94 lines
2.3 KiB
Text
94 lines
2.3 KiB
Text
#Install fail2ban
|
|
|
|
doas pacman -S fail2ban fail2ban-runit
|
|
|
|
doas ln -s /etc/runit/sv/fail2ban /run/runit/service/
|
|
|
|
doas cp ~/Documents/notes/jail.local /etc/fail2ban/
|
|
|
|
doas sv start fail2ban
|
|
|
|
#Set up apparmor (basic security measure)
|
|
|
|
doas pacman -S apparmor apparmor-runit audit audit-runit python-notify2 python-psutil
|
|
|
|
doas ln -s /etc/runit/sv/auditd /run/runit/service/
|
|
|
|
doas sv start auditd
|
|
|
|
Create an audit group, add $USER to it, and add audit group to /etc/audit/auditd.conf:
|
|
|
|
doas groupadd -r audit
|
|
doas gpasswd -a $USER audit
|
|
|
|
/etc/audit/auditd.conf
|
|
|
|
log_group = audit
|
|
|
|
In /etc/rc/apparmor.conf, uncomment enforce mode
|
|
|
|
In /etc/default/grub, rewrite the line at CMDLINE as such (be exact and careful here):
|
|
|
|
GRUB_CMDLINE_LINUX="lsm=landlock,lockdown,yama,apparmor,bpf net.ifnames=0"
|
|
|
|
grub-mkconfig -o /boot/grub/grub.cfg
|
|
|
|
reboot
|
|
|
|
If all went well run aa-enabled, which should yield "Yes"
|
|
|
|
aa-enabled
|
|
|
|
Now load simple defaults:
|
|
|
|
doas apparmor_parser /usr/share/apparmor/extra-profiles/
|
|
|
|
And reboot again, you should have some sane security defaults now.
|
|
|
|
Setup Device Level DNS Resolver:
|
|
|
|
Install stubby and dnsmasq-runit:
|
|
doas pacman -S stubby stubby-runit dnsmasq-runit
|
|
doas ln -s /etc/runit/sv/stubby /run/runit/service/
|
|
doas ln -s /etc/runit/sv/dnsmasq/ /run/runit/service/
|
|
|
|
Adjust stubby init script to:
|
|
exec chpst -U stubby stubby
|
|
|
|
Adjust stubby config file:
|
|
doas nvim /etc/stubby/stubby.yml
|
|
Adjust the listen_addresses field:
|
|
listen_addresses:
|
|
- 127.0.0.1@54
|
|
- 0::1@54
|
|
Comment out all DEFAULT UPSTREAM and add Mullvad upstream_recursive_servers:
|
|
- address_data: 194.242.2.4
|
|
tls_auth_name: "base.dns.mullvad.net"
|
|
- address_data: 2a07:e340::4
|
|
tls_auth_name: "base.dns.mullvad.net"
|
|
Be aware of yaml's needs for proper indentation (copy and paste from DEFAULT UPSTREAM to be sure)
|
|
|
|
Adjust dnsmasq config file:
|
|
doas nvim /etc/dnsmasq.conf
|
|
Ensure default port is 53:
|
|
port=53
|
|
Adjust listening server:
|
|
server=127.0.0.1#54
|
|
listen-address=127.0.0.1
|
|
Uncomment no-resolv:
|
|
no-resolv
|
|
|
|
Edit /etc/resolv.conf to have the following:
|
|
nameserver ::1
|
|
nameserver 127.0.0.1
|
|
options trust-ad
|
|
|
|
And make resolv.conf immutable:
|
|
doas chattr +i /etc/resolv.conf
|
|
|
|
Start stubby and dnsmasq:
|
|
doas sv start stubby && doas sv start dnsmasq
|
|
You may have to kill port 53 before this will work.
|
|
|
|
Test, visit (with browser with no DNS on):
|
|
https://mullvad.net/en/check
|