System Hardening Chronicles: In Search of a Configuration Resilient to Targeted Attacks

⚠️ Notice! This article is a work in progress. Updates and additions are made as new data becomes available regarding the resilience of new security configurations and hacker activity.
Last content update: 2026-04-11

1. Introduction: Analysis of the Initial Configuration and Prerequisites for Hardening

1.1 Context and Assumptions

Adversary Profile:
Presumably, a group with at least 20 years of experience in targeted attacks. This experience has been honed on thousands of real-world targets. Their methods include technological, socio-technical, and psychological vectors.

My Initial Position:
— Since August 2022, working in a security agency (physical security, not cyber).
— Since March 2025, systematically studying cybersecurity.
— Hardware and configurations at the time the attack began (February–March 2011) were not prepared for targeted defense.
— In June 2011, an opportunity existed to receive free configuration and basic training from an acquaintance (a lawyer) — this opportunity was not taken.

Conclusion on the Initial Configuration:
In the initial phase, the system lacked resilience against a targeted attack. I accept full responsibility for this.

1.2 Nature of the Attack (Observed Model)

The attack combines:

Philosophical-occult rhetoric (active engagement in discussions about intuition, various forms of art, abstract concepts)
Technological and socio-technical methods (actual OS vulnerabilities, social engineering, psychological pressure)

This model fully corresponds to the classic scenario described in science fiction literature:
Distracting a person (or group) with metaphysics detached from reality + striking through technical and human vulnerabilities by leveraging superiority in scientific-technical and psychological knowledge.

1.3 Effectiveness of the Scientific Approach as a Countermeasure

The analysis established:

When fully rejecting adversary-imposed discussions in the field of metaphysics, as well as metaphysical and intuitive thinking models, in favor of scientific-technical analysis (logic, causality, verifiable data) — the intensity of attacking actions increases many times over.
The increase in pressure from the attacking group is a diagnostic indicator of the correctness of the chosen defense strategy.

Fact:
Attempts at moral and psychological suppression intensify in direct proportion to progress in studying AI, cybersecurity, social engineering, and forensic psychology. The more the victim's smokescreen of metaphysics and abstract concepts dissipates, the more the adversary displays their concern.

1.4 Current Strategy

No emotions. No resentment. No surprise.

The following course has been adopted:

Systematic study of security, cybersecurity, socio-technical systems, and forensic psychology.
Documentation of all attacks, vulnerabilities, responses, and configuration changes.
Continuous system hardening with results recording.

Objective:
Achieve a configuration resilient to targeted attacks, followed by publication of all developed materials under the CC0 license.

2. Executive Summary (Technical Report)

Parameter	Value
Initial Security Posture	Low
Attack Commencement	February–March 2011
Adversary Experience (Estimate)	≥ 20 years
Countermeasure	Scientific-technical analysis, hardening, documentation
Indicator of Effectiveness	Noticeable or even abrupt increase in attacking action intensity
Long-term Goal	Publish a resilient configuration under CC0

3. Chronicle of Hardening and Attacks

3.1 Description of the Previous System Configuration: CONFIGURATION 1

Hardware

Processor and Architecture:
Architecture: x86_64
Model name: AMD Athlon(tm) II X2 220 Processor

RAM (at time of capture):
total used free shared buff/cache available Mem: 5.8Gi 2.9Gi 809Mi 64Mi 2.5Gi 2.9Gi Swap: 5.6Gi 256Ki 5.6Gi

Motherboard:
SMBIOS 2.6 present.
Manufacturer: BIOSTAR Group
Product Name: N68S3B
Version: (not specified)
Serial Number: None
Type: Motherboard

Network Interface:
00:07.0 Bridge: NVIDIA Corporation MCP61 Ethernet (rev a2)
Subsystem: Biostar Microtech Int'l Corp Device 3407
Interrupt: pin A routed to IRQ 26
Capabilities: Power Management version 2, MSI (enabled)

Software

Operating System: Debian 12
Desktop Environment: MATE
Kernel: 6.1.0-34-amd64

Network and System Settings:

Internet access: ProtonVPN GUI in KillSwitch mode
Incoming ports in nftables: fully blocked
Outgoing ports in nftables: partially blocked (only ports required for the system and user applications allowed)
AppArmor: partially enforced profiles provided by default with the system. Additional profile collections not downloaded, custom profiles not created

Configuration 1 finalization date: 2025-08-01

3.2 Attack on Configuration 1

Date of attack: 2026-12-26

Confirmed adversary capabilities (post-factum):

Reading correspondence with ChatGPT and DeepSeek in authorized browser-based web versions of personal accounts
Viewing search queries on DuckDuckGo and Google (browser installed system-wide, browser fingerprint was masked)
Visual monitoring of icons on the MATE desktop environment taskbar
Viewing folder names in the KeePassXC root and icons of individual password entries (KeePassXC installed system-wide)
Access to images generated within ChatGPT
Reading text typed in the Pluma editor

Post-attack action: Old system wiped, clean installation of new configuration performed.

3.3 Hardened Configuration Post-Attack: CONFIGURATION 2

Hardware

Same system unit (no changes).

Software

Operating System:
Distributor ID: Debian
Description: Debian GNU/Linux 13 (trixie)
Release: 13 (13.4)
Codename: trixie

Kernel:
Linux home 6.12.74+deb13+1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.74-2 (2026-03-08) x86_64 GNU/Linux

Graphics Subsystem:
Environment: GNOME / Wayland
GNOME Shell 48.7
tty (fallback access)

nftables version:
1.1.3 (Commodore Bullmoose #4)

nftables ruleset file (2026-04-13):


# nftables ruleset, configuration 2
# Retrieved: 2026-04-13

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		udp sport 53 queue flags bypass to 0
		iif "lo" accept
		ct state established,related accept
		ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
		ip saddr 0.0.0.0/0 ct state new drop
		ip protocol icmp icmp type echo-request limit rate 1/second burst 5 packets accept
		ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
		ip protocol icmp icmp type echo-request drop
		ip daddr 239.255.255.250 udp dport 1900 drop
		ip daddr 224.0.0.251 udp dport 5353 drop
		udp dport 137 drop
		udp dport 138 drop
		udp dport 5355 drop
		ip saddr { 45.9.20.0/24, 89.248.160.0/19, 185.107.56.0/24, 185.129.62.0/23, 185.220.100.0/22, 198.96.155.0/24 } log prefix "🔥 BAN: known bots " flags all
		ip saddr { 45.9.20.0/24, 89.248.160.0/19, 185.107.56.0/24, 185.129.62.0/23, 185.220.100.0/22, 198.96.155.0/24 } drop
		tcp flags ! fin,syn,rst,psh,ack,urg drop
		tcp flags & (fin | psh | urg) == fin | psh | urg drop
		tcp flags & (fin | syn) == fin | syn drop
		tcp flags & (fin | syn | rst) == fin | syn | rst drop
		tcp flags & (fin | syn | rst | psh | ack) == fin | syn | rst | ack drop
		ip frag-off & 0x1fff != 0x0 drop
		ip saddr 127.0.0.0/8 drop
		ip saddr 10.0.0.0/8 drop
		ip saddr 172.16.0.0/12 drop
		ip saddr 192.168.0.0/16 drop
		ip saddr 169.254.0.0/16 drop
		ip saddr 0.0.0.0/8 drop
		ip saddr 224.0.0.0/4 drop
		ip saddr 240.0.0.0/5 drop
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		tcp dport { 53, 80, 443, 873, 12043, 13000-13050 } accept
		udp dport { 53, 443, 3478-3481 } accept
		tcp dport { 21, 22, 23, 137, 138, 139, 445, 1080, 1234, 1337, 1433, 1434, 1900, 3128, 3306, 3389, 4444, 5555, 5900, 8000, 8080, 8888, 9001, 9200, 10000 } drop
		udp dport { 161, 162 } drop
		tcp dport { 1024-65535 } drop
		udp dport { 1024-65535 } drop
		ip saddr { 37.0.0.0/8, 77.0.0.0/8, 88.0.0.0/8, 91.0.0.0/8, 185.0.0.0/8 } drop
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ip saddr 0.0.0.0/0 ct state new limit rate 25/second burst 50 packets accept
		ip saddr 0.0.0.0/0 ct state new drop
		ip protocol icmp icmp type echo-request limit rate 1/second burst 5 packets accept
		ip protocol icmp icmp type echo-request log prefix "🔥 BAN: ICMP flood " flags all
		ip protocol icmp icmp type echo-request drop
		ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
		ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
		ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-solicit, nd-router-advert } accept
		ip protocol icmp drop
		ip6 nexthdr ipv6-icmp drop
		meta l4proto sctp drop
		meta l4proto dccp drop
		tcp dport { 53, 80, 443, 873, 3000, 3306, 3478, 3690, 4443, 12043, 13000-13050 } accept
		udp dport { 443, 13000-13050 } accept
		tcp dport { 21, 22, 23, 137, 138, 139, 445, 1080, 1234, 1337, 1433, 1434, 1900, 3128, 3306, 3389, 4444, 5555, 5900, 8000, 8080, 8888, 9001, 9200, 10000 } drop
		udp dport { 161, 162 } drop
		tcp dport { 1-5999, 7000-7999, 9000-32767 } drop
		udp dport { 1024-4095, 8192-32767 } drop
		ip saddr { 37.0.0.0/8, 77.0.0.0/8, 88.0.0.0/8, 91.0.0.0/8, 185.0.0.0/8 } drop
	}
}
table inet nat {
	chain filter-prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
	}

	chain input {
		type nat hook input priority srcnat; policy accept;
	}

	chain output {
		type nat hook output priority 100; policy accept;
	}
}
table inet mangle {
	chain output {
		type filter hook output priority mangle; policy accept;
		icmp type { echo-reply, destination-unreachable, echo-request } accept
		udp dport 51820 accept
		meta l4proto != tcp ct state related,new queue flags bypass to 0
		tcp flags & (fin | syn | rst | ack) == syn queue flags bypass to 0
	}

	chain prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain forward {
		type filter hook forward priority mangle; policy accept;
	}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 masquerade
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}

	chain OUTPUT {
		type nat hook output priority dstnat; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 0 bytes 0 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump DOCKER-USER
		counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
	}

	chain DOCKER-USER {
		counter packets 0 bytes 0 return
	}
}

sysctl hardening configuration (2026-03-03):


# ============================================
# SYSTEM HARDENING CONFIG (Debian 13 / MATE)
# Version: 6.0 (final)
# Date: 2026-03-03 16:31
# ============================================
# Apply: sudo sysctl --system
# ============================================

# ========== CORE NETWORK ==========

net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.tcp_synack_retries = 2

# ========== NETWORK HARDENING ==========

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.*.rp_filter = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# ========== KERNEL HARDENING ==========

kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.randomize_va_space = 2
kernel.yama.ptrace_scope = 1
dev.tty.ldisc_autoload = 0
fs.protected_fifos = 2
kernel.sysrq = 0
net.core.bpf_jit_harden = 2
kernel.unprivileged_bpf_disabled = 1

# ========== END OF CONFIG ==========

AppArmor:
Parser version: 4.1.0

Flatpak:
Version: 1.16.3

Installed Flatpak Applications:

Flatseal (com.github.tchx84.Flatseal) — 2.4.0
Viber (com.viber.Viber) — 24.9.0.3 (messenger, installed via Flatpak, system version removed)
LibreWolf (io.gitlab.librewolf-community) — 149.0-1 (browser, installed via Flatpak, system version removed)
Geany (org.geany.Geany) — 2.1.0 (code editor, installed via Flatpak, system version removed)
KeePassXC (org.keepassxc.KeePassXC) — 2.7.12 (password manager, installed via Flatpak, system version removed)

OpenSnitch:
GUI version: 1.6.9
protobuf: 4.21.12
grpc: 1.51.1

OpenSnitch user rules (excerpt):


# ============================================
# OPENSNITCH USER RULES
# Creation date: 2026-04-03 — 2026-04-08
# ============================================

# ========== BROWSERS (allowed) ==========

# LibreWolf
{
  "name": "allow-librewolf",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/app/lib/librewolf/librewolf"
  }
}

# Firefox ESR
{
  "name": "allow-firefox-esr",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/lib/firefox-esr/firefox-esr"
  }
}

# ========== APPLICATIONS (allowed) ==========

# Python interpreter (for scripts)
{
  "name": "allow-python3.13",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/bin/python3.13"
  }
}

# Git (GitHub access)
{
  "name": "allow-git-remote-http",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/lib/git-core/git-remote-http"
  }
}

# Systemd NTP client (time synchronization)
{
  "name": "allow-systemd-timesyncd",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/lib/systemd/systemd-timesyncd"
  }
}

# APT (package updates)
{
  "name": "allow-apt-http-method",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/lib/apt/methods/http"
  }
}

# NetworkManager (main network manager)
{
  "name": "allow-networkmanager",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/sbin/NetworkManager"
  }
}

# Kernel connection (VPN services)
{
  "name": "allow-kernel-connection",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "Kernel connection"
  }
}

# Client for updating firmware (fwupdmgr)
{
  "name": "allow-fwupdmgr",
  "action": "allow",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/bin/fwupdmgr"
  }
}

# ========== BLOCKED APPLICATIONS ==========

# Ruby interpreter (suspicious activity)
{
  "name": "deny-ruby3.3",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/bin/ruby3.3"
  }
}

# DNS utility dig (risk)
{
  "name": "deny-dig",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/bin/dig"
  }
}

# GNOME Software (not needed)
{
  "name": "deny-gnome-software",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/bin/gnome-software"
  }
}

# Scanner daemon (not needed)
{
  "name": "deny-colord-sane",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/libexec/colord-sane"
  }
}

# Printer service (not needed)
{
  "name": "deny-gsd-print-notifications",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/libexec/gsd-print-notifications"
  }
}

# LibreOffice (internet access denied)
{
  "name": "deny-libreoffice-soffice",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/lib/libreoffice/program/soffice.bin"
  }
}

# WebKitNetworkProcess (GNOME rendering engine)
{
  "name": "deny-webkit-network-process",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/lib/x86_64-linux-gnu/webkitgtk-6.0/WebKitNetworkProcess"
  }
}

# Email server (not needed)
{
  "name": "deny-exim4",
  "action": "deny",
  "duration": "always",
  "operator": {
    "operand": "process.path",
    "data": "/usr/sbin/exim4"
  }
}

USBGuard:
Version: 1.1.3
Compiled with support for: Linux audit, Libcapng, Seccomp, Systemd, Umockdev

Key changes in Configuration 2 compared to Configuration 1:

Migration from MATE (Xorg) to GNOME (Wayland)
All critical applications (browser, password manager, code editor, messenger) installed via Flatpak, system versions removed
Interaction of Flatpak applications with the system restricted using Flatseal (minimum necessary permissions)
Strict AppArmor profiles configured and set to enforce mode for Nautilus, Pluma, CherryTree, Atril (D-Bus, /proc, /sys, Unix sockets, filesystem, temporary files restricted)
Incoming ports in nftables: fully blocked
Outgoing ports in nftables: partially blocked (only necessary ranges allowed)
OpenSnitch installed on top of nftables; user rules allow outgoing connections only for trusted applications
Internet access: ProtonVPN GUI in KillSwitch mode
USBGuard installed and configured to prevent USB device emulation
Browser fingerprint masking removed (deemed ineffective against this type of attack)
rkhunter scan performed (however, it is assumed the adversary does not use known rootkits present in anti-rootkit databases)
Analysis performed using lunis; system changes applied based on recommendations received

Configuration 2 finalization date: 2026-04-07

Current status of Configuration 2 (as of 2026-04-10):
— Under testing.
— Preliminary data: not all vulnerabilities have been closed.
— Data requires additional confirmation.
— Configuration 3 will be built based on the attack data gathered against Configuration 2.

↑ Back to top

Android System Hardening Chronicles: In Search of a Configuration Resilient to Targeted Attacks Analysis of targeted attacks on Android devices (smartphone, tablet). Attacker gains full remote access to microphone, camera, and network traffic. Partial tablet protection via NetGuard. Supplement to 'System Hardening Chronicles'.

Analysis of the Presumed Targeted Complex Attack — Description of the presumed complex targeted attack.

Psychological Suppression via the Disbelief Effect — analysis of manipulation tactics and protective strategies.

Rigidity of Expectations in Threat Analysis — The problem of rigidity of expectations in cybersecurity threat analysis: why an experienced attacker acts in non-standard (non-obvious) ways.

From Science to Worldview: Logic as a Foundation Against Delusion — an essay on rationality, awareness, and the dangers of intuition without critical grounding.

Three Types of Intellect and Their Role in Personal Stability — an analytical essay on cognitive, ethical, and emotional intelligence as components of psychological resilience.

Information and Behavioral Hygiene for Working with a PC — a foundational practical guide to digital, behavioral, and informational hygiene for personal computer users.

The Dialectical Law and the Myth of “Intuitive Insight” — philosophical analysis of the nature of inspiration and critical thinking.

Laws of Resilience: An Essay on System Survival — This essay formulates the laws of system survival: the priority of technology and logistics over ideology, competence over cultural barriers, and management and efficiency over resources and showiness. A text about moving from illusions to the harsh discipline of results.