From afdc895301dadc6575fda08a2e9f077a561b14b1 Mon Sep 17 00:00:00 2001 From: blackcat568 Date: Mon, 27 Oct 2025 15:27:25 +0200 Subject: [PATCH] =?UTF-8?q?Warning:=20Targeted=20Cyber=20Attacks=20on=20Us?= =?UTF-8?q?ers=20=E2=80=94=20How=20to=20Protect=20Your=20Linux=20System?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime. The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats. --- hardening_linux.md | 302 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 302 insertions(+) create mode 100644 hardening_linux.md diff --git a/hardening_linux.md b/hardening_linux.md new file mode 100644 index 0000000..35e9ef9 --- /dev/null +++ b/hardening_linux.md 
@@ -0,0 +1,302 @@ +Warning: Targeted Cyber Attacks on Users — How to Protect Your Linux System +Cybersecurity Measures Against Targeted Attacks + +This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime. The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats. + +Since 2011 (for over 14 years), I have been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance. + +Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity. + +They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled. + +Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What I describe is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion. + +Since early 2025, I have fully switched to Linux, using the Debian distribution. I am writing here because, among Linux users, it is possible to discuss real protective measures and digital independence. + +At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice. + +However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential. + +Below, I share methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access. 
Apply the most secure configurations available, especially if you store sensitive personal or professional information. + +Kali Linux is installed on my PC as a secondary system. I am currently actively studying how to use its potential for defending against hackers. I am also continuing to work on the configuration of my primary system — Debian 12 — which contains all my private information. + +Linux system hardening recommendations: + +1. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should be not merely password-protected or disabled, but completely removed from the system. If you do need a remote-access service, use strong passwords of 16–20 characters. + +2. Configure a system-wide VPN (for example, ProtonVPN) so that all system traffic goes through it — not only browser traffic or that of specific applications. Use the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards. + +3. Where possible, move away from the Google ecosystem and switch to more privacy-focused alternatives (for example, proton.me and other security-oriented services). Keep in mind that many Google services send telemetry to the cloud that can be intercepted by an attacker. + +4. Use application confinement tools such as AppArmor; even better — switch to SELinux. If you have difficulties configuring SELinux, seek help from specialists or use AI-based tools. +My SELinux config is attached below. + +5. Use advanced network filtering settings: iptables or nftables, or a commercial firewall. +My nftables config is attached below. + +6. Configure kernel parameters for maximum security (sysctl hardening). +My 99-protect.conf config is attached below. + +7. Test the system for vulnerabilities using scanners (for example, LUNIS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review. + +8. 
Periodically capture traffic with tcpdump, Wireshark, and Zeek. Logs can be sent to specialists or AI tools for analysis. + +These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult. + +And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers of citizens and organizations that refuse to live and work under totalitarianism. + +SELinux config: + +```console +root@user:/home/user# sestatus +SELinux status: enabled +SELinuxfs mount: /sys/fs/selinux +SELinux root directory: /etc/selinux +Loaded policy name: default +Current mode: enforcing +Mode from config file: enforcing +Policy MLS status: enabled +Policy deny_unknown status: allowed +Memory protection checking: actual (secure) +Max kernel policy version: 33 +root@user:/home/user# sestatus -v +SELinux status: enabled +SELinuxfs mount: /sys/fs/selinux +SELinux root directory: /etc/selinux +Loaded policy name: default +Current mode: enforcing +Mode from config file: enforcing +Policy MLS status: enabled +Policy deny_unknown status: allowed +Memory protection checking: actual (secure) +Max kernel policy version: 33 + +Process contexts: +Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 +Init context: system_u:system_r:init_t:s0 +/sbin/agetty system_u:system_r:getty_t:s0 + +File contexts: +Controlling terminal: unconfined_u:object_r:user_devpts_t:s0 +/etc/passwd system_u:object_r:etc_t:s0 +/etc/shadow system_u:object_r:unlabeled_t:s0 +/bin/bash system_u:object_r:shell_exec_t:s0 +/bin/login system_u:object_r:login_exec_t:s0 +/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0 +/sbin/agetty system_u:object_r:getty_exec_t:s0 +/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0 +/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> 
system_u:object_r:ld_so_t:s0 +``` + +nftables config: + +```bash +#!/usr/sbin/nft -f + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; + policy drop; + + # 🌀 Allow loopback interface (internal processes) + iif "lo" accept + + # 🔁 Allow established and related connections + ct state established,related accept + + # 🔒 Limit new connections from a single IP (anti-DDoS) + ip saddr 0.0.0.0/0 ct state new limit rate 5/second accept + ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all + ip saddr 0.0.0.0/0 ct state new drop + + # 🛡️ Limit pings + ip protocol icmp icmp type echo-request limit rate 1/second accept + ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all + ip protocol icmp icmp type echo-request drop + + # 🚫 Block SSDP and mDNS (local broadcast protocols) + ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery) + ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi) + + # 🛑 Block NetBIOS and LLMNR (Windows/systemd LAN protocols) + udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names) + udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN recognition) + udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution) + + # 🧱 Block known botnets and proxies + ip saddr { + 45.9.20.0/24, + 89.248.160.0/19, + 185.220.100.0/22, + 198.96.155.0/24, + 185.107.56.0/24, + 185.129.62.0/23 + } log prefix "🔥 BAN: known bots " flags all + ip saddr { + 45.9.20.0/24, + 89.248.160.0/19, + 185.220.100.0/22, + 198.96.155.0/24, + 185.107.56.0/24, + 185.129.62.0/23 + } drop + + # 🚫 Block strange TCP flags (XMAS, NULL scan, etc.) 
+ tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan + tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan + tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan + tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan + tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan + + # 🚫 Block fragmented packets — often used to bypass filters + ip frag-off & 0x1fff != 0 drop + + # 🔒 Block packets with fake IPs (spoofing) + ip saddr 127.0.0.0/8 drop # localhost + ip saddr 10.0.0.0/8 drop # private network + ip saddr 172.16.0.0/12 drop # private network + ip saddr 192.168.0.0/16 drop # private network + ip saddr 169.254.0.0/16 drop # APIPA + ip saddr 0.0.0.0/8 drop # invalid address + ip saddr 224.0.0.0/4 drop # multicast + ip saddr 240.0.0.0/5 drop # reserved + } + + chain forward { + type filter hook forward priority 0; + policy accept; + + # 🔒 Limit new connections from a single IP (anti-DDoS) + ip saddr 0.0.0.0/0 ct state new limit rate 5/second accept + ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all + ip saddr 0.0.0.0/0 ct state new drop + + # 🛡️ Limit pings + ip protocol icmp icmp type echo-request limit rate 1/second accept + ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all + ip protocol icmp icmp type echo-request drop + + tcp dport {80, 443, 53} accept + + # 🛑 Privileged ports + tcp dport {1-1023} drop + + # 🚫 Suspicious outgoing + tcp dport { + 22, 23, 21, 137, 138, 139, 445, 3389, 5900, + 4444, 8080, 3306, 1433, 1434, 1900, 9200, + 5555, 1337, 9001, 1234 + } drop + tcp dport {5000-5999, 7000-7999, 9000-9999} drop + + # ⚠️ Scanner ports + tcp dport {1080, 3128, 8000, 8080, 8888, 10000} drop + udp dport {161, 162} drop + + # 🕷️ Suspicious IPs + ip saddr { + 185.0.0.0/8, 37.0.0.0/8, 88.0.0.0/8, + 77.0.0.0/8, 91.0.0.0/8 + } drop + } + + chain output { + type filter hook output priority 0; + policy accept; + + # 🔒 Limit new connections from a single IP (anti-DDoS) 
+ ip saddr 0.0.0.0/0 ct state new limit rate 5/second accept + ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all + ip saddr 0.0.0.0/0 ct state new drop + + # 🛡️ Limit pings + ip protocol icmp icmp type echo-request limit rate 1/second accept + ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all + ip protocol icmp icmp type echo-request drop + + tcp dport {80, 443, 53} accept + + tcp dport {1-1023} drop + + tcp dport { + 22, 23, 21, 137, 138, 139, 445, 3389, 5900, + 4444, 8080, 3306, 1433, 1434, 1900, 9200, + 5555, 1337, 9001, 1234 + } drop + tcp dport {5000-5999, 7000-7999, 9000-9999} drop + + tcp dport {1080, 3128, 8000, 8080, 8888, 10000} drop + udp dport {161, 162} drop + + ip saddr { + 185.0.0.0/8, 37.0.0.0/8, 88.0.0.0/8, + 77.0.0.0/8, 91.0.0.0/8 + } drop + } +} +``` + +sysctl config +kernel parameters configuration + +/etc/sysctl.d/99-protect.conf + +```bash +# 1 Ignore ICMP on interfaces +net.ipv4.icmp_echo_ignore_all = 1 + +# 2 Do not respond to ICMP broadcast (against Smurf attacks) +net.ipv4.icmp_echo_ignore_broadcasts = 1 + +# 3 Enable SYN backlog reduction +net.ipv4.tcp_syncookies = 1 + +# 4 Disable source routing +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 + +# 5 Log packets with incorrect routing +net.ipv4.conf.all.log_martians = 1 +net.ipv4.conf.default.log_martians = 1 + +# 6 Disable ICMP Redirects +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 + +# 7 Disable packet forwarding +net.ipv4.ip_forward = 0 + +# 8 Disable IPv6 support +net.ipv4.conf.all.disable_ipv6 = 1 +net.ipv4.conf.default.disable_ipv6 = 1 + +# 9 Prevent sending TCP segments with null windows +net.ipv4.tcp_rfc1337 = 1 + +# 10 Disable ARP filtering for automatic routing +net.ipv4.conf.all.arp_filter = 1 +net.ipv4.conf.default.arp_filter = 1 + +# 11 Limit the maximum size of the incoming TCP window +net.ipv4.tcp_rmem = 4096 87380 4194304 
+net.ipv4.tcp_wmem = 4096 65536 4194304 + +# 12 Drop packets with incorrect checksums +net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1 +net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1 + +# 13 Disable IPv6 forwarding +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 + +# 14 Limit the maximum number of SYN packet retries +net.ipv4.tcp_synack_retries = 2 + +# 15 Increase routing cache lifetime +net.ipv4.route.max_size = 32768 +``` + +If you can suggest improvements to these configurations or other system settings, and provide any advice on enhancing security in my situation, please give me feedback.
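Review bot: the input chain's `policy drop` is undone by the first anti-DDoS rule, `ip saddr 0.0.0.0/0 ct state new limit rate 5/second accept`: every new inbound connection to any port is accepted while the global rate stays under 5/s, and anything above that is dropped by the third rule, so no new-state packet ever reaches the SSDP/mDNS, NetBIOS, bot-list, TCP-flag or anti-spoofing rules that follow; they are dead rules. `limit rate` is also one global counter, not a per-source limit as the comment says; a per-IP limit needs a dynamic set keyed on the source (a `set` with `type ipv4_addr; flags dynamic;` and a rule of the form `add @name { ip saddr limit rate over 5/second } drop`). With `policy drop` plus `ct state established,related accept`, unsolicited inbound traffic is already refused, so the three `0.0.0.0/0` rules can be removed from input outright, and the spoofing and flag checks should sit before any accept rule rather than after it.

The same three rules in the output chain cap the machine's own outbound new connections at 5/s globally, which a single browser page load exceeds, after which connections are silently dropped and logged as "too many conn". Output also drops `tcp dport {1-1023}` and the listed port set, so outbound SSH (22), SMTP submission (465/587) and IMAPS (993) stop working, and its final block matches `ip saddr` on whole /8 ranges (`185.0.0.0/8, 37.0.0.0/8, 88.0.0.0/8, 77.0.0.0/8, 91.0.0.0/8`), which on the output hook is the local address, so the rule never matches; as a destination filter it would cut off large blocks of ordinary European address space. In the flag rules, `tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan` is SYN+FIN, not SYN-ACK, and the last two rules are both labelled "Xmas scan". The forward chain is irrelevant on a desktop with `net.ipv4.ip_forward = 0`.

In 99-protect.conf, `net.ipv4.conf.all.disable_ipv6` and `net.ipv4.conf.default.disable_ipv6` (#8) are not valid keys; `sysctl --system` will report them as missing. The correct `net.ipv6.conf.*` keys appear under #13, which disables IPv6 entirely, not only forwarding. Several other comments do not describe their keys: `tcp_rfc1337` protects against TIME-WAIT assassination rather than "null windows", `arp_filter = 1` enables ARP filtering rather than disabling it, `tcp_rmem`/`tcp_wmem` are socket buffer sizes with no security effect, `drop_unicast_in_l2_multicast` has nothing to do with checksums, and `net.ipv4.route.max_size` is not a cache lifetime and has been a no-op since the routing cache was removed in Linux 3.6. `icmp_echo_ignore_all = 1` also makes the nftables ping rate-limit rules redundant. Suggest adding the standard keys the file lacks: `net.ipv4.conf.all.rp_filter = 1` (and `.default`), `net.ipv4.conf.all.send_redirects = 0` (and `.default`), `kernel.kptr_restrict = 2`, `kernel.dmesg_restrict = 1`, `kernel.yama.ptrace_scope = 1`, `fs.protected_symlinks = 1` and `fs.protected_hardlinks = 1`.

The "SELinux config" section is `sestatus` output, not a configuration, and it reveals two problems: `/etc/shadow system_u:object_r:unlabeled_t:s0` means the filesystem was never relabeled after SELinux was enabled (the expected type is `shadow_t`; run `restorecon -Rv /` or `touch /.autorelabel` and reboot), and the session runs as `unconfined_u:unconfined_r:unconfined_t`, so the default policy is not confining the user's processes at all. Finally, the scanner named "LUNIS" in item 7 is Lynis.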