Add tech_docs/linux/next_level_debian.md

2025-08-01 02:46:31 -05:00
parent 0e26dcba3b
commit 3f5f60c361
1 changed files with 280 additions and 0 deletions
--- a/tech_docs/linux/next_level_debian.md
+++ b/tech_docs/linux/next_level_debian.md
@@ -0,0 +1,280 @@
+Here's a **`next_level_debian.md`** document that captures all the hardcore optimizations we've discussed, organized for clarity and reuse:
+
+```markdown
+# Next-Level Debian Hardening & Minimalism
+
+For power users who want **maximum control, security, and performance** from their Debian system.
+
+## Table of Contents
+1. [Service Hardening](#service-hardening)
+2. [Network Lockdown](#network-lockdown)
+3. [Kernel Protections](#kernel-protections)
+4. [Filesystem Hardening](#filesystem-hardening)
+5. [User Environment](#user-environment)
+6. [Extreme Minimalism](#extreme-minimalism)
+
+---
+
+## Service Hardening
+
+### Disable Non-Essential Services
+```bash
+# List running services
+sudo systemctl list-units --type=service --state=running
+
+# Disable cron (if unused)
+sudo systemctl disable --now cron.service
+
+# Disable iperf3 (if not benchmarking)
+sudo systemctl disable --now iperf3.service
+
+# Disable systemd-logind (headless only)
+sudo systemctl mask --now systemd-logind.service
+```
+
+### Harden SSH
+```bash
+sudo sed -i -E \
+  -e 's/^#?PermitRootLogin .*/PermitRootLogin no/' \
+  -e 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' \
+  -e 's/^#?ClientAliveInterval .*/ClientAliveInterval 300/' \
+  -e 's/^#?MaxAuthTries .*/MaxAuthTries 3/' \
+  /etc/ssh/sshd_config
+sudo systemctl restart ssh
+```
+
+### Restrict DBus
+```bash
+sudo mkdir -p /etc/systemd/system/dbus.service.d/
+echo '[Service]
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+' | sudo tee /etc/systemd/system/dbus.service.d/harden.conf
+sudo systemctl daemon-reload
+```
+
+---
+
+## Network Lockdown
+
+### nftables Firewall (Drop All Inbound Except SSH)
+```bash
+sudo nft flush ruleset
+sudo nft -f - <<EOF
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+    ct state established,related accept
+    iif lo accept
+    ip protocol icmp accept
+    tcp dport 2222 accept
+  }
+  chain forward { policy drop; }
+  chain output { policy accept; }
+}
+EOF
+sudo nft list ruleset | sudo tee /etc/nftables.conf
+```
+
+---
+
+## Kernel Protections
+
+### /etc/sysctl.d/99-hardening.conf
+```bash
+echo "
+kernel.kptr_restrict=2
+kernel.unprivileged_userns_clone=0
+vm.unprivileged_userfaultfd=0
+net.core.bpf_jit_harden=2
+" | sudo tee /etc/sysctl.d/99-hardening.conf
+sudo sysctl -p /etc/sysctl.d/99-hardening.conf
+```
+
+---
+
+## Filesystem Hardening
+
+### Immutable Critical Files
+```bash
+sudo chattr +i /etc/passwd /etc/shadow /etc/group /etc/sudoers
+```
+
+### Disable SUID Binaries (Except Essentials)
+```bash
+find / -type f -perm /4000 -not -path '/usr/bin/sudo' \
+  -not -path '/usr/bin/passwd' -exec chmod u-s {} \;
+```
+
+---
+
+## User Environment
+
+### Secure ~/.bashrc
+```bash
+echo '
+umask 077
+alias ports="ss -tulnp | grep -vE '\''127.0.0.1|::1'\''"
+' >> ~/.bashrc
+```
+
+---
+
+## Extreme Minimalism
+
+### Purge All Bloat
+```bash
+sudo apt purge --auto-remove -y \
+  snapd lxd lxcfs cloud-init unattended-upgrades \
+  apparmor policykit-1 popularity-contest
+sudo apt autoremove -y --purge
+```
+
+### Replace journald with socklog
+```bash
+sudo apt install socklog-void
+sudo systemctl disable --now systemd-journald
+sudo systemctl enable --now socklog-unix
+```
+
+---
+
+## Verification
+```bash
+# Check running services (should be < 5)
+sudo systemctl list-units --type=service --state=running
+
+# Check installed packages (should be < 150)
+dpkg -l | wc -l
+```
+
+> **Note:** Adjust based on your needs. This is a **starting point**, not dogma.
+```
+
+### How to Use This Document
+1. **Copy-paste** sections as needed
+2. **Comment out** lines you don't need
+3. **Add your own** customizations
+
+---
+
+Here's a **no-nonsense PCIe passthrough guide** for your Debian system, optimized for your **Intel i7-4790 + Intel I350 NIC** hardware:
+
+---
+
+# PCIe Passthrough Guide for Debian (VT-d Enabled Systems)
+
+## Prerequisites
+1. **BIOS Settings**:
+   - Enable `VT-d` (Intel) or `AMD-Vi` (AMD)
+   - Disable `CSM` (Legacy Boot)
+   - Enable `Above 4G Decoding` if available
+
+2. **Verify IOMMU Groups**:
+   ```bash
+   sudo apt install -y iommu-tools
+   sudo dmesg | grep -i iommu  # Should show "DMAR: IOMMU enabled"
+   for g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 | sort -V); do
+     echo "IOMMU Group ${g##*/}:"
+     for d in $g/devices/*; do
+       echo -e "\t$(lspci -nns ${d##*/})"
+     done
+   done
+   ```
+
+## Step 1: Configure Kernel for Passthrough
+Edit `/etc/default/grub`:
+```bash
+GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction nofb nomodeset video=vesafb:off,efifb:off"
+```
+Then update GRUB:
+```bash
+sudo update-grub
+```
+
+## Step 2: Isolate Target Devices
+### For your **Intel I350 NIC (03:00.0 - 03:00.3)**:
+```bash
+echo "options vfio-pci ids=8086:1521 disable_vga=1" | sudo tee /etc/modprobe.d/vfio.conf
+echo "softdep igb pre: vfio-pci" | sudo tee /etc/modproprobe.d/igb.conf
+```
+
+## Step 3: Load Required Kernel Modules
+```bash
+echo "vfio
+vfio_iommu_type1
+vfio_pci
+vfio_virqfd" | sudo tee /etc/modules-load.d/vfio.conf
+sudo update-initramfs -u
+```
+
+## Step 4: Verify Device Isolation
+Reboot, then check:
+```bash
+lspci -nnk -d 8086:1521  # Should show "Kernel driver in use: vfio-pci"
+```
+
+## Step 5: KVM/QEMU Setup
+### Install minimal virtualization stack:
+```bash
+sudo apt install -y --no-install-recommends qemu-system-x86 libvirt-daemon-system virt-manager
+sudo usermod -aG kvm,input,libvirt $USER
+```
+
+### Create VM XML (for NIC passthrough):
+```xml
+<hostdev mode='subsystem' type='pci' managed='yes'>
+  <source>
+    <address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+  </source>
+</hostdev>
+```
+(Repeat for each NIC function 0x0-0x3)
+
+## Step 6: Performance Tweaks
+### CPU Pinning (for your 4C/8T i7-4790):
+```xml
+<cputune>
+  <vcpupin vcpu='0' cpuset='0'/>
+  <vcpupin vcpu='1' cpuset='4'/>
+  <vcpupin vcpu='2' cpuset='1'/>
+  <vcpupin vcpu='3' cpuset='5'/>
+</cputune>
+```
+
+### Hugepages (1GB):
+```bash
+echo "vm.nr_hugepages = 8" | sudo tee /etc/sysctl.d/10-hugepages.conf
+sudo sysctl -p
+```
+
+## Troubleshooting
+1. **Error 43 (AMD GPU)**: Use hidden state and vendor_id:
+   ```xml
+   <kvm>
+     <hidden state='on'/>
+   </kvm>
+   <hyperv>
+     <vendor_id state='on' value='1234567890ab'/>
+   </hyperv>
+   ```
+
+2. **IOMMU Group Issues**: Try:
+   ```bash
+   sudo virsh nodedev-detach pci_0000_03_00_0
+   ```
+
+3. **Performance Checks**:
+   ```bash
+   sudo perf stat -e 'kvm:*' -a sleep 1
+   ```
+
+## Final Notes
+- Your **I350 NIC** is ideal for pfSense/OPNsense VMs
+- Consider **CPU isolation** for real-time workloads:
+  ```bash
+  sudo systemctl set-property --runtime -- user.slice AllowedCPUs=0,4
+  ```
+
+Want me to adapt this for a specific VM (e.g., networking appliance/gaming VM)?