -n 5
```

Make executable:

```bash
chmod +x ~/bin/security-check
```

Run daily:

```bash
# Add to crontab
crontab -e

# Daily at 9 AM (cron has no terminal for sudo prompts: run this from root's
# crontab, or allow the script's commands without a password in sudoers)
0 9 * * * ~/bin/security-check | mail -s "Security Report" root
```

## Troubleshooting

### Firewall Blocks Legitimate Traffic

**Problem**: Cannot access services after enabling firewall

**Solution**: Add rules for required services

```bash
# Temporarily stop firewall for testing
sudo rc-service nftables stop

# Test service
# If it works, firewall is blocking it
# Add rule to /etc/nftables.conf

# Restart firewall
sudo rc-service nftables start
```

### Locked Out of SSH

**Problem**: Cannot SSH after hardening

**⚠️ Prevention**: Always keep a session open when testing SSH changes!

**Solution** (requires physical/console access):

```bash
# Via console/physical access
sudo rc-service sshd stop

# Restore backup (pick a single file if the glob matches several); if the
# lockout comes from the drop-in, move /etc/ssh/sshd_config.d/hardening.conf aside instead
sudo cp /etc/ssh/sshd_config.backup.* /etc/ssh/sshd_config

# Start SSH
sudo rc-service sshd start
```

### fail2ban Not Banning

**Problem**: fail2ban doesn't ban attackers

**Check logs**:

```bash
sudo tail -f /var/log/fail2ban.log
```

**Common issues**:

1. Wrong log path in jail.local:

   ```bash
   # Find which log file receives sshd messages
   grep -l "sshd" /var/log/* 2>/dev/null
   ```

2. Regex doesn't match log format:

   ```bash
   # Test regex
   sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
   ```

3. Service not running:

   ```bash
   sudo rc-service fail2ban restart
   ```

### False Positives

**Problem**: Legitimate IPs getting banned

**Solution**: Add to whitelist in `/etc/fail2ban/jail.local`:

```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.2.0/24 10.0.0.0/8
```

### Performance Issues

**Problem**: Firewall causing lag

**Check rules**:

```bash
# Count rules (with -a every rule, as well as each table, chain and set, carries a handle)
sudo nft -a list ruleset | grep -c "# handle"

# Check for expensive operations
sudo nft -a list ruleset
```

**Solution**: Optimize rules, reduce logging

## Security Checklist

Daily/Weekly tasks:

- [ ] Check SSH login attempts
- [ ] Review fail2ban bans
- [ ] Check firewall logs
- [ ] Verify services are running
- [ ] Review open ports

Monthly tasks:

- [ ] Update system packages
- [ ] Review firewall rules
- [ ] Check for security advisories
- [ ] Review user accounts
- [ ] Test backup restoration
- [ ] Review logs for anomalies

## Best Practices

1. **Keep Software Updated**: Regular updates prevent exploits
2. **Minimal Services**: Only run what you need
3. **Strong Authentication**: Use keys, not passwords
4. **Monitor Logs**: Regular log review catches issues early
5. **Test Changes**: Always test in safe environment
6. **Document Everything**: Keep notes on configuration changes
7. **Backup Configs**: Before making changes
8. **Defense in Depth**: Multiple security layers
9. **Principle of Least Privilege**: Minimal permissions needed
10. **Stay Informed**: Follow security news and advisories

## See Also

- [Backup-Setup.md](Backup-Setup.md) - Backup system guide
- [USER-GUIDE.md](USER-GUIDE.md) - Quick reference guide
- [CLAUDE.md](CLAUDE.md) - System overview
- `/etc/nftables.conf` - Firewall configuration
- `/etc/fail2ban/jail.local` - fail2ban configuration
- `/etc/ssh/sshd_config.d/hardening.conf` - SSH hardening
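## Appendix: Complete Firewall Ruleset Example

The input policy listed under Firewall Configuration, assembled into one loadable ruleset as an added example; this is not the repository's own `/etc/nftables.conf`. The `lan_net` value and the IPv6 neighbour-discovery rule are assumptions not stated on the page, and the log prefix matches what the Monitoring section greps for.

```nft
#!/usr/sbin/nft -f
# Added example, not the repository's own /etc/nftables.conf: the "Default Rules"
# input policy assembled into one loadable ruleset. lan_net is an assumption.
flush ruleset

define lan_net = 192.168.1.0/24

table inet filter {
    # Per-source meter behind the SSH rate limit; "flags dynamic" is what lets
    # the input rule add entries with "add @ratelimit_ssh { ... limit rate ... }".
    set ratelimit_ssh {
        type ipv4_addr
        flags dynamic
        timeout 1m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # ICMP: rate-limited pings; error messages stay allowed so TCP/IP keeps working
        icmp type echo-request limit rate 5/second accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        # IPv6 neighbour discovery (assumed needed; without it IPv6 on the LAN breaks)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # SSH from the LAN only, max 3 new connections per minute per source IP
        ip saddr $lan_net tcp dport 22 ct state new \
            add @ratelimit_ssh { ip saddr limit rate 3/minute } accept

        # mDNS (local service discovery)
        ip daddr 224.0.0.251 udp dport 5353 accept

        # Everything else falls through to the drop policy; log a sample first,
        # with the prefix the Monitoring section greps for in dmesg
        limit rate 5/minute log prefix "nftables-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate it with `sudo nft -c -f /etc/nftables.conf` before loading, and keep an SSH session open while you do, as the Installation section advises.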