Here's a next_level_debian.md document that captures all the hardcore optimizations we've discussed, organized for clarity and reuse:
# Next-Level Debian Hardening & Minimalism
For power users who want **maximum control, security, and performance** from their Debian system.
## Table of Contents
1. [Service Hardening](#service-hardening)
2. [Network Lockdown](#network-lockdown)
3. [Kernel Protections](#kernel-protections)
4. [Filesystem Hardening](#filesystem-hardening)
5. [User Environment](#user-environment)
6. [Extreme Minimalism](#extreme-minimalism)
---
## Service Hardening
### Disable Non-Essential Services
```bash
# List running services and decide what each one is for before touching it
sudo systemctl list-units --type=service --state=running

# Disable cron (only if nothing relies on it: logrotate, apt's periodic jobs and
# many packages ship cron entries)
sudo systemctl disable --now cron.service

# Disable iperf3 (only present if the iperf3 server package is installed)
sudo systemctl disable --now iperf3.service

# Mask systemd-logind (headless only). Caveat: this removes session tracking,
# per-user runtime directories (XDG_RUNTIME_DIR), user@.service and power-key
# handling; SSH logins still work because pam_systemd is optional, loginctl does not.
sudo systemctl mask --now systemd-logind.service
```
### Harden SSH
Make sure key-based login already works from a second session before disabling password authentication, otherwise this step locks you out. The firewall below only opens TCP 2222, so the listening port is moved here to match.
```bash
sudo sed -i -E \
  -e 's/^#?Port .*/Port 2222/' \
  -e 's/^#?PermitRootLogin .*/PermitRootLogin no/' \
  -e 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' \
  -e 's/^#?ClientAliveInterval .*/ClientAliveInterval 300/' \
  -e 's/^#?MaxAuthTries .*/MaxAuthTries 3/' \
  /etc/ssh/sshd_config
# Validate before restarting; a syntax error would otherwise leave sshd down
sudo sshd -t && sudo systemctl restart ssh
```
On Debian 12 and later `/etc/ssh/sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd uses the first value it sees for each keyword, so a drop-in in that directory overrides anything the sed above sets. Check the effective values with `sudo sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication|maxauthtries) '`.
### Restrict DBus
```bash
sudo mkdir -p /etc/systemd/system/dbus.service.d/
echo '[Service]
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
' | sudo tee /etc/systemd/system/dbus.service.d/harden.conf
sudo systemctl daemon-reload
# dbus.service cannot be restarted safely on a live system; the drop-in takes
# effect at the next boot. Inspect the result with: systemd-analyze security dbus.service
```
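The sed-based SSH edit above can be silently undone by a drop-in, because sshd takes the first value of a keyword it encounters and Debian's config starts with an `Include`. The following is an added example, not code from the original guide: it resolves the effective value of each keyword with sshd's own rules (case-insensitive keywords, first match wins, `Include` globs spliced in where they appear) and audits the hardening settings. Paths and the fixture config are constructed for the demonstration; pass a real `sshd_config` path as the first argument to audit a host.

```shell
#!/bin/sh
# Added example, not from the original guide: resolve sshd settings the way sshd
# does (keywords are case-insensitive, the FIRST occurrence wins, and Include
# globs are spliced in where they appear), so you can see whether a sed edit to
# sshd_config has been overridden by a drop-in. The fixture below is constructed.

# flatten_sshd_config FILE: print FILE with comments removed and Include files spliced in
flatten_sshd_config() {
    local file dir line stripped key pattern inc
    file=$1
    [ -r "$file" ] || return 0
    dir=$(dirname "$file")
    while IFS= read -r line || [ -n "$line" ]; do
        stripped=$(printf '%s\n' "$line" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$stripped" ] && continue
        key=$(printf '%s\n' "$stripped" | awk '{ print tolower($1) }')
        if [ "$key" = "include" ]; then
            pattern=$(printf '%s\n' "$stripped" | awk '{ print $2 }')
            case $pattern in /*) ;; *) pattern="$dir/$pattern" ;; esac   # relative to the config directory
            for inc in $pattern; do            # unquoted on purpose: sshd expands the glob
                flatten_sshd_config "$inc"
            done
        else
            printf '%s\n' "$stripped"
        fi
    done < "$file"
    return 0
}

# effective_value FILE KEYWORD: the value sshd would use; prints nothing if unset (built-in default applies)
effective_value() {
    flatten_sshd_config "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# audit_sshd FILE: one line per hardening keyword; return 1 if any is not in effect
audit_sshd() {
    local cfg rc want key expect got
    cfg=$1; rc=0
    for want in permitrootlogin=no passwordauthentication=no maxauthtries=3 clientaliveinterval=300; do
        key=${want%%=*}; expect=${want#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" = "$expect" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key=${got:-<default>} (want $expect)"; rc=1
        fi
    done
    return $rc
}

# make_ssh_fixture: constructed Debian-style layout where a cloud-init drop-in re-enables passwords
make_ssh_fixture() {
    local d
    d=$(mktemp -d); mkdir -p "$d/sshd_config.d"
    printf 'Include sshd_config.d/*.conf\nPort 2222\nPermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\nClientAliveInterval 300\n' > "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    echo "$d"
}

if [ $# -eq 0 ]; then            # stand-alone: demonstrate on the fixture
    d=$(make_ssh_fixture)
    if ! audit_sshd "$d/sshd_config"; then
        echo "the drop-in in $d/sshd_config.d wins because Include comes first"
    fi
    rm -rf "$d"
else                             # e.g. sudo sh sshd_audit.sh /etc/ssh/sshd_config
    audit_sshd "$1"
fi
```

On the fixture the audit reports `FAIL passwordauthentication=yes` even though the main file says `no`, which is exactly the failure mode the sed edit cannot detect. On a real host, `sudo sshd -T` is the authoritative check; this script is for reviewing configs offline or from a backup.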
## Network Lockdown
### nftables Firewall (Drop All Inbound Except SSH)
Two corrections to the usual copy of this ruleset: a chain without a `type filter hook ...` line is a regular chain and cannot carry a `policy`, so `nft` rejects `chain forward { policy drop; }`; and on a dual-stack host `ip protocol icmp` only admits IPv4 ICMP, so ICMPv6 (neighbour discovery) must be allowed too or IPv6 stops working. Established connections are accepted first, so the SSH session you run this from survives the flush.
```bash
sudo apt install -y nftables
sudo nft -f - <<'EOF'
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    meta l4proto { icmp, ipv6-icmp } accept
    tcp dport 2222 accept   # must match Port in sshd_config
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
# Persist: nftables.service loads /etc/nftables.conf at boot. Keep the flush
# line at the top, otherwise a reload appends a second copy of every rule.
{ echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; sudo nft list ruleset; } | sudo tee /etc/nftables.conf
sudo systemctl enable nftables
```
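Flushing the ruleset over SSH is the classic way to lock yourself out of a remote box. The following is an added example, not part of the original guide: it renders the ruleset above with the SSH port read from sshd's effective configuration, checks that the generated file really admits that port, and loads it with a rollback timer that restores the previous ruleset unless you confirm from a fresh session. Function names, the grace period and the `/tmp` state file are this example's own conventions; `safe_apply` needs root and a working `nft`.

```shell
#!/bin/sh
# Added example, not from the original guide: render the ruleset with the SSH
# port taken from sshd's effective config, verify the file really admits that
# port, and load it with a rollback timer so a mistake cannot lock you out of a
# remote host. Function names, the grace period and the /tmp state file are
# this example's own conventions.

# render_ruleset PORT: complete /etc/nftables.conf (with the flush line nftables.service needs)
render_ruleset() {
    case $1 in ''|*[!0-9]*) echo "render_ruleset: bad port '$1'" >&2; return 1 ;; esac
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    meta l4proto { icmp, ipv6-icmp } accept
    tcp dport $1 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# ssh_port: port sshd will actually listen on (sshd -T needs root); falls back to 22
ssh_port() {
    p=$(sshd -T 2>/dev/null | awk '$1 == "port" { print $2; exit }')
    echo "${p:-22}"
}

# ruleset_opens_port FILE PORT: 0 if the input chain accepts TCP to PORT
ruleset_opens_port() {
    awk -v p="$2" '
        /chain input/ { inside = 1 }
        inside && /^ *}/ { inside = 0 }
        inside && $1 == "tcp" && $2 == "dport" && $3 == p && $4 == "accept" { found = 1 }
        END { exit !found }' "$1"
}

# safe_apply FILE [SECONDS]: load FILE; unless confirm_ruleset runs within SECONDS, restore the old ruleset
safe_apply() {
    new=$1; grace=${2:-60}
    backup=$(mktemp /tmp/nft-backup.XXXXXX)
    nft list ruleset > "$backup"
    ruleset_opens_port "$new" "${SSH_PORT:-$(ssh_port)}" || { echo "refusing: $new does not admit the SSH port" >&2; return 1; }
    nft -c -f "$new" || { echo "syntax check failed, nothing applied" >&2; return 1; }
    nft -f "$new"
    echo "$backup" > /tmp/nft-pending
    ( sleep "$grace"; [ -e "$backup" ] && { nft flush ruleset; nft -f "$backup"; echo "nft: rolled back" >&2; } ) &
    echo "applied; run confirm_ruleset within ${grace}s from a fresh SSH session to keep it"
}

# confirm_ruleset: cancel the pending rollback
confirm_ruleset() {
    rm -f "$(cat /tmp/nft-pending 2>/dev/null)" /tmp/nft-pending
}

# Stand-alone run: render for the detected (or SSH_PORT-overridden) port and verify the file
port=${SSH_PORT:-$(ssh_port)}
out=$(mktemp /tmp/nftables.conf.XXXXXX)
render_ruleset "$port" > "$out"
ruleset_opens_port "$out" "$port" && echo "ruleset for SSH port $port written to $out (apply as root with: safe_apply $out)"
```

Typical use: `. ./nft_safe.sh` as root, `safe_apply /tmp/nftables.conf.XXXX 60`, open a new SSH connection on the new port, then `confirm_ruleset`; if the new connection fails, do nothing and the old rules come back after a minute. `nft -c` only validates syntax, which is why the port check runs first.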
## Kernel Protections
### /etc/sysctl.d/99-hardening.conf
```bash
echo "
kernel.kptr_restrict=2
kernel.unprivileged_userns_clone=0
vm.unprivileged_userfaultfd=0
net.core.bpf_jit_harden=2
" | sudo tee /etc/sysctl.d/99-hardening.conf
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
```
Caveats: `kernel.unprivileged_userns_clone` comes from a Debian kernel patch and does not exist on upstream or most other distribution kernels (`sysctl` reports "No such file or directory" and skips it); setting it to 0 also breaks rootless containers, `bwrap` and Flatpak. `kernel.kptr_restrict=2` hides kernel addresses even from root, which affects `perf` and kernel debugging. Confirm what the kernel actually took with `sysctl kernel.kptr_restrict vm.unprivileged_userfaultfd net.core.bpf_jit_harden`.
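`sysctl -p` prints errors but exits zero for keys the kernel does not have, so it is easy to believe a setting is in force when it was skipped. The following is an added example, not part of the original guide: it parses a `sysctl.d` file and compares each key against the live value under `/proc/sys`, reporting wrong values separately from keys the running kernel does not support. The second argument (a fixture directory mirroring `/proc/sys`) is this example's own convention for testing; the fixture contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: compare every key in a sysctl.d
# file against the live kernel value, distinguishing "wrong value" from "key does
# not exist on this kernel" (e.g. kernel.unprivileged_userns_clone outside Debian).
# The optional PROC_SYS argument points at a fixture directory; default /proc/sys.

# parse_sysctl_file FILE: print "key value" pairs, ignoring comments and blank lines
parse_sysctl_file() {
    sed -e 's/[#;].*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | awk -F'=' 'NF >= 2 {
            k = $1; v = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print k, v }'
}

# live_value KEY [PROC_SYS]: the kernel's current value; return 1 if the key is absent
live_value() {
    f="${2:-/proc/sys}/$(printf '%s' "$1" | tr '.' '/')"
    [ -r "$f" ] || return 1
    tr -s '[:space:]' ' ' < "$f" | sed 's/ $//'
}

# check_sysctl FILE [PROC_SYS]: one status line per key; return 1 if anything is wrong or missing
check_sysctl() {
    parse_sysctl_file "$1" | while read -r key want; do
        if got=$(live_value "$key" "$2"); then
            if [ "$got" = "$want" ]; then echo "OK      $key = $got"
            else echo "WRONG   $key = $got (want $want)"; fi
        else
            echo "MISSING $key (not supported by this kernel)"
        fi
    done | awk '{ print } /^(WRONG|MISSING)/ { bad = 1 } END { exit bad }'
}

# make_sysctl_fixture: constructed /proc/sys look-alike on a kernel that lacks the Debian userns knob
make_sysctl_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/kernel" "$d/proc/vm" "$d/proc/net/core"
    echo 2 > "$d/proc/kernel/kptr_restrict"
    echo 1 > "$d/proc/vm/unprivileged_userfaultfd"       # not yet applied
    echo 2 > "$d/proc/net/core/bpf_jit_harden"
    printf '# hardening\nkernel.kptr_restrict = 2\nkernel.unprivileged_userns_clone=0\nvm.unprivileged_userfaultfd=0\nnet.core.bpf_jit_harden=2\n' > "$d/99-hardening.conf"
    echo "$d"
}

if [ $# -eq 0 ]; then            # stand-alone: demonstrate on the fixture
    d=$(make_sysctl_fixture)
    if ! check_sysctl "$d/99-hardening.conf" "$d/proc"; then
        echo "at least one setting is not in force"
    fi
    rm -rf "$d"
else                             # e.g. sh sysctl_check.sh /etc/sysctl.d/99-hardening.conf
    check_sysctl "$1"
fi
```

Run it after `sysctl -p` and again after a reboot: a `MISSING` line for `kernel.unprivileged_userns_clone` means you are on a kernel without the Debian patch and user namespaces are still enabled for unprivileged users, which changes the risk calculation for everything else in this section.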
## Filesystem Hardening
### Immutable Critical Files
```bash
sudo chattr +i /etc/passwd /etc/shadow /etc/group /etc/sudoers
```
Caveat: while the flag is set, `passwd`, `useradd`, `visudo` and any package postinst that creates a system user (many do) fail until you run `chattr -i` on the file. Root can lift the flag at any time, so this defends against accidents and low-effort tampering, not against an attacker who already has root. Check with `lsattr /etc/passwd /etc/shadow /etc/group /etc/sudoers`.
### Disable SUID Binaries (Except Essentials)
```bash
# Inventory first: everything listed here is about to lose its setuid bit
sudo find / -xdev -type f -perm /4000 -print
# Strip the bit (keep sudo and passwd; also keep su, mount and umount if you need them)
sudo find / -xdev -type f -perm /4000 \
  -not -path '/usr/bin/sudo' -not -path '/usr/bin/passwd' \
  -exec chmod u-s {} \;
```
`chmod` alone is undone by the next package upgrade, because dpkg restores the mode it ships. To make the change stick, record it with `dpkg-statoverride`, for example `sudo dpkg-statoverride --update --add root root 0755 /usr/bin/chsh`. `-xdev` keeps `find` out of `/proc`, `/sys` and other mounts. Note that `ping` on Debian uses file capabilities rather than setuid and is not matched by `-perm /4000`.
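The following is an added example, not code from the original guide: it inventories setuid and setgid binaries below a root, applies an allowlist, and prints the `dpkg-statoverride` commands that strip the bit and keep it stripped across upgrades, so you review the plan before anything changes. The allowlist, the fixture directory and the owner/group handling (taken from the file, since setgid binaries such as those in group `shadow` or `tty` are not `root:root`) are this example's own choices; GNU `find` is assumed, which holds on Debian.

```shell
#!/bin/sh
# Added example, not from the original guide. Inventories setuid/setgid
# binaries below a root, keeps an allowlist, and prints the dpkg-statoverride
# commands that strip the bit *and* keep it stripped across package upgrades.
# Nothing is changed unless you pipe the plan into `sudo sh`. ALLOWLIST and the
# constructed fixture are this example's assumptions; GNU find is assumed.

ALLOWLIST="/usr/bin/sudo /usr/bin/passwd /usr/bin/su /usr/bin/mount /usr/bin/umount"

# suid_inventory ROOT: "mode owner group path" for every setuid/setgid regular file, path relative to ROOT
suid_inventory() {
    root=${1%/}
    find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %u %g %p\n' 2>/dev/null \
      | while read -r mode user group path; do
            printf '%s %s %s %s\n' "$mode" "$user" "$group" "${path#"$root"}"
        done | sort -k4
}

# in_allowlist PATH: 0 if the binary may keep its bit
in_allowlist() {
    for a in $ALLOWLIST; do [ "$a" = "$1" ] && return 0; done
    return 1
}

# statoverride_plan ROOT: one dpkg-statoverride command per binary to strip (4755 -> 0755, 2755 -> 0755)
statoverride_plan() {
    suid_inventory "$1" | while read -r mode user group path; do
        in_allowlist "$path" && continue
        echo "dpkg-statoverride --update --add $user $group 0${mode#?} $path"
    done
}

# make_suid_fixture: constructed tree with three setuid binaries, one setgid binary and one plain file
make_suid_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    for b in sudo passwd chsh; do : > "$d/usr/bin/$b"; chmod 4755 "$d/usr/bin/$b"; done
    : > "$d/usr/bin/wall"; chmod 2755 "$d/usr/bin/wall"
    : > "$d/usr/bin/ls";   chmod 0755 "$d/usr/bin/ls"     # no special bit: must not be listed
    echo "$d"
}

if [ $# -eq 0 ]; then            # stand-alone: demonstrate on the fixture
    d=$(make_suid_fixture)
    echo "inventory:"; suid_inventory "$d"
    echo "plan:";      statoverride_plan "$d"
    rm -rf "$d"
else                             # e.g. sudo sh suid_plan.sh / | less ; then ... | sudo sh to apply
    statoverride_plan "$1"
fi
```

Apply with `sudo sh suid_plan.sh / | sudo sh` after reading the plan; an override is removed again with `dpkg-statoverride --remove PATH` followed by reinstalling the package. Because the mode is recorded in `/var/lib/dpkg/statoverride`, `apt upgrade` keeps the bit stripped instead of quietly restoring it.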
## User Environment
### Secure ~/.bashrc
```bash
echo '
umask 077
alias ports="ss -tulnp | grep -vE '\''127\.0\.0\.1|::1'\''"
' >> ~/.bashrc
```
`umask 077` in `~/.bashrc` only applies to interactive bash shells; add it to `~/.profile` (or `/etc/profile.d/`) as well if you want it for login shells, cron jobs and scripts. `ss -p` only shows the owning process for your own sockets, so use `sudo ss -tulnp` for the full picture.
## Extreme Minimalism
### Purge All Bloat
```bash
sudo apt purge --auto-remove -y \
  snapd lxd lxcfs cloud-init policykit-1 popularity-contest
sudo apt autoremove -y --purge
```
`apt` only warns about listed packages that are not installed, so the list can be used as-is. Two packages are deliberately not in it: `unattended-upgrades` is what installs security updates automatically, and `apparmor` confines sshd, dbus and many other daemons; removing either makes the system less secure, not more. Purge them only if you replace them (for example a cron-driven `apt upgrade`, and a conscious decision to run without mandatory access control).
### Constrain journald
`systemd-journald` is a static unit that cannot be disabled, and `socklog-void` is a Void Linux package that does not exist in Debian. Instead of replacing journald, cap its footprint:
```bash
sudo mkdir -p /etc/systemd/journald.conf.d/
echo '[Journal]
Storage=persistent
SystemMaxUse=50M
Compress=yes
' | sudo tee /etc/systemd/journald.conf.d/minimal.conf
sudo systemctl restart systemd-journald
```
`Storage=volatile` keeps logs in RAM only and drops them at reboot, which is smaller but leaves nothing to investigate after an incident. If you want plain-text syslog files as well, install `rsyslog` (or the Debian `socklog` package, which needs runit) with `ForwardToSyslog=yes`; journald still runs underneath.
### Verification
```bash
# Running services (aim for < 5 on a minimal headless box)
sudo systemctl list-units --type=service --state=running
# Running processes, header excluded (aim for < 20)
ps -e --no-headers | wc -l
# Installed packages; `dpkg -l | wc -l` also counts five header lines, so use dpkg-query (aim for < 150)
dpkg-query -W -f '${binary:Package}\n' | wc -l
```
Note: Adjust based on your needs. This is a starting point, not dogma.
### How to Use This Document
1. **Copy-paste** sections as needed
2. **Comment out** lines you don't need
3. **Add your own** customizations
---
Here's a **no-nonsense PCIe passthrough guide** for your Debian system, optimized for your **Intel i7-4790 + Intel I350 NIC** hardware:
---
# PCIe Passthrough Guide for Debian (VT-d Enabled Systems)
## Prerequisites
1. **BIOS Settings**:
   - Enable `VT-d` (Intel) or `AMD-Vi` (AMD)
   - Disable `CSM` (Legacy Boot)
   - Enable `Above 4G Decoding` if available
2. **Verify IOMMU Groups** (there is no `iommu-tools` package in Debian; `lspci` comes from `pciutils`):
```bash
sudo apt install -y pciutils
sudo dmesg | grep -iE 'DMAR|IOMMU'   # "DMAR: IOMMU enabled" appears once intel_iommu=on (Step 1) is active
for g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 | sort -V); do
    echo "IOMMU Group ${g##*/}:"
    for d in "$g"/devices/*; do
        echo -e "\t$(lspci -nns "${d##*/}")"
    done
done
```
If `/sys/kernel/iommu_groups/` is empty, the IOMMU is not enabled yet; the groups only appear after the kernel parameter from Step 1 is in effect. A device can only be handed to a VM together with every other endpoint in its group, so look at what shares the I350's group before going further.
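The loop above prints the groups; what you actually need to decide is whether the I350's group holds anything else the host keeps, because the VM gets DMA access to every endpoint in the group and `pcie_acs_override` would merely hide that. The following is an added example, not code from the original guide: it answers that question for a list of PCI addresses (PCIe bridges are exempted, as vfio tolerates them in a group) and prints the `<hostdev>` element for each function for the libvirt step later. `SYSFS` defaults to `/sys`; the fixture tree with the same layout is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original guide: check that the devices you intend
# to pass through own their IOMMU group exclusively (PCIe bridges excepted, which
# vfio tolerates), and print the matching <hostdev> elements. A VM gets DMA access
# to every endpoint in its group, so a group shared with, say, the SATA controller
# must not be passed through; ACS override would only hide that. SYSFS defaults
# to /sys; the fixture below is constructed with the same layout.

SYSFS=${SYSFS:-/sys}

# iommu_group_of BDF: group number for a PCI address (e.g. 0000:03:00.0); return 1 if the IOMMU is off
iommu_group_of() {
    link="$SYSFS/bus/pci/devices/$1/iommu_group"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# group_members GROUP: one PCI address per line
group_members() {
    for d in "$SYSFS/kernel/iommu_groups/$1/devices"/*; do
        [ -e "$d" ] && basename "$d"
    done
    return 0
}

# is_bridge BDF: PCI class 0x0604xx is a PCI-to-PCI bridge (root/downstream ports)
is_bridge() {
    case $(cat "$SYSFS/bus/pci/devices/$1/class" 2>/dev/null) in 0x0604*) return 0 ;; *) return 1 ;; esac
}

# passthrough_safe BDF...: 0 if every group touched contains only listed devices (or bridges)
passthrough_safe() {
    wanted=" $* "; rc=0
    for bdf in "$@"; do
        g=$(iommu_group_of "$bdf") || { echo "$bdf: no IOMMU group (intel_iommu=on not active?)"; return 2; }
        for m in $(group_members "$g"); do
            is_bridge "$m" && continue
            case $wanted in *" $m "*) ;; *) echo "group $g: $m is not in the passthrough set"; rc=1 ;; esac
        done
    done
    return $rc
}

# hostdev_xml BDF: libvirt <hostdev> element for one PCI function
hostdev_xml() {
    old_ifs=$IFS; IFS=':.'; set -- $1; IFS=$old_ifs
    printf "<hostdev mode='subsystem' type='pci' managed='yes'>\n  <source>\n    <address domain='0x%s' bus='0x%s' slot='0x%s' function='0x%s'/>\n  </source>\n</hostdev>\n" "$1" "$2" "$3" "$4"
}

# add_dev ROOT BDF GROUP CLASS: one device in a fixture tree mirroring the real sysfs layout
add_dev() {
    mkdir -p "$1/bus/pci/devices/$2" "$1/kernel/iommu_groups/$3/devices/$2"
    echo "$4" > "$1/bus/pci/devices/$2/class"
    ln -s "../../../../kernel/iommu_groups/$3" "$1/bus/pci/devices/$2/iommu_group"
}

make_sysfs_fixture() {
    d=$(mktemp -d)
    add_dev "$d" 0000:00:01.0 1 0x060400    # root port above the I350 (bridge: tolerated)
    add_dev "$d" 0000:03:00.0 1 0x020000    # I350 functions 0-3
    add_dev "$d" 0000:03:00.1 1 0x020000
    add_dev "$d" 0000:03:00.2 1 0x020000
    add_dev "$d" 0000:03:00.3 1 0x020000
    add_dev "$d" 0000:00:1f.2 2 0x010601    # SATA controller
    add_dev "$d" 0000:04:00.0 2 0x020000    # another NIC stuck in the SATA controller's group
    echo "$d"
}

if [ $# -eq 0 ]; then            # stand-alone: demonstrate on the fixture
    SYSFS=$(make_sysfs_fixture)
    passthrough_safe 0000:03:00.0 0000:03:00.1 0000:03:00.2 0000:03:00.3 && echo "I350: safe to pass through as a set"
    passthrough_safe 0000:04:00.0 || echo "04:00.0: not safe (shares a group with a device the host keeps)"
    hostdev_xml 0000:03:00.0
    rm -rf "$SYSFS"
else                             # e.g. sh iommu_check.sh 0000:03:00.0 0000:03:00.1 0000:03:00.2 0000:03:00.3
    passthrough_safe "$@" && for bdf in "$@"; do hostdev_xml "$bdf"; done
fi
```

Passing only one I350 function fails the check, because the other three functions are in the same group and would have to go to the same VM; that is the case the guide's "repeat for each function" note covers. A non-zero result for a device whose group contains the host's storage or USB controller is the situation where people reach for ACS override; the honest fixes are a different slot, a different board, or keeping the device on the host.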
## Step 1: Configure Kernel for Passthrough
Edit `/etc/default/grub`:
```bash
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"
```
Two things that commonly appear on this line are left out on purpose. `pcie_acs_override=downstream,multifunction` is not in the stock Debian kernel (it needs a patched kernel and is silently ignored otherwise), and where it does work it lies to the kernel about isolation, so a VM could DMA into devices it does not own; only consider it if the I350 really shares its group with something else. `nofb nomodeset video=vesafb:off,efifb:off` are for GPU passthrough and would blank the host console on a NIC-only setup.
Then update GRUB:
```bash
sudo update-grub
```
## Step 2: Isolate Target Devices
For your Intel I350 NIC (03:00.0 - 03:00.3; all four functions share vendor:device `8086:1521`):
```bash
echo "options vfio-pci ids=8086:1521 disable_vga=1" | sudo tee /etc/modprobe.d/vfio.conf
# Make vfio-pci claim the device before igb can
echo "softdep igb pre: vfio-pci" | sudo tee /etc/modprobe.d/igb.conf
```
Binding by ID claims every I350 port in the machine. If the host itself needs one of these ports, do not use the `ids=` option; rely on libvirt's `managed='yes'` (Step 5), which detaches a device by address when the VM starts and returns it afterwards.
## Step 3: Load Required Kernel Modules
```bash
echo "vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd" | sudo tee /etc/modules-load.d/vfio.conf
sudo update-initramfs -u
```
`vfio_virqfd` was folded into the `vfio` module in Linux 6.2; on Debian 13 (kernel 6.12) drop that line, or systemd-modules-load logs a failure for it. `update-initramfs -u` is what copies the `modprobe.d` options into the initramfs so the softdep applies at early boot.
## Step 4: Verify Device Isolation
Reboot, then check:
```bash
lspci -nnk -d 8086:1521   # each function should show "Kernel driver in use: vfio-pci"
```
If it still says `igb`, the initramfs was not rebuilt or the softdep file is not under `/etc/modprobe.d/`.
## Step 5: KVM/QEMU Setup
Install a minimal virtualization stack (`virt-manager` is a GTK GUI; on a headless host install `virtinst` for `virt-install` instead and manage guests with `virsh` over SSH):
```bash
sudo apt install -y --no-install-recommends qemu-system-x86 libvirt-daemon-system virtinst
sudo usermod -aG kvm,libvirt $USER   # the input group is only needed for evdev (keyboard/mouse) passthrough
```
Create the VM, then add one `<hostdev>` per NIC function inside `<devices>` in the domain XML (`virsh edit <vm>`):
```xml
<hostdev mode='subsystem' type='pci' managed='yes'>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
  </source>
</hostdev>
```
(Repeat for each NIC function 0x0-0x3; `managed='yes'` lets libvirt bind the device to vfio-pci when the VM starts and hand it back when it stops.)
## Step 6: Performance Tweaks
CPU Pinning (for your 4C/8T i7-4790): on this CPU logical CPUs N and N+4 are the two SMT threads of the same physical core, so the mapping below gives the guest two complete cores with both threads. Confirm the pairing with `lscpu -e` or `cat /sys/devices/system/cpu/cpu0/topology/thread_siblings_list` before copying it, and set `<vcpu placement='static'>4</vcpu>` so all four pins are used:
```xml
<cputune>
  <vcpupin vcpu='0' cpuset='0'/>
  <vcpupin vcpu='1' cpuset='4'/>
  <vcpupin vcpu='2' cpuset='1'/>
  <vcpupin vcpu='3' cpuset='5'/>
</cputune>
```
Hugepages (1 GiB total): the default hugepage size is 2 MiB, so `vm.nr_hugepages = 8` reserves only 16 MiB; 512 pages make 1 GiB, and the number should scale with the guest's RAM. `sysctl -p` with no argument reads only `/etc/sysctl.conf`, so use `--system` to pick up the drop-in:
```bash
echo "vm.nr_hugepages = 512" | sudo tee /etc/sysctl.d/10-hugepages.conf
sudo sysctl --system
grep -E 'HugePages_(Total|Free)' /proc/meminfo
```
The reservation sits unused until the domain XML asks for it with `<memoryBacking><hugepages/></memoryBacking>`.
## Troubleshooting
- **Code 43 (NVIDIA GPU in a Windows guest)**: the NVIDIA driver refuses to start when it detects a hypervisor; this is an NVIDIA behaviour, not an AMD one (AMD cards have the reset bug instead). Hide the hypervisor inside `<features>`:
```xml
<features>
  <kvm>
    <hidden state='on'/>
  </kvm>
  <hyperv>
    <vendor_id state='on' value='1234567890ab'/>
  </hyperv>
</features>
```
- **IOMMU Group Issues**: detach the device from its host driver by hand and retry:
```bash
sudo virsh nodedev-detach pci_0000_03_00_0
```
  If the group also contains a device the host still uses, that is the real problem; the group listing from the prerequisites shows what shares it.
- **Performance Checks** (needs the `linux-perf` package):
```bash
sudo perf stat -e 'kvm:*' -a sleep 1
```
## Final Notes
- Your I350 NIC is ideal for pfSense/OPNsense VMs
- Consider CPU isolation for real-time workloads. The VM above is pinned to CPUs 0, 4, 1 and 5, so host work has to be pushed onto the *other* cores (2, 3, 6, 7), not onto the same ones; apply the same `AllowedCPUs` to `system.slice` and `init.scope` for full effect (this needs the cgroup v2 cpuset controller, which Debian 11+ uses by default):
```bash
sudo systemctl set-property --runtime -- user.slice AllowedCPUs=2,3,6,7
```
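The pinning table in Step 6 and the `AllowedCPUs` set above are two views of the same decision, and hand-writing both is where the mismatch came from. The following is an added example, not code from the original guide: it reads the SMT sibling pairs from sysfs, emits the `<cputune>` block for a given number of guest cores (each guest core gets one physical core with both threads), and prints the complementary CPU set for the host slices. It assumes 2-way SMT as on the i7-4790; `SYSFS` defaults to `/sys`, and the fixture below reproduces that CPU's topology.

```shell
#!/bin/sh
# Added example, not from the original guide: derive SMT sibling pairs from
# sysfs, emit the libvirt <cputune> block for N guest cores (each guest core gets
# one physical core, both threads), and print the complementary CPU set to keep
# host slices off the VM's cores. Assumes 2-way SMT. SYSFS defaults to /sys; the
# fixture below is constructed to match an i7-4790 (siblings N and N+4).

SYSFS=${SYSFS:-/sys}

# sibling_pairs: one "a,b" line per physical core, sorted, deduplicated
sibling_pairs() {
    for f in "$SYSFS"/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] && sed 's/-/,/' "$f"     # "0-1" (consecutive siblings) normalised to "0,1"
    done | sort -t, -k1,1n -u
    return 0
}

# vcpupin_xml N: <vcpu>, <cputune> and <cpu> topology for N guest cores (2N vCPUs)
vcpupin_xml() {
    n=$1
    echo "<vcpu placement='static'>$((n * 2))</vcpu>"
    echo "<cputune>"
    sibling_pairs | head -n "$n" | awk -F, -v q="'" '{
        printf "  <vcpupin vcpu=%s%d%s cpuset=%s%s%s/>\n", q, v, q, q, $1, q; v++
        printf "  <vcpupin vcpu=%s%d%s cpuset=%s%s%s/>\n", q, v, q, q, $2, q; v++ }'
    echo "</cputune>"
    echo "<cpu mode='host-passthrough'><topology sockets='1' cores='$n' threads='2'/></cpu>"
}

# host_cpus N: comma-separated logical CPUs left for the host after N cores go to the guest
host_cpus() {
    sibling_pairs | awk -F, -v n="$1" '
        NR <= n { used[$1]; used[$2] }
        { all[$1]; all[$2] }
        END { for (c in all) if (!(c in used)) print c }' | sort -n | paste -s -d ',' -
}

# make_cpu_fixture: constructed sysfs tree for a 4C/8T CPU whose siblings are N and N+4
make_cpu_fixture() {
    d=$(mktemp -d)
    for c in 0 1 2 3 4 5 6 7; do
        mkdir -p "$d/devices/system/cpu/cpu$c/topology"
        if [ "$c" -lt 4 ]; then echo "$c,$((c + 4))"; else echo "$((c - 4)),$c"; fi \
            > "$d/devices/system/cpu/cpu$c/topology/thread_siblings_list"
    done
    echo "$d"
}

if [ $# -eq 0 ]; then            # stand-alone: demonstrate on the fixture
    SYSFS=$(make_cpu_fixture)
    vcpupin_xml 2
    echo "# host slices: systemctl set-property --runtime user.slice AllowedCPUs=$(host_cpus 2)"
    rm -rf "$SYSFS"
else                             # e.g. sh pin.sh 2   (on the real host, SYSFS=/sys)
    vcpupin_xml "$1"
    echo "# keep the host off those cores with: AllowedCPUs=$(host_cpus "$1")"
fi
```

For two guest cores on the fixture this reproduces the guide's mapping (vcpu 0 and 1 on CPUs 0 and 4, vcpu 2 and 3 on CPUs 1 and 5) and prints `AllowedCPUs=2,3,6,7` for the host; asking for all four cores yields an empty host set, which is the signal that the host needs at least one core of its own.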
Want me to adapt this for a specific VM (e.g., networking appliance/gaming VM)?