# Security Hardening Guide

Complete guide for hardening the Gentoo workstation with firewall, intrusion prevention, and SSH security.

## Overview

This guide covers security hardening for a single-user Gentoo development workstation, with a focus on practical measures and without over-engineering.
## Table of Contents

- Security Philosophy
- Threat Model
- Components
- Installation
- Firewall Configuration
- Intrusion Prevention
- SSH Hardening
- Additional Security
- Monitoring
- Troubleshooting
## Security Philosophy

Pragmatic security approach:

- **Defense in Depth**: Multiple layers of security
- **Minimal Attack Surface**: Only expose what's necessary
- **Fail Securely**: Default deny policies
- **Logging and Monitoring**: Track security events
- **Maintainability**: Keep it simple and documented
## Threat Model

### Primary Threats

- **Network attacks**: Port scanning, brute force, exploits
- **SSH brute force**: Automated login attempts
- **Malware**: Trojans, backdoors from compromised packages
- **Physical access**: Limited concern (personal workstation)

### Out of Scope

- Advanced persistent threats (APTs)
- Nation-state actors
- Physical security (trusted environment)
- Multi-user system hardening (single user)
## Components

### 1. nftables Firewall

Modern Linux firewall with:

- Default deny incoming policy
- Allow established connections
- Rate limiting for services
- Connection tracking
- Docker support

### 2. fail2ban

Intrusion prevention system that:

- Monitors SSH login attempts
- Automatically bans malicious IPs
- Integrates with nftables
- Configurable ban times and thresholds

### 3. SSH Hardening

Secure SSH configuration:

- Modern ciphers only
- Key-based authentication
- No root login
- Connection limits
- Logging and monitoring
## Installation

### Prerequisites

```bash
# Install required packages
emerge -av net-firewall/nftables
emerge -av net-analyzer/fail2ban
emerge -av net-misc/openssh

# Ensure SSH is configured and working
rc-service sshd status
```

### Install Security Components

```bash
cd ~/repository/git.hinrichs.dev/alexander/claude/lenovo-gentoo/scripts/security-setup
sudo ./INSTALL.sh
```

⚠️ **CRITICAL**: Keep your current SSH session open until you verify everything works!

### Installation Steps

The script will:

- ✅ Install nftables firewall configuration
- ✅ Install fail2ban jail configuration
- ✅ Install SSH hardening configuration
- ✅ Backup all existing configs
- ✅ Enable services in OpenRC
## Firewall Configuration

### Overview

The nftables firewall uses a default deny policy with explicit allow rules.

**Location**: `/etc/nftables.conf`

### Default Rules

**INPUT chain** (incoming):

- DROP everything by default
- ACCEPT established/related connections
- ACCEPT loopback traffic
- ACCEPT ICMP (rate limited)
- ACCEPT SSH (rate limited, LAN only)
- ACCEPT mDNS (local network discovery)

**FORWARD chain**:

- DROP everything by default
- ACCEPT established/related (for Docker if needed)

**OUTPUT chain**:

- ACCEPT everything (workstation outgoing)

### Key Features

#### 1. SSH Rate Limiting

Limits brute-force attempts by capping new SSH connections per source address. The rule references a dynamic set named `ratelimit_ssh`, which must be declared in the same table with `flags dynamic`:

```nft
# Max 3 new SSH connections per minute per source IP
tcp dport 22 ct state new \
    add @ratelimit_ssh { ip saddr limit rate 3/minute } accept
```

#### 2. ICMP Rate Limiting

Limits ping floods:

```nft
# Max 5 echo requests per second
ip protocol icmp icmp type echo-request limit rate 5/second accept
```

#### 3. Connection Tracking

Tracks connection state so that only the first packet of a flow is evaluated against the full rule list:

```nft
# Allow responses to outgoing connections
ct state established,related accept

# Drop packets that do not belong to any known connection
ct state invalid drop
```
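The fragments above are pieces of a larger ruleset. The following added example is not the project's own `/etc/nftables.conf`; it is a small shell script that writes a complete ruleset implementing the policy described in this section (default deny, established/related, loopback, rate-limited ICMP, rate-limited LAN-only SSH with the `ratelimit_ssh` dynamic set, mDNS, and a rate-limited log of drops) and then syntax-checks it with `nft -c`, which parses without loading anything into the kernel. The LAN prefix `192.168.1.0/24` is an assumption; edit the `define` to match your network.

```shell
#!/bin/sh
# Added example, not the project's own /etc/nftables.conf: a complete ruleset
# implementing the policy described above, plus a parse-only syntax check.
# Assumption: the LAN is 192.168.1.0/24; edit the define to match.

# write_nft_config PATH -- write the ruleset to PATH (quoted heredoc: no shell expansion)
write_nft_config() {
    cat > "$1" <<'EOF'
#!/sbin/nft -f
flush ruleset

define lan_net = 192.168.1.0/24   # assumption: your LAN prefix

table inet filter {
    # Dynamic set: one timed entry per source address, used by the SSH rate limit
    set ratelimit_ssh {
        type ipv4_addr
        flags dynamic
        timeout 1m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened; drop malformed state
        ct state established,related accept
        ct state invalid drop

        # Loopback
        iif "lo" accept

        # ICMP echo, rate limited; ICMPv6 neighbour discovery is needed for v6 to work at all
        ip protocol icmp icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # SSH: new connections only from the LAN, at most 3 per minute per source
        tcp dport 22 ip saddr $lan_net ct state new \
            add @ratelimit_ssh { ip saddr limit rate 3/minute } accept

        # mDNS for local service discovery
        udp dport 5353 accept

        # Log what is about to hit the drop policy (rate limited so it cannot flood the log)
        limit rate 10/minute log prefix "nftables-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_nft_config PATH -- parse-only check (nft -c); nothing is loaded into the kernel
check_nft_config() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed here; skipping syntax check" >&2
    fi
}

# Usage: sh this-script.sh /etc/nftables.conf.new   (review it, then move it into place)
if [ $# -gt 0 ]; then
    write_nft_config "$1" && check_nft_config "$1"
fi
```

Write the file to a staging path first, inspect it, and only then copy it over `/etc/nftables.conf` and restart the service from a session you are sure will survive (a local console, or an SSH session that is already established and therefore matched by the `established,related` rule).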
### Testing Firewall

```bash
# Test configuration syntax (loads the ruleset if it parses)
sudo nft -f /etc/nftables.conf

# View current rules
sudo nft list ruleset

# Start firewall
sudo rc-service nftables start

# Check status
sudo rc-service nftables status
```

### Enable at Boot

```bash
sudo rc-update add nftables default
```

### Customization

#### Allow Additional Ports

Edit `/etc/nftables.conf` and add rules in the input chain:

```nft
# Allow HTTP/HTTPS
tcp dport { 80, 443 } accept

# Allow custom application
tcp dport 8080 accept
```

#### Docker Integration

Uncomment the Docker rules if using Docker:

```nft
# In forward chain:
iifname "docker0" accept
oifname "docker0" accept

# In nat table:
oifname $lan_interface masquerade
```

#### Block Specific IPs

```nft
# At top of input chain:
ip saddr 1.2.3.4 drop
ip saddr 5.6.7.0/24 drop
```
## Intrusion Prevention

### fail2ban Overview

fail2ban monitors log files and bans IPs that show malicious behavior.

**Location**: `/etc/fail2ban/jail.local`

### Default Configuration

fail2ban's config parser only accepts inline comments introduced by `;` (after a space); a trailing `#` would become part of the value, so the comments below use `;`.

```ini
[DEFAULT]
bantime = 1h    ; Ban duration
findtime = 10m  ; Time window for maxretry
maxretry = 3    ; Failed attempts before ban

[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 1h
```

### Starting fail2ban

```bash
# Start service
sudo rc-service fail2ban start

# Check status
sudo fail2ban-client status

# Check SSH jail
sudo fail2ban-client status sshd

# Enable at boot
sudo rc-update add fail2ban default
```

### Monitoring

```bash
# View banned IPs
sudo fail2ban-client status sshd

# Unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4

# View fail2ban log
sudo tail -f /var/log/fail2ban.log
```

### Customization

#### Adjust Ban Times

Edit `/etc/fail2ban/jail.local`:

```ini
[sshd]
maxretry = 5   ; More lenient
bantime = 24h  ; Longer ban
findtime = 1h  ; Longer time window
```

#### Add Email Notifications

```ini
[DEFAULT]
destemail = your.email@example.com
sendername = Fail2Ban
action = %(action_mwl)s  ; Mail with logs
```

#### Whitelist IPs

Continuation lines of a multi-line value must be indented:

```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
           192.168.1.0/24
           10.0.0.0/8
```
## SSH Hardening

### Overview

Hardened SSH configuration with modern ciphers and security best practices.

**Location**: `/etc/ssh/sshd_config.d/hardening.conf`

### Key Security Features

sshd does not allow trailing comments on a directive line (extra tokens are rejected as "garbage at end of line"), so every comment below sits on its own line.

#### 1. Modern Cryptography

```
# Strong key exchange algorithms
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256

# Strong ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

# Strong MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
```

#### 2. Authentication Security

```
# No root login
PermitRootLogin no
# Keys only
PasswordAuthentication no
# Limit attempts per connection
MaxAuthTries 3
# Quick timeout for unauthenticated connections (seconds)
LoginGraceTime 30
```

#### 3. Connection Limits

```
# Max concurrent sessions per connection
MaxSessions 5
# 5 min keepalive
ClientAliveInterval 300
# 2 missed keepalives = disconnect
ClientAliveCountMax 2
```

#### 4. Disable Insecure Features

```
# No X11
X11Forwarding no
# No env manipulation
PermitUserEnvironment no
# No host-based auth
HostbasedAuthentication no
# Ignore .rhosts
IgnoreRhosts yes
```
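A drop-in file only takes effect if nothing earlier in `sshd_config` already set the same directive (sshd keeps the first value it sees), so it is worth auditing the effective configuration rather than the file. The following added example is not part of the project's installer: it compares the output of `sshd -T` (the merged, lowercased configuration) against the settings listed in this section and reports every mismatch. The path of the saved `sshd -T` output is the only input; no other assumptions are made.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit the *effective* sshd
# configuration as printed by `sshd -T` against the hardening baseline above.

# expected_sshd_settings -- the directives this guide requires, in the lowercase
# "keyword value" form that sshd -T prints
expected_sshd_settings() {
    cat <<'EOF'
permitrootlogin no
passwordauthentication no
maxauthtries 3
logingracetime 30
maxsessions 5
x11forwarding no
permituserenvironment no
hostbasedauthentication no
ignorerhosts yes
EOF
}

# audit_sshd_config FILE -- FILE holds `sshd -T` output. Prints one line per
# mismatch ("keyword expected=X actual=Y"); returns 1 if any mismatch exists.
audit_sshd_config() {
    expected_sshd_settings | awk -v effective="$1" '
        BEGIN {
            # load the effective configuration into have[keyword] = value
            while ((getline line < effective) > 0) {
                split(line, f, " ")
                key = f[1]
                sub("^[^ ]+ *", "", line)   # value may itself contain spaces
                have[key] = line
            }
        }
        {
            key = $1; want = $2
            got = (key in have) ? have[key] : "<unset>"
            if (got != want) {
                printf "%s expected=%s actual=%s\n", key, want, got
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Usage: sudo sshd -T > /tmp/sshd-effective.txt && sh this-script.sh /tmp/sshd-effective.txt
if [ $# -gt 0 ]; then
    audit_sshd_config "$1" && echo "sshd configuration matches the hardening baseline"
fi
```

Run it after every change to `sshd_config` or the drop-in, before restarting sshd: a non-zero exit with a list of mismatches tells you exactly which directive was overridden elsewhere.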
### Testing SSH Configuration

```bash
# Test configuration syntax
sudo sshd -t

# Test connection (from another terminal)
ssh alexander@localhost

# View active SSH sessions
who

# View SSH logs
sudo tail -f /var/log/auth.log
```

### Apply SSH Changes

```bash
# Restart SSH service
sudo rc-service sshd restart

# Or reload configuration
sudo kill -HUP $(cat /var/run/sshd.pid)
```

### SSH Key Setup

If not already using SSH keys:

```bash
# Generate ED25519 key (modern, secure)
ssh-keygen -t ed25519 -C "alexander@lenovo-gentoo"

# Or RSA 4096 (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "alexander@lenovo-gentoo"

# Copy to remote host
ssh-copy-id user@remote-host

# Test key-based login
ssh user@remote-host
```
## Additional Security

### 1. System Updates

Keep the system updated:

```bash
# Update package database
emerge --sync

# Check for updates
emerge -uDNp @world

# Install updates
emerge -uDN @world

# List security advisories
glsa-check -l

# Test which advisories affect the installed packages
glsa-check -t all
```

### 2. Audit Logging

Enable system auditing:

```bash
# Install audit daemon
emerge -av sys-process/audit

# Enable service
rc-update add auditd default
rc-service auditd start

# View today's audit events
ausearch -ts today

# SELinux AVC denials only (relevant when SELinux is enabled)
ausearch -m avc
```

### 3. File Integrity Monitoring

Use AIDE for file integrity:

```bash
# Install AIDE
emerge -av app-forensics/aide

# Initialize database
aide --init

# aide --init writes the file named by database_out in /etc/aide/aide.conf;
# copy it to the database_in path before the first --check can compare against it

# Check for changes
aide --check
```

### 4. Kernel Hardening

Enable kernel security features in `/etc/sysctl.conf`:

```
# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Ignore source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Enable SYN cookies
net.ipv4.tcp_syncookies = 1

# Log martian packets
net.ipv4.conf.all.log_martians = 1

# Disable IPv6 if not needed
# net.ipv6.conf.all.disable_ipv6 = 1
```

Apply changes:

```bash
sudo sysctl -p
```

### 5. Automatic Updates (Optional)

**Note**: Not recommended for Gentoo due to compilation time and potential breakage. Manual updates are preferred.
## Monitoring

### Security Event Monitoring

#### 1. Check SSH Login Attempts

```bash
# Recent successful logins
last -10

# Failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20

# All SSH activity today (%e pads the day with a space, as syslog does; %d would zero-pad and miss days 1-9)
sudo grep "$(date '+%b %e')" /var/log/auth.log | grep sshd
```

#### 2. Check Firewall Drops

```bash
# View dropped packets in dmesg (requires a log rule with this prefix in /etc/nftables.conf)
sudo dmesg | grep "nftables-drop"

# View rules with their handles; rules that include a counter statement show packet/byte counts
sudo nft -a list ruleset
```

#### 3. Check fail2ban Bans

```bash
# Current bans
sudo fail2ban-client status sshd

# Ban history
sudo zgrep "Ban " /var/log/fail2ban.log*
```

#### 4. Check Open Ports

```bash
# Listening ports
sudo ss -tlnp

# Or with netstat
sudo netstat -tlnp
```
### Automated Monitoring Script

Create `~/bin/security-check`:

```bash
#!/bin/sh
# Daily security check script
echo "Security Status Report - $(date)"
echo "======================================"
echo ""

echo "SSH Failed Logins (today):"
# %e pads the day with a space, matching the syslog timestamp ("Jan  5")
sudo grep "Failed password" /var/log/auth.log | \
    grep "$(date '+%b %e')" | wc -l
echo ""

echo "fail2ban Banned IPs:"
sudo fail2ban-client status sshd | grep "Banned IP list"
echo ""

echo "Open Ports:"
sudo ss -tlnp | grep LISTEN
echo ""

echo "Firewall Status:"
sudo rc-service nftables status
echo ""

echo "Last 5 Logins:"
last -5
```

Make it executable:

```bash
chmod +x ~/bin/security-check
```

Run daily:

```bash
# Add to crontab
crontab -e

# Daily at 9 AM
0 9 * * * ~/bin/security-check | mail -s "Security Report" root
```
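A bare count of failed logins says little about where they come from. The following added example is not part of the project's script: it aggregates `Failed password` lines per source address and accepts either the traditional syslog timestamp (`Jan  5 ...`) or the ISO format (`2024-01-05T...`) that newer syslog configurations emit, so the day-padding problem of the single `grep` above does not apply. The log file path is passed as an argument; the sample log lines in the test are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example (not part of the original guide): failed SSH logins per source IP.

# auth_log_today_regex -- regex matching today's date in either timestamp style
auth_log_today_regex() {
    # %e pads the day with a space (syslog style); %d would zero-pad and never match days 1-9
    printf '^(%s|%s)' "$(date '+%b %e')" "$(date '+%Y-%m-%d')"
}

# failed_logins_by_ip FILE [REGEX] -- count sshd "Failed password" lines per
# source address. REGEX (default: today's date) selects the lines that count.
# Output: "count ip", most frequent first.
failed_logins_by_ip() {
    file="$1"
    when="${2:-$(auth_log_today_regex)}"
    grep -E "$when" "$file" | grep 'sshd' | grep 'Failed password' |
        awk '{
                 # the address is the token after "from" in both
                 # "for USER from IP" and "for invalid user USER from IP"
                 for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
             }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Usage: sudo sh this-script.sh /var/log/auth.log ['^Jan  5']
if [ $# -gt 0 ]; then
    failed_logins_by_ip "$@"
fi
```

Addresses that appear here with a count at or above the fail2ban `maxretry` but are absent from `fail2ban-client status sshd` point at a jail problem (wrong log path or filter), which is exactly the case the troubleshooting section below deals with.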
## Troubleshooting

### Firewall Blocks Legitimate Traffic

**Problem**: Cannot access services after enabling firewall

**Solution**: Add rules for required services

```bash
# Temporarily stop firewall for testing
sudo rc-service nftables stop

# Test service
# If it works, firewall is blocking it

# Add rule to /etc/nftables.conf

# Restart firewall
sudo rc-service nftables start
```

### Locked Out of SSH

**Problem**: Cannot SSH after hardening

⚠️ **Prevention**: Always keep a session open when testing SSH changes!

**Solution** (requires physical/console access):

```bash
# Via console/physical access
sudo rc-service sshd stop

# Disable the hardening drop-in, which is where the hardened settings live
sudo mv /etc/ssh/sshd_config.d/hardening.conf /root/hardening.conf.disabled

# Restore backup of the main config if it was changed
sudo cp /etc/ssh/sshd_config.backup.* /etc/ssh/sshd_config

# Verify the result parses before starting
sudo sshd -t

# Start SSH
sudo rc-service sshd start
```

### fail2ban Not Banning

**Problem**: fail2ban doesn't ban attackers

Check logs:

```bash
sudo tail -f /var/log/fail2ban.log
```

Common issues:

- Wrong log path in jail.local:

  ```bash
  # Find which log file receives sshd messages
  grep -l "sshd" /var/log/* 2>/dev/null
  ```

- Regex doesn't match log format:

  ```bash
  # Test the sshd filter against the log
  sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
  ```

- Service not running:

  ```bash
  sudo rc-service fail2ban restart
  ```

### False Positives

**Problem**: Legitimate IPs getting banned

**Solution**: Add to whitelist in `/etc/fail2ban/jail.local` (continuation lines indented):

```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
           192.168.2.0/24
           10.0.0.0/8
```

### Performance Issues

**Problem**: Firewall causing lag

Check rules:

```bash
# Count rules and chains (each carries a handle in -a output)
sudo nft -a list ruleset | grep -c "# handle"

# Inspect rules with their handles to spot expensive ones (e.g. unlimited log statements)
sudo nft -a list ruleset
```

**Solution**: Optimize rules, reduce logging
## Security Checklist

Daily/Weekly tasks:

- Check SSH login attempts
- Review fail2ban bans
- Check firewall logs
- Verify services are running
- Review open ports

Monthly tasks:

- Update system packages
- Review firewall rules
- Check for security advisories
- Review user accounts
- Test backup restoration
- Review logs for anomalies

## Best Practices

- **Keep Software Updated**: Regular updates prevent exploits
- **Minimal Services**: Only run what you need
- **Strong Authentication**: Use keys, not passwords
- **Monitor Logs**: Regular log review catches issues early
- **Test Changes**: Always test in a safe environment
- **Document Everything**: Keep notes on configuration changes
- **Backup Configs**: Before making changes
- **Defense in Depth**: Multiple security layers
- **Principle of Least Privilege**: Minimal permissions needed
- **Stay Informed**: Follow security news and advisories

## See Also

- Backup-Setup.md - Backup system guide
- USER-GUIDE.md - Quick reference guide
- CLAUDE.md - System overview
- `/etc/nftables.conf` - Firewall configuration
- `/etc/fail2ban/jail.local` - fail2ban configuration
- `/etc/ssh/sshd_config.d/hardening.conf` - SSH hardening