Securing Linux: I’ve separated categories by “_”. I’d recommend using sudo -s at the beginning to avoid having to constantly enter your password.
Note: for Arch-based distros I mention pamac as opposed to pacman, as it’s easier to use, and all Arch-based distros (e.g. Garuda, Manjaro, etc.) have pamac. Since some of these packages come from the AUR, you need to go to pamac’s GUI app, settings, and enable the AUR repo. Otherwise replace “pamac install” with “pacman -S”.
USBGuard: protect yourself from physical USB attacks and the execution of malware/backdoors; this works by making USB devices read-only unless you explicitly whitelist them.
sudo ln -s /dev/null /etc/systemd/system/usbguard.service # in order for unmask to work
sudo apt install usbguard
sudo pamac install usbguard
After installation run:
usbguard generate-policy # steps 1-2 (this and the next command) whitelist already connected devices, e.g. your current mouse/keyboard/storage
usbguard generate-policy > /etc/usbguard/rules.conf
systemctl unmask usbguard.service
systemctl enable usbguard.service
To allow a USB device permanently, simply run:
usbguard allow-device EnterTheIdHere -p
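As an added example that is not part of the original post, a POSIX shell script that takes the file produced by usbguard generate-policy and appends USBGuard reject rules for devices that present mass storage together with a keyboard, mouse, wireless or network interface, the combination a device pretending to be plain storage would show. The paths, the function names and the sample policy line are my own constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Appends USBGuard hardening rules to the
# file produced by `usbguard generate-policy`. Rules are evaluated top to bottom and the
# first match wins, so the rejects go AFTER the allow lines for devices you already trust.
# Real usage (as root, per the post): usbguard generate-policy > /tmp/generated.conf
#   harden_usbguard_policy /tmp/generated.conf /etc/usbguard/rules.conf
#   systemctl restart usbguard.service

# $1 = generated policy file, $2 = output rules file
harden_usbguard_policy() {
    in_policy="$1"; out_rules="$2"
    {
        cat "$in_policy"
        printf '\n# Reject devices that combine mass storage (class 08) with a HID keyboard/mouse (03),\n'
        printf '# wireless controller (e0) or network (02) interface\n'
        printf 'reject with-interface all-of { 08:*:* 03:00:* }\n'
        printf 'reject with-interface all-of { 08:*:* 03:01:* }\n'
        printf 'reject with-interface all-of { 08:*:* e0:*:* }\n'
        printf 'reject with-interface all-of { 08:*:* 02:*:* }\n'
        printf '# No catch-all here: the daemon implicit policy already blocks anything unmatched\n'
    } > "$out_rules"
    chmod 600 "$out_rules"    # the file lists your devices' serials/hashes; keep it root-only
}

# Count lines starting with a given rule target (allow/block/reject), for a sanity check
count_rules() {
    grep -cE "^$1( |$)" "$2" || true
}

# Constructed stand-in for generate-policy output (one root hub), NOT real output
write_sample_policy() {
    printf 'allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" with-interface 09:00:00\n' > "$1"
}
```

After restarting the service, usbguard list-devices shows each device with its decision. A rule added later with usbguard allow-device <id> -p lands after these lines, so a trusted device that matches one of the reject rules stays rejected until you move its allow line above them by hand.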
SSH: essentially, remote access to your device’s terminal.
If this is enabled and you don’t use it, it’s best to disable it.
sudo systemctl disable ssh.service
Arch-based (Manjaro, Garuda, etc.):
sudo systemctl disable sshd
If you do use it:
Changing the SSH port:
There are a few ways to secure SSH, the most obvious being to change the port. A lot of people argue that this is pointless, but it’ll at least deter less advanced attackers.
The default port is 22 for everyone.
sudo nano /etc/ssh/sshd_config
Change “Port 22” to any unused port. If you’re unsure which port hasn’t been used, try 99.
Fail2ban: deters brute force attacks
sudo apt install fail2ban
sudo pamac install fail2ban-client
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
“bantime” = how long attackers are banned; “findtime” = after an incorrect password attempt, how long until the incorrect-password counter resets; “maxretry” = the maximum number of incorrect passwords before the ban; “ignoreip” = you may want to whitelist your own IP. Make sure to change fail2ban’s port to the one you chose in the previous step: “port = yourporthere”.
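As an added example that is not from the original post, a POSIX shell script that performs both edits described above on paths you pass in: it sets the Port in sshd_config and writes a jail.local whose sshd jail watches that same port. Port 2222, the 192.168.1.0/24 whitelist, the timing values and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Change the sshd port and write a matching
# fail2ban jail.local. Try it on copies of the files first; run it on the real ones as root.

# $1 = sshd_config path, $2 = new port. Replaces an existing (possibly commented-out)
# Port line or appends one. sshd listens on EVERY Port line it finds, so before restarting
# check there is only the one you want:  sshd -t && grep -n '^Port' /etc/ssh/sshd_config
set_sshd_port() {
    cfg="$1"; port="$2"
    if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -i -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# $1 = jail.local path, $2 = ssh port, $3 = IP/CIDR never to ban,
# $4 = bantime, $5 = findtime, $6 = maxretry (the keys described in the post)
write_fail2ban_jail() {
    cat > "$1" <<EOF
[DEFAULT]
# never ban localhost or the whitelisted address/range
ignoreip = 127.0.0.1/8 ::1 $3
bantime  = $4
findtime = $5
maxretry = $6

[sshd]
enabled = true
port    = $2
EOF
}

# Prints the port the [sshd] jail watches, so you can confirm the two files agree
fail2ban_sshd_port() {
    sed -n '/^\[sshd\]/,/^\[/{s/^port[[:space:]]*=[[:space:]]*//p;}' "$1"
}
```

After changing both files, restart sshd (ssh.service on Ubuntu, sshd on Arch) and fail2ban from a session you keep open, then confirm with fail2ban-client status sshd before closing it.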
SSH keys (advanced): see the “SSH keys” section below.
Network firewall: only allow internet access to applications which need it.
This can mitigate spyware/trojans, which are rare on Linux anyway, and stop apps from collecting unnecessary info.
OpenSnitch does a decent job at this and has a GUI which prompts you once when an app wants to use the internet. Installing it is a bit of a pain, though, since it’s not in any repos, so you’ll have to install it manually.
Ubuntu based:
- Getting the dependencies
sudo apt-get install protobuf-compiler libpcap-dev libnetfilter-queue-dev python3-pip
go get -u
python3 -m pip install --user grpcio-tools
- Getting opensnitch and building it
go get github.com/evilsocket/opensnitch
- If the go get command didn’t work, just cd into the downloaded opensnitch folder
sudo make install
- Enabling the service
sudo systemctl enable opensnitchd
sudo service opensnitchd start
Arch based: someone made an AUR package, which saves you so much time:
pamac install opensnitch-git
sudo systemctl start opensnitchd
Malware/rootkit scanner: I wouldn’t really say this is necessary, but if you think you have malware then you can run a scan:
sudo apt-get install clamav clamav-daemon
sudo pamac install clamav
File permissions: you may want to get familiar with chmod and chown to change file permissions. For example, if you store important files somewhere, you may want to make them require root access in order to read/write, in which case you’d run:
sudo chown root:root /path/to/application
sudo chmod 700 /path/to/application
I’d suggest learning Firejail, or Bubblewrap (more advanced), to sandbox and isolate apps.
However, if that sounds too complicated, then installing apps as Flatpaks is a great way to get some security; whilst not a silver bullet, it’s extremely easy to use, and permissions can be managed through its GUI app, Flatseal, or via the CLI.
Other, more general tips below:
DNS: not really Linux-related, but I’d recommend doing this.
By default you’re using plaintext DNS, which is vulnerable to MITM attacks, your ISP can log all traffic, etc. By doing this, you’d also have the ability to block ads/trackers/malware and malicious IPs reported for SSH attacks.
You’ll be self-hosting AdGuard Home (only takes one command), and can even use it from other devices, but if you don’t want to leave your computer on 24/7 you can use it solely on your own device.
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
That’s it; then go to http://localhost:3000 to access its web GUI. (It might not be port 3000, as I did this ages ago, but the port is printed in the terminal. Change the ports to anything else within the web GUI if you plan on self-hosting the apps below.)
It’s best to set up HTTPS for its web interface, but feel free to skip this step:
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out adguard1234g.crt -keyout adguard1234g.key
Go to Settings > Encryption settings > enable HTTPS, force HTTPS, and simply copy and paste adguard1234g.crt into the certificate field and adguard1234g.key into the key field. That’s it. You can now access it through https rather than http: https://localhost
AdGuard Home recommended settings
Configuring AdGuard Home should be common sense since it has an easy-to-use GUI, but here are my recommendations:
Quad9’s DNSCrypt: 2.dnscrypt-cert.quad9.net
Quad9’s DNS over TLS: tls://dns.quad9.net
Filters > Blocklist
I’d recommend using oisd.nl’s blocklist for ad/tracker/malware/crypto/etc. blocking without false positives, or if you’re brave use Energized Unified/Ultimate, but be willing to whitelist a lot of stuff.
Why not Pi-hole? Because by default it doesn’t support DNS over TLS, DNSCrypt, HTTPS for its web interface, etc.
Don’t use DNS-over-HTTPS as it’s useless in terms of privacy. Why? The SNI and OCSP fields aren’t encrypted, which allows seeing the IP address of all queries.
Secure cloud storage:
Use Cryptomator to automatically encrypt files when uploading them to the cloud. Use VeraCrypt for a more secure but manual option, or just GnuPG, which is included by default in most distros; however, GnuPG doesn’t support folder encryption.
Or self-host Nextcloud on a device which is on 24/7 for your own cloud storage. It’s incredibly easy to set up (with HTTPS) and requires two commands.
sudo snap install nextcloud
sudo nextcloud.enable-https self-signed
*SSH keys are a great way to secure SSH logins, as the key is unique to you and can even be combined with a passphrase. Bear in mind this causes issues with a lot of SSH clients: FileZilla (SFTP file transfer)’s SSH key implementation isn’t compatible with OpenSSL, and most mobile clients lack this feature.
ssh-copy-id username@remote_host # switch to SSH key login
If ssh-copy-id doesn’t work, you’ll need to manually copy the key into your authorized_keys file.
Now the server has your public key, and you SSH in via your private key.
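As an added example that is not from the original post, the manual fallback for ssh-copy-id as a POSIX shell function: it appends a public key to authorized_keys only if that key is not already there and sets the permissions sshd requires. The paths, the function names and the sample key are my own constructed assumptions; generate a real key with ssh-keygen -t ed25519.

```shell
#!/bin/sh
# Added example, not from the original post. Manual fallback for ssh-copy-id: add a public
# key to authorized_keys on the server only if it is not already present, with the
# permissions sshd's StrictModes requires (otherwise the key is silently ignored).

# $1 = public key line (contents of ~/.ssh/id_ed25519.pub), $2 = authorized_keys path
install_authorized_key() {
    key="$1"; auth="$2"; dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"     # ~/.ssh must not be group/world writable
    touch "$auth" && chmod 600 "$auth"
    # Match on "type blob" only; the trailing comment (user@host) may legitimately differ
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -Fq -- "$blob" "$auth"; then
        return 0                             # already installed, file left untouched
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Number of key lines in an authorized_keys file, as a sanity check after installing
count_keys() {
    grep -cE '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh.com) ' "$1" || true
}

# Constructed sample, NOT a real key: the blob is made up for this example
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlob000000000000 you@laptop'
```

Once key login works, set PasswordAuthentication no in sshd_config and restart sshd from a second session that you keep open, so a mistake cannot lock you out.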
Lastly, use Lynis for a system audit and an overview of security risks:
lynis audit system
Further securing against physical attacks: when making this post my intention was leaning closer towards software, but I included USBGuard as it’s probably the most likely physical attack you’ll face, due to how fast and easily it can be performed. However, see the sections below if you want to secure against physical attacks:
It’s worth noting that, despite having a password, an attacker with physical access to your device can access all files. Encryption solves this problem, and there are two types:
Full disk encryption:
Securing and encrypting all files. More convenient than encrypted volumes as you’ll only need to enter your password once, on boot, but it can have an impact on performance by lowering read/write speeds.
LUKS: can only be enabled when you’re installing your OS.
VeraCrypt’s full disk encryption: can be used after installation. More secure than LUKS as it’s had countless security audits, and it encrypts the keyfiles in memory, preventing malware from accessing them (unlike LUKS).
Encrypted volumes:
Encrypt only confidential files within volumes; less convenient, but doesn’t impact the entire OS’s performance.
Which encryption algorithm + hash to use?
I didn’t want to overly bloat this post so I said it in a comment instead, see here:
BIOS password:
So no one can get around your bootloader password by booting off an external drive.
When booting, press all of the F keys (F1–F12) and Esc until you get into the BIOS. Somewhere in the BIOS there’ll be a security section, and underneath that will be a “password” option.
Unfortunately, I can’t provide an exact guide for either of these as it’s specific to your device.
Bootloader password (advanced):
So no one can change kernel parameters and, say, boot directly into a root terminal.
If anyone else has any other advice that I’ve missed, share it in the comments and I’ll edit this post with your username.
As general advice, it is always a bad idea to run curl to install software from random/untrusted sources.
pamac install arch-audit-gtk
A great tool that notifies you of missing security updates and vulnerable packages, with support for Tor to anonymise requests. Although, bear in mind this tool is already in Lynis, so get this only if you want a tray application + notifications.