The fact about security is you have to have a threat model. If not, you will be protecting wildly against mostly paranoia. So, it is good to think of what you want to protect against. We will be covering a few ways to protect your system, as Arch Linux is so minimal, it comes with no deliberate protections. So ask yourself, “what is the most likely scenario for my station in life?” Do you have a system, network, web, or physical threat model? There are probably many more models that have to do with people of high status like CEOs or government officials. The fact is you need to see your situation accurately to optimize your threat model.
So, we will start with going over how to install the hardened Kernel on Arch installation and also after the fact. The next thing to do is set up a firewall, since Arch is so minimal, there is not one included. Finally, that brings us to limiting your root user. You might want to use a few of these methods or all depending on your presumed threat assessment. Let’s get right into it!
With Arch Linux, you can use one of the official kernels with security right out of the box. The Hardened Kernel is a security-focused Linux kernel that applies a set of hardening patches to mitigate kernel and user-space exploits. You can find a list of supported and unsupported kernels here. To install the hardened kernel during installation, you need to specify the kernel used. You can do this when using the pacstrap command like so.
pacstrap /mnt base base-devel linux-hardened linux-firmware vim
You can find this command with the regular kernel in our blog about installing Arch for newbies here. You can find it in the 3rd section down. This would help you out from the start. What if you already have an installation with some other kernel, and you want to switch to the hardened kernel? No problem! You can install any officially supported kernel without too much trouble. That is as easy as using our friend Pacman.
sudo pacman -S linux-hardened linux-hardened-headers
We now need to make a new Grub configuration file to add the additional hardened kernel to the boot sequence.
sudo grub-mkconfig -o /boot/grub/grub.cfg
Now we have to look at some choices when rebooting. We will want to select the hardened kernel during boot by selecting the “Advanced option for Arch Linux” option.
Then we will be presented our newly installed hardened kernel as a choice to boot from. it should be first, but you can select it if not.
Once you select the hardened kernel your system should boot up just like before. Now we can open a terminal and check to see what kernel we are running.
Now you should be able to choose between kernels without any issues.
The cool thing about Arch is that is comes with no over baring software opinions. This means that you need to install your own firewall and enable it yourself. We can expect this on some other distributions to prevent SSH and other unwanted connections. You can SSH into an Arch installer to install your system onto another computer. Making it a pretty cool feature at this stage. We might not want someone to be able to try and SSH into our system in a coffee shop for instance. So let’s set those entrances a blaze!
sudo pacman -S ufw
Now all we have to do is enable UFW and start the service.
sudo systemctl enable ufw && sudo systemctl start ufw && sudo systemctl status ufw
You should get a green light in your UFW status printout. We do not have to make any further configuration changes unless you want to, as UFW blocks incoming traffic and allows outgoing traffic. You can decide if you want to be able to SSH from a particular computer at a particular IP address to mitigate the dangers of opening up your computer to SSH. For most people this is not needed. So make rules with caution. Focus on restrictions rather than opening up your Arch installation to malicious individuals or state actors.
We can limit root access with a few different mitigations. We can even lock the root user as to make it not possible to log into. Thus removing a sure username that can be brute forced if a password is available. You would first need to make sure your root access was set up as we describe in 5 Things to immediately do after installing Arch Linux, which can be found here. Then you are free to limit your root user. This can be accomplished like so.
sudo passwd --lock root
You see here that you have to run this command as root. Then we call
passwd just like when creating a password. We pass the
--lock option in and then the root user. You can do this with other users as well. Rather than removing access we can also just limit access like so.
sudo vim /etc/security/access.conf
Just type a to edit. Here you can see we are allowing local root users to log in but not all. Next we can also try something like adding configurations for the wheel group which is used for root privileges often, as well as a user.
Here you can see similar to the previous edit we added the wheel group a user and removed all other access. So feel free to play with the configuration. We can go ahead and hit Esc to finish editing, then type :wq to write then quit the file. To remove SSH access for your root user, since it is actually wide open by default, we can attack it similar to how you would on a server. We will edit the SSHD configuration file to accomplish this.
sudo vim /etc/ssh/sshd_config
Here you will want to find the PermitRootLogin and uncomment the line. Then you can just use no or use prohibit-password as we did, as it was already there and sounded like a great option. There are so many ways to think about security. Here we have talked about securing your kernel, fire walling your network access, and limiting root access. Leaving open stuff like physical possession of your device or account security. So, we will get deeper into stuff like encryption since it will take up an entire blog to itself. Then there is user accounts from your system level to your web accounts and they all have different amounts of security involved. Therefore, keep looking out for ways to improve your security while using Arch. Thanks for reading.
This post first appeared on Linuxman Tech, please read the originial post: here