meta data for this page
Security
Comparison
These are goals based on Mobian becoming part of Debian:
| Mobian | Android[1] | IOS | |
|---|---|---|---|
| Peer/community reviewed software[3] | Yes | No | No |
| All OS components built from source | Yes | No | |
| All apps built from source[2] | Yes | No | |
| Closed firmware blobs | Many | ||
| Reproducible builds | Mostly | No | |
| Secure boot | |||
| Usbguard | TODO | No |
[1] Stock Android with Google Apps
[2] Built from publicly available sources in an automated and verifiable manner
[3] Reviewed by DDs and/or Debian FTP masters
Features
Services
By default, Mobian has services for SSH and MTP running. The default SSH config is insecure, so it should be either hardened, or disabled from starting automatically via sudo systemctl disable sshd. The MTP service currently has no security whatsoever; if the phone is plugged into a computer, even with disk encryption, the computer will have full R/W access to your /home dir, and full read access to /. Disable autostart via sudo systemctl disable umtp-responder. Both of these services, when disabled, can be started on-demand by sudo systemctl start {service}.
Security updates
Currently provided as package updates in Debian Testing
Randomizing MAC
To randomize your Wi-Fi MAC address each time you boot, perform the following steps:
1. Install macchanger with sudo apt update && sudo apt install macchanger
2. Bring down the wireless interface with sudo ip link set wlan0 down
3. Paste the following into /etc/systemd/system/macspoof@.service:
[Unit] Description=macchanger on %I Wants=network-pre.target Before=network-pre.target BindsTo=sys-subsystem-net-devices-%i.device After=sys-subsystem-net-devices-%i.device [Service] ExecStart=/usr/bin/macchanger -r %I Type=oneshot [Install] WantedBy=multi-user.target
4. Run sudo systemctl daemon-reload && sudo systemctl enable –now macspoof@wlan0.service
5. Bring the wireless interface back up with either sudo ip link set wlan0 up or sudo systemctl restart NetworkManager
Randomizing MAC using NetworkManager
Create and edit the file: /etc/NetworkManager/conf.d/wifi_rand_mac.conf
[device-mac-randomization] # "yes" is already the default for scanning wifi.scan-rand-mac-address=yes [connection-mac-randomization] # Randomize MAC for every ethernet connection ethernet.cloned-mac-address=random # Generate a random MAC for each WiFi and associate the two permanently. wifi.cloned-mac-address=stable
Restart NetworkManager:
sudo systemctl restart NetworkManager.service
Check GNOME blog post for more details.
Always-On VPN
VPN functionality will be added to Gnome-Control-Center in the future, but for now you can configure this via nmcli. This guide will explain how to import an OpenVPN connection, and then configure other connections to require it as a “secondary”.
1. Add OpenVPN support for NetworkManager by running sudo apt install network-manager-openvpn.
2. Import your OpenVPN .ovpn file by running sudo nmcli connection import type openvpn file {yourovpnfile.ovpn}
3. Until this is integrated with gnome-keyring, you must store your username and password in the .nmconnection file (currently insecure due to lack of disk encryption, which is coming in the future as well). Edit your VPN config in /etc/NetworkManager/system-connections, where the file is {youropenvpnfilename}.nmconnection. Change the password-flags to 0. At the bottom of the [vpn] block, add username={your username}. Then, below the [vpn] block, add the following:
[vpn-secrets]
password={your vpn password}
4. Obtain the UUID of your VPN connection by running sudo nmcli con show {your vpn connection name}; the UUID is the second line.
5. In the same directory, you can now modify any connection, including your cellular one, to bring up and require the VPN connection by adding this to the end of the [connection] block: secondaries={UUID}; (dont forget the trailing semi-colon).
6. Restart NetworkManager with sudo systemctl restart NetworkManager for the changes to take effect.
Using SSH with a key instead of password
When you have SSH enabled on your phone, it is a good idea to use key-based authentication instead of password-based authentication. This is especially true in the case of numerical passwords only!
If you don't have already have a private/public key pair, you want to first generate one.
ssh-keygen -t ed25519
You should probably secure your key with a password. Now copy your public key to the device
ssh-copy-id mobian@mobian
Now you can log in via SSH. Search for PasswordAuthentication in /etc/ssh/sshd_config
and change it to PasswordAuthentication no. Finally restart the sshd:
sudo systemctl restart sshd
Also it's good to use an uncommon port for SSH to reduce noise and battery usage caused by SSH scanners on the Internet.
Extra note:
If you have secured your SSH key with a password and don't want to bother retyping the password for every time you reconnect with SSH, you can run:
eval $(ssh-agent) ssh-add
Now you should not be prompted to enter your password (as long as you are running ssh from the same environment/terminal).
Disk encryption
Disk encryption is currently available through the Mobian Installer. This image can be found in the installer directory of the download page for your device.
For the PinePhone for example, this is https://images.mobian-project.org/pinephone/installer/.
Encrypted /home partition
The following method uses a keyfile which will be stored on disk, so it is strongly recommended to only use in conjunction with an encrypted rootfs.
1. Copy the contents of your home directory with: sudo mkdir /tmp/mobian && sudo rsync -avz /home/mobian/ /tmp/mobian/
2. Ensure your sdcard has a single ext4 (or f2fs) partition
3. Encrypt your sdcard (WILL ERASE ALL DATA): sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/mmcblk0p1
4. Unlock the new encrypted partition: sudo cryptsetup luksOpen /dev/mmcblk0p1 home_crypt
5. Format the unlocked partition with ext4 (or f2fs): sudo mkfs.ext4 -m 0 /dev/mapper/home_crypt
6. Generate the keyfile which will automatically unlock the partition: sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4 && sudo chmod 0400 /root/keyfile
7. Add the keyfile to the Luks partition: sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile
8. UUID is more specific than device block for fstab, so run sudo blkid /dev/mmcblk0p1 and copy the UUID
9. In /etc/crypttab add the following line: home_crypt /dev/disk/by-uuid/{PASTE UUID HERE} /root/keyfile luks,timeout=30
10. Add the line to /etc/fstab: /dev/mapper/home_crypt /home ext4 defaults 0 2 (If you formatted it as f2fs then replace ext4 with f2fs)
11. Mount the partition: sudo mount -t ext4 /dev/mapper/home_crypt /home
12. Copy the contents of /tmp/mobian (original home dir data): sudo rsync -avz /tmp/mobian /home/ (Trailing slashes must be exactly as written)
13. Reboot (Upon verified success, delete /tmp/mobian)
Secure boot
TODO
Daemon sandboxing
Implemented on some system daemons using unit files
Use `sudo systemd-analyze security` to check the current status
Application sandboxing
Provided optionally by firejail. Not enabled by default.
Usbguard
Protects from unauthorized USB devices being connected. Provided optionally by the usbguard package. Not enabled by default.
To install: sudo apt install usbguard
/etc/usbguard/usbguard-daemon.conf is used to to configure runtime parameters of the daemon.
/etc/usbguard/rules.conf is used to define policy rules for USB devices.
This example will apply policies for any connected USB device and would only allow to operate devices that are allowed in /etc/usbguard/rules.conf.
/etc/usbguard/usbguard-daemon.conf RuleFile=/etc/usbguard/rules.conf ImplicitPolicyTarget=block PresentDevicePolicy=apply-policy PresentControllerPolicy=keep InsertedDevicePolicy=apply-policy AuthorizedDefault=none RestoreControllerDeviceState=false DeviceManagerBackend=uevent IPCAllowedUsers=root IPCAllowedGroups=root plugdev IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/ DeviceRulesWithPort=false AuditBackend=FileAudit AuditFilePath=/var/log/usbguard/usbguard-audit.log HidePII=false
After installation, rules will be auto generated for all currently connected USB devices. If you are occasionally using other devices like USB hub, keyboard or mouse you'll need to plug all required devices and re-generate policy rules using:
sudo usbguard generate-policy > /etc/usbguard/rules.conf
Edit /etc/usbguard/rules.conf and simplify rules for WLAN modem.
Auto-generated rule doesn't always match the modem and it might be not be allowed to connect after return from a deep sleep.
Leave only allow, id, serial, name, hash and parent-hash values.
I.e:
allow id 2c7c:0125 serial “” name “EG25-G” hash “…” parent-hash “…”
Troubleshooting:
- Check active rules:
usbguard list-rules - Examine
/var/log/usbguard/usbguard-audit.log
Firewall
Protect network services using iptables.
1. Install iptables-persistent package to make iptables rules persistent after reboot with sudo apt install iptables-persistent.
2. Answer “yes” to save existing IPv4 and IPv6 rules.
3. Edit /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
4. Examples of firewall configs. Can be used as a starting point for your setup.
- Uncomment lines that logs packets for troubleshooting.
- Replace
192.168.1.0/24subnet with your LAN subnet or any other network from which you want to allow SSH access and ICMP. - To apply changes run:
sudo iptables-restore /etc/iptables/rules.v4for IPv4 rules andsudo ip6tables-restore /etc/iptables/rules.v6for IPv6 rules.
/etc/iptables/rules.v6 - allows outbound connections only
# Generated by ip6tables-save v1.8.6 on Sun Dec 27 20:20:50 2020 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # Block remote packets claiming to be from a loopback address. -A INPUT -s ::1/128 ! -i lo -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6[IN]: " COMMIT # Completed on Sun Dec 27 20:20:50 2020
/etc/iptables/rules.v4 - allow outbound connections and inbound SSH connections from specified subnet.
# Generated by iptables-save v1.8.6 on Sun Dec 27 20:20:50 2020 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP # Block remote packets claiming to be from a loopback address. -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP # Drop all packets that are going to broadcast, multicast or anycast address. -A INPUT -m addrtype --dst-type BROADCAST -j DROP -A INPUT -m addrtype --dst-type MULTICAST -j DROP -A INPUT -m addrtype --dst-type ANYCAST -j DROP -A INPUT -d 224.0.0.0/4 -j DROP # Accept access to SSH from 192.168.1.0/24 network. -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # Accept pings from 192.168.1.0/24 network. -A INPUT -p icmp --icmp-type 0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -p icmp --icmp-type 3 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -p icmp --icmp-type 11 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT # Do not log packets that are going to ports used by SMB (Samba / Windows Sharing). -A INPUT -p udp -m multiport --dports 135,445 -j DROP -A INPUT -p udp --dport 137:139 -j DROP -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP # Do not log packets that are going to port used by UPnP protocol. -A INPUT -p udp --dport 1900 -j DROP # Do not log late replies from nameservers. -A INPUT -p udp --sport 53 -j DROP # Prevent DOS by filling log files. #-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip4[IN]: " COMMIT # Completed on Sun Dec 27 20:20:50 2020