Linux Security

Post by MurphCID »

What are some of the things one can do to make Linux (and Linux Mint) more secure? What I know so far:

a) Firewall
b) Don't load unknown software
c) ?????

Browser security? How do you keep Chromium/Chrome from "phoning home"?
Internet security? Logging into the coffee shop wifi?

Perhaps a good tutorial?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: Linux Security

Post by DAMIEN1307 »

at the coffee shop huh...lol...the county sheriffs come to my house for coffee, they say mine's better than they get at the shops lol...as far as browser security on Chromium/Chrome based browsers, I like to start with the "startpage.com" search engine as it's about as private and secure as can be, DuckDuckGo is also my second choice...browser extension "must haves" would be uBlock Origin, (make sure to set up its settings to your preferences), along with its uBlock Origin Extra, also Privacy Possum is a good sidekick to use with the uBlock Origins...they're all found in the Chrome store and work quite well...enjoy your java this morning...DAMIEN

PS...if anyone recommends "Trace" right now, don't even consider it at the moment...it used to be good but after an update they put out on the 2nd I think it was, half of the most needed features of it no longer work...I've reported to them just what was wrong with it 3Xs over the last 5 days with no response from the Trace team even though they ask for email address to do so.

Re: Linux Security

Post by JoeFootball »

MurphCID wrote: Browser security?
I like to use Firejail. Lots of documentation there.

Joe

Re: Linux Security

Post by Hoser Rob »

DAMIEN1307 wrote: Tue Jul 16, 2019 7:13 am ... i like to start with the "startpage.com" search engine ....
Actually Startpage HTTPS is even better.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken

Re: Linux Security

Post by DAMIEN1307 »

I actually have been manually changing it to HTTPS:// when I change other settings for search as follows which also includes dark theme settings, Celsius vs. Fahrenheit, POST vs. GET etc...DAMIEN
Last edited by DAMIEN1307 on Tue Jul 16, 2019 9:04 am, edited 1 time in total.

Re: Linux Security

Post by JoeFootball »

Speaking of HTTPS, I like to use HTTPS Everywhere for my browser.

Joe

Re: Linux Security

Post by DAMIEN1307 »

hi Joe...Brave browser enforces https as well...DAMIEN
Last edited by DAMIEN1307 on Tue Jul 16, 2019 9:32 am, edited 1 time in total.

Re: Linux Security

Post by JoeFootball »

[removed per above edit]
Last edited by JoeFootball on Tue Jul 16, 2019 9:38 am, edited 1 time in total.

Re: Linux Security

Post by DAMIEN1307 »

hi Joe...I think I misspoke here...it's the Brave browser doing the https thing, not uBlock Origin...sorry...DAMIEN

PS...amended my post concerning uBlock Origin and instead just mentioned Brave browser as enforcing https.

Re: Linux Security

Post by Hoser Rob »

JoeFootball wrote: Tue Jul 16, 2019 9:04 am Speaking of HTTPS, I like to use HTTPS Everywhere for my browser.

Joe
Forgot to mention that one, it's good.

If you really want to go nuts try NoScript. However, there's a real tension between security and usability in general, and I think that strays too far from usability for most people.

And re coffee shops, I have an old netbook that's used for little else. It's also the machine I used to do distro/DE hopping a while back. And several times, after reinstalling, I forgot to turn on the firewall. Once for over a month. Guess what? I never got hacked. I'm certainly not suggesting you be so cavalier but that shows you just how secure Linux really is.

Re: Linux Security

Post by absque fenestris »

Logging into the coffee shop wifi?
Maybe turn off JavaScript?
It's easy with uBlock Origin: Click on the logo and switch JavaScript on or off in the pop-up window at the bottom right.
Or/and install uMatrix (also by Mr. Gorhill...)

Or Tor Browser on security level high...

Re: Linux Security

Post by majpooper »

Security/Privacy - Linux or otherwise:
1-3 too easy and good2go out of the box and you probably don't even need #2 for general home use
1.) Any linux OS (note: without WINE)
2.) Turn on the firewall
3.) Install firejail
4.) Firefox (or other more secure browser than Chrome/Chromium - this is an opinion and there are many when it comes to browsers)
5.) StartPage Search Engine
6.) Browser extensions (Again lots of opinions here - a,b,c probably enough)
a.) HTTPS Everywhere
b.) Privacy Possum
c.) uBlock Origin
d.) Disable WebRTC (WebRTC is a communication protocol that relies on JavaScript that can leak your actual IP address from behind your VPN, by default. This addon fixes that, making VPNs more effective)
e.) IDN Safe (IDN Safe is a browser extension which blocks internationalized domain names to prevent you from visiting probable fake sites.)
7.) Encrypted password vault (I like LastPass but there are others that are just as good)
8.) Change your DNS settings away from your ISP (I like CloudFlare 1.1.1.1 1.0.0.1 but again the opinions range on providers)
9.) install a VPN (there are many good choices and some not so good so do a little research - I like PrivateTunnel they are associated with OpenVPN and easy to use)
10.) Install a PiHole DNS server (easy to do for ~$100 - makes your browser run faster and blocks ads and bad guys - probably overkill to some https://pi-hole.net/)
11.) Your router (maybe the weakest link in your security)
a.) make sure the firmware is up to date
b.) turn on the firewall
c.) turn off UPnP (gamers evidently need this turned on but if not a gamer turn it off)
d.) turn off remote access
e.) Do Not turn off SSID
Edited:
Using MAC filtering is useless but implement it if you want. I had previously stated the same about SSID but I was wrong actually - see Pjotr's comment below. Also I change the network address away from the typical default to something like 192.168.63.31
by Pjotr » 17 Jul 2019, 05:44
Implementing MAC filtering is merely useless (and bothersome), so this particular useless complication is innocent.

But turning off SSID broadcasting is worse, because besides being useless it actually diminishes your security:
https://easylinuxtipsproject.blogspot.c ... html#ID1.1

TL;DNR: You then turn your laptop into a machine that's literally shouting that it can be hacked, whenever it's moved outside the range of your WiFi network.

Turning off SSID broadcasting for security, is a myth that should be dragged behind the barn and shot. :evil:
12.) Y router configuration (definitely overkill but I put my wired devices on a separate network from my wireless and guest devices - https://pcper.com/2016/08/steve-gibsons ... nsecurity/)

EDIT: Add Pjotr comments RE: SSID and MAC filtering.
Last edited by majpooper on Wed Jul 17, 2019 9:30 am, edited 2 times in total.
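
An added example, not part of majpooper's post: a shell script that checks items 2, 3 and 8 of the list above (firewall on, firejail installed, DNS set to the Cloudflare addresses named there). The function names, the `live` argument and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit items 2 (firewall), 3 (firejail) and 8 (DNS) of the list.
# The parsers read text on stdin, so they also work on saved command output.

ALLOWED_DNS="1.1.1.1 1.0.0.1"   # the Cloudflare resolvers named in item 8

# Constructed sample inputs (not captured from a real machine).
SAMPLE_UFW='Status: active'
SAMPLE_RESOLV='# constructed sample
nameserver 192.168.1.1
nameserver 1.1.1.1
search lan'

# Succeeds if `ufw status` output on stdin reports an active firewall.
ufw_active() { grep -q '^Status: active'; }

# Prints the nameserver addresses from resolv.conf-format text on stdin.
resolvers() { awk '$1 == "nameserver" { print $2 }'; }

# Prints each address on stdin that is not in the space-separated list $1.
unexpected_resolvers() {
    allowed=" $1 "
    while read -r ip; do
        case "$allowed" in
            *" $ip "*) ;;
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Checks this machine. `ufw status` needs root, hence sudo.
audit_live() {
    if sudo ufw status | ufw_active; then echo "firewall: active"
    else echo "firewall: NOT active (sudo ufw enable)"; fi
    if command -v firejail >/dev/null 2>&1; then echo "firejail: installed"
    else echo "firejail: missing"; fi
    extra=$(resolvers < /etc/resolv.conf | unexpected_resolvers "$ALLOWED_DNS")
    # 127.0.0.53 is the systemd-resolved stub; the real upstream servers
    # are then listed by `resolvectl status`, not by /etc/resolv.conf.
    if [ -z "$extra" ]; then echo "dns: only $ALLOWED_DNS"
    else echo "dns: other resolvers in use: $extra"; fi
}

# With no argument the script runs on the constructed samples.
case "${1:-}" in
    live) audit_live ;;
    *) printf '%s\n' "$SAMPLE_RESOLV" | resolvers | unexpected_resolvers "$ALLOWED_DNS" ;;
esac
```

Run it with the argument `live` to check the current machine; a resolver left over from the router or ISP is printed by name.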

Re: Linux Security

Post by DAMIEN1307 »

THAT is a beautifully done comprehensive list there majpooper...DAMIEN
Last edited by DAMIEN1307 on Wed Jul 17, 2019 9:38 am, edited 1 time in total.

Re: Linux Security

Post by MurphCID »

Excellent list. Thanks.

Re: Linux Security

Post by Pjotr »

majpooper wrote: Tue Jul 16, 2019 12:38 pm turning off SSID and using MAC filtering is useless but implement those if you want.
Implementing MAC filtering is merely useless (and bothersome), so this particular useless complication is innocent.

But turning off SSID broadcasting is worse, because besides being useless it actually diminishes your security:
https://easylinuxtipsproject.blogspot.c ... html#ID1.1

TL;DNR: You then turn your laptop into a machine that's literally shouting that it can be hacked, whenever it's moved outside the range of your WiFi network.

Turning off SSID broadcasting for security, is a myth that should be dragged behind the barn and shot. :evil:
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Re: Linux Security

Post by majpooper »

Pjotr wrote: Wed Jul 17, 2019 6:44 am
majpooper wrote: Tue Jul 16, 2019 12:38 pm turning off SSID and using MAC filtering is useless but implement those if you want.
Implementing MAC filtering is merely useless (and bothersome), so this particular useless complication is innocent.

But turning off SSID broadcasting is worse, because besides being useless it actually diminishes your security:
https://easylinuxtipsproject.blogspot.c ... html#ID1.1

TL;DNR: You then turn your laptop into a machine that's literally shouting that it can be hacked, whenever it's moved outside the range of your WiFi network.

Turning off SSID broadcasting for security, is a myth that should be dragged behind the barn and shot. :evil:
THX much Pjotr - I edited my post to reflect your comments