This tutorial builds upon the HARDN project’s baseline hardening, then layers in encryption, network obfuscation, kernel and runtime hardening, advanced authentication, secure boot, logging, intrusion detection, application isolation, supply chain security, and comprehensive incident response. Follow each section carefully for the Ultimate Security Machine Tutorial for HARDN.
Prerequisites of the Security Machine Tutorial for HARDN
- Operating System: Debian 12 (or similar)
- User Privileges: Root or sudo-level access
- Baseline: HARDN installed (refer to HARDN GitHub)
- Backups: Ensure you have current backups of critical data before proceeding
1. Disk & Filesystem Security
A. Full-Disk & Partition Encryption with LUKS
Install Cryptsetup:
sudo apt update
sudo apt install cryptsetup
Encrypt a Non-Root Partition:
1. Identify your partition:
lsblk
2. Initialize LUKS (replace /dev/sdX1 with your partition):
sudo cryptsetup luksFormat /dev/sdX1
3. Open the encrypted partition:
sudo cryptsetup open /dev/sdX1 secure_partition
4. Format the partition (ext4 example):
sudo mkfs.ext4 /dev/mapper/secure_partition
5. Mount the partition:
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/secure_partition /mnt/secure
6. Automate on Boot:
Update /etc/crypttab:
secure_partition /dev/sdX1 none luks
And add the mount point to /etc/fstab:
/dev/mapper/secure_partition /mnt/secure ext4 defaults 0 2
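An added helper (not part of HARDN) that writes the two entries above idempotently. It assumes the function names shown and takes the crypttab/fstab paths as parameters so it can be dry-run against temporary files; when blkid can resolve the partition it writes UUID= instead of /dev/sdX1, which survives device renumbering.

```shell
#!/bin/sh
# Added example (not part of HARDN): emit the crypttab/fstab entries from the
# steps above and append them only once, so rerunning the setup never
# duplicates lines. The device is referenced as UUID=... when blkid can
# resolve it, which survives /dev/sdX renumbering; otherwise the path is kept.
set -eu

crypttab_line() {  # $1=mapper name  $2=device or UUID=...  $3=options
    printf '%s %s none %s\n' "$1" "$2" "$3"
}

fstab_line() {  # $1=mapper name  $2=mount point  $3=filesystem type
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

# Append $2 to file $1 unless a line with the same first field already exists.
append_once() {
    key=${2%% *}
    if [ -f "$1" ] && grep -q "^${key}[[:space:]]" "$1"; then
        return 1   # already registered
    fi
    printf '%s\n' "$2" >> "$1"
}

# Prefer the LUKS header UUID over a /dev path; fall back to the path given.
device_source() {  # $1=/dev/sdX1
    uuid=""
    if command -v blkid >/dev/null 2>&1; then
        uuid=$(blkid -s UUID -o value "$1" 2>/dev/null || true)
    fi
    if [ -n "$uuid" ]; then
        printf 'UUID=%s\n' "$uuid"
    else
        printf '%s\n' "$1"
    fi
}

# $1=device $2=mapper $3=mount point $4=crypttab path $5=fstab path
# (paths are parameters so the script can be dry-run outside /etc)
register_luks_mount() {
    src=$(device_source "$1")
    append_once "$4" "$(crypttab_line "$2" "$src" luks)" || true
    append_once "$5" "$(fstab_line "$2" "$3" ext4)" || true
}
```

On the real system run it as root with `register_luks_mount /dev/sdX1 secure_partition /mnt/secure /etc/crypttab /etc/fstab`, after a dry run against temporary paths to see what it would write.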
B. Immutable System Files
Prevent unauthorized modifications:
sudo chattr +i /etc/passwd /etc/shadow /etc/group
To modify these files later, remove immutability with chattr -i.
2. Secure Boot Process & TPM Integration
A. Enable UEFI Secure Boot & Configure GRUB Password
Enable UEFI Secure Boot:
Check your BIOS/UEFI settings and enable Secure Boot. Ensure only signed bootloaders/kernels run.
Configure GRUB Password:
- Generate a password hash:
grub-mkpasswd-pbkdf2
Copy the generated hash.
- Edit /etc/grub.d/40_custom:
sudo nano /etc/grub.d/40_custom
Add (each directive on its own line):
set superusers="admin"
password_pbkdf2 admin <generated-hash>
- Update GRUB:
sudo update-grub
B. TPM Integration
For additional boot integrity, integrate TPM to store encryption keys or verify boot integrity:
- Install TPM tools:
sudo apt install trousers tpm-tools
- Configure TPM-based key management:
Refer to TPM documentation for advanced setups.
3. Network Hardening: Port Knocking & Traffic Obfuscation
A. Port Knocking with knockd
Install knockd:
sudo apt update
sudo apt install knockd
Configure /etc/knockd.conf:
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22000 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22000 -j ACCEPT
tcpflags = syn
Enable and start knockd:
sudo systemctl enable knockd
sudo systemctl start knockd
Test the knock sequence from a remote client:
for port in 7000 8000 9000; do
nc -vz your.server.ip $port
done
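An added consistency check for the knockd.conf above (example code, not part of knockd or HARDN). It assumes the section names openSSH and closeSSH from the configuration and the function names shown; a close sequence that is not the exact reverse of the open one, or an iptables command aimed at a different port, leaves the SSH port stuck open or unreachable.

```shell
#!/bin/sh
# Added example, not part of knockd or HARDN: sanity-check a knockd.conf before
# enabling the service. Section names (openSSH, closeSSH) are the ones used in
# the configuration above; the path is a parameter so a draft can be checked.
set -eu

# Print the "sequence" value of section $2 in config $1.
knock_sequence() {
    awk -v sec="[$2]" '
        $1 == sec            { in_sec = 1; next }
        /^[ \t]*\[/          { in_sec = 0 }
        in_sec && /^[ \t]*sequence[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Print the --dport argument of the "command" line of section $2 in $1.
knock_command_port() {
    awk -v sec="[$2]" '
        $1 == sec            { in_sec = 1; next }
        /^[ \t]*\[/          { in_sec = 0 }
        in_sec && /^[ \t]*command[ \t]*=/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") { print $(i + 1); exit }
        }' "$1"
}

# "7000,8000,9000" -> "9000,8000,7000"
reverse_sequence() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n '1!G;h;$p' | paste -s -d ',' -
}

# Return 0 when the open/close pair is consistent; explain on stderr otherwise.
knock_config_check() {  # $1=path to knockd.conf
    open=$(knock_sequence "$1" openSSH)
    close=$(knock_sequence "$1" closeSSH)
    if [ -z "$open" ] || [ -z "$close" ]; then
        echo "missing openSSH or closeSSH sequence" >&2; return 1
    fi
    if [ "$close" != "$(reverse_sequence "$open")" ]; then
        echo "closeSSH sequence is not the reverse of openSSH" >&2; return 1
    fi
    if [ "$(knock_command_port "$1" openSSH)" != "$(knock_command_port "$1" closeSSH)" ]; then
        echo "open and close commands target different --dport values" >&2; return 1
    fi
    echo "knockd.conf open/close sections are consistent"
}
```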
B. Traffic Obfuscation with Obfsproxy
Install Obfsproxy:
sudo apt update
sudo apt install obfsproxy
Run Obfsproxy to obfuscate SSH traffic:
obfsproxy obfs3 --dest=127.0.0.1:22000 server 0.0.0.0:12345
This command wraps SSH (running on port 22000) behind Obfsproxy on port 12345. Configure your client similarly.
C. Enhanced VPN with WireGuard
Install WireGuard:
sudo apt update
sudo apt install wireguard
Configure WireGuard per your network design. Consider adding obfuscation plugins or additional firewall rules to mask VPN traffic.
4. Kernel Hardening & Exploit Mitigation
A. Enable ASLR & Ptrace Restrictions
Edit /etc/sysctl.conf:
sudo nano /etc/sysctl.conf
Add:
# Full ASLR
kernel.randomize_va_space = 2
# Restrict ptrace to prevent process memory snooping
kernel.yama.ptrace_scope = 2
Apply changes:
sudo sysctl -p
B. Disable Unused Kernel Modules
Blacklist modules (example for USB storage):
sudo nano /etc/modprobe.d/blacklist.conf
Add:
install usb-storage /bin/false
Update initramfs:
sudo update-initramfs -u
C. Implement Integrity Measurement Architecture (IMA)
Install IMA tools:
sudo apt install ima-evm-utils
Configure IMA policies to measure and appraise critical files. Refer to the IMA documentation for custom policy creation.
5. Strengthening System Access & Authentication
A. Passwordless SSH with Hardware Keys
Generate a hardware-backed SSH key (if supported):
ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk
Copy the key to your server:
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@your.server.ip
Disable password authentication:
Edit /etc/ssh/sshd_config:
PasswordAuthentication no
Restart SSH:
sudo systemctl restart sshd
B. Enforce Multi-Factor Authentication (MFA)
Install Google Authenticator PAM module:
sudo apt update
sudo apt install libpam-google-authenticator
Configure MFA for your user:
google-authenticator
Follow the prompts to generate secret keys and emergency codes.
Edit /etc/pam.d/sshd and add near the top:
auth required pam_google_authenticator.so nullok
Ensure /etc/ssh/sshd_config contains:
ChallengeResponseAuthentication yes
Restart SSH:
sudo systemctl restart sshd
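An added drift check for the settings from sections 4A and 5A/5B (example code, not HARDN's own). It assumes the function names shown and takes the file paths as parameters; it reads the files rather than the live kernel or daemon, so it can run before a reboot or restart.

```shell
#!/bin/sh
# Added example, not part of HARDN: re-check the settings from sections 4A and
# 5A/5B against the config files on disk, so a package upgrade or a stray edit
# that reverts them shows up as DRIFT. Handles "key = value" (sysctl.conf) and
# "Key value" (sshd_config), ignores comments, and compares keys
# case-insensitively as sshd does. File paths are parameters for dry runs.
set -eu

# Print every uncommented value assigned to key $2 in file $1, one per line.
conf_values() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        NF == 0 { next }
        {
            n = split($0, f, /[ \t]*=[ \t]*|[ \t]+/)
            if (n >= 2 && tolower(f[1]) == want) print f[2]
        }' "$1"
}

# Pass only if the key is present and every occurrence equals $3: sshd takes
# the first match and sysctl the last, so a duplicate with another value is
# reported as drift rather than silently resolved.
check_setting() {  # $1=file $2=key $3=expected value
    vals=$(conf_values "$1" "$2")
    if [ -z "$vals" ]; then
        echo "MISSING $2 in $1" >&2; return 1
    fi
    for v in $vals; do
        if [ "$v" != "$3" ]; then
            echo "DRIFT $2=$v (want $3) in $1" >&2; return 1
        fi
    done
    echo "OK $2=$3"
}

# Audit the values this tutorial sets; returns the number of failed checks.
hardn_config_audit() {  # $1=sysctl.conf path $2=sshd_config path
    fails=0
    check_setting "$1" kernel.randomize_va_space 2         || fails=$((fails + 1))
    check_setting "$1" kernel.yama.ptrace_scope 2          || fails=$((fails + 1))
    check_setting "$2" PasswordAuthentication no           || fails=$((fails + 1))
    check_setting "$2" ChallengeResponseAuthentication yes || fails=$((fails + 1))
    return "$fails"
}
```

The live counterparts are `sysctl -n kernel.yama.ptrace_scope` and `sshd -T`, which print what the kernel and sshd are actually using.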
C. Additional Measures for the Security Machine Tutorial for HARDN
- Time-Based Login Restrictions: Configure /etc/security/time.conf to limit login times.
- Account Lockout Policies: Use PAM modules (e.g., pam_tally2) to lock accounts after several failed attempts.
6. Enhanced Logging, Auditing & Intrusion Detection
A. Deploy Auditd for System Monitoring
Install and enable Auditd:
sudo apt update
sudo apt install auditd
sudo systemctl enable auditd
sudo systemctl start auditd
Add custom audit rules in /etc/audit/rules.d/audit.rules:
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
Restart Auditd:
sudo systemctl restart auditd
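An added example (not part of HARDN or auditd) that summarises what the two rules above record: per key, per login uid (auid) and per outcome. AUDIT_SAMPLE is a constructed sample in audit.log format with made-up ids; the function names are assumptions, and on a real system the input is /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not part of HARDN or auditd: summarise who touched the files
# watched by the rules above, per key, login uid (auid) and outcome, from raw
# audit.log lines. AUDIT_SAMPLE is a constructed sample in audit.log format
# with made-up ids; point the functions at /var/log/audit/audit.log for real data.
set -eu

AUDIT_SAMPLE='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="shadow_changes"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=1234 mode=0100640
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=SYSCALL msg=audit(1700000000.309:203): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="shadow_changes"'

# Count SYSCALL records per "key auid=N success=yes|no"; $1 is a file or "-".
audit_key_summary() {
    awk '
        $1 == "type=SYSCALL" {
            k = a = s = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "key")     { k = kv[2]; gsub(/"/, "", k) }
                if (kv[1] == "auid")    a = kv[2]
                if (kv[1] == "success") s = kv[2]
            }
            if (k != "") n[k " auid=" a " success=" s]++
        }
        END { for (e in n) print e, n[e] }' "${1:--}" | sort
}

# List auids whose access to a watched file was denied (success=no): a user
# probing /etc/shadow without privilege is worth a look even though it failed.
audit_denied_auids() {  # $1 = file or "-"
    audit_key_summary "$1" | awk '$3 == "success=no" { sub(/^auid=/, "", $2); print $2 }' | sort -u
}
```

With auditd's own tooling the equivalent query is `ausearch -k shadow_changes -i`, which also resolves the auid to a user name.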
B. Centralize Logging with rsyslog
Edit or create a config file (e.g., /etc/rsyslog.d/50-default.conf) and add:
*.* @logserver.example.com:514
Restart rsyslog:
sudo systemctl restart rsyslog
C. Host-Based IDS & Automated Blocking
Install Fail2Ban:
sudo apt update
sudo apt install fail2ban
Copy default configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Customize settings for SSH and other services; then restart:
sudo systemctl restart fail2ban
Consider deploying additional HIDS such as OSSEC/Wazuh or real-time behavioral monitoring with Falco.
7. Application Isolation & Deception Tactics
A. Sandboxing & Containerization
- Use Containers or VMs: Deploy sensitive applications in Docker, Podman, or lightweight VMs to minimize lateral impact in case of compromise.
- Enforce Mandatory Access Controls (MAC): Strengthen AppArmor or SELinux profiles for each application.
B. Deception and Honeypots
Deploy an SSH Honeypot (Cowrie):
Install prerequisites:
sudo apt update
sudo apt install git python3-virtualenv
Clone Cowrie repository:
git clone https://github.com/cowrie/cowrie.git
cd cowrie
Create virtual environment and install dependencies:
virtualenv cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
Configure and start Cowrie:
./bin/cowrie start
Cowrie will log and analyze attack attempts for further intelligence.
8. Secure Software Supply Chain & Regular Audits
A. Strict Package Verification
- Verify package signatures: Ensure that your APT repositories use signed packages. Use apt-secure and inspect checksums for third-party downloads.
- Integrate Sigstore: Explore Sigstore or similar tools to verify the integrity of software downloads.
B. Air-Gapped Update Channels
For critical systems, consider:
- Downloading updates in an isolated environment, verifying them manually, and then applying them on the secure system.
C. Automated Vulnerability Scanning & Penetration Testing
- Schedule regular scans with tools like Lynis, OpenVAS, or Nessus.
- Perform periodic penetration tests to identify and remediate vulnerabilities.
9. Incident Response & Forensic Readiness
A. Develop an Incident Response Plan
- Document procedures: Include detection, analysis, containment, eradication, and recovery steps.
- Define roles and contacts: Maintain an up-to-date list of responsible personnel.
B. Centralized SIEM & Forensics
- Integrate logs from all security systems into a SIEM platform (e.g., ELK, Graylog, Splunk) for real-time correlation.
- Prepare forensic snapshots: Regularly create tamper-evident logs and filesystem snapshots using tools like dd and file integrity monitoring systems.
10. Final Considerations & Ongoing Maintenance
- Continuous Monitoring: Ensure that all systems are monitored 24/7 using automated alerts.
- Regular Updates & Reviews: Frequently review configurations, update systems, and adapt policies to emerging threats.
- Automation: Consider using Ansible or custom scripts to automate these security measures and maintain consistency across multiple systems.
Conclusion on the Security Machine Tutorial for HARDN
By following this tutorial, you combine multiple layers of defense—from disk encryption and secure boot to advanced kernel hardening, network obfuscation, strict authentication, and continuous monitoring—resulting in an “ultimate security machine” designed to meet the highest security standards. This defense-in-depth approach minimizes the attack surface and enhances resilience even against sophisticated adversaries.