From 0cad31f58dfb769e3b223d14de00ad30e75df86c Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 5 Aug 2023 20:17:48 -0700 Subject: [PATCH 01/13] MTA-STS (#147) Signed-off-by: Thien Tran --- ...STS with a custom domain on Proton Mail.md | 94 +++++++++++++++++++ external-blogs.sh | 15 ++- 2 files changed, 107 insertions(+), 2 deletions(-) create mode 100644 content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md diff --git a/content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md b/content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md new file mode 100644 index 0000000..24581b2 --- /dev/null +++ b/content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md 
@@ -0,0 +1,94 @@ +--- +title: "Setting up MTA-STS with a custom domain on Proton Mail" +date: 2023-07-13T10:00:00Z +tags: ['Knowledge base', 'Security'] +author: Wonderfall +canonicalURL: https://wonderfall.dev/mta-sts/ +ShowCanonicalLink: true +--- + +To this date, [Proton Mail doesn't support MTA-STS for custom domains](https://old.reddit.com/r/ProtonMail/comments/y6q6g8/mtasts_for_custom_domains/). While DANE for SMTP is a much better solution to the same problem, MTA-STS exists for a reason: many providers are slow at adopting DNSSEC. DNSSEC is essential to enabling standards such as DANE or SSHFP. Notably, [Gmail still does not support DANE](https://www.hardenize.com/report/gmail.com/1689164394#email_dane) but has supported MTA-STS for years. + +Therefore, MTA-STS and DANE can complement each other, and you should ideally deploy both. + + +## Why bother? A tale of DANE... +Mail security is challenging and complex, and humanity might never get it right. Unfortunately, we still rely on this ancient technology for nearly everything. Attempts to make SMTP more resilient and secure have been made in the past, including opportunistic transport encryption (STARTTLS). One tricky issue is that implementing TLS alone in this case does not prevent man-in-the-middle or various downgrade attacks (such as STRIPTLS) from happening. + +**DANE for SMTP** ([RFC 7672](https://datatracker.ietf.org/doc/html/rfc7672)) is an elegant solution to address these issues. DANE relies on **DNSSEC** to protect **TLSA records** of the same DNS zone as the SMTP server. TLSA records indicate that TLS should be enforced for inbound mail, and basically contain information about the public keys that are allowed to be used. Let's briefly dig *(no pun intended)* into how Proton implements this: + +``` +$ dig +noall +answer mx protonmail.com +protonmail.com. 1138 IN MX 10 mailsec.protonmail.ch. +protonmail.com. 
1138 IN MX 5 mail.protonmail.ch +``` + +``` +$ dig +noall +answer tlsa _25._tcp.mail.protonmail.ch +_25._tcp.mail.protonmail.ch. 915 IN TLSA 3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09 E11E979E +_25._tcp.mail.protonmail.ch. 915 IN TLSA 3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947A CC8399E1 +``` + +I will skip the details since this post is not about how DANE works, but as you can see the TLSA records can be easily retrieved and we can verify those. Tools like [Hardenize](https://www.hardenize.com/) may help you in investigating which providers have DANE. + + +## MTA-STS to the rescue +Despite being a years-old standard, DANE for SMTP is not widely adopted. **MTA-STS** ([RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461)) is an alternative solution which aims to prevent the same security issues, whilst not relying on DNSSEC. When MTA-STS is enabled, it effectively indicates to SMTP servers that TLS (1.2 or higher) should be used with valid certificates. + +In order to do that, MTA-STS relies on a **HTTPS web server** (and thus the WebPKI) to publish the policy at a specific subdomain (`mta-sts`) and address (`/.well-known/mta-sts.txt`). A **DNS TXT record** will also be needed to signal that a MTA-STS policy is available for the domain. Let's see how Proton implements that. + +If we navigate to https://mta-sts.protonmail.com/.well-known/mta-sts.txt, we will indeed find the MTA-STS policy published by Proton: + +```txt +version: STSv1 +mode: enforce +mx: mail.protonmail.ch +mx: mailsec.protonmail.ch +max_age: 604800 +``` + +The DNS "discovery" record should be defined at the `_mta-sts` subdomain: + +``` +$ dig +noall +answer txt _mta-sts.protonmail.com +_mta-sts.protonmail.com. 1114 IN CNAME _mta-sts.protonmail.ch. +_mta-sts.protonmail.ch. 1114 IN TXT "v=STSv1; id=190906205100Z;" +``` + +Everything is there as expected. 
+ + +## Enable MTA-STS for custom domains +The challenge is that Proton does not offer an easy way to host a policy for custom domains. They could eventually offer this in the future, and I expect them to. In the meantime, we can enable MTA-STS ourselves as it should be somewhat straightforward. + +The main challenging part is really to find a way to host the policy. It's just a text file after all, so there are many ways to do that without going through the hassle of self-hosting a web server. [GitHub Pages](https://pages.github.com/) and [Netlify](https://www.netlify.com/) have free offerings to host static websites, and they should be enough to meet our needs here. I will use Netlify since you can host multiple websites with the same account; the only drawback is that you have a 100GB bandwidth limit per month, but it should be more than enough for a simple text file. + +First, you will need to create a GitHub repository - public or private, it doesn't matter. Then, you should push a directory named `.well-known` which contains a `mta-sts.txt` file. The latter will be our policy, and you may simply copy the policy from Proton: + +```txt +version: STSv1 +mode: enforce +mx: mail.protonmail.ch +mx: mailsec.protonmail.ch +max_age: 604800 +``` + +> If you're really not sure about what you're doing, setting `mode: testing` might be a conservative approach to avoid breaking things (a report will be sent if you've configured TLS-RPT, more on that later). You may also consider decreasing or increasing `max_age` which corresponds to a time in seconds, and 604800 for instance means that the policy will be cached for one week. + +Then, head to your Netlify account, add a new site, register your GitHub repository and voilĂ . Once it's done and that you can access your policy through your `netlify.app` address, it's a matter of publishing a few DNS records: + +- An `A` record for your Netlify-hosted policy. 
If your domain name from which you intend to send and receive mails is `@domain.tld` then you should make this `A` record for `mta-sts.domain.tld`. Netlify will tell you to use a CNAME record but I personnally caution against using CNAME to third parties in general. They have a universal load balancer IPv4 [you can use](https://docs.netlify.com/domains-https/custom-domains/configure-external-dns/), so you should use that. + +- A `TXT` record for MTA-STS discovery. The content should resemble to the following: `"v=STSv1; id=2023071200"`. `v=STSv1` declares the policy version, and `id=` is really just a random number you should increment to signal whenever your MTA-STS policy has been changed. If you're out of ideas you can use the Unix epoch time, or the YMD format followed by two numbers reserved for iterations (just like I do). + +- An *optional* `TXT` record for TLS-RPT so that the sending mail server will receive reports about successful and failed attempts at applying the MTA-STS policy. Since these reports can be very useful, I highly recommend you configure TLS-RPT. To do that, add the following TXT record to the `_smtp._tls` subdomain: `"v=TLSRPTv1; rua=mailto:reports@domain.tld"` where `rua=` should point to the mail address where you want to receive reports. + +> **Security tip :** since `mta-sts` is a subdomain with an A record, I strongly recommend defining a "reject all" SPF policy and a null MX record ([RFC 7505](https://www.rfc-editor.org/rfc/rfc7505)) for that subdomain. That is because even when an MX record does not exist, [A records can be used as a fallback](https://www.rfc-editor.org/rfc/rfc5321#section-5). + +Wait a bit for the DNS propagation to take place, then verify with [Hardenize](https://www.hardenize.com/) that MTA-STS is enabled. 
+ + +## Conclusion +MTA-STS is far from perfect and suffers from multiple flaws in my opinion: it relies on **certificate authorities** (CA), and is inherently a ***trust on first use*** security policy akin to HSTS for HTTPS (the DNSSEC infrastructure is already trusted in the case of DANE). I also believe that MTA-STS is more tedious to deploy compared to the simplicity and robustness of DANE, DNSSEC deployment quirks aside. + +Nonetheless, I hope this article will prove somewhat useful to Proton Mail users who wish to use MTA-STS with their custom domains. diff --git a/external-blogs.sh b/external-blogs.sh index 9b16d0a..f88bb45 100755 --- a/external-blogs.sh +++ b/external-blogs.sh @@ -3,7 +3,7 @@ #Docker and OCI Hardening echo "Fetching and Modifying the Docker and OCI Hardening post" rm -rf './content/posts/linux/Docker and OCI Hardening.md' -curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/posts/linux/Docker and OCI Hardening.md' +curl https://raw.githubusercontent.com/Wonderfall/wonderfall.dev/main/content/posts/docker-hardening.md -o './content/posts/linux/Docker and OCI Hardening.md' sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/posts/linux/Docker and OCI Hardening.md' sed -i '/draft:.*/d' './content/posts/linux/Docker and OCI Hardening.md' sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Containers', 'Security']/" './content/posts/linux/Docker and OCI Hardening.md' 
@@ -14,7 +14,7 @@ sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Docker and OCI Ha #Securing OpenSSH with FIDO2 echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post" rm -rf './content/posts/linux/Securing OpenSSH with FIDO2.md' -curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/openssh-fido2.md -o './content/posts/linux/Securing OpenSSH with FIDO2.md' +curl https://raw.githubusercontent.com/Wonderfall/wonderfall.dev/main/content/posts/openssh-fido2.md -o './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i '/draft:.*/d' './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/posts/linux/Securing OpenSSH with FIDO2.md' 
@@ -22,6 +22,17 @@ sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/linux/Securing Ope sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/posts/linux/Securing OpenSSH with FIDO2.md' sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Securing OpenSSH with FIDO2.md' +#Setting up MTA-STS with a custom domain on Proton Mail +echo "Fetching and Modifying the Setting up MTA-STS with a custom domain on Proton Mail post" +rm -rf './content/posts/linux/Setting up MTA-STS with a custom domain on Proton Mail.md' +curl https://raw.githubusercontent.com/Wonderfall/wonderfall.dev/main/content/posts/mta-sts.md -o './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md' +sed -i 's/title:.*/title: "Setting up MTA-STS with a custom domain on Proton Mail"/' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md' +sed -i '/draft:.*/d' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md' +sed -i "s/tags:.*/tags: ['Knowledge base', 'Security']/" './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md' +sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md' +sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/mta-sts/' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md' +sed -i '/^tags:.*/a author: Wonderfall' './content/posts/knowledge/Setting up MTA-STS with a custom domain on Proton Mail.md' + # Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown. # His GitHub repo: https://github.com/Seirdy/seirdy.one From c093406f9f6999c51297eb5a8d41b13bafcb83dd Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 5 Aug 2023 20:25:56 -0700 Subject: [PATCH 02/13] Hugo v0.116.1 
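Review bot: the new article hunk carries typos and one encoding error that will render verbatim: "personnally" in the `A` record bullet should be "personally", "voilĂ" is mojibake for "voilà", "Security tip :" has a stray space before the colon, and "a HTTPS web server" / "a MTA-STS policy" should read "an HTTPS" / "an MTA-STS". The security tip would also be more actionable if it spelled out the two records it recommends for `mta-sts.domain.tld`, i.e. a `TXT` of `v=spf1 -all` and a null MX of `0 .` (RFC 7505), since the text names them but never shows them. Finally, the TLSA hashes in the `dig` output appear split by a space ("...DAE8F7A09 E11E979E"); that is just how `dig` wraps long rdata, but a reader copying them should be told it is one hex string.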
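Review bot: in the `external-blogs.sh` hunk the `rm -rf` of the new MTA-STS block targets `./content/posts/linux/Setting up MTA-STS with a custom domain on Proton Mail.md`, while every following line writes to and edits `./content/posts/knowledge/...`, so the cleanup step never touches the file it is meant to refresh (it only works today because `curl -o` overwrites). Point the `rm -rf` at the `knowledge` path so the block matches the two above it, where the rm and curl paths agree.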
Signed-off-by: Tommy --- netlify.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netlify.toml b/netlify.toml index 0f2c2f2..ed03695 100644 --- a/netlify.toml +++ b/netlify.toml @@ -1,5 +1,5 @@ [build.environment] - HUGO_VERSION = "0.116.0" + HUGO_VERSION = "0.116.1" [context.deploy-preview] command = "sed -i 's/! Content-Security-Policy//g' static/_headers && hugo -b $DEPLOY_PRIME_URL" From 3315ea8a90c266e5472c8bd3e64aadf02f12a485 Mon Sep 17 00:00:00 2001 From: Tommy Date: Mon, 7 Aug 2023 18:01:26 -0700 Subject: [PATCH 03/13] Hugo v0.117.0 (#148) Signed-off-by: Tommy --- netlify.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netlify.toml b/netlify.toml index ed03695..a1735c5 100644 --- a/netlify.toml +++ b/netlify.toml @@ -1,5 +1,5 @@ [build.environment] - HUGO_VERSION = "0.116.1" + HUGO_VERSION = "0.117.0" [context.deploy-preview] command = "sed -i 's/! Content-Security-Policy//g' static/_headers && hugo -b $DEPLOY_PRIME_URL" From 11afd1c1480bd87ae0e1ce99dfd10f1969c37b85 Mon Sep 17 00:00:00 2001 From: Tommy Date: Mon, 7 Aug 2023 18:45:20 -0700 Subject: [PATCH 04/13] Update public key Signed-off-by: Tommy --- .../hu/mmzmicezznjxwooyrfdqjttmh35mattb | Bin 10152 -> 12535 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/static/.well-known/openpgpkey/hu/mmzmicezznjxwooyrfdqjttmh35mattb b/static/.well-known/openpgpkey/hu/mmzmicezznjxwooyrfdqjttmh35mattb index 350fc915083f5da62ce10f5fa84846cfafb6c0a0..399fc708ea785945756fb13904d95d5dbe4b21ff 100644 GIT binary patch delta 2197
From 8bfc2ba1c8118e3ea2c8dfec23a95be064dcc88a Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 8 Aug 2023 00:14:37 -0700 Subject: [PATCH 05/13] Update privacy policy Signed-off-by: Tommy --- content/privacy.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/content/privacy.md b/content/privacy.md index 3b7fc15..82603d9 100644 --- a/content/privacy.md +++ b/content/privacy.md @@ -7,11 +7,9 @@ PrivSec.dev as a project does not collect any personal information. We do not tr ## Hosting Provider -We use Google Domains and Google DNS. We host our website on Netlify. We do not use Netlify assets optimization, so nothing is hosted on CloudFront. +We use Cloudflare for domain registration, DNS, and web hosting. We use Netlify for website previews. We do not use Netlify assets optimization, so nothing is hosted on CloudFront. -Netlify does store your IP address and access logs for less than 30 days. Please check out [this link](https://www.netlify.com/gdpr-ccpa/) for their policy regarding this. Their general privacy policy can be found [here](https://www.netlify.com/gdpr-ccpa/). - -We use [Netlify Analytics](https://www.netlify.com/products/analytics/) to analyze the access logs stored by Netlify. This information is not shared with any third parties. +We do not have access to your IP addresses or activity logs. Cloudflare does keep logs of your website visits in accordance with their [privacy policy](https://www.cloudflare.com/privacypolicy/). ## Software From 90dce6a30b122752fefdc771c7e22e254ad7443c Mon Sep 17 00:00:00 2001
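Review bot: the "Update public key" commit replaces the WKD-served OpenPGP key blob without saying what changed; the message gives no fingerprint, no expiry and no reason for the rotation. For a key that people fetch and pin via `.well-known/openpgpkey`, state in the commit message whether this is an expiry extension, new subkeys or a new primary key, so anyone who pinned the previous key can tell whether they need to re-verify out of band.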
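Review bot: in the privacy-policy hunk, the removed paragraph stated that Netlify retains IP addresses and access logs, but the same hunk keeps "We use Netlify for website previews", so preview deployments are still served (and logged) by Netlify and the new sentence "We do not have access to your IP addresses or activity logs" is broader than what the visible lines support. Keep a sentence scoped to previews, e.g. that preview sites on Netlify are subject to Netlify's retention of access logs and its privacy policy, and limit the Cloudflare statement to the production site.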
From: Tommy Date: Tue, 8 Aug 2023 21:08:20 -0700 Subject: [PATCH 06/13] Update Chrony configurations --- content/posts/linux/Desktop Linux Hardening.md | 7 +++++++ .../macos/Secure Time Synchronization on macOS.md | 12 +++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index a044dfc..75d097b 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -388,6 +388,13 @@ If decide on using NTS with chronyd, consider using multiple, independent time p GrapheneOS uses a [quite nice chrony configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) for their infrastructure. I recommend that you replicate their `chrony.conf` on your system. +You should also enable the secommp filter for chronyd in `/etc/sysconfig/chronyd`: + +``` +# Command-line options for chronyd +OPTIONS="-F 1" +``` + ![Verifying NTS configuration](/images/nts.png) ### Pluggable Authentication Modules (PAM) diff --git a/content/posts/macos/Secure Time Synchronization on macOS.md b/content/posts/macos/Secure Time Synchronization on macOS.md index c3ed836..b7070f9 100644 --- a/content/posts/macos/Secure Time Synchronization on macOS.md +++ b/content/posts/macos/Secure Time Synchronization on macOS.md @@ -103,6 +103,9 @@ server ptbtime1.ptb.de iburst nts minsources 2 authselectmode require +# EF +dscp 46 + driftfile /var/lib/chrony/drift ntsdumpdir /var/lib/chrony @@ -117,7 +120,14 @@ cmdport 0 allow 10.0.2.2/32 ``` -If you are confused about what this configuration is doing, here are some quick explanations: +Optionally, you can enable the secommp filter for chronyd in `/etc/sysconfig/chronyd`: + +``` +# Command-line options for chronyd +OPTIONS="-F 1" +``` + +If you are confused about what these configurations are doing, here are some quick explanations: * We get our time from 4 different sources: 
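Review bot: in the Desktop Linux Hardening hunk, "secommp" should be "seccomp", and the new sentence would help readers more with one line on what `OPTIONS="-F 1"` does: it makes chronyd load its seccomp system-call filter in enforcing mode, so a disallowed syscall terminates the daemon. Worth saying, because a filter that is too strict for a given build or kernel shows up only as chronyd exiting, which the reader should know to look for in the journal after enabling it.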
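Review bot: the macOS-post hunks repeat the "secommp" typo, and `/etc/sysconfig/chronyd` only exists on Fedora-style distributions, so the sentence should either name the guest distribution the VM runs or give the Debian/Ubuntu equivalent (`/etc/default/chrony`, where the variable read by the unit is `DAEMON_OPTS`, not `OPTIONS`). The `# EF` comment above `dscp 46` is cryptic on its own; spell it out as Expedited Forwarding (DSCP 46) and say which chrony version introduced the `dscp` directive, since older releases refuse to start on an unknown directive.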
From f8fea8190ae65db3c9cda0563bd78afadc093761 Mon Sep 17 00:00:00 2001 From: Thien Tran Date: Tue, 8 Aug 2023 21:26:01 -0700 Subject: [PATCH 07/13] Clarify the location of Chrony's EnvironmentFile Signed-off-by: Thien Tran --- content/posts/linux/Desktop Linux Hardening.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 75d097b..5d208ce 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -388,13 +388,15 @@ If decide on using NTS with chronyd, consider using multiple, independent time p GrapheneOS uses a [quite nice chrony configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) for their infrastructure. I recommend that you replicate their `chrony.conf` on your system. -You should also enable the secommp filter for chronyd in `/etc/sysconfig/chronyd`: +Next, enable the secommp filter for chronyd. On Fedora and Arch Linux, you will need to edit Chrony's environment file in `/etc/sysconfig/chronyd`: ``` # Command-line options for chronyd OPTIONS="-F 1" ``` +On Ubuntu and Debian, the environment file is `/etc/default/chrony`, and the seccomp filter should already be enabled by default. + ![Verifying NTS configuration](/images/nts.png) ### Pluggable Authentication Modules (PAM) From 0f9f94d2ce1c1510e5e4471447ba3f8f780f7612 Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 15 Aug 2023 17:09:44 -0700 Subject: [PATCH 08/13] Add upgrade-insecure-requests; --- .../linux/Slightly Improving Mailcow Security.md | 2 +- static/_headers | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/posts/linux/Slightly Improving Mailcow Security.md b/content/posts/linux/Slightly Improving Mailcow Security.md index 446774e..b66acc0 100644 --- a/content/posts/linux/Slightly Improving Mailcow Security.md 
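Review bot: the rewritten sentence in this hunk still spells "secommp"; fix it while the line is being touched. The added claim that Debian and Ubuntu enable the filter by default deserves a link to the package default, and since the Debian environment file uses `DAEMON_OPTS` rather than `OPTIONS`, readers who paste the snippet shown above into `/etc/default/chrony` would set a variable the service never reads; say so explicitly.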
+++ b/content/posts/linux/Slightly Improving Mailcow Security.md @@ -81,7 +81,7 @@ add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https #### If you do not use Gravatar with SOGo ``` -add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'"; +add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"; ``` ### Cross-Origin Resource, Opener, and Embedder Policies diff --git a/static/_headers b/static/_headers index 05e6de3..d7a0180 100644 --- a/static/_headers +++ b/static/_headers @@ -1,6 +1,6 @@ /* Strict-Transport-Security : max-age=63072000; includeSubDomains; preload - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' X-Content-Type-Options : nosniff Referrer-Policy : no-referrer X-Frame-Options : DENY 
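Review bot: `upgrade-insecure-requests` and `block-all-mixed-content` now sit side by side in every policy in this patch, but `block-all-mixed-content` is deprecated and is treated as a no-op when `upgrade-insecure-requests` is present, so the cleaner change is to replace the former with the latter rather than append; the same applies to every `_headers` hunk that follows, where the preloaded `Strict-Transport-Security` header already forces https for the site's own origin in browsers that honour it. Separately, the Mailcow policy still carries `'unsafe-inline'` in `script-src`, which is the directive that actually decides XSS exposure; if that is a SOGo constraint, the surrounding text should say so rather than present the policy as hardened.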
@@ -12,27 +12,27 @@ /posts/knowledge/multi-factor-authentication/ ! Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/android/android-tips/ ! Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/android/choosing-your-android-based-operating-system/ ! 
Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/linux/choosing-your-desktop-linux-distribution/ ! Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/linux/desktop-linux-hardening/ ! 
Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /*.xml From e14fb3e05a526be6116c6f011a96d5becb69b40d Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 16 Aug 2023 04:12:33 -0700 Subject: [PATCH 09/13] Consistency fix Signed-off-by: Tommy --- content/posts/linux/Slightly Improving Mailcow Security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Slightly Improving Mailcow Security.md b/content/posts/linux/Slightly Improving Mailcow Security.md index b66acc0..26ffcea 100644 --- a/content/posts/linux/Slightly Improving Mailcow Security.md +++ b/content/posts/linux/Slightly Improving Mailcow Security.md 
@@ -75,7 +75,7 @@ Use the following as your [Content Security Policy](https://developer.mozilla.or #### If you use Gravatar with SOGo ``` -add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'"; +add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"; ``` #### If you do not use Gravatar with SOGo From b58a5decf8d8fdd8e9b143145103b2e45b7282db Mon Sep 17 00:00:00 2001 From: Thien Tran Date: Wed, 16 Aug 2023 04:43:35 -0700 Subject: [PATCH 10/13] Create a timesync cron job on macOS Signed-off-by: Thien Tran --- .../Secure Time Synchronization on macOS.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/content/posts/macos/Secure Time Synchronization on macOS.md b/content/posts/macos/Secure Time Synchronization on macOS.md index b7070f9..2cdd04b 100644 --- a/content/posts/macos/Secure Time Synchronization on macOS.md +++ b/content/posts/macos/Secure Time Synchronization on macOS.md 
@@ -192,6 +192,22 @@ sntp 127.0.0.1 Once you have verified that everything is working, you can optionally remove the port `22/TCP` forwarding since we will no longer need it. +## Create a Synchronization Cron Job + +macOS synchronizes time with the NTP server around once every 20 minutes. This can cause the clock to be out of sync for quite awhile when the computer wakes up from sleep, as the NTP server may not have its time corrected by the time macOS makes the first synchronization request. + +To work around this, create a cron job to have macOS synchronize time every minute as `root`: + +``` +sudo crontab -e +``` + +Add the following: + +``` +* * * * * /usr/bin/sntp -Ss 127.0.0.1 +``` + ## Automatically start the NTP server at boot Finally, follow the [official documentation](https://docs.getutm.app/advanced/remote-control/) to automatically start the virtual machine at boot. From 813112909992cee90d2830b8e6430b0931842170 Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 16 Aug 2023 06:04:49 -0700 Subject: [PATCH 11/13] Mention Ubuntu Pro (#149) Update Desktop Linux Hardening.md Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 5d208ce..c35b55c 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md 
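Review bot: "quite awhile" should be "quite a while". More substantively, a root cron entry running `/usr/bin/sntp -Ss 127.0.0.1` every minute steps or slews the clock unconditionally and runs alongside macOS's own periodic synchronization rather than replacing it; the paragraph should state that this overlap is intended, explain what `-S` and `-s` do, and mention that a launchd job (which is what macOS uses for its own services and which can be triggered on wake) is the platform-native way to express "run on wake and every minute", with cron kept only as the simpler option.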
@@ -176,6 +176,22 @@ Another option is [Kata Containers](https://katacontainers.io/) which masquerade ![opensuse-computer.jpg](/images/opensuse-computer.jpg) +### Ubuntu Pro + +If you are using Ubuntu LTS, consider subscribing to [Ubuntu Pro](https://ubuntu.com/pro). Canonical currently allows up to 5 machines with the free subscription. + +With Ubuntu Pro, you gain access to the [The Ubuntu Security Guide]([https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788](https://ubuntu.com/security/certifications/docs/usg)), which allows for easy application of the CIS OpenSCAP profile: + +```bash +sudo ua enable usg +sudo apt install -y usg +sudo usg fix cis_level2_workstation +``` + +You will also gain access to the [Canonical Livepatch Service](https://ubuntu.com/security/livepatch), which provides livepatching for [certain kernel variants](https://ubuntu.com/security/livepatch/docs/livepatch/reference/kernels). Note that the [Hardware Enablement (HWE)](https://ubuntu.com/kernel/lifecycle) kernel is not supported. + +While livepatching is less than ideal and we still recommend regularly rebooting your computer, it is quite nice to have. + ### Umask 077 On distributions besides openSUSE, consider changing the default [umask](https://wiki.archlinux.org/title/Umask) for both root and regular users to `077` (symbolically, `u=rwx,g=,o=`). _On openSUSE, a umask of 077 can break snapper and is thus not recommended._ From 55e7b2fe58cbae1f62836b5611adb3e7b29966f4 Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 16 Aug 2023 06:05:34 -0700 Subject: [PATCH 12/13] Syntax fixes Signed-off-by: Tommy --- content/posts/macos/Secure Time Synchronization on macOS.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/posts/macos/Secure Time Synchronization on macOS.md b/content/posts/macos/Secure Time Synchronization on macOS.md index 2cdd04b..f50629c 100644 --- a/content/posts/macos/Secure Time Synchronization on macOS.md 
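Review bot: the Ubuntu Security Guide link is malformed markdown, `[The Ubuntu Security Guide]([https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788](https://ubuntu.com/security/certifications/docs/usg))` nests one link inside another, and the sentence also reads "the [The Ubuntu Security Guide"; keep a single target URL and drop the duplicated article. In the code block, `sudo usg fix cis_level2_workstation` rewrites system configuration immediately; show `sudo usg audit cis_level2_workstation` first so the reader can review the generated report before remediating, and note that `ua` is the legacy name of the `pro` client on current releases so the first line does not confuse readers who only find `pro` on their system.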
+++ b/content/posts/macos/Secure Time Synchronization on macOS.md @@ -184,7 +184,7 @@ Now, we can use our NTP server as the time server for your macOS. Set the time s Verify that NTP works on your macOS host: -``` +```bash sntp 127.0.0.1 ``` @@ -198,7 +198,7 @@ macOS synchronizes time with the NTP server around once every 20 minutes. This c To work around this, create a cron job to have macOS synchronize time every minute as `root`: -``` +```bash sudo crontab -e ``` From 950bf8ee1d584ab9faaed9a4b432c5297907b520 Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 16 Aug 2023 06:10:34 -0700 Subject: [PATCH 13/13] Pronoun fix Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index c35b55c..2daddff 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -190,7 +190,7 @@ sudo usg fix cis_level2_workstation You will also gain access to the [Canonical Livepatch Service](https://ubuntu.com/security/livepatch), which provides livepatching for [certain kernel variants](https://ubuntu.com/security/livepatch/docs/livepatch/reference/kernels). Note that the [Hardware Enablement (HWE)](https://ubuntu.com/kernel/lifecycle) kernel is not supported. -While livepatching is less than ideal and we still recommend regularly rebooting your computer, it is quite nice to have. +While livepatching is less than ideal and I still recommend regularly rebooting your computer, it is quite nice to have. ### Umask 077