Closed
302 changes: 302 additions & 0 deletions hardening_linux.md
@@ -0,0 +1,302 @@
Warning: Targeted Cyber Attacks on Users — How to Protect Your Linux System
Cybersecurity Measures Against Targeted Attacks

This guide is based on personal experience with targeted attacks originating from state-sponsored actors associated with a totalitarian regime. The goal is to help users strengthen the security posture of Linux systems against advanced persistent threats.

Since 2011 (for over 14 years), I have been targeted by a complex set of attacks that include system intrusions, surveillance, psychological pressure, and blackmail based on personal data obtained through such surveillance.

Attackers can gain full control over a PC and steal personal information, often leaving almost no traces. Occasionally, such activity manifests as sudden cursor movements, system slowdowns, or unexplained network activity.

They also monitor Internet traffic and can compromise passwords when those passwords are weak or when two-factor authentication is not enabled.

Please note that such targeted attacks against individuals — both within and outside of authoritarian states — are a real and growing threat. What I describe is not speculation, but the result of many years of firsthand experience resisting cyberattacks and attempted extortion.

Since early 2025, I have fully switched to Linux, using the Debian distribution. I am writing here because, among Linux users, it is possible to discuss real protective measures and digital independence.

At the same time, please share this information with Windows users, explaining how vulnerable Windows systems are to hacking and why switching to Ubuntu or another Linux distribution is a much safer choice.

However, installing Debian or any other Linux distribution alone does not guarantee protection from surveillance — proper configuration is essential.

Below, I share methods for configuring Debian 12 (and other Linux systems) to strengthen protection against hacking and unauthorized access. Apply the most secure configurations available, especially if you store sensitive personal or professional information.

Kali Linux is installed on my PC as a secondary system. I am currently actively studying how to use its potential for defending against hackers. I am also continuing to work on the configuration of my primary system — Debian 12 — which contains all my private information.

Linux system hardening recommendations:

1. If the OS is installed on a desktop that does not serve as a server, disable and remove all remote access services. They should be not merely password-protected or disabled, but completely removed from the system. If you do need a remote-access service, use strong passwords of 16–20 characters.

2. Configure a system-wide VPN (for example, ProtonVPN) so that all system traffic goes through it — not only browser traffic or that of specific applications. Use the “killswitch” mode and disable it only when necessary, re-enabling it immediately afterwards.

3. Where possible, move away from the Google ecosystem and switch to more privacy-focused alternatives (for example, proton.me and other security-oriented services). Keep in mind that many Google services send telemetry to the cloud that can be intercepted by an attacker.

4. Use application confinement tools such as AppArmor; even better — switch to SELinux. If you have difficulties configuring SELinux, seek help from specialists or use AI-based tools.
My SELinux config is attached below.

5. Use advanced network filtering settings: iptables or nftables, or a commercial firewall.
My nftables config is attached below.

6. Configure kernel parameters for maximum security (sysctl hardening).
My 99-protect.conf config is attached below.

7. Test the system for vulnerabilities using scanners (for example, LUNIS, Nessus). Test results can be analyzed using tools and, if necessary, AI — provide the logs for review.

8. Periodically capture traffic with tcpdump, Wireshark, and Zeek. Logs can be sent to specialists or AI tools for analysis.

These measures will significantly complicate a hacker’s task and make the unnoticed collection of personal data more difficult.

And most importantly — give up the illusion of complete security. We live in conditions of a severe information war, and everyone must make efforts so that malicious actors cannot freely spy on desktops and servers of citizens and organizations that refuse to live and work under totalitarianism.

SELinux config:

```console
root@user:/home/user# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
root@user:/home/user# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/agetty system_u:system_r:getty_t:s0

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:unlabeled_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
```

nftables config:

```bash
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
chain input {
type filter hook input priority 0;
policy drop;

# 🌀 Allow loopback interface (internal processes)
iif "lo" accept

# 🔁 Allow established and related connections
ct state established,related accept

# 🔒 Limit new connections from a single IP (anti-DDoS)
ip saddr 0.0.0.0/0 ct state new limit rate 5/second accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# 🛡️ Limit pings
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

# 🚫 Block SSDP and mDNS (local broadcast protocols)
ip daddr 239.255.255.250 udp dport 1900 drop # ❌ SSDP (UPnP/device discovery)
ip daddr 224.0.0.251 udp dport 5353 drop # ❌ mDNS (Bonjour, Avahi)

# 🛑 Block NetBIOS and LLMNR (Windows/systemd LAN protocols)
udp dport 137 drop # ❌ NetBIOS Name Service (Windows network names)
udp dport 138 drop # ❌ NetBIOS Datagram Service (LAN recognition)
udp dport 5355 drop # ❌ LLMNR (Link-Local Multicast Name Resolution)

# 🧱 Block known botnets and proxies
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} log prefix "🔥 BAN: known bots " flags all
ip saddr {
45.9.20.0/24,
89.248.160.0/19,
185.220.100.0/22,
198.96.155.0/24,
185.107.56.0/24,
185.129.62.0/23
} drop

# 🚫 Block strange TCP flags (XMAS, NULL scan, etc.)
tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop # NULL scan
tcp flags & (fin|psh|urg) == (fin|psh|urg) drop # XMAS scan
tcp flags & (fin|syn) == (fin|syn) drop # SYN-ACK scan
tcp flags & (syn|rst|fin) == (syn|rst|fin) drop # Xmas scan
tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop # Xmas scan

# 🚫 Block fragmented packets — often used to bypass filters
ip frag-off & 0x1fff != 0 drop

# 🔒 Block packets with fake IPs (spoofing)
ip saddr 127.0.0.0/8 drop # localhost
ip saddr 10.0.0.0/8 drop # private network
ip saddr 172.16.0.0/12 drop # private network
ip saddr 192.168.0.0/16 drop # private network
ip saddr 169.254.0.0/16 drop # APIPA
ip saddr 0.0.0.0/8 drop # invalid address
ip saddr 224.0.0.0/4 drop # multicast
ip saddr 240.0.0.0/5 drop # reserved
}

chain forward {
type filter hook forward priority 0;
policy accept;

# 🔒 Limit new connections from a single IP (anti-DDoS)
ip saddr 0.0.0.0/0 ct state new limit rate 5/second accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# 🛡️ Limit pings
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

tcp dport {80, 443, 53} accept

# 🛑 Privileged ports
tcp dport {1-1023} drop

# 🚫 Suspicious outgoing
tcp dport {
22, 23, 21, 137, 138, 139, 445, 3389, 5900,
4444, 8080, 3306, 1433, 1434, 1900, 9200,
5555, 1337, 9001, 1234
} drop
tcp dport {5000-5999, 7000-7999, 9000-9999} drop

# ⚠️ Scanner ports
tcp dport {1080, 3128, 8000, 8080, 8888, 10000} drop
udp dport {161, 162} drop

# 🕷️ Suspicious IPs
ip saddr {
185.0.0.0/8, 37.0.0.0/8, 88.0.0.0/8,
77.0.0.0/8, 91.0.0.0/8
} drop
}

chain output {
type filter hook output priority 0;
policy accept;

# 🔒 Limit new connections from a single IP (anti-DDoS)
ip saddr 0.0.0.0/0 ct state new limit rate 5/second accept
ip saddr 0.0.0.0/0 ct state new log prefix "🔥 BAN: too many conn " flags all
ip saddr 0.0.0.0/0 ct state new drop

# 🛡️ Limit pings
ip protocol icmp icmp type echo-request limit rate 1/second accept
ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
ip protocol icmp icmp type echo-request drop

tcp dport {80, 443, 53} accept

tcp dport {1-1023} drop

tcp dport {
22, 23, 21, 137, 138, 139, 445, 3389, 5900,
4444, 8080, 3306, 1433, 1434, 1900, 9200,
5555, 1337, 9001, 1234
} drop
tcp dport {5000-5999, 7000-7999, 9000-9999} drop

tcp dport {1080, 3128, 8000, 8080, 8888, 10000} drop
udp dport {161, 162} drop

ip saddr {
185.0.0.0/8, 37.0.0.0/8, 88.0.0.0/8,
77.0.0.0/8, 91.0.0.0/8
} drop
}
}
```

sysctl config
kernel parameters configuration

/etc/sysctl.d/99-protect.conf

```bash
# 1 Ignore ICMP on interfaces
net.ipv4.icmp_echo_ignore_all = 1

# 2 Do not respond to ICMP broadcast (against Smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 3 Enable SYN backlog reduction
net.ipv4.tcp_syncookies = 1

# 4 Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# 5 Log packets with incorrect routing
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 6 Disable ICMP Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# 7 Disable packet forwarding
net.ipv4.ip_forward = 0

# 8 Disable IPv6 support
net.ipv4.conf.all.disable_ipv6 = 1
net.ipv4.conf.default.disable_ipv6 = 1

# 9 Prevent sending TCP segments with null windows
net.ipv4.tcp_rfc1337 = 1

# 10 Disable ARP filtering for automatic routing
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1

# 11 Limit the maximum size of the incoming TCP window
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# 12 Drop packets with incorrect checksums
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1

# 13 Disable IPv6 forwarding
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 14 Limit the maximum number of SYN packet retries
net.ipv4.tcp_synack_retries = 2

# 15 Increase routing cache lifetime
net.ipv4.route.max_size = 32768
```

If you can suggest improvements to these configurations or other system settings, and provide any advice on enhancing security in my situation, please give me feedback.
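Review bot: the "anti-DDoS" rule at the top of the nftables input chain undoes the `policy drop`: `ip saddr 0.0.0.0/0 ct state new limit rate 5/second accept` matches every new inbound connection to any port from any address, so the host accepts unsolicited connections to anything that is listening (at up to five per second), and the scan-flag and anti-spoofing drops below it are only reached once that budget is exhausted. It is also a single global counter, not a per-source limit as the comment says; a per-source limit needs a dynamic set, e.g. `set newconn { type ipv4_addr; flags dynamic; timeout 1m; }` in the table and `ct state new add @newconn { ip saddr limit rate over 5/second } drop` in the chain, with new inbound connections otherwise left to the drop policy unless a specific port is deliberately opened. The same global limit copied into the output chain throttles the host's own new connections to five per second, so a browser page load or an `apt` run that opens more streams than that loses the rest, and `ip saddr { 185.0.0.0/8, ... } drop` in the output chain tests the local machine's own address rather than the destination (the intent reads as `ip daddr`). The TCP-flag comments do not match the expressions: `tcp flags & (fin|syn) == (fin|syn)` is a SYN+FIN combination, not a "SYN-ACK scan", and three different rules are labelled "Xmas". In 99-protect.conf, `net.ipv4.conf.all.disable_ipv6` and `net.ipv4.conf.default.disable_ipv6` (item 8) are not kernel keys, so `sysctl --system` will report them as missing; the working keys are the `net.ipv6.conf.*` ones in item 13, and item 8 can be dropped. Several comments there describe something other than what the key does: `tcp_rfc1337 = 1` protects TIME-WAIT sockets from premature reset (RFC 1337), `arp_filter = 1` enables rather than disables ARP filtering, `drop_unicast_in_l2_multicast` concerns unicast IP packets arriving in link-layer multicast frames, not checksums, and `net.ipv4.route.max_size` has had no effect since the IPv4 routing cache was removed in kernel 3.6. Since spoofed sources are a stated concern, `net.ipv4.conf.all.rp_filter = 1` and `net.ipv4.conf.all.send_redirects = 0` belong in this file as well. In the `sestatus -v` output, `/etc/shadow system_u:object_r:unlabeled_t:s0` shows the filesystem was not relabelled after SELinux was enabled (shadow should carry `shadow_t` under the default policy); run `touch /.autorelabel`, reboot, and re-check before relying on enforcing mode. The session context `unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023` also means the interactive user is not confined by the default policy, which the text should say so readers do not expect more than the policy provides. Finally, item 7 names the scanner as "LUNIS"; the tool is Lynis.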