No system is absolutely secure!
No matter how many steps or processes you implement, there is always a potential security hole.
This guide presents a few ways to secure your system from intrusions, malicious software and unwanted connections. There is always a balance between security and convenience: the more secure your system is, the less convenient it is to use.
Who wants a “bricked” computer because it is so secure you can’t even use it?
Please use some of the suggestions below as a baseline to secure your system. Then implement more in the future as you learn how to manage them.
Linux Built-In Security
- sudo
- Permissions
Users are tied to groups, with access to their own files and data. Linux adds another layer of security when an application needs to run or be installed: the current user needs to be in the super user group and then enter a password when software is installed or permissions need to be changed. If you copy executable files from one computer to another, the execute permissions are disabled. The root file system also has extra protection, requiring you to enter your super user password before making any changes to its files or directories.
Local User Access
- Limited Account (no SU/Sudo access)
Admin Workaround
If you need to install a game or application, use the “Switch User” option from the logout menu. Log in as a super user and install the software, then switch back to your limited user.
Note: If your distribution does not provide the “Switch User” option, you will need to use a TTY shell and start your graphical environment from there. This is outside the scope of this guide.
https://wiki.archlinux.org/index.php/Su#su_and_wheel
Encryption
- /
- /home
- /boot
You create a partition for your sensitive data (a LUKS partition). Once you unlock it, you can format it and mount it, then use it for any purpose, even for an operating system.
Another way to encrypt your hard drive is to use an “encryption layer”: you encrypt a directory on your hard drive. This can result in poorer performance but offers more flexibility.
Arch Wiki
https://wiki.archlinux.org/index.php/Disk_encryption
Note: Do not encrypt your UEFI partition
File System Backup
- Timeshift
- Snapshots
Note: The best method of cleaning up a compromised system is a fresh installation of Linux
Firmware
- UEFI
- BIOS
Entering your UEFI setup requires a reboot and pressing a key while booting. Each computer has security settings in UEFI to protect your hardware and firmware configuration.
Browsers
- Sandbox Firefox
- Firejail
- Noscript plugin
Noscript
Noscript is a plugin that blocks all scripts from running in the browser. You can then manually whitelist the scripts you want to enable for a specific webpage/URL.
Firejail
Sandboxing is a better way to secure your browser, as it removes access to your /home/username directory. Firejail can run any application on your system, but it can affect applications like Wine. Firejail provides profile templates (which may need to be installed separately) to configure what you want Firefox to be allowed to do.
Then run Firefox with the following command: firejail firefox
Now Firefox only has access to the downloads directory (depending on the profile you use). If it is exploited by a malicious plugin, extension, script or other method, it only has access to downloads, not the rest of /home/username. It also prevents local scripts from being launched by your browser.
Applications
- Apparmor
External Devices (USB)
- USB Guard
UEFI Password
Every computer has the ability to secure its firmware with a password. This protects against malicious tampering and against booting from USB devices. Make sure to configure your firmware to boot from the internal hard drive first. Please keep the password in a secure location: losing it could “brick” your device as well.
USB Guard
USB Guard can deny all unauthorized USB access to a Linux operating system, but only while it is running. You can manually whitelist each device you want to allow to communicate. The safest option is to deny all USB access completely, but obviously we might need a flash drive, external webcam, speakers or even a controller to use our system. USB Guard blocks devices at the kernel level by default.
https://wiki.archlinux.org/index.php/USBGuard
Firewall
- ufw
- gufw (With a Graphical User Interface)
Example: open port 22 to allow SSH connections from the local network only.
Antivirus
Many feel an antivirus is not necessary on Linux. This is partially true, depending on how you use Linux. If you are using Wine, sharing documents with people who use Windows, or downloading files with executables from non-trusted sites, an antivirus may be helpful. If you were to download a compromised Word document and send it to a friend who uses Windows, it could infect or compromise their system. With an antivirus you can scan the downloaded file before sending it.
The majority of threats and malicious software are written to execute in a Windows environment and probably won’t affect your Linux processes. Some people have scanned their distribution with an antivirus and found threats, but after researching them they found the matches came from definitions meant for Windows environments.
Official Repositories
- Distribution Repositories
- PPA
Repositories are collections of software packages. All your software and updates are installed from a repository. Distributions are normally configured to use their official repositories. You can also add your own depending on the software and updates you want to install.
Each repository is handled by a community or a single individual who creates software and compiles it into ready-to-use installations and updates. By using a Linux distribution, you are choosing to trust all officially packaged software provided by the people who package for your chosen distribution. Most distributions also allow you to add unofficial repositories, such as PPAs for Ubuntu and Mint.
In Mint you can check the source of all the repositories by looking in the sources file:
/etc/apt/sources.list
Each URL is a repository.
PPA (Personal Package Archive)
A PPA is a software repository you can add to your distribution to install software and/or updates for that software. Anyone can create an unofficial repository and potentially include malicious software in it, so you should never blindly trust an unofficial source. Any PPA you add will also be listed in the sources file:
/etc/apt/sources.list
For example:
Installing an application like simplescreenrecorder requires adding a PPA so that it can be updated automatically.
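To make the review of the sources file and any added PPAs concrete, here is an added example (it is not Mint's or Ubuntu's tooling) that parses one-line "deb" entries, labels each as official, PPA or third-party, and flags plain-http transport, trusted=yes (which disables signature checks) and third-party sources with no signed-by= keyring pinned. The OFFICIAL_HOSTS list is an assumption you should extend for your own distribution, and SAMPLE_SOURCES is constructed input; pass one or more real files (sources.list plus anything under sources.list.d/) as arguments to audit a live system.

```python
"""Audit APT source entries and flag the risky ones.

Added example for this guide; not a Mint or Ubuntu tool. OFFICIAL_HOSTS is an
assumption (edit it for your distribution); SAMPLE_SOURCES is constructed input.
"""
import re
import sys
from urllib.parse import urlparse

# Assumed: hosts whose packages you already trust by choosing the distribution.
OFFICIAL_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com",
                  "packages.linuxmint.com", "deb.debian.org")
PPA_HOSTS = ("ppa.launchpad.net", "ppa.launchpadcontent.net")

# One-line format: deb|deb-src [options] URI suite [components...]
LINE_RE = re.compile(r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
                     r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>.*)$")


def under(host, domains):
    """True if host is one of domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_entry(line):
    """Describe one source line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if not m:
        return {"raw": line, "kind": "unparsed", "host": "",
                "warnings": ["could not parse entry"]}
    opts = {}
    for opt in (m.group("opts") or "").split():
        key, _, value = opt.partition("=")
        opts[key] = value
    url = urlparse(m.group("uri"))
    host = url.hostname or ""
    if under(host, PPA_HOSTS):
        kind = "ppa"
    elif under(host, OFFICIAL_HOSTS):
        kind = "official"
    else:
        kind = "third-party"
    warnings = []
    if url.scheme == "http":
        warnings.append("plain http transport")
    if opts.get("trusted") == "yes":
        warnings.append("trusted=yes disables signature verification for this source")
    if kind != "official" and "signed-by" not in opts:
        warnings.append("no signed-by= keyring pinned (a key in trusted.gpg.d is trusted for every source)")
    return {"raw": line, "kind": kind, "host": host, "warnings": warnings}


def audit_sources(text):
    """Return a report entry for every non-comment line of a sources file."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def risky(entries):
    """Only the entries that raised at least one warning."""
    return [e for e in entries if e["warnings"]]


# Constructed sample, not copied from a real system; hosts under .invalid are placeholders.
SAMPLE_SOURCES = """\
deb http://packages.linuxmint.com victoria main upstream import backport
deb http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
deb https://ppa.launchpadcontent.net/example-user/example-ppa/ubuntu jammy main
deb [trusted=yes] http://mirror.example.invalid/apt ./
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://repo.example.invalid/apt stable main
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /etc/apt/sources.list /etc/apt/sources.list.d/*.list
        text = "\n".join(open(p).read() for p in sys.argv[1:])
    else:
        text = SAMPLE_SOURCES
    for e in audit_sources(text):
        print("!" if e["warnings"] else " ", e["kind"].ljust(11), e["raw"])
        for w in e["warnings"]:
            print("     ->", w)
```

Running it without arguments audits the built-in sample; the two official Mint/Ubuntu lines are only flagged for using http, the PPA for having no pinned keyring, and the trusted=yes mirror for all three problems.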
Arch User Repository AUR
Arch users can additionally use the AUR to download source code and compile it themselves. This process has been automated for the AUR, but it's important to inspect the PKGBUILD file to check the source code URLs. Also check any included patches and install scripts to verify nothing malicious is included. This can take some time researching if you aren’t familiar with the process.
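The PKGBUILD checks described above can be partly automated. The following is an added example (not an Arch or AUR tool): it pulls the source= array out of a PKGBUILD, pairs each entry with its checksum, and reports unencrypted downloads, SKIP checksums on non-VCS sources, VCS sources not pinned to a commit or tag, local patch files that need reading, and any install= script. SAMPLE_PKGBUILD, its hosts and its hashes are constructed placeholders.

```python
"""Audit an AUR PKGBUILD before running makepkg.

Added example for this guide; not an Arch or AUR tool. SAMPLE_PKGBUILD is
constructed input with placeholder hosts and hashes.
"""
import re
import shlex
import sys
from urllib.parse import urlparse

VCS_PREFIXES = ("git", "hg", "svn", "bzr", "fossil")
SUM_ARRAYS = ("sha256sums", "sha512sums", "b2sums", "md5sums")


def bash_array(text, name):
    """Items of a name=( ... ) array, or [] if absent. Comment lines are dropped."""
    m = re.search(r"^\s*%s=\((.*?)\)" % re.escape(name), text, re.S | re.M)
    if not m:
        return []
    body = "\n".join(l for l in m.group(1).splitlines() if not l.lstrip().startswith("#"))
    return shlex.split(body)  # honours quoting; '#' stays literal so URL fragments survive


def scalar_vars(text):
    """Simple name=value assignments (pkgname, pkgver, install, ...)."""
    return {m.group(1): m.group(2).strip("'\"")
            for m in re.finditer(r"^(\w+)=([^\s(]+)$", text, re.M)}


def expand(s, vars_):
    """Expand $var and ${var} from the scalar assignments; unknown names stay as-is."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: vars_.get(m.group(1), m.group(0)), s)


def audit_source(entry, checksum, vars_):
    """Classify one source= entry and list what a reviewer should look at."""
    url = expand(entry, vars_).split("::", 1)[-1]  # drop makepkg's "filename::" prefix
    parts = urlparse(url)
    findings = []
    if not parts.scheme:
        kind = "local"
        findings.append("local file shipped with the package: read it before building")
    elif parts.scheme.split("+")[0] in VCS_PREFIXES:
        kind = "vcs"
        transport = parts.scheme.split("+")[-1]
        if transport not in ("https", "ssh"):
            findings.append("VCS transport %s is not authenticated" % transport)
        if not re.search(r"(commit|tag)=", parts.fragment):
            findings.append("VCS source not pinned to a commit or tag (builds whatever upstream has today)")
    else:
        kind = "remote"
        if parts.scheme in ("http", "ftp"):
            findings.append("unencrypted transport (%s)" % parts.scheme)
        if checksum in (None, "SKIP"):
            findings.append("checksum SKIP: the download is not verified")
    return {"url": url, "kind": kind, "findings": findings}


def audit_pkgbuild(text):
    """Report per-source findings plus package-level ones (install script, sum mismatch)."""
    vars_ = scalar_vars(text)
    sources = bash_array(text, "source")
    sums = []
    for name in SUM_ARRAYS:
        sums = bash_array(text, name)
        if sums:
            break
    report = {"sources": [], "findings": []}
    for i, entry in enumerate(sources):
        report["sources"].append(audit_source(entry, sums[i] if i < len(sums) else None, vars_))
    install = expand(vars_.get("install", ""), vars_)
    if install:
        report["findings"].append("install script %s runs as root when the package is installed: read it" % install)
    if len(sums) != len(sources):
        report["findings"].append("checksum array has %d entries for %d sources" % (len(sums), len(sources)))
    return report


# Constructed sample: placeholder hosts and all-zero/all-one hashes, not a real AUR package.
SAMPLE_PKGBUILD = """\
# Maintainer: Example Person <example@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
install=$pkgname.install
source=("https://example.invalid/releases/$pkgname-$pkgver.tar.gz"
        "http://mirror.example.invalid/helper-0.1.tar.gz"
        "git+https://example.invalid/$pkgname.git"
        "fix-build.patch")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP'
            '1111111111111111111111111111111111111111111111111111111111111111')
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PKGBUILD
    rep = audit_pkgbuild(text)
    for s in rep["sources"]:
        print("[%s] %s" % (s["kind"], s["url"]))
        for f in s["findings"]:
            print("    ->", f)
    for f in rep["findings"]:
        print("package:", f)
```

Run it as `python3 audit_pkgbuild.py PKGBUILD` (file name is just a suggestion) from the cloned AUR directory; a clean report does not mean the package is safe, it only tells you which files and URLs still need to be read by hand.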
.DEB Files
Debian, Ubuntu, Mint and other distributions (based on Debian) can install applications via .deb files.
Any developer can create a .deb installer, so it is important to investigate the maintainer or source before installing it. You can also inspect a .deb by opening it with Archive Manager, checking out the directories and included files, then researching them online.
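The same inspection can be done without a graphical tool. Below is an added example (not dpkg, Archive Manager or any Debian tool) that reads the "ar" container a .deb is made of, pulls the Maintainer field and any maintainer scripts (preinst/postinst/prerm/postrm, which run as root) out of control.tar, and lists the paths in data.tar, warning when a file lands somewhere that executes automatically or carries a setuid bit. The sample package is built in memory by build_sample_deb() and the AUTORUN_PREFIXES list is an assumption you can extend.

```python
"""Inspect a .deb before installing it: packager, maintainer scripts, file locations.

Added example for this guide; not dpkg or Archive Manager. build_sample_deb()
constructs the input in memory; AUTORUN_PREFIXES is an assumed list.
"""
import io
import sys
import tarfile

# Assumed: paths where a dropped file is executed or honoured automatically.
AUTORUN_PREFIXES = ("./etc/cron", "./etc/systemd", "./lib/systemd", "./usr/lib/systemd",
                    "./etc/init.d", "./etc/profile.d", "./etc/sudoers", "./etc/ld.so.preload",
                    "./etc/apt")
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def ar_unpack(blob):
    """Parse the 'ar' container of a .deb into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]           # 60-byte fixed-width member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")  # GNU ar ends names with '/'
        size = int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)      # member data is padded to an even offset
    return members


def inspect_deb(blob):
    """Return maintainer, maintainer scripts, installed paths and warnings."""
    members = ar_unpack(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a version 2.0 .deb")
    report = {"maintainer": None, "scripts": [], "files": [], "warnings": []}
    control_name = next(n for n in members if n.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name
            if name == "control":
                for line in tf.extractfile(m).read().decode().splitlines():
                    if line.startswith("Maintainer:"):
                        report["maintainer"] = line.partition(":")[2].strip()
            elif name in MAINTAINER_SCRIPTS:
                report["scripts"].append(name)
    if report["scripts"]:
        report["warnings"].append("maintainer scripts run as root at install/remove time: "
                                  + ", ".join(report["scripts"]))
    data_name = next(n for n in members if n.startswith("data.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isdir():
                continue
            report["files"].append(m.name)
            if m.name.startswith(AUTORUN_PREFIXES):
                report["warnings"].append("%s: lands in a path that runs automatically" % m.name)
            if m.mode & 0o6000:
                report["warnings"].append("%s: setuid/setgid bit set" % m.name)
    return report


def tar_bytes(files):
    """gzip'd tar from (path, content, mode) triples; used only to build the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content, mode in files:
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def ar_pack(members):
    """Minimal ar writer: (name, bytes) pairs -> archive bytes; used only to build the sample."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))).encode("ascii")
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def build_sample_deb():
    """Constructed sample package: a postinst, a cron.d entry and a setuid helper."""
    control = (b"Package: example-tool\nVersion: 1.2.3-1\nArchitecture: amd64\n"
               b"Maintainer: Example Person <example@example.invalid>\nDescription: constructed sample\n")
    postinst = b"#!/bin/sh\nset -e\n# anything here runs as root when the package is installed\nexit 0\n"
    control_tar = tar_bytes([("./control", control, 0o644), ("./postinst", postinst, 0o755)])
    data_tar = tar_bytes([("./usr/bin/example-tool", b"#!/bin/sh\necho example\n", 0o755),
                          ("./etc/cron.d/example-tool", b"* * * * * root /usr/bin/example-tool\n", 0o644),
                          ("./usr/bin/example-helper", b"\x7fELF placeholder", 0o4755)])
    return ar_pack([("debian-binary", b"2.0\n"), ("control.tar.gz", control_tar), ("data.tar.gz", data_tar)])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb()
    rep = inspect_deb(blob)
    print("Maintainer:", rep["maintainer"])
    print("Files:", *rep["files"], sep="\n  ")
    for w in rep["warnings"]:
        print("WARNING:", w)
```

Give it a downloaded package as the first argument to inspect a real file; the standard library's tarfile handles the gzip, bzip2 and xz variants of control.tar and data.tar, so packages using zstd compression will need to be unpacked another way.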
Flatpak and Snap
Other ways to provide software from third-party repositories are applications like Flatpak and Snap. These can install other unnecessary packages (aka bloatware), and any developer can add their package to them. Please use them at your own risk and investigate software before installing it.