
Security

Comparison

These are goals based on Mobian becoming part of Debian:

                                     Mobian   Android[1]   iOS
Peer/community reviewed software[3]  Yes      No           No
All OS components built from source  Yes      No
All apps built from source[2]        Yes      No
Closed firmware blobs                Many
Reproducible builds                  Mostly   No
Secure boot
Usbguard                             TODO     No

[1] Stock Android with Google Apps

[2] Built from publicly available sources in an automated and verifiable manner

[3] Reviewed by DDs and/or Debian FTP masters

Features

Services

By default, Mobian has services for SSH and MTP running. The default SSH configuration is insecure, so either harden it or stop it from starting automatically with sudo systemctl disable sshd. The MTP service currently has no security whatsoever: if the phone is plugged into a computer, even with disk encryption enabled, the computer gets full read/write access to your /home directory and full read access to /. Disable its autostart with sudo systemctl disable umtp-responder. Once disabled, either service can still be started on demand with sudo systemctl start {service}.

Security updates

Currently provided as package updates in Debian Testing

Randomizing MAC

To randomize your Wi-Fi MAC address each time you boot, perform the following steps:

1. Install macchanger with sudo apt update && sudo apt install macchanger

2. Bring down the wireless interface with sudo ip link set wlan0 down

3. Paste the following into /etc/systemd/system/macspoof@.service:

[Unit]
Description=macchanger on %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
ExecStart=/usr/bin/macchanger -r %I
Type=oneshot

[Install]
WantedBy=multi-user.target

4. Run sudo systemctl daemon-reload && sudo systemctl enable --now macspoof@wlan0.service

5. Bring the wireless interface back up with either sudo ip link set wlan0 up or sudo systemctl restart NetworkManager

Randomizing MAC using NetworkManager

Create and edit the file: /etc/NetworkManager/conf.d/wifi_rand_mac.conf

[device-mac-randomization]
# "yes" is already the default for scanning
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
# Randomize MAC for every ethernet connection
ethernet.cloned-mac-address=random
# Generate a random MAC for each WiFi and associate the two permanently.
wifi.cloned-mac-address=stable

Restart NetworkManager:

 sudo systemctl restart NetworkManager.service

Check GNOME blog post for more details.
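As an added check that applies to both the macchanger unit and the NetworkManager method above (this is not code from the Mobian wiki), the following POSIX shell snippet inspects the output of ip link show wlan0 and confirms that the active MAC differs from the burned-in one and carries the locally-administered bit. It assumes a kernel and iproute2 recent enough to print the permaddr field; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the Mobian wiki): verify that Wi-Fi MAC randomization
# actually took effect, using the output of `ip link show wlan0`.
# Assumes the kernel reports "permaddr" once the MAC has been changed.

# Print the current link-layer address from `ip link show <iface>` output on stdin.
current_mac() {
    awk '/link\/ether/ { print $2; exit }'
}

# Print the permanent (burned-in) address, or nothing if the kernel does not show it.
permanent_mac() {
    awk '/link\/ether/ { for (i = 1; i <= NF; i++) if ($i == "permaddr") print $(i + 1); exit }'
}

# Return 0 when the first octet has the locally-administered bit (0x02) set,
# which macchanger -r (without -b) and NetworkManager's random/stable modes produce.
mac_is_locally_administered() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# Return 0 when the `ip link` output shows a locally-administered MAC that
# differs from the burned-in one.
mac_is_randomized() {
    cur=$(printf '%s\n' "$1" | current_mac)
    perm=$(printf '%s\n' "$1" | permanent_mac)
    [ -n "$cur" ] && [ -n "$perm" ] && [ "$cur" != "$perm" ] && mac_is_locally_administered "$cur"
}

# Constructed sample output, before and after the macspoof@wlan0 unit has run.
BEFORE='3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
AFTER='3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 6a:f1:09:c2:7d:3e brd ff:ff:ff:ff:ff:ff permaddr 00:11:22:33:44:55'

# On a real device: mac_is_randomized "$(ip link show wlan0)" && echo "wlan0 MAC is randomized"
```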

Always-On VPN

VPN functionality will be added to Gnome-Control-Center in the future, but for now you can configure this via nmcli. This guide will explain how to import an OpenVPN connection, and then configure other connections to require it as a “secondary”.

1. Add OpenVPN support for NetworkManager by running sudo apt install network-manager-openvpn.

2. Import your OpenVPN .ovpn file by running sudo nmcli connection import type openvpn file {yourovpnfile.ovpn}

3. Until this is integrated with gnome-keyring, you must store your username and password in the .nmconnection file (currently insecure due to lack of disk encryption, which is coming in the future as well). Edit your VPN config in /etc/NetworkManager/system-connections, where the file is {youropenvpnfilename}.nmconnection. Change the password-flags to 0. At the bottom of the [vpn] block, add username={your username}. Then, below the [vpn] block, add the following:

[vpn-secrets]
password={your vpn password}

4. Obtain the UUID of your VPN connection by running sudo nmcli con show {your vpn connection name}; the UUID is the second line.

5. In the same directory, you can now modify any connection, including your cellular one, to bring up and require the VPN connection by adding this to the end of the [connection] block: secondaries={UUID}; (don't forget the trailing semicolon).

6. Restart NetworkManager with sudo systemctl restart NetworkManager for the changes to take effect.
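Steps 4 and 5 can be scripted instead of hand-edited. The following is an added shell example, not part of NetworkManager or the wiki: it reads the VPN's UUID straight from its keyfile (an alternative to nmcli con show, since every keyfile carries uuid= in its [connection] block) and writes the secondaries= line, trailing semicolon included, into the [connection] block of another connection. The file names and the sample keyfile are constructed.

```shell
#!/bin/sh
# Added example (not from NetworkManager or the Mobian wiki): script steps 4 and 5
# of the Always-On VPN setup. Keyfiles in /etc/NetworkManager/system-connections
# are ini-style; the VPN's own keyfile carries its uuid= in [connection].

# Print the uuid= value from the [connection] block of KEYFILE.
keyfile_uuid() {
    awk -F= '/^\[/ { in_conn = ($0 == "[connection]") }
             in_conn && $1 == "uuid" { print $2; exit }' "$1"
}

# Print KEYFILE with "secondaries=UUID;" at the end of its [connection] block,
# replacing any existing secondaries= line. Blank lines that precede the next
# section are kept after the inserted line. The trailing ";" is required.
with_secondary() {
    awk -v uuid="$2" '
        function emit() { if (!done) { print "secondaries=" uuid ";"; done = 1 } }
        /^\[/ { if (in_conn) { emit(); printf "%s", held; held = "" }
                in_conn = ($0 == "[connection]") }
        in_conn && /^secondaries=/ { next }
        in_conn && /^[ \t]*$/ { held = held $0 "\n"; next }
        { printf "%s", held; held = ""; print }
        END { if (in_conn) emit(); printf "%s", held }
    ' "$1"
}

# Constructed sample keyfile for a cellular connection (not a real device).
SAMPLE_KEYFILE='[connection]
id=Cellular
uuid=11111111-2222-3333-4444-555555555555
type=gsm

[gsm]
apn=internet'

# On the phone, as root (keyfiles must stay owned by root with mode 0600, so
# overwrite the contents rather than replacing the file):
#   d=/etc/NetworkManager/system-connections
#   with_secondary "$d/Cellular.nmconnection" "$(keyfile_uuid "$d/myvpn.nmconnection")" > /tmp/c.new \
#     && cat /tmp/c.new > "$d/Cellular.nmconnection" && systemctl restart NetworkManager
```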

Using SSH with a key instead of password

When you have SSH enabled on your phone, it is a good idea to use key-based authentication instead of password-based authentication. This is especially true in the case of numerical passwords only!

If you don't already have a private/public key pair, first generate one:

ssh-keygen -t ed25519

You should probably secure your key with a password. Now copy your public key to the device:

ssh-copy-id mobian@mobian

Now you can log in via SSH. Confirm that the key-based login works before going further, otherwise you may lock yourself out. Then search for PasswordAuthentication in /etc/ssh/sshd_config and change it to PasswordAuthentication no. Finally restart sshd:

sudo systemctl restart sshd

It is also worth moving SSH to an uncommon port, to reduce the noise and battery drain caused by SSH scanners on the Internet.

Extra note:

If you have secured your SSH key with a password and don't want to retype it every time you reconnect with SSH, you can run:

eval $(ssh-agent)
ssh-add

Now you should not be prompted to enter your password (as long as you are running ssh from the same environment/terminal).
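An added example (not from the wiki) of changing sshd_config the way sshd actually reads it: sshd uses the first uncommented occurrence of a keyword in the global section, keywords are case-insensitive, and entries inside a Match block apply only there, so editing a commented template line or a Match entry changes nothing. The sample configuration is constructed; the snippet assumes the "Keyword value" form without '='.

```shell
#!/bin/sh
# Added example (not from the Mobian wiki): edit sshd_config the way sshd
# reads it. sshd takes the FIRST uncommented occurrence of a keyword in the
# global section, keywords are case-insensitive, and lines inside a Match
# block only apply to that block. Assumes the "Keyword value" form (no '=').

# Print FILE with KEY set to VALUE in the global section: the first active
# directive is rewritten, later global duplicates are dropped, and if none
# exists the directive is inserted before the first Match block (or appended).
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        BEGIN { lkey = tolower(key) }
        tolower($1) == "match" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && tolower($1) == lkey {
            if (done) next
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$1"
}

# Print the value sshd will use for KEY in the global section, or nothing.
effective_sshd_option() {
    awk -v lkey="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == lkey { print $2; exit }
    ' "$1"
}

# Constructed sshd_config sample (not from a real device). Note the commented
# template line, the duplicate global entry and the Match block.
SAMPLE_SSHD_CONFIG='#PasswordAuthentication yes
Port 22
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes'

# On the phone, as root: write to a temp file, let sshd validate it, then install it.
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no > /tmp/sshd_config.new \
#     && sshd -t -f /tmp/sshd_config.new && cp /tmp/sshd_config.new /etc/ssh/sshd_config
```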

Disk encryption

Disk encryption is currently available through the Mobian Installer. This image can be found in the installer directory of the download page for your device. For the PinePhone for example, this is https://images.mobian-project.org/pinephone/installer/.

Encrypted /home partition

The following method uses a keyfile that is stored on disk, so it is strongly recommended to use it only in conjunction with an encrypted rootfs.

1. Copy the contents of your home directory with: sudo mkdir /tmp/mobian && sudo rsync -avz /home/mobian/ /tmp/mobian/

2. Ensure your sdcard has a single ext4 (or f2fs) partition

3. Encrypt your sdcard (WILL ERASE ALL DATA): sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/mmcblk0p1

4. Unlock the new encrypted partition: sudo cryptsetup luksOpen /dev/mmcblk0p1 home_crypt

5. Format the unlocked partition with ext4 (or f2fs): sudo mkfs.ext4 -m 0 /dev/mapper/home_crypt

6. Generate the keyfile which will automatically unlock the partition: sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4 && sudo chmod 0400 /root/keyfile

7. Add the keyfile to the Luks partition: sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile

8. A UUID identifies the partition more reliably than a device node in crypttab, so run sudo blkid /dev/mmcblk0p1 and copy the UUID

9. In /etc/crypttab add the following line: home_crypt /dev/disk/by-uuid/{PASTE UUID HERE} /root/keyfile luks,timeout=30

10. Add this line to /etc/fstab: /dev/mapper/home_crypt /home ext4 defaults 0 2 (if you formatted it as f2fs, replace ext4 with f2fs)

11. Mount the partition: sudo mount -t ext4 /dev/mapper/home_crypt /home

12. Copy the contents of /tmp/mobian (original home dir data): sudo rsync -avz /tmp/mobian /home/ (Trailing slashes must be exactly as written)

13. Reboot (Upon verified success, delete /tmp/mobian)

Secure boot

TODO

Daemon sandboxing

Implemented on some system daemons using unit files

Use `sudo systemd-analyze security` to check the current status

Application sandboxing

Provided optionally by firejail. Not enabled by default.

Usbguard

Protects from unauthorized USB devices being connected. Provided optionally by the usbguard package. Not enabled by default.

To install: sudo apt install usbguard

/etc/usbguard/usbguard-daemon.conf is used to configure runtime parameters of the daemon.

/etc/usbguard/rules.conf is used to define policy rules for USB devices.

The following example applies the policy to every connected USB device, so only devices explicitly allowed in /etc/usbguard/rules.conf are able to operate.

/etc/usbguard/usbguard-daemon.conf
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy
AuthorizedDefault=none
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=root plugdev
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
HidePII=false

After installation, rules are auto-generated for all currently connected USB devices. If you occasionally use other devices such as a USB hub, keyboard or mouse, plug in all required devices and regenerate the policy rules with:

sudo usbguard generate-policy > /etc/usbguard/rules.conf

Edit /etc/usbguard/rules.conf and simplify the rule for the WLAN modem. The auto-generated rule does not always match the modem, and the modem may then not be allowed to connect after returning from deep sleep. Keep only the allow, id, serial, name, hash and parent-hash values, i.e.:

allow id 2c7c:0125 serial "" name "EG25-G" hash "…" parent-hash "…"

Troubleshooting:

  • Check active rules: usbguard list-rules
  • Examine /var/log/usbguard/usbguard-audit.log
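The rule simplification above can be scripted. This is an added shell example, not part of usbguard or the wiki; the sample rules are constructed and the hash values are placeholders. It assumes the one-rule-per-line output of usbguard generate-policy and device names without embedded escaped quotes.

```shell
#!/bin/sh
# Added example (not from usbguard or the Mobian wiki): reduce the auto-generated
# rule(s) for one vendor:product id to allow, id, serial, name, hash and
# parent-hash, dropping via-port, with-interface and with-connect-type.
# Assumes the one-rule-per-line output of `usbguard generate-policy` and
# device names without embedded escaped quotes.

# Print RULES_FILE with every "allow id ID ..." rule simplified; other rules
# are passed through unchanged.
simplify_rules_for() {
    awk -v id="$2" '
        $1 == "allow" && $2 == "id" && $3 == id {
            sub(/ via-port "[^"]*"/, "")
            sub(/ with-interface ([{][^}]*[}]|[0-9a-f*:]+)/, "")
            sub(/ with-connect-type "[^"]*"/, "")
        }
        { print }
    ' "$1"
}

# Constructed sample rules file; the hash values are placeholders, not real hashes.
SAMPLE_RULES='allow id 2c7c:0125 serial "" name "EG25-G" hash "PLACEHOLDER_HASH" parent-hash "PLACEHOLDER_PARENT_HASH" via-port "usb1-1" with-interface { ff:ff:ff ff:ff:ff ff:ff:ff ff:ff:ff 02:06:00 0a:00:00 } with-connect-type "hardwired"
allow id 1d6b:0002 serial "xhci-hcd.0.auto" name "xHCI Host Controller" hash "PLACEHOLDER_HASH_2" parent-hash "PLACEHOLDER_PARENT_HASH_2" via-port "usb1" with-interface 09:00:00 with-connect-type ""'

# On the phone, as root (review the output before replacing the live file):
#   simplify_rules_for /etc/usbguard/rules.conf 2c7c:0125 > /tmp/rules.conf.new
```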

Firewall

Protect network services using iptables.

1. Install iptables-persistent package to make iptables rules persistent after reboot with sudo apt install iptables-persistent.

2. Answer “yes” to save existing IPv4 and IPv6 rules.

3. Edit /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

4. The following firewall configs can be used as a starting point for your setup.

  • Uncomment the lines that log packets when troubleshooting.
  • Replace the 192.168.1.0/24 subnet with your LAN subnet or any other network from which you want to allow SSH access and ICMP.
  • To apply changes run: sudo iptables-restore /etc/iptables/rules.v4 for IPv4 rules and sudo ip6tables-restore /etc/iptables/rules.v6 for IPv6 rules.

/etc/iptables/rules.v6 - allows outbound connections only

# Generated by ip6tables-save v1.8.6 on Sun Dec 27 20:20:50 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Block remote packets claiming to be from a loopback address.
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Neighbour discovery and router advertisements are required for IPv6 to work at all,
# even for outbound-only use; conntrack does not classify them as ESTABLISHED.
# 134 = router-advertisement, 135 = neighbour-solicitation, 136 = neighbour-advertisement
-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
#-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6[IN]: "

COMMIT
# Completed on Sun Dec 27 20:20:50 2020

/etc/iptables/rules.v4 - allow outbound connections and inbound SSH connections from specified subnet.

# Generated by iptables-save v1.8.6 on Sun Dec 27 20:20:50 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Block remote packets claiming to be from a loopback address.
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

# Drop all packets that are going to broadcast, multicast or anycast address.
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP

# Accept access to SSH from 192.168.1.0/24 network.
-A INPUT -p tcp -s 192.168.1.0/24 --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT

# Accept pings (ICMP echo-request, type 8) and common ICMP errors from 192.168.1.0/24 network.
# Echo replies (type 0) need no rule of their own: they are ESTABLISHED traffic.
-A INPUT -p icmp --icmp-type 8  -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 3  -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Do not log packets that are going to ports used by SMB (Samba / Windows Sharing).
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
-A INPUT -p udp --dport 137:139 -j DROP
-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

# Do not log packets that are going to port used by UPnP protocol.
-A INPUT -p udp --dport 1900 -j DROP

# Do not log late replies from nameservers.
-A INPUT -p udp --sport 53 -j DROP

# Prevent DOS by filling log files.
#-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip4[IN]: "

COMMIT
# Completed on Sun Dec 27 20:20:50 2020

Reproducible builds

Other