Fedora, Hardening, Information Security, Linux, Network Administration, Privacy, System Administration, Uncategorized

Detox Fedora 19/20/21

Leave a comment

I’ve always used Fedora, basically since it was RedHat 7.0 … However, from that time until now, it has changed a lot.

WARNING/DISCLAIMER: THIS GUIDE WILL CORRUPT AND DAMAGE YOUR LINUX FEDORA INSTALLATION. IF YOU ARE NOT FAMILIAR WITH LINUX, AND KNOW EXACTLY WHAT YOU ARE DOING, PLEASE LEAVE NOW.

IF YOU STAY, YOU AGREE THAT I’M NOT RESPONSIBLE OF ANY DAMAGE OR DERIVED DAMAGE CAUSED BY THIS GUIDE.

One of the reasons why I like fedora, is because it is one of the few distros that works natively with SELinux.

However, fedora has started to be a little more invasive since systemd abrtd, and networkmanager were introduced. Unfortunately it is difficult to get out of systemd.

Getting rid of NetworkManager:

!!! WARNING !!!: NetworkManager makes it easy for you to start the network seamlessly from your desktop or laptop disabling it, and not having the patience to configure the network-scripts, will make you to loose your internet conectivity. I am not responsible for it !.

In order to get rid of NM, you just need to execute this (as root):

systemctl stop NetworkManager.service
systemctl disable NetworkManager.service

systemctl enable network.service 
systemctl start network.service

In this way, we will enable the old network service and we will disable the NetworkManager.

Now you can configure your network scripts located on: /etc/sysconfig/network-scripts/

** If your computer is a laptop, you might want to keep NetworkManager **

Getting rid of AVAHI:

Avahi is a daemon for interconnecting small networks. It provides a distributed multicast DNS service and a Service Discovery Service. It’s useful to discover shared services across the local network.

I personally don’t like or need this service, Everything in my network is pre-configured. And I don’t have many plug and play devices that I usually connect to my network.

To disable AVAHI, run this as root:

systemctl disable avahi-daemon
systemctl stop avahi-daemon.socket
systemctl stop avahi-daemon.service

Getting rid of ABRTD:

Abrtd is the daemon that collects system information when a program falls into an error condition. This will allow developers to understand why your program fell into that condition.

If we are altruistic, we should leave this service, however, collected and sent information by this daemon may be a threat to your privacy.

And remember: The problem with the cloud is not about trust or not to trust someone specific (eg MEGA, Google, Fedora, TeamViewer, etc.) … It is that any mechanism that may be exploitable, will be exploited sooner or later, whether by individuals, by the owners or third parties who have (or will have) the technology to compromise it.

To get rid of ABRTD (root console):

systemctl stop abrt-ccpp.service
systemctl stop abrt-oops.service
systemctl stop abrt-vmcore.service
systemctl stop abrt-xorg.service
systemctl stop abrtd.service

systemctl disable abrt-ccpp.service
systemctl disable abrt-oops.service
systemctl disable abrt-vmcore.service
systemctl disable abrt-xorg.service
systemctl disable abrtd.service

Getting rid of PackageKit:

PackageKit is a service to keep your operating system up to date, however, this service is invasive … Maybe we want to use a better option like yum-cron, and let the updates to be installed at night without user interaction

To do this, we can disable the service PackageKit (root console):

systemctl disable packagekit.service
systemctl stop packagekit.service

** Stopping packagekit might take several minutes.

And do not forget to install yum-cron to constatly/daily update your system
To install yum-cron in fedora (root console):
yum -y install yum-cron

And now edit /etc/yum/yum-cron.conf

Replacing the following line:

apply_updates = no

by:

apply_updates = yes

Getting rid of FirewallD:

FirewallD is another attempt to separate the final user from the system internals. If we are familiar with iptables, maybe we want to control the firewall rules ourselves, and not through a “dumbinterface.

systemctl disable firewalld
systemctl stop firewalld

And next:

yum install iptables-services

With this, we can enjoy and configure the firewall using /etc/sysconfig/iptables. (BEWARE: it’s very important to configure your iptables!).

Disabling IPv6:

I describe IPv6 as a backdoor in your operating system. Nothing operates today with IPv6 (or almost nothing), maybe in the future it will be interesting to operate with IPv6, when our ISP provide us with a valid IPv6 address. But in the meantime, be IPv6 ready slow down the operating system and can create security breaches if we do not take care of it (eg. To configure firewall rules in ipv6)

If  you want to disable it, you just need to edit this file: /etc/sysconfig/grub:

and add to GRUB_CMDLINE_LINUX=, the value: ipv6.disable=1

Eg.

Before:

GRUB_CMDLINE_LINUX="rd.lvm.lv=vg0/root rd.luks.uuid=xyz rd.lvm.lv=vg0/swap rhgb quiet"

After:

GRUB_CMDLINE_LINUX="rd.lvm.lv=vg0/root rd.luks.uuid=xyz rd.lvm.lv=vg0/swap rhgb quiet ipv6.disable=1"

Then, to apply changes, you have to run grub2-mkconfig (as root):

grub2-mkconfig -o /boot/grub2/grub.cfg

and then, reboot…

And systemd?

Unfortunately,  I don’t have any solution here … maybe, you need to take a look on SystemV based distributions (like devuan)

Leave a Reply