No system is absolutely secure!​

No matter how many steps or processes you implement, there is always a potential security hole.

This guide is going to present a few ways to secure your system from intrusions, malicious software and unwanted connections. There is always a balance between security and convenience. The more secure your system is, the less convenient is it to use.

Who wants a “bricked” computer because it is so secure you can’t even use it?

Please use some of the suggestions below as a baseline to secure your system. Then implement more in the future as you learn how to manage them.


Linux Built-In Security

• sudo
• Permissions

Every Linux distribution includes security features like other operating systems.
Users are tied to groups with access to their own files and data. Linux adds another layer of security when an application needs to run or install. The current user needs to be in the super user group, then enter a password when software is installed or permissions need to be changed. If you copy any executable files from one computer to another, the execute permissions are disabled. The root file system also has extra security requiring you to enter your super user password before making any changes to files or directories.


Local User Access

• Limited Account (no SU/Sudo access)

Creating a limited user account can be useful for secure browsing, gaming and personal use. This limited account can not install any software, updates or packages. This account will not store any files or data locally as it is meant for temporary use. It is not a member of any Unix groups which prevents sudo capabilities. If this account is compromised there is no way to gain access deeper in the system through “sudo” or “su”. You can configure users who need “sudo” access to be in a group names: Wheel

Admin Workaround
If you need to install a game or application, use the “Switch User” option by going to the logout button. Login as a super user and install the software, then switch back to your limited user.

​

Note: If your distribution does not provide the “Switch User” option you will need to use the TTY shell and start your graphical environment. This is outside the scope of this guide.


https://wiki.archlinux.org/index.php/Su#su_and_wheel


Encryption

• /
• /home
• /boot

Encryption does not protect your data from malicious threats or harmful software. Instead it protects your data from physical theft. Most Linux distributions have an application called: dm-crypt

You create a partition for your sensitive data (LUKS partition). When you unlock it, you can format it and mount it. Then use it for any purpose, even an operating system.

Another way to encrypt your hard drive is using an “encryption layer”. You can encrypt a directory on your hard drive and can result in poor performance but offer more flexibility.

Arch Wiki
https://wiki.archlinux.org/index.php/Disk_encryption

Note: Do not encrypt your UEFI partition


File System Backup

• Timeshift
• Snapshots

Snapshots can roll your system back in time by creating a copy of your system files and configurations. This way if your system breaks or is compromised you can roll back to an earlier date when it was stable and secure. There is also risk of your snapshot backups being compromised as well. So it is recommended to keep them on an external drive or a separate partition.

Note: The best method of cleaning up a compromised system is a fresh installation of Linux



Firmware

• UEFI
• BIOS

Every motherboard has some type of firmware that communicates between the hardware and software. Legacy computers have what is called a BIOS hosted on a chip on the motherboard. Newer systems have a bootloader called UEFI on a hard drive partition (FAT). Both have very similar settings, but UEFI has significantly more settings and control than BIOS.

In order to enter your UEFI it requires a reboot and a keyboard key pressed while booting. Each computer has security settings in UEFI to secure your hardware and firmware configurations.


Browsers

• Sandbox Firefox
• Firejail
• Noscript plugin

Web browsers are one the most vulnerable ways to exploit your system. Websites can cache (store files) cookies, scripts, images and more on your local computer.

Noscript
Noscript is a plugin that refuses all scripts that run in the browser. Then you can manually whitelist scripts you want to enable for a specific webpage/URL.


Firejail
Sandboxing is a better way to secure your browser as it removes access to your /home/username directory. Firejail can run for all applications on your system, but can affect applications like Wine. Firejail provides profile templates (may need to install separately) to configure what you want Firefox to allow.

Then run Firefox with the following command: firejail firefox

Now Firefox only has access to the downloads directory (depending on the profile you use). If it is exploited by a malicious plugin, extension, script or other method it only has access to downloads, not other /home/username directories. It also prevents local scripts from being launched by your browser.


Applications

• Apparmor

Apparmor can be configured with profiles to allow applications to access only what they need to run. If an application tries to access a system process or service that is out-of-scope, then Apparmor will deny it. The profiles are common to Linux software environments. This adds slightly more security over the default file permission restrictions on Linux.


External Devices (USB)

• USB Guard

Your system firmware (UEFI) can be compromised with an external USB device. This means someone could steal your computer, use a USB flash drive to boot into their own operating system and access your files. Encryption can prevent this, but another layer of security helps by denying physical access.

UEFI Password
Every computer has an ability to secure its firmware with a password. This protects malicious hacking and booting USB devices. Make sure to configure your firmware to only boot to internal hard drive first. Please keep the password in a secure location. Losing the password could “brick” your device as well.

USB Guard
USB Guard can deny all unauthorized USB access to a running Linux operating system only. You can manually whitelist each device you want to allow communication. The safest option is to completely deny all USB access, but obviously we might need a flash drive, external webcam, speakers or even a controller to user our system. USB Guard blocks devices on a kernel level by default.

https://wiki.archlinux.org/index.php/USBGuard


Firewall

• ufw
• gufw (With a Graphical User Interface)

Applications that run over a network connect via ports through the operating system network configuration. Applications like games, browsers, FTP and more. Firewalls can protect your computer from malicious incoming connections from outside the computer. The most secure configuration is DENY all incoming connections. Then open ports as needed depending on the application you are using. By default most Linux distributions have disabled network facing services.

Example: Open port 22 in order to allow an SSH connection on the local network only.

​

Antivirus

• ClamAV
• Comodo

Many feel an antivirus is not necessary in Linux. This is partially true depending on how you use Linux. If you are using Wine, sharing documents with people who use Windows or downloading files with executables from non-trusted sites… an antivirus may be helpful. If you were to download a compromised Word document and send it to a friend who uses Windows. This could infect or compromise their system. With an antivirus you can scan the downloaded file before sending it.

The majority of threats and malicious software is written to execute in a Windows environment and probably won’t affect your Linux processes. Some have actually scanned their distribution with an antivirus and it resulted in finding threats, but after researching they found it was in part of the definitions meant for Windows environments.


Official Repositories

• Distribution Repositories
• PPA

Distribution Repositories
Repositories are collections of software packages. All your software and updates are installed from a repository. Distributions are normally configured to use their official repositories. You can also add your own depending on the software and updates you want to install.

​

Each repository is handled by communities or single individuals who create software, compile them for ready-to-use installations and updates. By using a Linux distribution, you are choosing to trust all officially packaged software provided by the people who package for your chosen distribution. Most distributions are also open to add unofficial repositories, such as PPA’s for Ubuntu and Mint.

In Mint you can check the source of all the repositories by looking in the source file:
/etc/apt/source.list
Each URL is a repository

PPA (Personal Package Archive)
A PPA is a software repository you can add to your distribution to install software and/or updates for that software. Anyone can create an unofficial repository and potentially include malicious software with it, so you should never blindly trust an unofficial source. Any PPA you add will also be located in the source file:
/etc/apt/source.list

For example:
Install an application like simplescreenrecorder and it requires a PPA to automatically update it.

Arch User Repository AUR
Arch users can additionally use the AUR to download the source code and compile it themselves. This process has been automated in AUR, but its important to inspect the PKGBUILD file to check the source code URLs. Also check included patches/install scripts to verify nothing malicious is included. This could take some time researching if you aren’t familiar with the process.

.DEB Files
Debian, Ubuntu, Mint and other distributions (based on Debian) can install applications via .deb

Any developer can create a .deb installer so it is important to investigate the maintainer or source before installing it. You can also inspect a .deb by opening it with Archive Manager. Checking out the directories and included files, then researching online.

Flatpak and Snap
Other ways to provide software from 3rd party repositories is applications like Flatpak and Snap. These can install other unnecessary packages (aka bloatware) and anyone developer can add their package to them. Please use at your own risk and investigate software before installing it.