# Security Hardening Guide
Complete guide for hardening the Gentoo workstation with firewall, intrusion
prevention, and SSH security.
## Overview
This guide covers comprehensive security hardening for a single-user Gentoo
development workstation with a focus on practical security without
over-engineering.
## Table of Contents
- [Security Philosophy](#security-philosophy)
- [Threat Model](#threat-model)
- [Components](#components)
- [Installation](#installation)
- [Firewall Configuration](#firewall-configuration)
- [Intrusion Prevention](#intrusion-prevention)
- [SSH Hardening](#ssh-hardening)
- [Additional Security](#additional-security)
- [Monitoring](#monitoring)
- [Troubleshooting](#troubleshooting)
## Security Philosophy
**Pragmatic security approach**:
1. **Defense in Depth**: Multiple layers of security
2. **Minimal Attack Surface**: Only expose what's necessary
3. **Fail Securely**: Default deny policies
4. **Logging and Monitoring**: Track security events
5. **Maintainability**: Keep it simple and documented
## Threat Model
### Primary Threats
1. **Network attacks**: Port scanning, brute force, exploits
2. **SSH brute force**: Automated login attempts
3. **Malware**: Trojans, backdoors from compromised packages
4. **Physical access**: Limited concern (personal workstation)
### Out of Scope
- Advanced persistent threats (APTs)
- Nation-state actors
- Physical security (trusted environment)
- Multi-user system hardening (single user)
## Components
### 1. nftables Firewall
Modern Linux firewall with:
- Default deny incoming policy
- Allow established connections
- Rate limiting for services
- Connection tracking
- Docker support
### 2. fail2ban
Intrusion prevention system that:
- Monitors SSH login attempts
- Automatically bans malicious IPs
- Integrates with nftables
- Configurable ban times and thresholds
### 3. SSH Hardening
Secure SSH configuration:
- Modern ciphers only
- Key-based authentication
- No root login
- Connection limits
- Logging and monitoring
## Installation
### Prerequisites
```bash
# Install required packages
emerge -av net-firewall/nftables
emerge -av net-analyzer/fail2ban
emerge -av net-misc/openssh
# Ensure SSH is configured and working
rc-service sshd status
```
### Install Security Components
```bash
cd ~/repository/git.hinrichs.dev/alexander/claude/lenovo-gentoo/scripts/security-setup
sudo ./INSTALL.sh
```
**⚠️ CRITICAL**: Keep your current SSH session open until you verify everything
works!
### Installation Steps
The script will:
1. ✅ Install nftables firewall configuration
2. ✅ Install fail2ban jail configuration
3. ✅ Install SSH hardening configuration
4. ✅ Backup all existing configs
5. ✅ Enable services in OpenRC
## Firewall Configuration
### Overview
The nftables firewall uses a default deny policy with explicit allow rules.
**Location**: `/etc/nftables.conf`
### Default Rules
```
INPUT chain (incoming):
- DROP everything by default
- ACCEPT established/related connections
- ACCEPT loopback traffic
- ACCEPT ICMP (rate limited)
- ACCEPT SSH (rate limited, LAN only)
- ACCEPT mDNS (local network discovery)
FORWARD chain:
- DROP everything by default
- ACCEPT established/related (for Docker if needed)
OUTPUT chain:
- ACCEPT everything (workstation outgoing)
```
### Key Features
#### 1. SSH Rate Limiting
Prevents brute force attacks:
```nft
# Max 3 SSH connections per minute per IP
tcp dport 22 ct state new \
add @ratelimit_ssh { ip saddr limit rate 3/minute } accept
```
#### 2. ICMP Rate Limiting
Prevents ping floods:
```nft
# Max 5 pings per second
ip protocol icmp icmp type echo-request limit rate 5/second accept
```
#### 3. Connection Tracking
Tracks connection state for efficient filtering:
```nft
# Allow responses to outgoing connections
ct state established,related accept
# Drop invalid packets
ct state invalid drop
```
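The fragments above, assembled into one complete ruleset file as an added example. This is not the project's own `/etc/nftables.conf`; the LAN range (192.168.1.0/24), the mDNS port, the set name and the `nftables-drop: ` log prefix (the string the Monitoring section greps for in `dmesg`) are assumptions, and the logging rule is added so that dropped packets are actually visible. The Docker rules stay commented out, as in the Docker Integration section.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not the project's file). Assumed values: LAN range,
# mDNS port, set name, log prefix. Check it without loading: nft -c -f <file>

flush ruleset

define lan_net = 192.168.1.0/24

table inet filter {
    # Per-client state for the SSH rate limit, one entry per source address
    set ratelimit_ssh {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Connection tracking: answers to connections this host opened, drop garbage
        ct state established,related accept
        ct state invalid drop

        # Loopback traffic
        iif lo accept

        # ICMP, rate limited; IPv6 needs the neighbour discovery types to work at all
        ip protocol icmp icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } limit rate 5/second accept

        # SSH from the LAN only, at most 3 new connections per minute per client;
        # clients above the rate do not match and fall through to the drop policy
        ip saddr $lan_net tcp dport 22 ct state new add @ratelimit_ssh { ip saddr limit rate 3/minute } accept

        # mDNS for local service discovery
        udp dport 5353 accept

        # Everything else is logged (rate limited) and then dropped by the chain policy
        limit rate 10/minute log prefix "nftables-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Docker (uncomment when using Docker, see Docker Integration)
        # iifname "docker0" accept
        # oifname "docker0" accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

`sudo nft -c -f /path/to/ruleset.nft` parses and checks the file without touching the live ruleset, which is the safe first step before `nft -f` when working over SSH.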
### Testing Firewall
```bash
# Test configuration syntax
sudo nft -f /etc/nftables.conf
# View current rules
sudo nft list ruleset
# Start firewall
sudo rc-service nftables start
# Check status
sudo rc-service nftables status
```
### Enable at Boot
```bash
sudo rc-update add nftables default
```
### Customization
#### Allow Additional Ports
Edit `/etc/nftables.conf` and add rules in the `input` chain:
```nft
# Allow HTTP/HTTPS
tcp dport { 80, 443 } accept
# Allow custom application
tcp dport 8080 accept
```
#### Docker Integration
Uncomment Docker rules if using Docker:
```nft
# In forward chain:
iifname "docker0" accept
oifname "docker0" accept
# In nat table:
oifname $lan_interface masquerade
```
#### Block Specific IPs
```nft
# At top of input chain:
ip saddr 1.2.3.4 drop
ip saddr 5.6.7.0/24 drop
```
## Intrusion Prevention
### fail2ban Overview
fail2ban monitors log files and bans IPs with malicious behavior.
**Location**: `/etc/fail2ban/jail.local`
### Default Configuration
```ini
[DEFAULT]
# Ban duration
bantime = 1h
# Time window for maxretry
findtime = 10m
# Failed attempts before ban
maxretry = 3

[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 1h
```
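The jail above bans a client once `maxretry` failures from one source address fall inside `findtime`. The following added shell script (not part of fail2ban or the project's scripts) reproduces that decision over constructed `auth.log` lines, so the effect of the two settings can be seen without waiting for real login attempts. It keys on the same `Failed password for ... from <ip>` lines as fail2ban's `sshd` filter; as a simplification, timestamps are compared by time of day only, so the constructed sample stays within one day (fail2ban itself parses full dates).

```sh
#!/bin/sh
# Added example: a minimal re-implementation of the sshd jail decision
# (maxretry failures within findtime seconds from one address).
# Not part of fail2ban. Assumption: all log lines fall on the same day.

# Constructed sample auth.log lines in the traditional syslog format.
SAMPLE_LOG='Jan  5 10:00:01 lenovo sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan  5 10:00:09 lenovo sshd[4243]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan  5 10:00:15 lenovo sshd[4244]: Failed password for root from 203.0.113.7 port 51044 ssh2
Jan  5 10:02:40 lenovo sshd[4250]: Failed password for alexander from 192.168.1.20 port 40110 ssh2
Jan  5 10:30:00 lenovo sshd[4260]: Failed password for alexander from 192.168.1.20 port 40118 ssh2
Jan  5 10:31:00 lenovo sshd[4261]: Accepted publickey for alexander from 192.168.1.20 port 40120 ssh2: ED25519 SHA256:constructed
Jan  5 11:45:00 lenovo sshd[4300]: Failed password for invalid user test from 198.51.100.9 port 2222 ssh2
Jan  5 11:45:01 lenovo sshd[4301]: Failed password for invalid user test from 198.51.100.9 port 2223 ssh2
Jan  5 11:45:02 lenovo sshd[4302]: Failed password for invalid user test from 198.51.100.9 port 2224 ssh2'

# ban_candidates MAXRETRY FINDTIME_SECONDS  (log on stdin)
# Prints each source address that reached MAXRETRY failures within any
# FINDTIME_SECONDS window, once, in order of first appearance.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        # Only the lines the sshd filter keys on
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # Seconds since midnight from the HH:MM:SS field
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            n[ip]++
            ts[ip, n[ip]] = now
            # Failures from this address that are still inside the window
            recent = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) recent++
            if (recent >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }'
}

# Run the constructed sample with the given settings (defaults: maxretry 3, findtime 600s).
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | ban_candidates "${1:-3}" "${2:-600}"
}

# With the jail defaults, the two bursting addresses are reported and the
# LAN client with two failures 27 minutes apart is not.
check_sample 3 600
```

With the default `maxretry = 3` and `findtime = 10m`, 203.0.113.7 and 198.51.100.9 qualify while 192.168.1.20 does not; loosening to `maxretry = 2` and `findtime = 1h` would also catch the LAN client, which is why the whitelist in the Customization section matters for addresses you log in from.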
### Starting fail2ban
```bash
# Start service
sudo rc-service fail2ban start
# Check status
sudo fail2ban-client status
# Check SSH jail
sudo fail2ban-client status sshd
# Enable at boot
sudo rc-update add fail2ban default
```
### Monitoring
```bash
# View banned IPs
sudo fail2ban-client status sshd
# Unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4
# View fail2ban log
sudo tail -f /var/log/fail2ban.log
```
### Customization
#### Adjust Ban Times
Edit `/etc/fail2ban/jail.local`:
```ini
[sshd]
# More lenient
maxretry = 5
# Longer ban
bantime = 24h
# Longer time window
findtime = 1h
```
#### Add Email Notifications
```ini
[DEFAULT]
destemail = your.email@example.com
sendername = Fail2Ban
# Mail with logs
action = %(action_mwl)s
```
#### Whitelist IPs
```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
           192.168.1.0/24
           10.0.0.0/8
```
## SSH Hardening
### Overview
Hardened SSH configuration with modern ciphers and security best practices.
**Location**: `/etc/ssh/sshd_config.d/hardening.conf`
### Key Security Features
#### 1. Modern Cryptography
```
# Strong key exchange algorithms
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256
# Strong ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# Strong MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
```
#### 2. Authentication Security
```
# No root login
PermitRootLogin no
# Keys only
PasswordAuthentication no
# Limit attempts
MaxAuthTries 3
# Quick timeout
LoginGraceTime 30
```
#### 3. Connection Limits
```
# Max concurrent sessions
MaxSessions 5
# 5 min keepalive
ClientAliveInterval 300
# 2 missed keepalives = disconnect
ClientAliveCountMax 2
```
#### 4. Disable Insecure Features
```
# No X11
X11Forwarding no
# No env manipulation
PermitUserEnvironment no
# No host-based auth
HostbasedAuthentication no
# Ignore .rhosts
IgnoreRhosts yes
```
### Testing SSH Configuration
```bash
# Test configuration syntax
sudo sshd -t
# Test connection (from another terminal)
ssh alexander@localhost
# View active SSH sessions
who
# View SSH logs
sudo tail -f /var/log/auth.log
```
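`sshd -t` only checks syntax; it does not tell you whether the drop-in won. sshd keeps the first value it reads for each option, so if `sshd_config` sets, say, `PasswordAuthentication yes` above its `Include` line for `sshd_config.d`, the value in `hardening.conf` is silently ignored. The added script below (not part of the project's scripts or of OpenSSH) compares the effective configuration printed by `sshd -T` against the settings listed in this section; the two sample outputs are constructed so that the check runs offline.

```sh
#!/bin/sh
# Added example: verify that the hardening settings are actually in effect by
# checking the effective configuration that "sshd -T" prints (lowercase
# keyword, then value). Not part of the project's scripts.

# Expected effective settings, taken from the SSH Hardening section.
EXPECTED='permitrootlogin no
passwordauthentication no
maxauthtries 3
logingracetime 30
maxsessions 5
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no
permituserenvironment no
hostbasedauthentication no
ignorerhosts yes'

# check_effective_config  (sshd -T output on stdin)
# Prints one MISMATCH line per deviation; the return code is the number of
# mismatches, so 0 means every hardening setting is in effect.
check_effective_config() {
    effective=$(cat)
    mismatches=0
    while read -r key want; do
        got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key expected=$want actual=${got:-<unset>}"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$mismatches"
}

# count_mismatches "<sshd -T output>" : prints the number of mismatches.
count_mismatches() {
    mismatches=0
    printf '%s\n' "$1" | check_effective_config >/dev/null || mismatches=$?
    echo "$mismatches"
}

# Constructed "sshd -T" output for a correctly hardened host.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
maxauthtries 3
logingracetime 30
maxsessions 5
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no
permituserenvironment no
hostbasedauthentication no
ignorerhosts yes'

# Constructed output for a host whose sshd_config set two options above the
# Include line, so the drop-in did not override them.
SAMPLE_PARTIAL=$(printf '%s\n' "$SAMPLE_HARDENED" | sed 's/^passwordauthentication no/passwordauthentication yes/; s/^x11forwarding no/x11forwarding yes/')

# Stand-alone demo on the constructed samples. On the real host run:
#   sudo sshd -T | check_effective_config
printf '%s\n' "$SAMPLE_PARTIAL" | check_effective_config || echo "$? hardening setting(s) not in effect"
```

If the check reports mismatches on a freshly hardened host, look at where `sshd_config` places its `Include /etc/ssh/sshd_config.d/*.conf` line relative to the options it sets itself.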
### Apply SSH Changes
```bash
# Restart SSH service
sudo rc-service sshd restart
# Or reload configuration
sudo kill -HUP $(cat /var/run/sshd.pid)
```
### SSH Key Setup
If not already using SSH keys:
```bash
# Generate ED25519 key (modern, secure)
ssh-keygen -t ed25519 -C "alexander@lenovo-gentoo"
# Or RSA 4096 (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "alexander@lenovo-gentoo"
# Copy to remote host
ssh-copy-id user@remote-host
# Test key-based login
ssh user@remote-host
```
## Additional Security
### 1. System Updates
Keep system updated:
```bash
# Update package database
emerge --sync
# Check for updates
emerge -uDNp @world
# Install updates
emerge -uDN @world
# Check for security advisories
glsa-check -l
```
### 2. Audit Logging
Enable system auditing:
```bash
# Install audit daemon
emerge -av sys-process/audit
# Enable service
rc-update add auditd default
rc-service auditd start
# View audit logs
ausearch -m avc
```
### 3. File Integrity Monitoring
Use AIDE for file integrity:
```bash
# Install AIDE
emerge -av app-forensics/aide
# Initialize database
aide --init
# Check for changes
aide --check
```
### 4. Kernel Hardening
Enable kernel security features in `/etc/sysctl.conf`:
```conf
# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Ignore source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable SYN cookies
net.ipv4.tcp_syncookies = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
# Disable IPv6 if not needed
# net.ipv6.conf.all.disable_ipv6 = 1
```
Apply changes:
```bash
sudo sysctl -p
```
### 5. Automatic Updates (Optional)
**Note**: Not recommended for Gentoo due to compilation time and potential
breakage. Manual updates preferred.
## Monitoring
### Security Event Monitoring
#### 1. Check SSH Login Attempts
```bash
# Recent successful logins
last -10
# Failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20
# All SSH activity today (%e pads the day with a space, as syslog does: "Jan  5")
sudo grep "$(date '+%b %e')" /var/log/auth.log | grep sshd
```
#### 2. Check Firewall Drops
```bash
# View dropped packets in dmesg
sudo dmesg | grep "nftables-drop"
# List rules with their handles (options go before the command; add "counter"
# to rules you want statistics for)
sudo nft -a list ruleset
```
#### 3. Check fail2ban Bans
```bash
# Current bans
sudo fail2ban-client status sshd
# Ban history
sudo zgrep "Ban " /var/log/fail2ban.log*
```
#### 4. Check Open Ports
```bash
# Listening ports
sudo ss -tlnp
# Or with netstat
sudo netstat -tlnp
```
### Automated Monitoring Script
Create `~/bin/security-check`:
```bash
#!/bin/sh
# Daily security check script
echo "Security Status Report - $(date)"
echo "======================================"
echo ""
echo "SSH Failed Logins (last 24h):"
sudo grep "Failed password" /var/log/auth.log | \
    grep "$(date '+%b %e')" | wc -l
echo ""
echo "fail2ban Banned IPs:"
sudo fail2ban-client status sshd | grep "Banned IP list"
echo ""
echo "Open Ports:"
sudo ss -tlnp | grep LISTEN
echo ""
echo "Firewall Status:"
sudo rc-service nftables status
echo ""
echo "Last 5 Logins:"
last -5
```
Make executable:
```bash
chmod +x ~/bin/security-check
```
Run daily:
```bash
# Add to crontab
crontab -e
# Daily at 9 AM
0 9 * * * ~/bin/security-check | mail -s "Security Report" root
```
## Troubleshooting
### Firewall Blocks Legitimate Traffic
**Problem**: Cannot access services after enabling firewall
**Solution**: Add rules for required services
```bash
# Temporarily stop firewall for testing
sudo rc-service nftables stop
# Test service
# If it works, firewall is blocking it
# Add rule to /etc/nftables.conf
# Restart firewall
sudo rc-service nftables start
```
### Locked Out of SSH
**Problem**: Cannot SSH after hardening
**⚠️ Prevention**: Always keep a session open when testing SSH changes!
**Solution** (requires physical/console access):
```bash
# Via console/physical access
sudo rc-service sshd stop
# Restore backup
sudo cp /etc/ssh/sshd_config.backup.* /etc/ssh/sshd_config
# The hardening itself lives in the drop-in /etc/ssh/sshd_config.d/hardening.conf;
# move that file aside to revert only the hardened settings
# Start SSH
sudo rc-service sshd start
```
### fail2ban Not Banning
**Problem**: fail2ban doesn't ban attackers
**Check logs**:
```bash
sudo tail -f /var/log/fail2ban.log
```
**Common issues**:
1. Wrong log path in jail.local:
```bash
# Find which log file receives sshd messages
grep -l "sshd" /var/log/* 2>/dev/null
```
2. Regex doesn't match log format:
```bash
# Test regex
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
```
3. Service not running:
```bash
sudo rc-service fail2ban restart
```
### False Positives
**Problem**: Legitimate IPs getting banned
**Solution**: Add to whitelist in `/etc/fail2ban/jail.local`:
```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
           192.168.2.0/24
           10.0.0.0/8
```
### Performance Issues
**Problem**: Firewall causing lag
**Check rules**:
```bash
# Count rules (the JSON output has one "rule" object per rule)
sudo nft -j list ruleset | grep -o '"rule"' | wc -l
# Check for expensive operations (e.g. unlimited log statements); -a shows rule handles
sudo nft -a list ruleset
```
**Solution**: Optimize rules, reduce logging
## Security Checklist
Daily/Weekly tasks:
- [ ] Check SSH login attempts
- [ ] Review fail2ban bans
- [ ] Check firewall logs
- [ ] Verify services are running
- [ ] Review open ports
Monthly tasks:
- [ ] Update system packages
- [ ] Review firewall rules
- [ ] Check for security advisories
- [ ] Review user accounts
- [ ] Test backup restoration
- [ ] Review logs for anomalies
## Best Practices
1. **Keep Software Updated**: Regular updates prevent exploits
2. **Minimal Services**: Only run what you need
3. **Strong Authentication**: Use keys, not passwords
4. **Monitor Logs**: Regular log review catches issues early
5. **Test Changes**: Always test in safe environment
6. **Document Everything**: Keep notes on configuration changes
7. **Backup Configs**: Before making changes
8. **Defense in Depth**: Multiple security layers
9. **Principle of Least Privilege**: Minimal permissions needed
10. **Stay Informed**: Follow security news and advisories
## See Also
- [Backup-Setup.md](Backup-Setup.md) - Backup system guide
- [USER-GUIDE.md](USER-GUIDE.md) - Quick reference guide
- [CLAUDE.md](CLAUDE.md) - System overview
- `/etc/nftables.conf` - Firewall configuration
- `/etc/fail2ban/jail.local` - fail2ban configuration
- `/etc/ssh/sshd_config.d/hardening.conf` - SSH hardening