diff --git a/README.md b/README.md index 8a26179..ed66e1d 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ A practical approach to Privacy and Security The website content (under `/content`) is under the [Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/) license. -The articles originally posted on [wonderfall.dev](https://wonderfall.dev), [seirdy.one](https://seirdy.one), and [akc3n.org](https://akc3n.org) are under the same license. +The articles originally posted on [wonderfall.dev](https://wonderfall.dev), [seirdy.one](https://seirdy.one), and [akc3n.org](https://akc3n.org) are under the same license. Articles originally posted on [wanderingcomputerer.gitlab.io](https://WanderingComputerer.gitlab.io) are under the [Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/) license. The Hugo Framework used to create this website is under the [Apache License](https://github.com/gohugoio/hugo/blob/master/LICENSE). diff --git a/content/os/Desktop-Linux-Hardening.md b/content/os/Desktop-Linux-Hardening.md index 4c4e463..0c9ad98 100644 --- a/content/os/Desktop-Linux-Hardening.md +++ b/content/os/Desktop-Linux-Hardening.md @@ -30,13 +30,13 @@ Depending on your distribution, encrypted swap may be automatically set up if yo ## Privacy Tweaks -### MAC Address Randomization +### NetworkManager Trackability Reduction -Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. +Most desktop Linux distributions including Fedora, openSUSE, Ubuntu, and so on come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager) by default to configure Ethernet and Wi-Fi settings. -It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. +WfKe9vLwSvv7rN has detailed guide on [trackability reduction with NetworkManager](/os/networkmanager-trackability-reduction/) and I highly recommend that you check it out. -If you use NetworkManager, add the following to your `/etc/NetworkManager/conf.d/00-macrandomize.conf` +In short, if you use NetworkManager, add the following to your `/etc/NetworkManager/conf.d/00-macrandomize.conf`: ``` [device] wifi.scan-rand-mac-address=yes @@ -46,13 +46,24 @@ wifi.cloned-mac-address=random ethernet.cloned-mac-address=random ``` +Next, disable transient hostname management by adding the following to your `/etc/NetworkManager/conf.d/01-transient-hostname.conf`: + +``` +[main] +hostname-mode=none +``` + Then, restart your NetworkManager service: -``` -systemctl restart NetworkManager +```bash +sudo systemctl restart NetworkManager ``` -If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). +Finally, set your hostname to `localhost`: + +```bash +sudo hostnamectl hostname "localhost" +``` Note that randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi card firmware. @@ -60,7 +71,6 @@ Note that randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi card There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/knowledge/threat-modeling/): -- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. - **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. - **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). diff --git a/content/os/NetworkManager Trackability Reduction.md b/content/os/NetworkManager Trackability Reduction.md new file mode 100644 index 0000000..7113566 --- /dev/null +++ b/content/os/NetworkManager Trackability Reduction.md @@ -0,0 +1,181 @@ +--- +title: "NetworkManager Trackability Reduction" +tags: ['Operating Systems', 'Linux', 'Privacy'] +date: 2022-09-04 +author: WfKe9vLwSvv7rN +canonicalURL: https://wanderingcomputerer.gitlab.io/guides/tips/nm-hardening/ +ShowCanonicalLink: true +--- + +## MAC address randomization + +Note that Ethernet connections can still be tracked via switch ports, and WiFi connections can be broadly localized by access point. + +Furthermore, MAC address spoofing and randomization depends on firmware support from the interface. Most modern network interface cards support the feature. + +There are three different aspects of MAC address randomization in NetworkManager, each with their own configuration flag: + +#### WiFi scanning + +``` +[device] +wifi.scan-rand-mac-address=yes +``` + +#### WiFi connections + +``` +[connection] +wifi.cloned-mac-address= +``` + +#### Ethernet connections + +``` +[connection] +ethernet.cloned-mac-address= +``` + +#### Mode options + +`random`: Generate a new random MAC address every time a connection is activated + +`stable`: Assign each connection a random MAC address that will be maintained across activations + +`preserve`: Use the MAC address already assigned to the interface (such as from `macchanger`), or the permanent address if none is assigned + +`permanent`: Use the MAC address permanently baked into the hardware + +### Setting a default configuration {#macrand-default-configuration} + +It's best to create a dedicated configuration file, such as `/etc/NetworkManager/conf.d/99-random-mac.conf`, to ensure package updates do not overwrite the configuration. In general, I recommend the following: + +``` +[device] +wifi.scan-rand-mac-address=yes + +[connection] +wifi.cloned-mac-address=random +ethernet.cloned-mac-address=random +``` + +This configuration randomizes all MAC addresses by default. These settings can of course be [overridden on a per-connection basis](#per-connection-overrides). + +After editing the file, run `sudo nmcli general reload conf` to apply the new configuration. + +### Per-connection overrides + +Connection-specific settings take precedence over configuration file defaults. They can be set through `nm-connection-editor` ("Network Connections"), a DE-specific network settings GUI, `nmtui`, or `nmcli`. + +Look for "Cloned MAC address" under the "Wi-Fi" or "Ethernet" section: + +![nm-connection-editor screenshot](/images/nm-connection-editor.webp) + +In addition to the four mode keywords, you can input an exact MAC address to be used for that connection. + +For a home or other trusted network, it can be helpful to use `stable` or even `permanent`, as MAC address stability can help avoid being repeatedly served a new IP address and DHCP lease (though not all DHCP servers work this way). + +For public networks with captive portals (webpages that must be accessed to gain network access), the `stable` setting can help prevent redirection back to the captive portal after a brief disconnection or roaming to a different access point. + +### Seeing the randomized MAC address + +Activate the connection in question, and then look for `GENERAL.HWADDR` in the output of `nmcli device show`. This represents the MAC address currently in use by the interface, whether randomized or not. It is also visible as "Hardware Address" (or similar) in NetworkManager GUIs under active connection details. + +```bash +$ nmcli device show +GENERAL.DEVICE: enp5s0 +GENERAL.TYPE: ethernet +GENERAL.HWADDR: XX:XX:XX:XX:XX:XX + +GENERAL.DEVICE: wlp3s0 +GENERAL.TYPE: wifi +GENERAL.HWADDR: XX:XX:XX:XX:XX:XX +``` + +--- + +## Remove static hostname to prevent hostname broadcast + + +```bash +sudo hostnamectl hostname "localhost" +``` + +An empty (blank) hostname is also an option, but a static hostname of "localhost" is less likely to cause breakage. Both will result in no hostname being broadcasted to the DHCP server. + +### Disabling transient hostname management {#rmhostname-transient} + +It's best to create a dedicated configuration file, such as `/etc/NetworkManager/conf.d/01-transient-hostname.conf`, to ensure package updates do not overwrite the configuration: + +``` +[main] +hostname-mode=none +``` + +This will prevent NetworkManager from setting transient hostnames that may be provided by some DHCP servers. This will have no visible effect except with an empty static hostname. + +After editing the file, run `sudo nmcli general reload conf` to apply the new configuration. Run `sudo hostnamectl --transient hostname ""` to reset the transient hostname. + +--- + +## Disable sending hostname to DHCP server + +**This configuration will leak your hostname on first connection.** Setting a generic or random hostname is strongly recommended if possible. + +Due to [limitations in NetworkManager](https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/584 "NetworkManager issue: No way to set dhcp-send-hostname globally"), it is not possible to reliably disable sending hostnames by default. This setup is very much a hack. + +Due to being leaky, this configuration is virtually useless without also [randomizing MAC addresses by default](#macrand-default-configuration "MAC address randomization — Setting a default configuration"). Your MAC address and hostname will not be correlated starting with the second connection, assuming the first connection used a random MAC address. + +Create `/etc/NetworkManager/dispatcher.d/no-wait.d/01-no-send-hostname.sh` as follows: + +```sh +#!/bin/sh + +if [ "$(nmcli -g 802-11-wireless.cloned-mac-address c show "$CONNECTION_UUID")" = 'permanent' ] \ + || [ "$(nmcli -g 802-3-ethernet.cloned-mac-address c show "$CONNECTION_UUID")" = 'permanent' ] +then + nmcli connection modify "$CONNECTION_UUID" \ + ipv4.dhcp-send-hostname true \ + ipv6.dhcp-send-hostname true +else + nmcli connection modify "$CONNECTION_UUID" \ + ipv4.dhcp-send-hostname false \ + ipv6.dhcp-send-hostname false +fi +``` + +The script must have specific file permissions and a symlink to take effect: + +```bash +cd /etc/NetworkManager/dispatcher.d/ +sudo chown root:root no-wait.d/01-no-send-hostname.sh +sudo chmod 744 no-wait.d/01-no-send-hostname.sh +sudo ln -s no-wait.d/01-no-send-hostname.sh ./ +``` + +This script will be automatically triggered on connection events to modify the connection's `dhcp-send-hostname` settings. If the connection's _cloned MAC address_ is [explicitly overridden](#per-connection-overrides) to `permanent`, the hostname will be sent to the DHCP server on future connections. In all other cases, the hostname will be masked on future connections, so the DHCP server will only see the MAC address. + +### Verifying proper operation + +After initiating first connection with a network: + +```bash +$ nmcli c show | grep dhcp-send-hostname +ipv4.dhcp-send-hostname: no +ipv6.dhcp-send-hostname: no +``` + +`` can be the connection name (usually the SSID for WiFi networks) or UUID, obtained from `nmcli c show [--active]`. + +_Recall that these setting values are set based on the previous connection activation and take effect for the next connection activation._ + +--- + +## Sources +- [ArchWiki --- NetworkManager](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization) +- [hostnamectl man page](https://www.freedesktop.org/software/systemd/man/hostnamectl) +- [MAC Address Spoofing in NetworkManager 1.4.0](https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/) +- [NetworkManager.conf man page](https://networkmanager.dev/docs/api/latest/NetworkManager.conf.html) +- [NetworkManager-dispatcher man page](https://networkmanager.dev/docs/api/latest/NetworkManager-dispatcher.html) +- [NetworkManager: Disable Sending Hostname to DHCP Server](https://viliampucik.blogspot.com/2016/09/networkmanager-disable-sending-hostname.html) +- [nmcli man page](https://networkmanager.dev/docs/api/latest/nmcli.html) \ No newline at end of file diff --git a/external-blogs.sh b/external-blogs.sh index c2bbf5f..adcb4ec 100755 --- a/external-blogs.sh +++ b/external-blogs.sh @@ -38,4 +38,7 @@ sed -i '/^tags:.*/a author: Wonderfall' './content/os/Securing OpenSSH with FIDO # His GitHub repo: https://github.com/Seirdy/seirdy.one # Blogs by akc3n currently needs to be manually ported, though a script for it can be written later. He is planning to change his website soon, so it is better to wait till then. -# His GitHub repo: https://github.com/akc3n/akc3ndotorg \ No newline at end of file +# His GitHub repo: https://github.com/akc3n/akc3ndotorg + +# Blogs by WfKe9vLwSvv7rN currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown. +# His GitLab repo: https://gitlab.com/WanderingComputerer/WanderingComputerer.gitlab.io/ \ No newline at end of file diff --git a/static/images/nm-connection-editor.webp b/static/images/nm-connection-editor.webp new file mode 100644 index 0000000..55efc99 Binary files /dev/null and b/static/images/nm-connection-editor.webp differ