the_information_nexus/tech_docs/linux/next_level_debian.md

Your document is already well-organized, but here are some suggestions to make it even better:

Structural Improvements:

  1. Split Into Multiple Files:

    • Consider separating the "Hardening Guide" and "PCIe Passthrough Guide" into two distinct files
    • Create a docs/ directory with:

      ```text
      docs/
      ├── hardening/
      │   ├── services.md
      │   ├── network.md
      │   └── kernel.md
      ├── virtualization/
      │   ├── pcie-passthrough.md
      │   └── kvm-optimization.md
      └── README.md (main index)
      ```

  2. Enhanced Navigation:

    Hardening | Passthrough


Content Improvements:

  1. Add Risk Indicators:

    ⚠️ Extreme Measures (Potential Breakage)

    ```bash
    sudo apt purge --auto-remove -y snapd lxd  # [!DANGER]
    ```

    Legend:
    [!NOTE] - Safe
    [!WARNING] - May affect functionality
    [!DANGER] - High breakage risk

  2. Version Compatibility:

    Compatibility Matrix

    | Debian Version | Kernel Min | Recommended |
    |----------------|------------|-------------|
    | Bookworm (12)  | 6.1.x      | 6.5+        |
    | Trixie (13)    | 6.6.x      | 6.8+        |


Automation Enhancements:

  1. Add Verification Scripts:

    ```bash
    #!/bin/bash
    # verify_hardening.sh
    echo "=== Service Check ==="
    systemctl list-units --type=service --state=running --no-pager | head -n 5

    echo "=== Immutable Files Check ==="
    # lsattr prints the immutable flag as the fifth attribute column,
    # e.g. "----i---------e------- /etc/passwd", so this matches only files with +i set
    lsattr /etc/passwd /etc/shadow | grep "----i"
    ```

  2. Include Rollback Procedures:

    Rollback Changes

    Revert SSH Hardening

    ```bash
    sudo sed -i 's/^PermitRootLogin no/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
    ```


Visual Improvements:

  1. Add ASCII Diagrams:

    Network Flow

    ```text
    [Internet] -> [nftables] -> (DROP)
                    └─[tcp dport 2222] -> [SSH]
    ```

  2. Include Hardware-Specific Notes:

    i7-4790 Specifics

    ```diff
    - Avoid assigning all cores to VM
    + Keep at least 1 physical core for host
    ```


Documentation Hygiene:

  1. Add Change Log:
    ## Revision History
    | Date       | Version | Changes               |
    |------------|---------|-----------------------|
    | 2024-06-01 | 1.1     | Added i350 NIC notes  |
    

Example Improved Section:

Priority Settings

```ini
# /etc/sysctl.d/99-hardening.conf
#
# Kernel pointer restrictions (1=hidden from unprivileged users, 2=hidden from everyone, root included)
kernel.kptr_restrict=2

# Disable unprivileged user namespace creation (Debian-specific sysctl)
kernel.unprivileged_userns_clone=0
```

Performance Impact: <5% CPU overhead on synthetic benchmarks

Would you like me to:

  1. Generate a complete revised version with these improvements?
  2. Create template files for the suggested directory structure?
  3. Focus on enhancing a specific section (e.g., PCIe passthrough)?

# Next-Level Debian Hardening & Minimalism

For power users who want maximum control, security, and performance from their Debian system.

## Table of Contents

  1. Service Hardening
  2. Network Lockdown
  3. Kernel Protections
  4. Filesystem Hardening
  5. User Environment
  6. Extreme Minimalism

## Service Hardening

### Disable Non-Essential Services

```bash
# List running services
sudo systemctl list-units --type=service --state=running

# Disable cron (if unused)
sudo systemctl disable --now cron.service

# Disable iperf3 (if not benchmarking)
sudo systemctl disable --now iperf3.service

# Disable systemd-logind (headless only)
sudo systemctl mask --now systemd-logind.service
```

### Harden SSH

```bash
# Note: Debian's sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf",
# and sshd keeps the first value it sees, so a drop-in there overrides these edits.
sudo sed -i -E \
  -e 's/^#?PermitRootLogin .*/PermitRootLogin no/' \
  -e 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' \
  -e 's/^#?ClientAliveInterval .*/ClientAliveInterval 300/' \
  -e 's/^#?MaxAuthTries .*/MaxAuthTries 3/' \
  /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart ssh   # syntax-check before restarting
```
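Because sshd resolves its configuration from the first matching keyword and Debian includes `/etc/ssh/sshd_config.d/*.conf` before the main file's own lines, the only reliable way to confirm the four settings above is to inspect the merged configuration that `sshd -T` prints. The audit function below is an added example, not part of the original guide; `WANT` and `audit_sshd_config` are names chosen here, and it reads `sshd -T` output on stdin so it can be exercised on a captured sample as well as on the live host.

```bash
#!/bin/bash
# Audit the effective sshd configuration against the guide's four settings.
# `sshd -T` prints the merged result as lowercase "keyword value" lines, so it
# reflects drop-ins under /etc/ssh/sshd_config.d/ that a sed on sshd_config misses.

# Expected values as lowercase keyword=value (list defined for this check).
WANT="permitrootlogin=no passwordauthentication=no clientaliveinterval=300 maxauthtries=3"

# audit_sshd_config: reads `sshd -T` output on stdin, prints one line per
# directive and returns 0 only when every expected directive matches.
audit_sshd_config() {
  local conf pair key want got rc=0
  conf=$(tr 'A-Z' 'a-z')     # keywords are case-insensitive; normalise anyway
  for pair in $WANT; do
    key=${pair%%=*}
    want=${pair#*=}
    # take the first line whose keyword matches; sshd -T emits each keyword once
    got=$(printf '%s\n' "$conf" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ -z "$got" ]; then
      echo "MISSING  $key (expected $want)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key=$got (expected $want)"; rc=1
    else
      echo "ok       $key=$got"
    fi
  done
  return "$rc"
}

# On the host: sudo sshd -T | audit_sshd_config
```

A `MISMATCH passwordauthentication=yes` after running the sed almost always means a drop-in such as cloud-init's `50-cloud-init.conf` is winning; fix it there rather than in the main file.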

### Restrict DBus

```bash
sudo mkdir -p /etc/systemd/system/dbus.service.d/
sudo tee /etc/systemd/system/dbus.service.d/harden.conf >/dev/null <<'EOF'
[Service]
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
EOF
sudo systemctl daemon-reload
# The drop-in takes effect the next time dbus.service starts; restarting dbus on a
# live system disconnects every client, so a reboot is the safe way to pick it up
```

## Network Lockdown

### nftables Firewall (Drop All Inbound Except SSH)

```bash
sudo nft flush ruleset
sudo nft -f - <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # accept ICMP and ICMPv6 ("ip protocol icmp" alone drops IPv6 neighbour discovery)
    meta l4proto { icmp, ipv6-icmp } accept
    # assumes sshd listens on 2222 (set "Port 2222" in sshd_config); use 22 otherwise
    tcp dport 2222 accept
  }
  # "policy" is only valid on base chains, so forward/output need a hook too
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
# Persist: nftables.service loads /etc/nftables.conf with "nft -f", which needs the
# shebang and a leading flush that "nft list ruleset" does not emit
{ echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; sudo nft list ruleset; } | sudo tee /etc/nftables.conf
sudo systemctl enable nftables
```

## Kernel Protections

### /etc/sysctl.d/99-hardening.conf

```bash
sudo tee /etc/sysctl.d/99-hardening.conf >/dev/null <<'EOF'
# Hide kernel pointers from everyone, root included (dmesg, /proc/kallsyms)
kernel.kptr_restrict=2
# Debian-specific sysctl: block unprivileged user namespaces
# (breaks rootless containers and some browser sandboxes)
kernel.unprivileged_userns_clone=0
# Restrict userfaultfd to privileged users; unprivileged programs rarely need it
vm.unprivileged_userfaultfd=0
# Constant blinding in the BPF JIT for all users
net.core.bpf_jit_harden=2
EOF
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
```

## Filesystem Hardening

### Immutable Critical Files

```bash
# While +i is set, passwd/useradd/visudo and package upgrades that touch these
# files will fail; run "chattr -i" on them first when a change is needed
sudo chattr +i /etc/passwd /etc/shadow /etc/group /etc/sudoers
```

### Disable SUID Binaries (Except Essentials)

```bash
# Needs root to modify root-owned binaries; /proc is pruned to avoid noise.
# -print records every path that is changed so the set can be restored later.
sudo find / -path /proc -prune -o -type f -perm /4000 \
  -not -path '/usr/bin/sudo' -not -path '/usr/bin/passwd' \
  -print -exec chmod u-s {} \;
```

## User Environment

### Secure ~/.bashrc

```bash
echo '
umask 077
alias ports="ss -tulnp | grep -vE '\''127.0.0.1|::1'\''"
' >> ~/.bashrc
```

## Extreme Minimalism

### Purge All Bloat

```bash
# Purging apparmor also removes the per-VM confinement libvirt applies to qemu
# on Debian, and purging unattended-upgrades ends automatic security updates
sudo apt purge --auto-remove -y \
  snapd lxd lxcfs cloud-init unattended-upgrades \
  apparmor policykit-1 popularity-contest
sudo apt autoremove -y --purge
```

### Replace journald with socklog

```bash
sudo apt install socklog-void
sudo systemctl disable --now systemd-journald
sudo systemctl enable --now socklog-unix
```

## Verification

```bash
# Check running services (should be < 5)
sudo systemctl list-units --type=service --state=running --no-pager

# Check running processes (should be < 20); --no-headers drops the ps header line
ps aux --no-headers | wc -l

# Check installed packages (should be < 150); count only installed ("ii") entries,
# not dpkg -l's header lines or removed-but-not-purged ("rc") packages
dpkg -l | grep -c '^ii'
```

Note: Adjust based on your needs. This is a starting point, not dogma.

### How to Use This Document
1. **Copy-paste** sections as needed
2. **Comment out** lines you don't need
3. **Add your own** customizations

---

Here's a **no-nonsense PCIe passthrough guide** for your Debian system, optimized for your **Intel i7-4790 + Intel I350 NIC** hardware:

---

# PCIe Passthrough Guide for Debian (VT-d Enabled Systems)

## Prerequisites
1. **BIOS Settings**:
   - Enable `VT-d` (Intel) or `AMD-Vi` (AMD)
   - Disable `CSM` (Legacy Boot)
   - Enable `Above 4G Decoding` if available

2. **Verify IOMMU Groups**:
   ```bash
   sudo apt install -y pciutils   # provides lspci, used by the loop below
   sudo dmesg | grep -i iommu  # Should show "DMAR: IOMMU enabled"
   for g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 | sort -V); do
     echo "IOMMU Group ${g##*/}:"
     for d in $g/devices/*; do
       echo -e "\t$(lspci -nns ${d##*/})"
     done
   done
   ```

## Step 1: Configure Kernel for Passthrough

Edit `/etc/default/grub`. Of these options, `intel_iommu=on iommu=pt` are the ones a NIC passthrough needs; `pcie_acs_override` is only honoured by kernels carrying the out-of-tree ACS override patch (stock Debian kernels ignore it), and `nofb nomodeset video=...:off` blank the host console and only matter for GPU passthrough:

```bash
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction nofb nomodeset video=vesafb:off,efifb:off"
```

Then update GRUB:

```bash
sudo update-grub
```

## Step 2: Isolate Target Devices

For your Intel I350 NIC (03:00.0 - 03:00.3):

```bash
# All four I350 functions share vendor:device 8086:1521, so one ids= entry claims them all
echo "options vfio-pci ids=8086:1521 disable_vga=1" | sudo tee /etc/modprobe.d/vfio.conf
# Make vfio-pci load before igb so the host driver never grabs the NIC
echo "softdep igb pre: vfio-pci" | sudo tee /etc/modprobe.d/igb.conf
```

## Step 3: Load Required Kernel Modules

```bash
# vfio_virqfd was folded into the vfio module in Linux 6.2; on newer kernels
# that line only produces a "module not found" message at boot and can be dropped
echo "vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd" | sudo tee /etc/modules-load.d/vfio.conf
sudo update-initramfs -u
```

## Step 4: Verify Device Isolation

Reboot, then check:

```bash
lspci -nnk -d 8086:1521  # Should show "Kernel driver in use: vfio-pci"
```
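Checking the driver of one function is not sufficient: VFIO hands over whole IOMMU groups, so every endpoint that shares the NIC's group must be on `vfio-pci` (or unbound) before the VM will start. The script below is an added example, not part of the original guide; it walks the group through sysfs, `SYSFS` is a variable so the check can be run against a constructed tree, and the function names are chosen here.

```bash
#!/bin/bash
# Report whether every device in the target's IOMMU group is ready for VFIO.
# SYSFS defaults to the real tree; it is a variable so the check can also be
# run against a constructed copy of the relevant sysfs paths.
SYSFS="${SYSFS:-/sys}"

# iommu_group_of BDF -> group number (fails when the device has no group,
# which usually means the IOMMU is disabled in firmware or on the cmdline)
iommu_group_of() {
  local link="$SYSFS/bus/pci/devices/$1/iommu_group"
  [ -L "$link" ] || return 1
  basename "$(readlink "$link")"
}

# driver_of BDF -> bound driver name, or "none" when the device is unbound
driver_of() {
  local link="$SYSFS/bus/pci/devices/$1/driver"
  if [ -L "$link" ]; then basename "$(readlink "$link")"; else echo none; fi
}

# vfio_group_ready BDF: prints one verdict line per group member and returns
# 0 when the group can be passed through, 1 when a host driver still holds a
# member, 2 when the device has no IOMMU group at all.
vfio_group_ready() {
  local bdf="$1" group path dev drv rc=0
  group=$(iommu_group_of "$bdf") || { echo "$bdf: no IOMMU group"; return 2; }
  for path in "$SYSFS/kernel/iommu_groups/$group/devices"/*; do
    dev=${path##*/}
    drv=$(driver_of "$dev")
    case "$drv" in
      # vfio-pci and pci-stub are what VFIO accepts; pcieport marks a bridge,
      # which the kernel exempts from the group viability check
      vfio-pci|pci-stub|pcieport|none) echo "group $group: $dev -> $drv (ok)" ;;
      *) echo "group $group: $dev -> $drv (still bound to a host driver)"; rc=1 ;;
    esac
  done
  return "$rc"
}
```

On the host, `vfio_group_ready 0000:03:00.0` should print an `ok` line for each I350 function; any `still bound` line names the group member that must also be moved to `vfio-pci` or unbound before the `<hostdev>` entries in Step 5 will work.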

## Step 5: KVM/QEMU Setup

Install minimal virtualization stack:

```bash
sudo apt install -y --no-install-recommends qemu-system-x86 libvirt-daemon-system virt-manager
sudo usermod -aG kvm,input,libvirt $USER
```

Create VM XML (for NIC passthrough):

```xml
<hostdev mode='subsystem' type='pci' managed='yes'>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
  </source>
</hostdev>
```

(Repeat for each NIC function 0x0-0x3)

## Step 6: Performance Tweaks

CPU Pinning (for your 4C/8T i7-4790; threads N and N+4 are hyperthread siblings of one core):

```xml
<cputune>
  <vcpupin vcpu='0' cpuset='0'/>
  <vcpupin vcpu='1' cpuset='4'/>
  <vcpupin vcpu='2' cpuset='1'/>
  <vcpupin vcpu='3' cpuset='5'/>
</cputune>
```

Hugepages (1GB):

```bash
# Default hugepage size on x86-64 is 2 MiB, so 512 pages = 1 GiB (8 pages would reserve only 16 MiB)
echo "vm.nr_hugepages = 512" | sudo tee /etc/sysctl.d/10-hugepages.conf
sudo sysctl -p /etc/sysctl.d/10-hugepages.conf   # bare "sysctl -p" reads only /etc/sysctl.conf
```

## Troubleshooting

  1. Error 43 (AMD GPU): Use hidden state and vendor_id:

    ```xml
    <kvm>
      <hidden state='on'/>
    </kvm>
    <hyperv>
      <vendor_id state='on' value='1234567890ab'/>
    </hyperv>
    ```

  2. IOMMU Group Issues: Try:

    ```bash
    sudo virsh nodedev-detach pci_0000_03_00_0
    ```

  3. Performance Checks:

    ```bash
    sudo perf stat -e 'kvm:*' -a sleep 1
    ```


## Final Notes

  • Your I350 NIC is ideal for pfSense/OPNsense VMs
  • Consider CPU isolation for real-time workloads. The cputune above pins the VM to threads 0,4,1,5, so confine the host's own processes to the remaining threads:
    ```bash
    # Threads 2,3,6,7 are the ones not pinned to the VM; do the same for system.slice to keep daemons off the VM cores
    sudo systemctl set-property --runtime -- user.slice AllowedCPUs=2,3,6,7
    ```


Want me to adapt this for a specific VM (e.g., networking appliance/gaming VM)?