# Security and Hardening Recommendations for archsetup

These recommendations come from the install-archzfs base install.
The base system is minimal - archsetup should handle hardening.

## SSH Hardening (Priority: High)

If SSH was enabled during install (for headless servers), it uses password auth.
archsetup should:

1. Install and configure fail2ban
   - pacman -S fail2ban
   - Enable sshd jail
   - Configure ban times (suggested: 10m first offense, escalating)
   - Consider integration with firewalld/nftables

2. Switch to key-based authentication
   - Prompt user for SSH public key or generate keypair
   - Disable password authentication in /etc/ssh/sshd_config:
     - PasswordAuthentication no
     - PermitRootLogin prohibit-password (or 'no' for desktop)

3. Consider changing default SSH port (optional, security through obscurity)

## Firewall (Priority: High)

Base install has no firewall configured. Options:

1. firewalld (recommended for most users)
   - pacman -S firewalld
   - systemctl enable --now firewalld
   - Default zone should block incoming except SSH

2. nftables (for advanced users)
   - Already installed as iptables backend
   - Needs manual configuration

3. ufw (simpler alternative)
   - pacman -S ufw
   - Good for users coming from Ubuntu

## ZFS-Specific Recommendations

1. Sanoid/Syncoid for automated snapshots
   - pacman -S sanoid
   - Configure /etc/sanoid/sanoid.conf for automatic snapshot retention
   - Suggested policy: hourly for 24h, daily for 7d, monthly for 12m

2. ZFS scrub timer
   - systemctl enable zfs-scrub-weekly.timer
   - Or create monthly timer for large pools

3. ZED (ZFS Event Daemon) email alerts
   - Configure /etc/zfs/zed.d/zed.rc
   - Set ZED_EMAIL_ADDR for pool health notifications

4. Consider zfs-auto-snapshot as alternative to sanoid

## User Account Setup

Base install only has root. archsetup should:

1. Create primary user account with sudo access
2. Lock root account for direct login (sudo only)
3. Configure sudo timeout and logging

## Package Manager Hardening

1. Enable pacman hooks for security
   - Verify package signatures (already default)

2. Consider enabling reflector timer
   - Keeps mirrorlist updated with fastest/most recent mirrors

3. Install pacman-contrib for paccache
   - Configure paccache.timer to clean old package cache

## Automatic Updates (Optional)

For servers that need unattended security updates:

- Consider pacman-auto-update or similar
- ZFS pre-pacman snapshots (already in install-archzfs) make this safer

## AppArmor/SELinux (Optional, Advanced)

For high-security environments:

- AppArmor is easier: pacman -S apparmor
- Requires kernel parameter: lsm=apparmor

## Misc Recommendations

1. Install and enable systemd-timesyncd or chrony for NTP

2. Configure journald retention
   - /etc/systemd/journald.conf
   - SystemMaxUse=500M (or appropriate for system)

3. Disable core dumps for security (optional)
   - /etc/security/limits.conf: * hard core 0

4. Install lynis for security auditing
   - pacman -S lynis
   - Run: lynis audit system

## Desktop-Specific (if applicable)

1. Consider firejail for sandboxing applications
2. Install a password manager (pass, keepassxc)
3. Configure automatic screen lock

## Server-Specific (if applicable)

1. Install and configure logwatch or logrotate
2. Consider setting up centralized logging
3. Install monitoring (prometheus node_exporter, netdata, etc.)

---

Generated by install-archzfs build system
These are recommendations - implement based on your security requirements.
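
For the SSH Hardening section above, a check archsetup could run after switching to key-based authentication. This is an added example, not code from archsetup or install-archzfs; the function names `sshd_effective` and `audit_sshd_config` are hypothetical and the sample config is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config-style file against the two settings
# recommended under "SSH Hardening". Function names are hypothetical.

# Print the effective global value of a keyword (lowercased), or nothing.
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional, so stop there.
# Assumes "Keyword value" lines separated by whitespace.
sshd_effective() {
    local keyword="$1" file="$2"
    awk -v want="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                   # global section ends here
        key == want { print tolower($2); exit }   # first value wins
    ' "$file"
}

# Return 0 if the file meets the recommendations, 1 otherwise; print findings.
audit_sshd_config() {
    local file="$1" rc=0 pw root
    pw="$(sshd_effective PasswordAuthentication "$file")"
    root="$(sshd_effective PermitRootLogin "$file")"
    # Unset keywords fall back to the OpenSSH defaults.
    pw="${pw:-yes}"
    root="${root:-prohibit-password}"
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication is '$pw' (want: no)"; rc=1
    fi
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin is '$root' (want: prohibit-password or no)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK $file"
    return "$rc"
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample="$(mktemp)"
printf '%s\n' '# constructed sample' 'passwordauthentication yes' \
    'PasswordAuthentication no' 'Match User backup' 'PermitRootLogin yes' > "$sample"
audit_sshd_config "$sample" || echo "hardening needed"
```

On an installed system, save the output of `sshd -T` to a file and audit that instead, since it resolves Include files and built-in defaults.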