https://archive.forums.debian.net/api.php?action=feedcontributions&feedformat=atom&user=Blackcat568Archive Debian Forums - User contributions [en]2026-04-28T01:26:50ZUser contributionsMediaWiki 1.45.1https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=213Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-04-04T01:05:14Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
The use of mandatory access control mechanisms represents an important layer of system protection. Without proper configuration, even a system with a correctly configured firewall may remain vulnerable to various types of attacks.<blockquote>'''Warning:''' AppArmor, SELinux and other Mandatory Access Control (MAC) mechanisms may cause system malfunction if misconfigured. Errors in profiles or policies can result in service failures, boot issues, user session lockout, or restricted access to system resources. In some cases, system recovery may be difficult even when using recovery mode, a chroot environment, or booting from a Live/Rescue medium.<br />
</blockquote> <br />
<br />
It is recommended to perform testing and development of complex and/or custom policies and profiles in an isolated environment (for example, in a virtual machine). It is advisable to retain change logs and terminal output for subsequent analysis.<br />
<br />
Configuration changes should be applied to the host system '''only after confirming correct and stable operation in the test environment.'''<br />
<br />
<br />
Additional recommendations:<br />
<br />
* When restricting potentially vulnerable system services and daemons, use AppArmor profiles with the minimum required permissions (principle of least privilege).<br />
* For potentially vulnerable user applications (browsers, messengers, database managers), prioritize isolation using sandboxing solutions (e.g., Flatpak, Firejail). Use AppArmor as an additional layer or in cases where sandboxing is not available.<br />
* This approach creates an architecture where applications are isolated from each other and from the system. In the event that a sandboxed application is compromised, its access to other applications and the system as a whole will be maximally restricted, which significantly hinders further actions by an attacker.<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
<br />
In addition to blocking all unnecessary incoming connections (on most home workstations, you can block all incoming traffic), be sure to also restrict outgoing connections — block all ports and ranges that are not required by the system and applications. This reduces the attack surface. <br />
<br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
In addition to iptables/nftables, it is strongly recommended to use [https://www.tecmint.com/opensnitch-linux-application-firewall/| OpenSnitch] — '''an interactive firewall''' that shows in real time the IP, process, PID, and port for each connection. OpenSnitch allows you to flexibly block suspicious activity, which, combined with nftables, provides significantly more robust protection.<br />
<br />
OpenSnitch operates on top of nftables/iptables. Instead of merely showing "traffic on a port," it reveals exactly which process is trying to connect to where. The project is not widely known, yet it is extremely useful, actively developed, and deserves the community's attention and support.<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
<blockquote><br />
Master the syntax and policies of nftables, AppArmor, and sysctl. These are native Linux kernel mechanisms for traffic filtering, mandatory access control (MAC), and system parameter restrictions. Deep proficiency in configuring them is critically useful for building secure systems.<br />
</blockquote><br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. <br />
<br />
In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
15. Use desktop environments based on Wayland.<br />
<br />
Wayland is a modern display server protocol that provides stronger application isolation. Unlike Xorg, where any client application can potentially intercept input (keyboard, mouse) and observe other windows, Wayland implements a model in which applications do not have direct access to each other or to global input; all input handling is mediated by the compositor.<br />
<br />
This significantly reduces the impact of a single application compromise: even if an application is exploited, it cannot transparently monitor user activity in other programs.<br />
<br />
Wayland is supported by modern desktop environments such as GNOME (the default in Debian 13), KDE Plasma, and others.<br />
<br />
Xorg is considered outdated from a security perspective due to its architecture, which lacks proper client isolation.<br />
<br />
It is recommended to verify that your desktop environment is actually running on Wayland rather than Xorg (for example, by checking the XDG_SESSION_TYPE environment variable).<br />
<br />
If the GNOME interface feels unfamiliar, it can be extensively customized using extensions and system settings, allowing you to adapt window behavior and panels to your preferred workflow.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. <br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including: <br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/psychological-suppression-by-security-forces.html| Psychological Suppression via the Disbelief Effect] — The Disbelief Effect is a subtle, systemic tactic aimed at depriving a person of support, discrediting their testimony, and thereby weakening their ability to resist. When doubt, ridicule, and neglect become the social norm surrounding a particular individual, it functions as a form of psychological weapon: isolation, humiliation, loss of control over one’s own reality. This article provides a detailed analysis of the nature of the Disbelief Effect, its mechanisms, consequences, and practical recommendations: what must never be done and what can effectively be done under such pressure.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]<br />
[[Category:Full Paper]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=212Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-04-03T07:56:08Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
The use of mandatory access control mechanisms represents an important layer of system protection. Without proper configuration, even a system with a correctly configured firewall may remain vulnerable to various types of attacks.<blockquote>'''Warning:''' AppArmor, SELinux and other Mandatory Access Control (MAC) mechanisms may cause system malfunction if misconfigured. Errors in profiles or policies can result in service failures, boot issues, user session lockout, or restricted access to system resources. In some cases, system recovery may be difficult even when using recovery mode, a chroot environment, or booting from a Live/Rescue medium.<br />
</blockquote> <br />
<br />
It is recommended to perform testing and development of complex and/or custom policies and profiles in an isolated environment (for example, in a virtual machine). It is advisable to retain change logs and terminal output for subsequent analysis.<br />
<br />
Configuration changes should be applied to the host system '''only after confirming correct and stable operation in the test environment.'''<br />
<br />
<br />
Additional recommendations:<br />
<br />
* When restricting potentially vulnerable system services and daemons, use AppArmor profiles with the minimum required permissions (principle of least privilege).<br />
* For potentially vulnerable user applications (browsers, messengers, database managers), prioritize isolation using sandboxing solutions (e.g., Flatpak, Firejail). Use AppArmor as an additional layer or in cases where sandboxing is not available.<br />
* This approach creates an architecture where applications are isolated from each other and from the system. In the event that a sandboxed application is compromised, its access to other applications and the system as a whole will be maximally restricted, which significantly hinders further actions by an attacker.<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
<br />
In addition to blocking all unnecessary incoming connections (on most home workstations, you can block all incoming traffic), be sure to also restrict outgoing connections — block all ports and ranges that are not required by the system and applications. This reduces the attack surface. <br />
<br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
In addition to iptables/nftables, it is strongly recommended to use [https://www.tecmint.com/opensnitch-linux-application-firewall/| OpenSnitch] — '''an interactive firewall''' that shows in real time the IP, process, PID, and port for each connection. OpenSnitch allows you to flexibly block suspicious activity, which, combined with nftables, provides significantly more robust protection.<br />
<br />
OpenSnitch operates on top of nftables/iptables. Instead of merely showing "traffic on a port," it reveals exactly which process is trying to connect to where. The project is not widely known, yet it is extremely useful, actively developed, and deserves the community's attention and support.<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. <br />
<br />
In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
15. Use desktop environments based on Wayland.<br />
<br />
Wayland is a modern display server protocol that provides stronger application isolation. Unlike Xorg, where any client application can potentially intercept input (keyboard, mouse) and observe other windows, Wayland implements a model in which applications do not have direct access to each other or to global input; all input handling is mediated by the compositor.<br />
<br />
This significantly reduces the impact of a single application compromise: even if an application is exploited, it cannot transparently monitor user activity in other programs.<br />
<br />
Wayland is supported by modern desktop environments such as GNOME (the default in Debian 13), KDE Plasma, and others.<br />
<br />
Xorg is considered outdated from a security perspective due to its architecture, which lacks proper client isolation.<br />
<br />
It is recommended to verify that your desktop environment is actually running on Wayland rather than Xorg (for example, by checking the XDG_SESSION_TYPE environment variable).<br />
<br />
If the GNOME interface feels unfamiliar, it can be extensively customized using extensions and system settings, allowing you to adapt window behavior and panels to your preferred workflow.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. <br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including: <br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/psychological-suppression-by-security-forces.html| Psychological Suppression via the Disbelief Effect] — The Disbelief Effect is a subtle, systemic tactic aimed at depriving a person of support, discrediting their testimony, and thereby weakening their ability to resist. When doubt, ridicule, and neglect become the social norm surrounding a particular individual, it functions as a form of psychological weapon: isolation, humiliation, loss of control over one’s own reality. This article provides a detailed analysis of the nature of the Disbelief Effect, its mechanisms, consequences, and practical recommendations: what must never be done and what can effectively be done under such pressure.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]<br />
[[Category:Full Paper]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=211Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-04-01T18:20:20Z<p>Blackcat568: /* Related Aspects of Internet Security */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
The use of mandatory access control mechanisms represents an important layer of system protection. Without proper configuration, even a system with a correctly configured firewall may remain vulnerable to various types of attacks.<blockquote>'''Warning:''' AppArmor, SELinux and other Mandatory Access Control (MAC) mechanisms may cause system malfunction if misconfigured. Errors in profiles or policies can result in service failures, boot issues, user session lockout, or restricted access to system resources. In some cases, system recovery may be difficult even when using recovery mode, a chroot environment, or booting from a Live/Rescue medium.<br />
</blockquote> <br />
<br />
It is recommended to perform testing and development of complex and/or custom policies and profiles in an isolated environment (for example, in a virtual machine). It is advisable to retain change logs and terminal output for subsequent analysis.<br />
<br />
Configuration changes should be applied to the host system '''only after confirming correct and stable operation in the test environment.'''<br />
<br />
<br />
Additional recommendations:<br />
<br />
* When restricting potentially vulnerable system services and daemons, use AppArmor profiles with the minimum required permissions (principle of least privilege).<br />
* For potentially vulnerable user applications (browsers, messengers, database managers), prioritize isolation using sandboxing solutions (e.g., Flatpak, Firejail). Use AppArmor as an additional layer or in cases where sandboxing is not available.<br />
* This approach creates an architecture where applications are isolated from each other and from the system. In the event that a sandboxed application is compromised, its access to other applications and the system as a whole will be maximally restricted, which significantly hinders further actions by an attacker.<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
<br />
In addition to blocking all unnecessary incoming connections (on most home workstations, you can block all incoming traffic), be sure to also restrict outgoing connections — block all ports and ranges that are not required by the system and applications. This reduces the attack surface. <br />
<br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
In addition to iptables/nftables, it is strongly recommended to use [https://www.tecmint.com/opensnitch-linux-application-firewall/| OpenSnitch] — '''an interactive firewall''' that shows in real time the IP, process, PID, and port for each connection. OpenSnitch allows you to flexibly block suspicious activity, which, combined with nftables, provides significantly more robust protection.<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. <br />
<br />
In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
15. Use desktop environments based on Wayland.<br />
<br />
Wayland is a modern display server protocol that provides stronger application isolation. Unlike Xorg, where any client application can potentially intercept input (keyboard, mouse) and observe other windows, Wayland implements a model in which applications do not have direct access to each other or to global input; all input handling is mediated by the compositor.<br />
<br />
This significantly reduces the impact of a single application compromise: even if an application is exploited, it cannot transparently monitor user activity in other programs.<br />
<br />
Wayland is supported by modern desktop environments such as GNOME (the default in Debian 13), KDE Plasma, and others.<br />
<br />
Xorg is considered outdated from a security perspective due to its architecture, which lacks proper client isolation.<br />
<br />
It is recommended to verify that your desktop environment is actually running on Wayland rather than Xorg (for example, by checking the XDG_SESSION_TYPE environment variable).<br />
<br />
If the GNOME interface feels unfamiliar, it can be extensively customized using extensions and system settings, allowing you to adapt window behavior and panels to your preferred workflow.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. <br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including: <br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/psychological-suppression-by-security-forces.html| Psychological Suppression via the Disbelief Effect] — The Disbelief Effect is a subtle, systemic tactic aimed at depriving a person of support, discrediting their testimony, and thereby weakening their ability to resist. When doubt, ridicule, and neglect become the social norm surrounding a particular individual, it functions as a form of psychological weapon: isolation, humiliation, loss of control over one’s own reality. This article provides a detailed analysis of the nature of the Disbelief Effect, its mechanisms, consequences, and practical recommendations: what must never be done and what can effectively be done under such pressure.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]<br />
[[Category:Full Paper]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=210Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-04-01T18:19:13Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
The use of mandatory access control mechanisms represents an important layer of system protection. Without proper configuration, even a system with a correctly configured firewall may remain vulnerable to various types of attacks.<blockquote>'''Warning:''' AppArmor, SELinux and other Mandatory Access Control (MAC) mechanisms may cause system malfunction if misconfigured. Errors in profiles or policies can result in service failures, boot issues, user session lockout, or restricted access to system resources. In some cases, system recovery may be difficult even when using recovery mode, a chroot environment, or booting from a Live/Rescue medium.<br />
</blockquote> <br />
<br />
It is recommended to perform testing and development of complex and/or custom policies and profiles in an isolated environment (for example, in a virtual machine). It is advisable to retain change logs and terminal output for subsequent analysis.<br />
<br />
Configuration changes should be applied to the host system '''only after confirming correct and stable operation in the test environment.'''<br />
<br />
<br />
Additional recommendations:<br />
<br />
* When restricting potentially vulnerable system services and daemons, use AppArmor profiles with the minimum required permissions (principle of least privilege).<br />
* For potentially vulnerable user applications (browsers, messengers, database managers), prioritize isolation using sandboxing solutions (e.g., Flatpak, Firejail). Use AppArmor as an additional layer or in cases where sandboxing is not available.<br />
* This approach creates an architecture where applications are isolated from each other and from the system. In the event that a sandboxed application is compromised, its access to other applications and the system as a whole will be maximally restricted, which significantly hinders further actions by an attacker.<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
<br />
In addition to blocking all unnecessary incoming connections (on most home workstations, you can block all incoming traffic), be sure to also restrict outgoing connections — block all ports and ranges that are not required by the system and applications. This reduces the attack surface. <br />
<br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
In addition to iptables/nftables, it is strongly recommended to use [https://www.tecmint.com/opensnitch-linux-application-firewall/| OpenSnitch] — '''an interactive firewall''' that shows in real time the IP, process, PID, and port for each connection. OpenSnitch allows you to flexibly block suspicious activity, which, combined with nftables, provides significantly more robust protection.<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. <br />
<br />
In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
15. Use desktop environments based on Wayland.<br />
<br />
Wayland is a modern display server protocol that provides stronger application isolation. Unlike Xorg, where any client application can potentially intercept input (keyboard, mouse) and observe other windows, Wayland implements a model in which applications do not have direct access to each other or to global input; all input handling is mediated by the compositor.<br />
<br />
This significantly reduces the impact of a single application compromise: even if an application is exploited, it cannot transparently monitor user activity in other programs.<br />
<br />
Wayland is supported by modern desktop environments such as GNOME (the default in Debian 13), KDE Plasma, and others.<br />
<br />
Xorg is considered outdated from a security perspective due to its architecture, which lacks proper client isolation.<br />
<br />
It is recommended to verify that your desktop environment is actually running on Wayland rather than Xorg (for example, by checking the XDG_SESSION_TYPE environment variable).<br />
<br />
If the GNOME interface feels unfamiliar, it can be extensively customized using extensions and system settings, allowing you to adapt window behavior and panels to your preferred workflow.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/psychological-suppression-by-security-forces.html| Psychological Suppression via the Disbelief Effect] — The Disbelief Effect is a subtle, systemic tactic aimed at depriving a person of support, discrediting their testimony, and thereby weakening their ability to resist. When doubt, ridicule, and neglect become the social norm surrounding a particular individual, it functions as a form of psychological weapon: isolation, humiliation, loss of control over one’s own reality. This article provides a detailed analysis of the nature of the Disbelief Effect, its mechanisms, consequences, and practical recommendations: what must never be done and what can effectively be done under such pressure.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]<br />
[[Category:Full Paper]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=188Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-02-19T20:32:40Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
The use of mandatory access control mechanisms represents an important layer of system protection. Without proper configuration, even a system with a correctly configured firewall may remain vulnerable to various types of attacks.<blockquote>'''Warning:''' AppArmor, SELinux and other Mandatory Access Control (MAC) mechanisms may cause system malfunction if misconfigured. Errors in profiles or policies can result in service failures, boot issues, user session lockout, or restricted access to system resources. In some cases, system recovery may be difficult even when using recovery mode, a chroot environment, or booting from a Live/Rescue medium.<br />
</blockquote> <br />
<br />
It is recommended to perform testing and development of complex and/or custom policies and profiles in an isolated environment (for example, in a virtual machine). It is advisable to retain change logs and terminal output for subsequent analysis.<br />
<br />
Configuration changes should be applied to the host system '''only after confirming correct and stable operation in the test environment.'''<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/psychological-suppression-by-security-forces.html| Psychological Suppression via the Disbelief Effect] — The Disbelief Effect is a subtle, systemic tactic aimed at depriving a person of support, discrediting their testimony, and thereby weakening their ability to resist. When doubt, ridicule, and neglect become the social norm surrounding a particular individual, it functions as a form of psychological weapon: isolation, humiliation, loss of control over one’s own reality. This article provides a detailed analysis of the nature of the Disbelief Effect, its mechanisms, consequences, and practical recommendations: what must never be done and what can effectively be done under such pressure.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=187Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-02-16T14:30:51Z<p>Blackcat568: /* Additional articles on the author's site: */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/psychological-suppression-by-security-forces.html| Psychological Suppression via the Disbelief Effect] — The Disbelief Effect is a subtle, systemic tactic aimed at depriving a person of support, discrediting their testimony, and thereby weakening their ability to resist. When doubt, ridicule, and neglect become the social norm surrounding a particular individual, it functions as a form of psychological weapon: isolation, humiliation, loss of control over one’s own reality. This article provides a detailed analysis of the nature of the Disbelief Effect, its mechanisms, consequences, and practical recommendations: what must never be done and what can effectively be done under such pressure.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=186Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-02-16T14:28:35Z<p>Blackcat568: /* External Resources */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=185Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-02-16T14:27:49Z<p>Blackcat568: /* Examples of Deep Custom Security Configurations */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=184Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-02-16T14:24:54Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. If you have difficulty configuring AppArmor, seek help from specialists or use AI-based tools. <br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[Category:Security]]<br />
[[Category:Administration]]<br />
[[Category:Guides]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=155Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-29T01:47:06Z<p>Blackcat568: /* Security Hardening for Debian Users: Protecting Against Targeted Attacks */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<blockquote>'''Note:''' Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.</blockquote><br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
<blockquote>'''Note:''' Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.</blockquote><br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=154Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-29T01:43:37Z<p>Blackcat568: /* Related Aspects of Internet Security */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
''Note: Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=153Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-29T01:40:20Z<p>Blackcat568: /* Related Aspects of Internet Security */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
''Note: Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=152Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-29T01:38:53Z<p>Blackcat568: /* Related Aspects of Internet Security */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
Note: Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. Hardware Firewall<br />
<br />
If you handle confidential information on your computer and are in a high-risk zone for cyberattacks, consider using an additional layer of protection such as a '''hardware firewall'''.<br />
<br />
Important note on cost: In addition to the one-time cost of the device (starting from approximately $55), an annual paid subscription is required for threat intelligence updates. Therefore, this solution is economically justified primarily in two cases:<br />
<br />
* You work with critically important information whose leakage is unacceptable (e.g., trade secrets, client personal data, unique developments, or if your professional activities involve sensitive data in fields such as law enforcement, military, legal practice, journalism, healthcare, and so on).<br />
* You have well-founded suspicions that you or your organization could be the target of a directed attack.<br />
<br />
Attackers often rely on direct interaction with your devices. The presence of a dedicated, subscription-updated hardware firewall creates a significant obstacle for them. It acts as an independent filter, analyzing all incoming and outgoing traffic before it reaches your end devices. This substantially increases the cost and complexity of an attack for the malicious actor, reducing its effectiveness.<br />
<br />
However, this should not be viewed as a panacea. '''It is an additional, not the sole, layer of defense.''' Its presence does not negate the necessity of:<br />
<br />
* Configuring the basic security of your router.<br />
* Using a software firewall and antivirus on your PC.<br />
* Timely updating your operating system and applications.<br />
* Practicing good cyber hygiene (e.g., using a password manager, being cautious of phishing).<br />
<br />
A hardware firewall should be seamlessly integrated into your overall security architecture, forming a '''multi-layered (defense-in-depth) protection system.''' It is precisely such a system, where breaching one barrier does not lead to the compromise of the entire network, that poses the most serious challenge for attackers.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
<br />
8. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=151Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-28T13:40:15Z<p>Blackcat568: /* Additional articles on the author's site: */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks] - The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC] - This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=150Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-28T13:27:37Z<p>Blackcat568: /* Additional articles on the author's site: */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
*'''Comprehensive analysis of targeted attacks''' <br />
<br />
The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks]<br />
<br />
*'''Information and Behavioral Hygiene for Working with a PC'''<br />
<br />
This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC]<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=149Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-28T13:24:29Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== Additional articles on the author's site: ====<br />
<br />
<blockquote>'''Note:''' The following materials are provided for '''awareness, defensive, and educational purposes only'''. They are intended to help users recognize threats and build their own security. All personal data and identifiers have been anonymized.</blockquote> <br />
<br />
===== Comprehensive analysis of targeted attacks =====<br />
<br />
The author provides an analysis of complex targeted attack that was used against him, including social‑engineering and psychological components, as well as cyber attack vectors and defensive measures. <br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/targeted-attack-analysis.html| Author's analysis of targeted attacks]<br />
<br />
===== Information and Behavioral Hygiene for Working with a PC =====<br />
<br />
This is an extensive popular-science essay dedicated to comprehensive digital hygiene. Drawing on years of personal (and often bitter) experience in working with PCs, observing user behavior, working in the security sector, as well as experience in countering scammers and manipulators online, the author formulates a system of practical principles for conscious, safe, and productive work with a PC and on the Internet.<br />
<br />
[https://blackcat568.github.io/CyberSecurityAndSocialEngineering/information-and-behavioral-hygiene-for-working-with-a-pc.html| Information and Behavioral Hygiene for Working with a PC]<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=148Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-14T18:11:20Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs#| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=147Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-14T17:50:37Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| here].<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. <br />
My nftables config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| here].<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). <br />
My 99-protect.conf config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| here].<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). <br />
My auditd config can be viewed [https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| here].<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=146Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-14T01:37:55Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or ''sudo'' without a clear necessity — and never execute arbitrary scripts with ''sudo''. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of ''sudo'' and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the ''sudo'' group. The ''sudo'' privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via ''sudo''. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., ''www-data'', ''postgres,'' ''nobody'') '''do not have sudo access by default'''. Programs installed using ''sudo'' by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with ''sudo'' unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]])<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=145Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-14T01:34:27Z<p>Blackcat568: /* Main Aspects of System Hardening */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Follow a server-style access model <br />
<br />
Do not add regular users to the `sudo` group. The `sudo` privilege should be reserved exclusively for the superuser (root). Regular users '''should not''' have the ability to execute commands as root via `sudo`. <br />
<br />
Yes, this can introduce some inconvenience in system administration, but this model provides a more secure configuration and reduces the risk of accidental or intentional security breaches.<blockquote>'''Note:''' system users created by the kernel or services (e.g., `www-data`, `postgres`, `nobody`) '''do not have sudo access by default'''.<br />
Programs installed using `sudo` by the root user '''do not automatically grant sudo privileges to users created by those programs'''. Any virtual or service accounts remain unable to run commands with sudo unless explicitly added to the sudo-enabled group.</blockquote> <br />
<br />
6. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
7. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
<br />
8. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
9. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
10. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
11 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
12. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
13. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
14. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=143Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-04T18:27:37Z<p>Blackcat568: /* External Resources */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
6. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
<br />
7. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
8. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
9. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
10 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
11. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
12. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
13. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html| Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c| The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/| iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf| SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf| Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices| CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=142Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-04T18:24:37Z<p>Blackcat568: /* UsefulPrograms */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
6. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
<br />
7. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
8. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
9. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
10 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
11. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
12. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
13. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms| Useful programs reviewed by the article author (DebianWiki)]<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=141Security Hardening for Debian Users: Protecting Against Targeted Attacks2026-01-04T18:14:21Z<p>Blackcat568: /* Examples of Deep Custom Security Configurations */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
6. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
<br />
7. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
8. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
9. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
10 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
11. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
12. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
13. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
[https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/SecurityConfigsAndLogs| Examples of Deep Custom Security Configurations (DebianWiki)]<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=140Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-28T23:01:37Z<p>Blackcat568: added paragraph about using routers with nftables function</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
6. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
<br />
7. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
8. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
9. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
10 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
11. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
12. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
13. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. Use a Wi-Fi router that supports nftables or an equivalent modern packet-filtering framework.<br />
<br />
It is not recommended to rely on the cheapest consumer-grade routers that lack built-in security mechanisms and fine-grained traffic filtering capabilities. A router should be treated as an integral part of the overall security architecture, not as an element that increases the attack surface.<br />
<br />
Deploying an additional network filtering layer at the entry point of a home network significantly complicates an attacker’s ability to build an effective attack configuration and increases the overall cost of an attack. Configure strict and well-defined filtering rules on the router’s nftables firewall, including inbound connection restrictions, outbound traffic control, and network segmentation where appropriate.<br />
<br />
Access to the router’s administrative interface must be protected with a strong, unique password. Whenever possible, management access should be restricted to trusted networks or limited to wired interfaces only.<br />
<br />
Such a configuration provides an additional layer of protection not only for the primary workstation, but also for other devices connected to the network (for example, Android-based mobile devices), which often lack the technical capability to use host-level packet filtering mechanisms such as iptables or nftables.<br />
<br />
7. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=139Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-18T19:30:47Z<p>Blackcat568: /* Related Aspects of Internet Security */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
6. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
<br />
7. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
8. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
9. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
10 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
11. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
12. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
13. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations: <blockquote>A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).</blockquote><br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=138Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-18T19:16:14Z<p>Blackcat568: /* Related Aspects of Internet Security */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
6. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
<br />
7. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
8. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
9. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
10 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
11. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
12. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
13. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, [https://keepassxc.org/ KeePassXC]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [https://en.wikipedia.org/wiki/Authenticator_app Authenticator app]), or a hardware security key such as a [https://en.wikipedia.org/wiki/YubiKey YubiKey]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html using TLS authentication (tls-auth / tls-crypt)] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=137Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-18T19:12:14Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
<br />
2. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
<br />
3. Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
<br />
4. Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
* Always read a script fully before running it (less script.sh, cat script.sh).<br />
* Never paste commands from untrusted or unverified sources into the terminal.<br />
* Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
* Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
<br />
5. Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
<br />
6. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
<br />
7. Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
<br />
8. Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
<br />
9. Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
<br />
10 If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
<br />
11. Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
* If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
* If you are certain you will never use it, remove it completely from the system.<br />
* This practice reduces potential attack vectors and strengthens overall system security.<br />
* Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
* Always create a full system backup before making any significant configuration changes or modifications.<br />
<br />
12. Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
<br />
13. Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight><br />
<br />
Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, [[https://keepassxc.org/%7CKeePassXC]]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[https://en.wikipedia.org/wiki/Authenticator_app|Authenticator app]]), or a hardware security key such as a [[https://en.wikipedia.org/wiki/YubiKey|YubiKey]]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
* ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
* ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN [[https://openvpn.net/as-docs/tutorials/tutorial--change-tls-control-channel-security.html|using TLS authentication (tls-auth / tls-crypt)]] and unique client certificates instead of passwords.<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
{{{#!wiki note<br />
Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.<br />
In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.<br />
}}}<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Note: Artificial intelligence tools, YubiKey, and other tools not directly related to Debian/Linux are mentioned here as optional technical aids, not as an endorsement of any specific service, vendor, or product. The author does not engage in commercial promotion of any software, hardware, or services, but merely provides optional recommendations for measures that directly or indirectly enhance the security of operating system usage.''<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable '''to perform a hardware-level assessment''' as well, including verification of device firmware integrity and configuration.<br />
<br />
'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''<br />
<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=136Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-18T18:57:22Z<p>Blackcat568: /* Related Aspects of Internet Security */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
# Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
## Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
# Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, [[https://keepassxc.org/%7CKeePassXC]]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).<br />
<br />
# Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[https://en.wikipedia.org/wiki/Authenticator_app|Authenticator app]]), or a hardware security key such as a [[https://en.wikipedia.org/wiki/YubiKey|YubiKey]]. <br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites. <br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised. <br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. <br />
<br />
For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=135Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-18T18:56:16Z<p>Blackcat568: /* Related Aspects of Internet Security */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
# Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
## Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
# Store passwords in a reliable password manager. '''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, [[https://keepassxc.org/%7CKeePassXC]]) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes).<br />
<br />
#<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=134Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-18T18:50:30Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
# Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
## Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
Store passwords in a reliable password manager.<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
relying on human memory, with the risk of forgetting or confusing credentials;<br />
storing passwords on paper media, which can be damaged, lost, or stolen;<br />
saving passwords in web browsers in unencrypted form;<br />
keeping passwords in plain text files on the desktop or in other directories without encryption; <br />
and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
Additional Practical Recommendations:<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
Using VPN to improve privacy and security<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<blockquote>''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''</blockquote><br />
It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=133Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-18T18:43:59Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
# Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
## Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
# Store passwords in a reliable password manager.<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
## relying on human memory, with the risk of forgetting or confusing credentials;<br />
## storing passwords on paper media, which can be damaged, lost, or stolen;<br />
## saving passwords in web browsers in unencrypted form;<br />
## keeping passwords in plain text files on the desktop or in other directories without encryption; <br />
and similar approaches.<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
## Regularly create up-to-date backups of the ''encrypted'' password database.<br />
## Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
Additional Practical Recommendations:<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
# Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
## YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
## It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
## Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
# Using VPN to improve privacy and security<br />
## ''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
## ''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
# Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
# If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<blockquote>''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''</blockquote><br />
# It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=132Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-18T16:59:09Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
====== Main Aspects of System Hardening ======<br />
<br />
<br />
# Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible <blockquote>'''Important:''' Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.</blockquote><br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. <br />
## Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
====== Related Aspects of Internet Security ======<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
# Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
## relying on human memory, with the risk of forgetting or confusing credentials;<br />
## storing passwords on paper media, which can be damaged, lost, or stolen;<br />
## saving passwords in web browsers in unencrypted form;<br />
## keeping passwords in plain text files on the desktop or in other directories without encryption; <br />
and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
# Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
# Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
# Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
# If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
# It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
===== Examples of Deep Custom Security Configurations =====<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=131Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:56:30Z<p>Blackcat568: /* Countermeasures */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
''Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build).''<br />
<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=130Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:52:50Z<p>Blackcat568: /* Source */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Provenance ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=129Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:50:36Z<p>Blackcat568: added new chapter ==== Source ====</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
==== Source ====<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131<br />
<br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=128Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:41:39Z<p>Blackcat568: /* External Resources */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home AppArmor] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, <br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=127Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:39:48Z<p>Blackcat568: /* Linux system hardening recommendations: */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or [https://en.wikipedia.org/wiki/Occam's_razor Occam's Razor]) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
https://gitlab.com/apparmor/apparmor/-/wikis/home <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, <br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=126Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:30:58Z<p>Blackcat568: /* External Resources */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
https://gitlab.com/apparmor/apparmor/-/wikis/home <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, <br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=125Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:28:21Z<p>Blackcat568: /* UsefulPrograms */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home|AppArmor.] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, <br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=124Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:27:35Z<p>Blackcat568: added list with the literature and link to the list with useful programs</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight><br />
<br />
<br />
==== UsefulPrograms ====<br />
<br />
Here is the list of programs useful for configuring and maintaining the security of Linux systems. The included programs are either open-source (the majority) or commercial, but with freely available limited features sufficient to address core security tasks (a smaller portion). <br />
<br />
https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks/UsefulPrograms#preview<br />
<br />
<br />
==== External Resources ====<br />
<br />
[https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html|Securing Debian Manual 3.19 — Javier Fernández-Sanguino Peña.] <br />
This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. <br />
<br />
[https://medium.com/%40ihouelecaurcy/the-complete-nftables-guide-modern-linux-firewall-mastery-79fb86894d5c|The Complete nftables Guide: Modern Linux Firewall Mastery — Ihouele Caurcy] <br />
The definitive guide to nftables — the modern replacement for iptables, ip6tables, arptables, and ebtables. From basic concepts to enterprise-level configurations. <br />
<br />
[https://notes.suhaib.in/docs/tech/utilities/iptables-nftables-and-you-a-friendly-guide-to-traffic-rules/|iptables, nftables, and You A Friendly Guide to Traffic Rules]<br />
A friendly guide to iptables and nftables in Linux: explains Netfilter architecture, tables, chains and rules, with configuration examples (SSH, IP blocking, port forwarding). Covers differences between iptables and nftables, migration, and compatibility with modern firewall tools. Useful for understanding the iptables→nftables transition and practical examples. <br />
<br />
[https://public.jdstone1.com/books_and_magazines/Computer_Books/Operating_Systems/SELinux%20System%20Administration%20(3rd%20ed).pdf|SELinux System Administration Third Edition — Sven Vermeulen.] <br />
Implement mandatory access control to secure applications, users, and information flows on Linux. <br />
<br />
[https://gitlab.com/apparmor/apparmor/-/wikis/home|AppArmor.] <br />
The official wiki for the AppArmor security project on Linux. Provides guidance for users and developers, instructions for creating and managing security profiles, example access policies for applications, and best practices to protect the operating system. <br />
<br />
[https://nallino.net/stockage/security/Linux_Mint_Security.pdf|Security, Privacy and Anonymity in Linux Mint — Michel Nallino.] <br />
A good and comprehensive work on Linux Mint security that can also be useful for other Linux distributions. <br />
<br />
[https://www.cisa.gov/topics/cybersecurity-best-practices|CISA — Cybersecurity Best Practices] <br />
CISA (Certified Information Systems Auditor) provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.<br />
<br />
<br />
This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, <br />
it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=123Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T17:02:40Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=122Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T16:02:23Z<p>Blackcat568: /* Security Hardening for Debian Users: Protecting Against Targeted Attacks */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
* Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
* Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=121Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T15:59:05Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
<br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=120Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T15:56:50Z<p>Blackcat568: /* Security Hardening for Debian Users: Protecting Against Targeted Attacks */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=119Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T15:55:01Z<p>Blackcat568: /* Security Hardening for Debian Users: Protecting Against Targeted Attacks */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, Suricata, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=118Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T14:38:36Z<p>Blackcat568: /* nftables config: */</p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# = ICMP protocol restrictions =<br />
<br />
# == 🛡️ Ping limitation ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == Critically important ICMP for network ==<br />
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept <br />
<br />
# == Important ICMPv6 for IPv6 ==<br />
ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept<br />
ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept # NS/NA<br />
ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept # RS/RA<br />
<br />
# == Drop all other ICMP and ICMPv6 ==<br />
ip protocol icmp drop # drop all other ICMP<br />
ip6 nexthdr icmpv6 drop # drop all other ICMPv6<br />
<br />
<br />
# = SCTP protocol blocking =<br />
# 99.9% of desktop systems do not use SCTP at all<br />
meta l4proto sctp drop <br />
<br />
<br />
# = DCCP — Datagram Congestion Control Protocol blocking =<br />
# Not used by any mainstream desktop applications<br />
meta l4proto dccp drop <br />
<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=117Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T14:20:07Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to type long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
1. Store passwords in a reliable password manager.<br />
<br />
'''Outdated and insecure''' practices for storing passwords are still commonly encountered, including:<br />
<br />
* relying on human memory, with the risk of forgetting or confusing credentials;<br />
* storing passwords on paper media, which can be damaged, lost, or stolen;<br />
* saving passwords in web browsers in unencrypted form;<br />
* keeping passwords in plain text files on the desktop or in other directories without encryption;<br />
* and similar approaches.<br />
<br />
Such outdated practices should be abandoned in favor of using a modern, reliable password manager that provides proper encryption and access control.<br />
<br />
A password manager encrypts the password database, and access to it is possible only after entering a master password, which should be memorized.<br />
<br />
Regularly create up-to-date backups of the ''encrypted'' password database.<br />
<br />
Do not rely on memory to remember all passwords: strong, attack-resistant passwords are difficult to memorize, while passwords that are easy to remember are generally ''not resistant to compromise''.<br />
<br />
Additional Practical Recommendations<br />
<br />
A password manager (for example, KeePassXC) can be configured to automatically enter the superuser password into a terminal window. It is strongly recommended to '''strictly bind this automatic input to a specific terminal window''' in order to prevent accidental password entry into another field or application. This approach makes it possible to safely use long, cryptographically strong passwords for privileged operations.<br />
<br />
In addition, individual account entries within a password manager can store attached encrypted data, such as text files containing access codes, GPG keys, or passphrases. All such information is stored in encrypted form within a single protected database.<br />
<br />
It is essential to use a '''strong master password''' and never share it with others. The password database should not be kept unlocked continuously. After completing the required operations, the database should be closed, or automatic locking should be configured based on specific conditions (such as screen locking or laptop closure) and/or after a defined period of inactivity (for example, 15–30 minutes). <br />
<br />
2. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
3. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
4. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
5. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
6. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Limiting ping requests ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568https://archive.forums.debian.net/index.php?title=Security_Hardening_for_Debian_Users:_Protecting_Against_Targeted_Attacks&diff=116Security Hardening for Debian Users: Protecting Against Targeted Attacks2025-12-16T14:09:17Z<p>Blackcat568: </p>
<hr />
<div>== Security Hardening for Debian Users: Protecting Against Targeted Attacks ==<br />
<br />
==== Cybersecurity Measures Against Targeted Attacks ====<br />
<br />
* This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime.<br />
<br />
* The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.<br />
* This article is intended for private users, owners of laptops and desktop computers, as well as administrators of small private servers. Corporate network security topics are not covered here.<br />
* Likewise, this article does not address social engineering, psychological, legal, physical, or other important aspects of targeted attacks. It focuses exclusively on the cybersecurity aspects of Linux-based systems.<br />
<br />
==== Description of the Threat ====<br />
Since 2011 (for over 14 years), the author has been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.<br />
<br />
Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.<br />
<br />
They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.<br />
<br />
Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What author describes is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.<br />
<br />
There is a widespread belief that targeted cyberattacks affect only a very small fraction of users — around 0.01% or even less — and that for the overwhelming majority of people such risks are not a real concern. However, events of recent years demonstrate that the level of cyber threats is significantly higher than commonly assumed and is often underestimated by both professionals and ordinary users.<br />
<br />
The author, as a citizen of a country that has become a zone of increased interest from external actors employing a wide range of means — from traditional instruments of influence to cyber technologies aimed at compromising and monitoring private devices and servers — considers it necessary to draw the attention of the international community to this issue.<br />
<br />
Raising awareness about cyber threats and improving the understanding of modern attack methods are essential steps toward strengthening digital security, protecting personal data, and maintaining trust in open-source infrastructure.<br />
<br />
==== Countermeasures ====<br />
<br />
===== Tested environment: Debian 12 (Bookworm), kernel 6.1.0-34-amd64 (April 2025 build). =====<br />
Since early 2025, the author has fully switched to Linux, using the Debian distribution. The author is writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.<br />
<br />
At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.<br />
<br />
Linux, due to its modular architecture and open-source nature, enables deeper and more flexible security configurations.<br />
<br />
Another significant risk factor is the practice of installing Windows, Microsoft Office, or other user applications from pirated sources. Such unofficial builds '''may contain embedded backdoors, trojans, rootkits, or other forms of malware''', which substantially weaken the security of a Windows system and make various types of attacks easier for an adversary.<br />
<br />
Debian and most Linux distributions (Ubuntu, Linux Mint, Mageia, Fedora, etc.) are distributed free of charge and rely on official repositories for downloading and installing software. Packages in these repositories undergo strict verification, which greatly reduces the likelihood of malicious code and provides a more predictable and transparent security model.<br />
<br />
However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.<br />
<br />
The adversary type described in this article is '''experienced and resourceful'''. Such actors develop software capable of bypassing default configurations of operating systems — both Linux and Windows. This is profitable: a successful "universal key" or exploit that works against many default deployments can grant stealthy access to a large number of machines.<br />
<br />
At the same time, creating such a universal key for systems with complex, individualized security configurations is substantially harder and often impractical: each machine will have a different set of rules, profiles and policies, and the exploit must be adapted per configuration. That significantly raises the attacker's cost.<blockquote>'''Conclusion: do not leave a freshly installed system with default security settings. Apply deliberate, deep, and individualized hardening — least-privilege policies, properly configured access control mechanisms (AppArmor/SELinux), strict firewall rules, verified update policies and monitoring. This increases the attacker's cost and complexity and makes automated widespread exploitation much harder.'''</blockquote><br />
<br />
<br />
<br />
Carefully and conscientiously harden your system security settings. Prepare the system not only to withstand common, predictable attacks (for example, unauthorized access to a banking account), but also to detect and mitigate non-standard attacks (like those described in this article) '''so they do not catch you off guard'''.<br />
<br />
Apply the most secure configurations available, especially if you store sensitive personal or professional information.<br />
<br />
Below, the author shares methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access.<br />
<br />
This article is written both as a security recommendation and as a request for advice on improving system configuration.<br />
<br />
If you have suggestions for enhancing the existing configurations or additional cybersecurity recommendations that may not have been considered in this message, the author would greatly appreciate your expertise and feedback.<br />
<br />
==== Practical Instructions ====<br />
<br />
===== Linux system hardening recommendations: =====<br />
<br />
# 1. Use full-disk encryption. If your PC or laptop is stolen, the attacker will face significant difficulties in gaining access to any private data stored on your hard drive.<br />
# If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should not merely be password-protected or disabled — completely remove them from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. Also, use complex passwords for both the regular user session and the superuser account — at least 16 characters for the user and at least 20 for the superuser.<blockquote>'''Important''': Do not hesitate to use long passwords. Apply them even if your PC or server is physically isolated. If access to the user or superuser session is not protected by strong, lengthy passwords, the entire Linux security architecture becomes meaningless.</blockquote><br />
# Use only official repositories of your distribution to install software. Whenever possible, install packages via the package manager (apt/apt-get in Debian) from official repositories — this ensures automatic security updates and integrity verification of packages. If you connect a third-party repository, make sure it is trustworthy: check who maintains it, whether packages are signed with a GPG key, if it is available via HTTPS, and whenever possible, import and verify trusted keys manually. When installing software manually (downloading .deb packages, binaries, or source code), always verify the source: compare checksums (SHA256), verify digital signatures, and follow official installation instructions from the software provider.<br />
# Avoid using the superuser account or sudo without a clear necessity — and never execute arbitrary scripts with sudo. Always carefully review commands before running them in the terminal. The terminal is a powerful administrative tool, but in inexperienced hands it can cause serious system damage or compromise. Practical recommendations:<br />
## Always read a script fully before running it (less script.sh, cat script.sh).<br />
## Never paste commands from untrusted or unverified sources into the terminal.<br />
## Use sudo only when truly necessary; consider using sudoedit for editing configuration files.<br />
## Follow the principle of least privilege — create separate user accounts and limit access rights where possible Important: Improper or careless use of sudo and manual installation of software from untrusted sources are common causes of data leaks, data loss, and system compromise. Always test any configuration changes in an isolated environment before applying them on a production machine.<br />
# Use application confinement tools such as AppArmor; do not leave profiles at their defaults — customize and harden profiles to match your actual workflows. You may also consider switching to SELinux. If you have difficulty configuring AppArmor or SELinux, seek help from specialists or use AI-based tools. My SELinux configuration is attached below (I use SELinux on Debian 12 — it works reliably).<br />
# Use advanced network filtering settings: iptables or nftables, or a commercial firewall. (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#nftables config:|nftables config]]<br />
# Configure kernel parameters for maximum security (sysctl hardening). (''sample'' [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#sysctl config:|sysctl config]])<br />
# Use IDS/IPS systems — intrusion detection and prevention systems (examples: audit, OSSES, Wazus, AIDE). These tools can detect and log attacker activity within your system or network, as well as block malicious actions (logging each blocking event). (sample [[Security Hardening for Debian Users: Protecting Against Targeted Attacks#auditd rules config:|auditd rules config]]<br />
# Test the system for vulnerabilities using scanners (for example, DebPkg:lynis, OpenVAS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.<br />
# If you suspect that you are being targeted by a focused or targeted attack, start periodically capturing network traffic using tools such as tcpdump, Wireshark, or Zeek. The collected logs can then be sent to security specialists or AI-based analysis tools for further investigation. These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.<br />
# Follow the principle of Attack Surface Reduction (or Occam's_razor) — disable all unnecessary daemons, services, and processes that are not required for your workflow.<br />
## If there is a possibility you might need a service, daemon, or process in the future, disable it and remove it from autostart.<br />
## If you are certain you will never use it, remove it completely from the system.<br />
## This practice reduces potential attack vectors and strengthens overall system security.<br />
## Before removing unnecessary daemons, services, or applications, make sure that their removal will not break dependencies with other system components or applications. Always create a full system backup before making any significant configuration changes or modifications.<br />
# Perform regular antivirus and anti-rootkit scans of the system. In targeted attacks, adversaries typically rely on passive or covert methods — such as data interception, monitoring, traffic analysis, and minimal system interference that leaves few or no traces. Nevertheless, periodic antivirus and anti-rootkit scanning remains a valuable preventive measure, helping to detect known threats in time and maintain the overall security posture of the system.<br />
# Always record every change you make in system and application configuration files. Add the note as a comment directly in the configuration file — either above the modified line or after it. Format: # YYYY-MM-DD HH:MM, short description of the change, reason Example: Editing `sshd_config` to disable root login via SSH:<br />
<syntaxhighlight lang="bash"><br />
bash<br />
<br />
PermitRootLogin no<br />
# 2025-11-09 14:35, root login via SSH disabled, system security enhancement<br />
</syntaxhighlight>Why it matters:<br />
<br />
* Allows you to quickly understand when and why a change was made.<br />
* Helps troubleshoot future issues — you can easily identify which change may have caused a failure or conflict.<br />
* Simplifies system audits and security reviews.<br />
<br />
'''Related Aspects of Internet Security'''<br />
<br />
<br />
<br />
There are aspects of Internet security which, if neglected, can significantly reduce or completely nullify all your efforts in configuring and securing your operating system.<br />
<br />
<br />
<br />
1. Enable two-factor authentication (2FA) on all your online accounts (email, social networks, etc.) — this means confirming your login through a phone call, SMS, a one-time code in a mobile authenticator app (see [[wikipedia:Authenticator_app|Authenticator_app]]), or a hardware security key such as a [[wikipedia:YubiKey|YubiKey]].<br />
<br />
This is a critical cybersecurity measure — neglecting it can completely undermine all your efforts in configuring a secure Linux system.<br />
<br />
The YubiKey hardware authenticator (USB/NFC key) offers the following advantages:<br />
<br />
* YubiKey helps protect against phishing because the device verifies the website domain and will not work on fake or look-alike sites.<br />
* It is virtually impossible to hack remotely or over the network, unlike apps, if your phone or backup password is compromised.<br />
* Additionally, YubiKey is not vulnerable to SIM-swap attacks like SMS-based 2FA, as it is not tied to a phone number. For now, it is one of the most reliable hardware-based options for two-factor authentication.<br />
<br />
<br />
<br />
2. Using VPN to improve privacy and security<br />
<br />
''If you are a private user'', you can also configure a system-wide VPN (for example, ProtonVPN) so that all device traffic is routed through it — not only browser traffic or traffic from specific applications.<br />
<br />
Enable the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.<br />
<br />
It is also recommended to periodically change VPN servers, doing so at different and unpredictable intervals.<br />
<br />
Using a VPN increases your privacy: all of your traffic will be encrypted from observers on your local network and from your internet service provider. This makes it more difficult for an attacker to apply certain social-engineering methods based on traffic analysis, and it also helps protect your privacy in the event that your provider’s infrastructure is compromised.<br />
<br />
''If you own a server'' and want access to it to be available only to trusted private or legal entities, while also increasing its protection against unauthorized access, you can configure the server so that SSH and other internal services are accessible exclusively through OpenVPN using TLS authentication (tls-auth / tls-crypt) and unique client certificates instead of passwords.<br />
<br />
<br />
<br />
3. Actively study and apply artificial intelligence to improve security configurations in Debian and other Linux distributions, as well as to address related cybersecurity tasks. A lack of knowledge often becomes the weakest link; AI can provide accurate, structured recommendations interactively and help automate repetitive or complex operations.<br />
<br />
<br />
<br />
4. If privacy is a priority, consider reducing reliance on the Google ecosystem and switching to more privacy-focused alternatives (for example, proton.me and similar services). Google provides very strong security, but its services collect extensive telemetry for analysis. While this data is encrypted and not accessible to attackers, it may still be undesirable for users who value strict privacy.<br />
<br />
''Always verify AI-generated recommendations before applying them in production environments. Test any changes in an isolated system, review generated commands or configurations, and ensure that suggestions align with your threat model and security architecture.''<br />
<br />
''In practice, users who effectively leverage AI tools are significantly better prepared, and the adoption of such technologies makes malicious activity considerably more difficult for attackers.''<br />
<br />
'''''Note:''' Artificial intelligence tools are mentioned here as optional technical aids, not as an endorsement of any specific service or vendor.''<br />
<br />
<br />
<br />
5. It is also important to consider the possibility of hardware-level attacks.<br />
<br />
Although such attacks are significantly less common and typically require more resources than software-based attacks, they remain a potential threat. In certain scenarios, an adversary may exploit vulnerabilities in device firmware or conduct a combined attack targeting both software and hardware layers. Examples include remote injection of malicious code into the firmware of a motherboard, router, optical modem, or other hardware components.<br />
<br />
If, after a thorough software-level audit, a security issue remains unresolved, it is advisable <nowiki>'''</nowiki>to perform a hardware-level assessment<nowiki>'''</nowiki> as well, including verification of device firmware integrity and configuration.<br />
<br />
<blockquote>'''And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers.'''</blockquote><br />
<br />
<br />
<br />
'''Examples of Deep Custom Security Configurations'''<br />
<br />
Below are examples of strong, individualized configurations for '''SELinux''', '''nftables''', '''sysctl''' and '''auditd'''.<br />
<br />
These are not universal templates, but references illustrating advanced system hardening.<br />
<br />
====== SELinux config: ======<br />
<syntaxhighlight lang="terminfo"><br />
root@user:/home/user# sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
root@user:/home/user# sestatus -v<br />
SELinux status: enabled<br />
SELinuxfs mount: /sys/fs/selinux<br />
SELinux root directory: /etc/selinux<br />
Loaded policy name: default<br />
Current mode: enforcing<br />
Mode from config file: enforcing<br />
Policy MLS status: enabled<br />
Policy deny_unknown status: allowed<br />
Memory protection checking: actual (secure)<br />
Max kernel policy version: 33<br />
<br />
Process contexts:<br />
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br />
Init context: system_u:system_r:init_t:s0<br />
/sbin/agetty system_u:system_r:getty_t:s0<br />
<br />
File contexts:<br />
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0<br />
/etc/passwd system_u:object_r:etc_t:s0<br />
/etc/shadow system_u:object_r:unlabeled_t:s0<br />
/bin/bash system_u:object_r:shell_exec_t:s0<br />
/bin/login system_u:object_r:login_exec_t:s0<br />
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0<br />
/sbin/agetty system_u:object_r:getty_exec_t:s0<br />
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0<br />
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0<br />
</syntaxhighlight><br />
<br />
====== nftables config: ======<br />
<syntaxhighlight lang="bash"><br />
#!/usr/sbin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
<br />
# = Main chain policy =<br />
chain input {<br />
type filter hook input priority 0;<br />
policy drop;<br />
<br />
# = Common rule set =<br />
# 🌀 Allow loopback interface (internal system processes)<br />
iif "lo" accept<br />
<br />
# == 🔁 Allow established and related connections ==<br />
ct state established,related accept<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# == 🔒 Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==<br />
# If you experience issues with slow or failed page loads in your browser,<br />
# try increasing the limit, for example:<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 50/second burst 100 packets accept<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# == 🚫 Blocking SSDP and mDNS (local broadcast discovery protocols) ==<br />
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)<br />
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)<br />
<br />
# == 🛑 Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==<br />
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)<br />
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN name discovery)<br />
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)<br />
<br />
# = Set of blocked IP addresses and ranges =<br />
<br />
# == 🧱 Blocking known botnets and proxy networks ==<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} log prefix "🔥 BAN: known bots " flags all<br />
ip saddr {<br />
45.9.20.0/24,<br />
89.248.160.0/19,<br />
185.220.100.0/22,<br />
198.96.155.0/24,<br />
185.107.56.0/24,<br />
185.129.62.0/23<br />
} drop<br />
<br />
# == 🚫 Blocking strange TCP flags (XMAS, NULL scans and others) ==<br />
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan<br />
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan<br />
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan<br />
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan<br />
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan<br />
<br />
# == 🚫 Blocking fragmented packets — commonly used in filter evasion ==<br />
ip frag-off & 0x1fff != 0 drop<br />
<br />
# == 🔒 Blocking spoofed IP packets ==<br />
ip saddr 127.0.0.0/8 drop # localhost<br />
ip saddr 10.0.0.0/8 drop # private network<br />
ip saddr 172.16.0.0/12 drop # private network<br />
ip saddr 192.168.0.0/16 drop # private network<br />
ip saddr 169.254.0.0/16 drop # APIPA<br />
ip saddr 0.0.0.0/8 drop # invalid address<br />
ip saddr 224.0.0.0/4 drop # multicast<br />
ip saddr 240.0.0.0/5 drop # reserved<br />
}<br />
<br />
# = Main chain policy =<br />
chain forward {<br />
type filter hook forward priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
# Required in chain forward only if Docker or Oracle VirtualBox is present.<br />
# If needed — uncomment.<br />
<br />
# == 🔒 Limiting new connections from one IP (anti-DDoS) ==<br />
# ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
# ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
# ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Ping rate limiting ==<br />
# ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
# ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
# ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports required for application operation ==<br />
tcp dport {<br />
53, # DNS — needed for domain name resolution<br />
80, # HTTP — web traffic, updates and resource loading<br />
443, # HTTPS — secure web traffic, VPN, browser<br />
12043, # Custom 3D Application — specific client port<br />
13000-13050 # Custom 3D Application — dynamic client port range<br />
} accept<br />
<br />
# == Allow UDP ports required for application operation ==<br />
udp dport {<br />
53, # DNS — needed for domain name resolution<br />
443, # HTTPS via QUIC/HTTP3, browser protocols<br />
3478, # STUN/TURN — WebRTC and video calls<br />
3479-3481 # STUN/TURN — WebRTC and video calls<br />
} accept<br />
<br />
# = Blocking dangerous and unnecessary TCP/UDP ports and ranges =<br />
<br />
# These blocklists are intended for a DESKTOP / workstation.<br />
# They block remote access, outdated services, proxies, DBs, IoT, and ports<br />
# often used by malware, scanners, and C2 infrastructures.<br />
#<br />
# ⚠ If you use the system as a SERVER, enable IP forwarding,<br />
# or run services with internal routing<br />
# (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),<br />
# carefully review the blocked ports/ranges in the forward chain —<br />
# these services may need extra ports.<br />
# Adjust or comment out required items if necessary.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high risk) ===<br />
22, # SSH — common brute-force target<br />
23, # Telnet — outdated, no encryption<br />
3389, # RDP — Windows remote desktop<br />
5900, # VNC — remote access, frequent vulnerabilities<br />
# === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===<br />
21, # FTP — insecure protocol<br />
137, # NetBIOS Name Service<br />
138, # NetBIOS Datagram<br />
139, # NetBIOS Session<br />
445, # SMB/CIFS — common exploit target<br />
# === Databases (NEVER expose to the Internet) ===<br />
3306, # MySQL/MariaDB<br />
1433, # MS SQL Server<br />
1434, # MS SQL Browser<br />
# === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===<br />
8080, # HTTP proxy / web interfaces — often exposed accidentally<br />
9200, # Elasticsearch API — full remote data access<br />
# === UPnP/IoT (insecure by design) ===<br />
1900, # SSDP / UPnP<br />
# === Common for malware (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell<br />
5555, # Android ADB / IoT botnets<br />
9001, # Tor transport (used by malware)<br />
1234, # Netcat / reverse connections<br />
1337, # Common C2 port used by malware<br />
# === ⚠️ Scanner ports and potentially vulnerable services === <br />
1080, # SOCKS proxy — used to bypass filtering<br />
3128, # Squid proxy — may be abused as open proxy<br />
8000, # Alternative HTTP ports, dev servers<br />
8888, # Web interfaces, proxies, dev tools<br />
10000 # Webmin — remote admin panel, frequent attacks<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; abused by attackers<br />
162 # SNMP Trap — also potentially vulnerable<br />
} drop<br />
<br />
# Attention! Blocking wide port ranges — be careful!<br />
# Do not break system or application functionality!<br />
<br />
# == TCP port ranges not used by a workstation during transit routing ==<br />
# Blocked to prevent unwanted forwarding, hidden tunnels,<br />
# NAT evasion, parasitic flows, and potential forward-path attacks.<br />
<br />
tcp dport {<br />
1024-2047, # System/legacy services; rarely needed in forward<br />
2048-4095, # Proprietary daemons; NFS (2049) — check if used<br />
4096-8191, # Old VPNs, some games, P2P; rarely needed on desktop<br />
8192-12287, # Alternative HTTP/proxy, multimedia; test as needed<br />
12288-16383, # Media/VoIP (TCP fallback); may break calls<br />
16384-24575, # RTP/WebRTC (TCP fallback); block unless AV needed<br />
24576-32767, # Dynamic ranges for games/VPN; may cause issues<br />
32768-49151, # Registered/ephemeral; risky — may break NAT, Docker, VM<br />
49152-65535 # High ephemeral; widely used by modern apps<br />
} drop<br />
<br />
<br />
# == 🚫 Blocking UDP ports — high and dynamic ranges ==<br />
udp dport {<br />
1024-9999, # low/mid ephemeral ports; used by trojans, P2P, games, VPN<br />
10000-65535 # high ephemeral; used by dynamic apps, VPN, Docker<br />
} drop<br />
<br />
<br />
# = 🕷️ Suspicious IPs — large ranges often used by botnets, spam nets, and scanners =<br />
ip saddr {<br />
185.0.0.0/8, # abused hosting and proxy networks<br />
37.0.0.0/8, # cheap VPS, frequent scanning sources<br />
88.0.0.0/8, # common brute-force and scanner range<br />
77.0.0.0/8, # TOR/proxy nodes<br />
91.0.0.0/8 # botnets and “grey-zone” hosting<br />
} drop<br />
}<br />
<br />
chain output {<br />
# = Main chain policy =<br />
type filter hook output priority 0;<br />
policy accept;<br />
<br />
# = Blocking various types of attacks =<br />
<br />
# == 🔒 Limiting new connections from a single IP (anti-DDoS) ==<br />
ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept<br />
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all<br />
ip saddr 0.0.0.0/0 ct state new drop<br />
<br />
# == 🛡️ Limiting ping requests ==<br />
ip protocol icmp icmp type echo-request limit rate 1/second accept<br />
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all<br />
ip protocol icmp icmp type echo-request drop<br />
<br />
# = Allowing required TCP/UDP ports and ranges =<br />
<br />
# == Allow TCP ports and ranges required for application functionality ==<br />
tcp dport {<br />
53, # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).<br />
80, # HTTP traffic to unencrypted websites; apps may use it for API/redirects.<br />
443, # HTTPS. Main port for all encrypted web traffic — browsers, API, VPN, updates.<br />
3306, # MySQL client. Needed if you connect to MySQL.<br />
3478, # STUN/TURN WebRTC. Needed for audio/video/Discord.<br />
3000, # Node.js dev servers. Needed for development.<br />
3690, # SVN. If you work with an old repository.<br />
4443, # Alternative HTTPS (some APIs). Also used by some VPN/clients.<br />
12043, # Required for Custom 3D Application.<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept<br />
<br />
# == Allow UDP ports and ranges required for applications ==<br />
udp dport {<br />
443, # Required for fast and stable operation of modern websites <br />
# (Google, YouTube, ChatGPT, Cloudflare)<br />
13000-13050 # Required for Custom 3D Application.<br />
} accept <br />
<br />
# = Blocking potentially dangerous / unnecessary TCP/UDP ports =<br />
<br />
# These blocks are intended for a DESKTOP / workstation.<br />
# ⚠ If you use the system as a SERVER —<br />
# adjust or comment out the required ports/ranges as needed.<br />
<br />
# == Blocking various suspicious TCP ports ==<br />
tcp dport {<br />
# === Remote access (high-risk) ===<br />
22, # SSH — target of brute-force attacks.<br />
23, # Telnet — outdated, unencrypted.<br />
3389, # RDP — Windows remote access.<br />
5900, # VNC — remote access, often vulnerable.<br />
# === FTP / SMB / NetBIOS (dangerous file-sharing services) ===<br />
21, # FTP — insecure protocol.<br />
137, # NetBIOS Name Service.<br />
138, # NetBIOS Datagram.<br />
139, # NetBIOS Session.<br />
445, # SMB/CIFS — frequent exploitation target.<br />
# === Databases (NEVER open to the Internet) ===<br />
3306, # MySQL/MariaDB.<br />
1433, # MS SQL Server.<br />
1434, # MS SQL Browser.<br />
# === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===<br />
8080, # HTTP proxy / web interfaces — often exposed test interfaces.<br />
9200, # Elasticsearch API — full remote access to data.<br />
# === UPnP/IoT (vulnerable by design) ===<br />
1900, # SSDP / UPnP.<br />
# === Common malware ports (RAT, C2, reverse shells) ===<br />
4444, # Metasploit reverse shell.<br />
5555, # Android ADB / IoT botnets.<br />
9001, # Tor transport (used by malware).<br />
1234, # Netcat / reverse connections.<br />
1337, # Common C2 malware port.<br />
# === ⚠️ Ports of scanners and potentially vulnerable services === <br />
1080, # SOCKS proxy — often abused for bypassing filters.<br />
3128, # Squid HTTP proxy — can be used as open proxy.<br />
8000, # Alternative HTTP ports, web services — potentially vulnerable.<br />
8888, # Alternative web interfaces — test and proxy ports.<br />
10000 # Webmin — web admin panel, target of attacks.<br />
} drop<br />
<br />
# == Blocking various suspicious UDP ports ==<br />
udp dport {<br />
161, # SNMP — network monitoring; can be abused by attackers.<br />
162 # SNMP Trap — same, potential vulnerability.<br />
} drop<br />
<br />
<br />
# Warning! ⚠️ Be careful blocking wide port ranges! ⚠️<br />
# Do not break system or application functionality!<br />
# If you need a range — uncomment.<br />
# If you don’t — comment out.<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary TCP port ranges ==<br />
tcp dport {<br />
1-1023, # 🛑 Privileged ports.<br />
1024-2047, # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.<br />
2048-3071, # Rare proprietary protocols and middleware.<br />
3072-4999, # Mostly ports of legacy, server, corporate apps; <br />
# rarely needed on workstations.<br />
5000-5999, # Alternative services, old P2P/admin ports, rarely used on desktops.<br />
7000-7999, # Alternative/test ports, often used by trojans.<br />
9000-9999, # Web services, proxies, possible backdoor ports.<br />
10000-19998, # Dynamic/high service ports; may be required by some apps like Custom 3D Application,<br />
# but not needed by most desktop services.<br />
19999-32767 # Old ephemeral port range; used by P2P, games, some VPNs,<br />
# but system services rarely use them.<br />
} drop<br />
<br />
<br />
# == Blocking “dangerous” and desktop-unnecessary UDP port ranges ==<br />
udp dport {<br />
1024-2047, # Old UNIX services, RPC, NFS, r-commands, legacy daemons.<br />
# Usually safe to block.<br />
2048-4095, # Rarely used standard ports, proprietary services.<br />
# Usually safe to block.<br />
4096-8191, # VPN, games, P2P, WebRTC, VoIP of some clients.<br />
# Can block, but cautiously: may affect VPN/apps.<br />
8192-12287, # QUIC/HTTP3, proxies, multimedia protocols.<br />
# Might cause side effects; better test first.<br />
12288-16383, # Old RTP/VoIP ranges and media streams.<br />
# Can block, but might break video calls.<br />
16384-24575, # Main RTP range (audio/video), WebRTC, VoIP.<br />
# ❗ Do not block if you need video calls/WebRTC/VPN.<br />
24576-32767 # Dynamic ports for VPN, P2P, games, streaming data.<br />
# ❗ May break VPN or some apps.<br />
} drop<br />
<br />
# == 🕷️ Blocking suspicious IPs —<br />
# large ranges often used by botnets, spam networks, and scanners ==<br />
ip saddr {<br />
185.0.0.0/8, # Abused hosting and proxy networks.<br />
37.0.0.0/8, # Cheap VPS, scanning sources.<br />
88.0.0.0/8, # Frequent brute-force and scanners.<br />
77.0.0.0/8, # Massive TOR/proxy nodes.<br />
91.0.0.0/8 # Botnets and “grey” hosting.<br />
} drop<br />
}<br />
}<br />
<br />
</syntaxhighlight><br />
<br />
====== sysctl config: ======<br />
kernel parameters configuration<br />
<br />
/etc/sysctl.d/99-protect.conf<syntaxhighlight lang="bash"><br />
# 1 Ignore ICMP on interfaces<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
# 2 Do not respond to ICMP broadcast (against Smurf attacks)<br />
net.ipv4.icmp_echo_ignore_broadcasts = 1<br />
<br />
# 3 Enable SYN backlog reduction<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# 4 Disable source routing<br />
net.ipv4.conf.all.accept_source_route = 0<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# 5 Log packets with incorrect routing<br />
net.ipv4.conf.all.log_martians = 1<br />
net.ipv4.conf.default.log_martians = 1<br />
<br />
# 6 Disable ICMP Redirects<br />
net.ipv4.conf.all.accept_redirects = 0<br />
net.ipv4.conf.default.accept_redirects = 0<br />
<br />
# 7 Disable packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# 8 Disable IPv6 support<br />
net.ipv4.conf.all.disable_ipv6 = 1<br />
net.ipv4.conf.default.disable_ipv6 = 1<br />
<br />
# 9 Prevent sending TCP segments with null windows<br />
net.ipv4.tcp_rfc1337 = 1<br />
<br />
# 10 Disable ARP filtering for automatic routing<br />
net.ipv4.conf.all.arp_filter = 1<br />
net.ipv4.conf.default.arp_filter = 1<br />
<br />
# 11 Limit the maximum size of the incoming TCP window<br />
net.ipv4.tcp_rmem = 4096 87380 4194304<br />
net.ipv4.tcp_wmem = 4096 65536 4194304<br />
<br />
# 12 Drop packets with incorrect checksums<br />
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1<br />
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1<br />
<br />
# 13 Disable IPv6 forwarding<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1<br />
<br />
# 14 Limit the maximum number of SYN packet retries<br />
net.ipv4.tcp_synack_retries = 2<br />
<br />
# 15 Increase routing cache lifetime<br />
net.ipv4.route.max_size = 32768<br />
</syntaxhighlight><br />
<br />
====== auditd rules config: ======<br />
/etc/audit/rules.d/audit.rules<br />
<br />
<syntaxhighlight lang="bash"><br />
## Flush rules<br />
-D<br />
<br />
## Buffers<br />
-b 8192<br />
--backlog_wait_time 60000<br />
-f 1<br />
<br />
## Network audit<br />
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept<br />
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect<br />
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept<br />
<br />
## Logging execve commands<br />
-a always,exit -F arch=b64 -S execve -F key=exec_log<br />
<br />
## Audit logins and sessions<br />
-w /var/log/faillog -p wa -k logins<br />
-w /var/log/lastlog -p wa -k logins<br />
-w /var/run/utmp -p wa -k session<br />
-w /var/log/wtmp -p wa -k session<br />
-w /var/log/btmp -p wa -k session<br />
<br />
## sudo / su<br />
-w /etc/sudoers -p wa -k sudo<br />
-w /etc/sudoers.d/ -p wa -k sudo<br />
-w /bin/su -p x -k su_cmd<br />
<br />
## Account and configuration changes<br />
-w /etc/passwd -p wa -k identity<br />
-w /etc/group -p wa -k identity<br />
-w /etc/shadow -p wa -k identity<br />
-w /etc/gshadow -p wa -k identity<br />
-w /etc/hosts -p wa -k system_conf<br />
-w /etc/hostname -p wa -k system_conf<br />
-w /etc/resolv.conf -p wa -k system_conf<br />
-w /etc/issue -p wa -k system_conf<br />
-w /etc/network/ -p wa -k system_conf<br />
<br />
## Time changes<br />
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change<br />
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change<br />
<br />
## Audit SSH connections and changes<br />
-w /etc/ssh/sshd_config -p wa -k ssh_config_change<br />
-w /var/log/auth.log -p wa -k ssh_login<br />
<br />
## Audit usage of remote tools (e.g., SSH, netcat)<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process<br />
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process<br />
<br />
## Audit privileged access<br />
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation<br />
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation<br />
-w /etc/sudoers -p wa -k sudoers_changes<br />
-w /etc/sudoers.d/ -p wa -k sudoers_changes<br />
-w /bin/sudo -p x -k sudo_command<br />
<br />
## Monitor credential changes<br />
#-w /root/.ssh/ -p wa -k ssh_keys<br />
#-w /home/*/.ssh/ -p wa -k ssh_keys<br />
<br />
## Audit use of remote network services<br />
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect<br />
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect<br />
<br />
# Log package installation and removal via dpkg<br />
-w /usr/bin/dpkg -p x<br />
-w /usr/sbin/apt-get -p x<br />
-w /usr/bin/apt -p x<br />
</syntaxhighlight>This article was written by blackcat568 on the forums: https://forums.debian.net/viewtopic.php?t=164131, it is initially shared on the Debian Wiki: https://wiki.debian.org/Security/ProtectingAgainstTargetedAttacks<br />
[[index.php?title=Category:Security]]<br />
[[index.php?title=Category:Hardening]]</div>Blackcat568