This post explains how to use Linux Mint securely.
Trend Micro's report for the first half of 2021 counts about 13,000,000 attacks on Linux systems. Its telemetry comes from companies running Trend Micro products (there is no Trend Micro product for Linux home users); this does not mean that individuals are not attacked, only that nobody reports it, for lack of telemetry.
The attacks are distributed as follows:
- Cryptocurrency miners: 24.56%; they use your computer's processing power to "mine" Bitcoin, Ethereum and the like.
- Web shells: 19.92%; installed on a compromised server, they give the attacker a foothold from which to take control of a network.
- Ransomware: 11.55%; it encrypts all or part of a system, blocks its use, and demands a ransom (usually in cryptocurrency) to restore access.
- Trojans: 9.65%; they hide in a download that looks legitimate and take control of the system.
The protections included in Linux:
Linux separates the ordinary user from the superuser (root): to modify or write a system file you must authenticate (on Mint, with your own password, through sudo).
In addition, downloaded files are not executable by default; they must be made executable explicitly. Two caveats:
- under Linux any file, including a plain text file, can be made executable whatever its extension; a script runs as soon as its execute bit is set,
- downloaded archives (tar, and zip archives created on Unix) store the execute bit of each file; after extraction such files are executable without the user having had to make them so.
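The second caveat, made visible. This is an added example, not part of the original post: it packs a small directory containing an executable script, unpacks it elsewhere, and lists what the unpacked tree would let you run. All paths, names and file contents are constructed for the demo; list_executables is a helper written here, not a Mint or coreutils command.

```shell
#!/bin/sh
# Added example, not from the original post. A tar archive stores the mode bits of
# each file, so a script that was executable when packed is executable the moment it
# is unpacked, whatever its extension. list_executables DIR shows what an unpacked
# tree would let you run. Everything in demo (paths, names, contents) is constructed.
set -eu

# list_executables DIR: every regular file under DIR that carries an execute bit,
# followed by the files that are not (yet) executable but start with a "#!" line,
# i.e. scripts that become runnable with a single chmod.
list_executables() {
  find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
  find "$1" -type f ! -perm -100 ! -perm -010 ! -perm -001 | sort | while IFS= read -r f; do
    if [ "$(head -c 2 "$f")" = "#!" ]; then
      printf '%s (script, not yet executable)\n' "$f"
    fi
  done
}

# demo: pack a small "tool" directory, unpack it elsewhere, list the result
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/src/tool" "$d/out"
  printf '#!/bin/sh\necho hello\n' > "$d/src/tool/run.sh"
  chmod 755 "$d/src/tool/run.sh"                              # executable when packed
  printf '#!/bin/sh\necho helper\n' > "$d/src/tool/helper.sh" # mode 644: a chmod away
  printf 'just text\n' > "$d/src/tool/README"                 # no extension, no exec bit
  tar -C "$d/src" -cf "$d/tool.tar" tool                      # mode bits go into the archive
  tar -C "$d/out" -xf "$d/tool.tar"                           # ...and come back out
  ( cd "$d/out" && list_executables tool )
  rm -rf "$d"
}

demo
```

Running it prints tool/run.sh first (it came out of the archive executable, no chmod by the user) and then tool/helper.sh flagged as a script that is one chmod away; README is not listed. Run list_executables on any directory you just extracted before you double-click anything in it.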
Protection tools are included in Linux:
The main ones are iptables/nftables, seccomp, AppArmor, SELinux, grsecurity and PaX. Some are applied by packages when they are installed (ClamAV, for instance, ships an AppArmor profile for its daemon), some are enforced by the kernel on behalf of applications that request them (seccomp filters), and some are set by the user (iptables, usually through its ufw front-end). Two precisions: Mint uses AppArmor, not SELinux ("sudo aa-status" lists the loaded profiles), and grsecurity and PaX are out-of-tree kernel patch sets that are not part of the stock Mint kernel.
These protection mechanisms would be fully effective without the programming flaws (in specification, coding or testing) that lead to bugs and vulnerabilities, and which exist in every operating system: macOS, Windows, Linux, iOS, Android...
In particular, the security of the Linux kernel is heavily criticized:
- it is an aggregate of separate developments, written by different developers at different times (some very old), without a common set of secure-development guidelines;
- Google, among others, has criticized the insufficient resources devoted to kernel security, in development and testing hours.
The vulnerabilities are not confined to the kernel: they also sit in system software, in programs that talk to the internet, and so on.
Because of these vulnerabilities, protections can be bypassed (for example, an attacker may obtain superuser rights without having to enter the password: a local privilege escalation).
Using Linux securely:
The user can significantly improve the security of his system by taking a number of precautions.
Update system and programs:
Trend Micro's report shows that the attacks concentrate on outdated systems:
- old distributions that are no longer maintained (as a reminder, the maintained Mint LTS releases are 19.x until April 2023 and 20.x until April 2025),
- outdated kernels, system software, browsers and other software.
In Mint's LTS releases, packages stay at a frozen version (as on Ubuntu), but:
- the kernel, system software, libraries, etc. receive a patched build each time a security vulnerability is fixed,
- browsers and e-mail clients follow the releases of their developers.
The first rules to apply are therefore:
- stop using distributions that are no longer maintained,
- apply every update proposed by the Update Manager,
- update the programs you installed yourself: anything installed from a downloaded archive is not followed by the Update Manager and must be updated by hand or by its own updater.
User and root passwords:
- Root password: Mint does not set one by default; the root account is locked and administration goes through sudo with your own password. If you want to be able to log in as root directly (with su, for example), set one:
    sudo passwd root
A locked root account is not a weakness in itself: it means the only road to root is sudo, and one password fewer exists to be guessed. Whether you set one or not, what matters is that every account that can reach root has a strong password.
- Choose strong passwords for root and user:
Avoid a trivial password such as "qwertyu", or your user name "peter37" as the password.
Use a long password (8 characters is an absolute minimum; 12 to 16, or a passphrase of several random words, is better), mixing letters, digits, symbols, upper and lower case.
Use two different passwords for root and user.
- To change your own (user) password:
    passwd
Avoid connecting where it is risky:
You can combine several tools: a hostname filter (the hosts file), an adblocker, and browser extensions, to keep malware, advertising and tracking away.
Hosts file: '/etc/hosts' can be used as a hostname filter: every name listed there with the address 0.0.0.0 (or 127.0.0.1) resolves locally and never reaches the network. For that:
* Copy your '/etc/hosts' file to your home directory '/home/$USERNAME' (where $USERNAME is your user name).
* Rename the copy "hosts_base.txt"; it keeps your own entries (localhost, your machine name) at the top of the generated file.
* Launch a text editor, for example xed, paste the following script into it and save it in the same directory, for example as "update_hosts.sh":
    #!/bin/bash
    # anti malware, anti spam and anti cryptominers hosts file (system-wide)
    # Run from the directory that holds hosts_base.txt (your copy of the original /etc/hosts).
    set -euo pipefail
    cd "$(dirname "$0")"
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    # Download every list into a temporary directory first; /etc/hosts is only
    # touched once all downloads have succeeded (a failed wget aborts the script).
    # malware lists
    wget -nv "https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestdomains.piHole.txt" -O "$work/hosts1.txt"
    wget -nv "https://urlhaus.abuse.ch/downloads/hostfile/" -O "$work/hosts2.txt"
    wget -nv "https://curben.gitlab.io/malware-filter/urlhaus-filter-hosts.txt" -O "$work/hosts3.txt"
    # spam list
    wget -nv "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts" -O "$work/hosts4.txt"
    # no coin list
    wget -nv "https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt" -O "$work/hosts5.txt"

    # merge in one file: your base entries first, unchanged; then the lists, normalised
    # to "address name" lines (a list that ships bare domain names gets 0.0.0.0 in front,
    # comments, blank lines and CRLF are removed, duplicates are removed)
    {
      cat hosts_base.txt
      cat "$work"/hosts[1-5].txt | tr -d '\r' \
        | awk '/^[ \t]*#/ || NF == 0 { next }
               NF == 1 { print "0.0.0.0", $1; next }
               { print $1, $2 }' \
        | sort -u
    } > "$work/hosts"

    # keep the previous file, then install the new one with root ownership and mode 644
    sudo cp -p /etc/hosts /etc/hosts.bak
    sudo install -m 644 -o root -g root "$work/hosts" /etc/hosts

    # DNS cache flush (on newer releases the command is: resolvectl flush-caches)
    sudo systemd-resolve --flush-caches
    read -s -n1 -p "Press any key to continue..."; echo
* With your file manager, select the file, right click, Properties, Permissions, and make it executable.
=> Each time you run this file it refreshes '/etc/hosts' (the previous file is kept as '/etc/hosts.bak'). Two caveats: the lists come from third parties you have to trust, since anything they list becomes unreachable for the whole machine; and '/etc/hosts' is scanned sequentially by the resolver, so a file of several hundred thousand lines makes every name lookup measurably slower. If that happens, keep the malware lists and drop the rest, or move the filtering to a local DNS resolver.
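Two checks a practitioner wants before a generated file replaces '/etc/hosts', as an added example that is not part of the original post and does not touch the system: normalise lists of different shapes (one of the lists above is a bare domain list rather than "address name" lines) and validate the merged result. The sample base file and lists are constructed inline, the functions merge_hosts and check_hosts are written here for the demo, and nothing is downloaded.

```shell
#!/bin/sh
# Added example, not from the original post: merge hosts-style blocklists offline
# and validate the result before it could replace /etc/hosts. Sample lists and
# names are constructed for the demo.
set -eu

# merge_hosts BASE LIST...: prints BASE unchanged, then one "0.0.0.0 name" line per
# blocked name found in LIST..., without comments, blank lines, CRLF or duplicates.
# Loopback names that blocklists sometimes repeat are skipped so that they cannot
# shadow the entries of BASE.
merge_hosts() {
  base=$1; shift
  cat "$base"
  cat "$@" | tr -d '\r' | awk '
    /^[ \t]*#/ || NF == 0 { next }        # comment or empty line
    NF == 1 { name = $1 }                 # bare domain list
    NF >= 2 { name = $2 }                 # "address name" hosts format
    name ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$/ { next }
    { print "0.0.0.0", name }' | sort -u
}

# check_hosts FILE: returns 0 and prints the number of blocked names if every
# non-comment line is "address name [alias...]" and localhost is still mapped to
# 127.0.0.1; returns 1 otherwise. Run it on the merged file before installing it.
check_hosts() {
  if ! grep -Eq '^127\.0\.0\.1[[:space:]]+localhost([[:space:]]|$)' "$1"; then
    echo "refusing: no 127.0.0.1 localhost entry in $1" >&2
    return 1
  fi
  if ! awk '/^[ \t]*#/ || NF == 0 { next }
            NF < 2 { bad++; next }
            $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 !~ /^[0-9A-Fa-f:]+$/ { bad++ }
            END { if (bad > 0) exit 1; exit 0 }' "$1"; then
    echo "refusing: malformed line(s) in $1" >&2
    return 1
  fi
  grep -c '^0\.0\.0\.0 ' "$1"
}

# demo: a base file plus two lists of different shapes, merged and checked
demo() {
  d=$(mktemp -d)
  printf '127.0.0.1\tlocalhost\n127.0.1.1\tmint-box\n::1\tip6-localhost\n' > "$d/hosts_base.txt"
  # hosts format with CRLF line ends and a loopback line that must be ignored
  printf '# list 1\r\n0.0.0.0 malware.example\r\n0.0.0.0 coin.example\r\n127.0.0.1 localhost\r\n' > "$d/list1.txt"
  # bare domain list, with a duplicate of list 1 and a blank line
  printf 'bare.example\nmalware.example\n\n' > "$d/list2.txt"
  merge_hosts "$d/hosts_base.txt" "$d/list1.txt" "$d/list2.txt" > "$d/hosts"
  check_hosts "$d/hosts"     # prints 3: malware.example, coin.example, bare.example
  rm -rf "$d"
}

demo
```

check_hosts refuses a file where localhost has disappeared (a machine whose localhost does not resolve breaks a surprising number of programs) and a file with lines that are not "address name", which is what a list in an unexpected format produces when it is simply concatenated.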
Adblocker: on purpose, the hosts file contains no anti-advertising list; that role is left to an adblocker, uBlock Origin, for several reasons:
* When a page fails to load, you can disable the adblocker for that page (you cannot disable the hosts file per page).
* The adblocker uses a mix of domain lists (in addition to those in the hosts file) and of pattern rules that block URLs containing given keywords or paths; with this cross-filtering of domains and patterns, the filtering is more effective than the hosts file alone, which can only block whole hostnames.
The adblocker, configured as below, filters advertising, malware and tracking, on top of what the hosts file already does.
uBlock Origin is available for internet browsers (Firefox, Chrome, Chromium, Ungoogled-Chromium) and for the Thunderbird mail client. You have to do two separate installations, in the browser and in Thunderbird.
Configuration of uBlock Origin (identical in both cases; the labels below are those of the English interface):
- in the "Filter lists" tab of the uBlock Origin dashboard, check:
* "Auto-update filter lists",
* "Parse and enforce cosmetic filters",
* in "Built-in", check the 5 lists,
* in "Ads", check "AdGuard Base" and "EasyList",
* in "Privacy", check "AdGuard Tracking Protection" and "EasyPrivacy",
* in "Malware domains", check "Spam404",
* in "Annoyances", check "Fanboy's Annoyances",
* in "Regions, languages", check the list corresponding to your language / country,
* add the following two specific lists:
. "Fanboy's Enhanced Tracking List", https://secure.fanboy.co.nz/enhancedstats.txt
. "StevenBlack / hosts", https://raw.githubusercontent.com/Steve ... ster/hosts
[NB: The lists defined above are complementary to those in the hosts file.]
Browser extensions: in addition to uBlock Origin, several browser extensions play a role in security, privacy or anti-tracking. Keep the list short: every extension has access to the pages you visit, so each one is also an additional piece of code to trust and keep updated.
* Block Ads for Social Networks (Chrome and family): blocks Facebook ads in your Chrome.
* Decentraleyes (Chrome and family, Firefox): protects against tracking through "free", centralized content delivery networks by serving common libraries locally.
* HTTPS Everywhere (Chrome and family, Firefox): automatically switches to HTTPS on many sites. Note that the EFF has since retired this extension: Firefox (HTTPS-Only Mode, in the Privacy & Security settings) and Chromium (Always use secure connections) now have the same function built in, which is the better choice.
* Privacy Badger (Chrome and family, Firefox): automatically learns to block invisible trackers.
* Facebook Container (Firefox): separates your web activity from your Facebook profile.
Avoid unwanted incoming connections:
In Linux Mint there are two easy ways and a more elaborate one to block unwanted incoming connections. Before configuring anything, see what is actually listening: "ss -tlnup" (run it with sudo to see the owning processes) lists the open TCP and UDP ports; a fresh desktop install shows very few, typically the CUPS printing service on port 631 and Avahi on 5353.
"hosts.deny" and "hosts.allow": these two files in '/etc' are read by TCP wrappers (libwrap) and let you authorize ("hosts.allow") or refuse ("hosts.deny") incoming connections. Caveat: they only act on programs that are linked against libwrap or started through tcpd. Check with "ldd /usr/sbin/sshd | grep libwrap": on current Ubuntu-based releases it prints nothing, i.e. sshd ignores these files and only the firewall protects it. They are a complement to the firewall, not a replacement.
For a single user, the settings are simple.
* Open "hosts.deny" with xed:
    sudo xed /etc/hosts.deny
* Add the line "ALL: ALL" at the end and save; the file should then contain:
    # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
    #                  See the manual pages hosts_access(5) and hosts_options(5).
    #
    # Example:    ALL: some.host.name, .some.domain
    #             ALL EXCEPT in.fingerd: other.host.name, .other.domain
    #
    # If you're going to protect the portmapper use the name "rpcbind" for the
    # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
    #
    # The PARANOID wildcard matches any host whose name does not match its
    # address.
    #
    # You may wish to enable this to ensure any programs that don't
    # validate looked up hostnames still leave understandable logs. In past
    # versions of Debian this has been the default.
    # ALL: PARANOID
    ALL: ALL
* Open "hosts.allow":
    sudo xed /etc/hosts.allow
* Save; your "hosts.allow" file should contain only the default comments (nothing is explicitly allowed, not even from localhost):
    # /etc/hosts.allow: list of hosts that are allowed to access the system.
    #                   See the manual pages hosts_access(5) and hosts_options(5).
    #
    # Example:    ALL: LOCAL @some_netgroup
    #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
    #
    # If you're going to protect the portmapper use the name "rpcbind" for the
    # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
    #
If you later run a wrapped service that must be reachable from another machine, add an entry for that daemon and the permitted addresses to "hosts.allow" (see hosts_access(5)).
GUFW firewall: this is the graphical front-end of UFW; start it with "gufw" and, for a single user, set Incoming to "Deny" and Outgoing to "Allow", then switch the firewall on. Check the result in a terminal with "sudo ufw status verbose". For more options, read GUFW's built-in help.
[NB: you can use hosts.deny / hosts.allow and GUFW together, two protections in parallel; but make sure the permissions / exclusions for incoming connections are the same in both.]
iptables: a very elaborate firewall; refer to its man pages and online documentation if you want to use it. Note that ufw itself generates iptables rules: if you write your own, either stop using ufw or make the two coexist deliberately, otherwise the rule sets will interfere with each other.
Linux Mint's default browser choice is Firefox.
But is it the best choice for security? Opinions diverge sharply. What can be observed is that Firefox has been absent from several recent editions of the Pwn2Own hacking contest (in which researchers are paid for bypassing software security); the organizers do not publish their reasons, so reading that absence as "too easy to hack" is an inference, not a statement of theirs. What is documented is that Chromium had a multi-process sandbox and site isolation years before Firefox did.
The least badly performing family of browsers is Chrome and its derivatives (they are regularly hacked, but at least they are invited to the contest). Under Linux Mint you can install:
- Google Chrome, from its website.
- Chromium, fully OpenSource, directly from the distribution (Mint 19.x or 20.x).
- Or Ungoogled Chromium, an OpenSource version of chromium in which all links with Google have been severed.
All three have the same user interface; Chromium and Ungoogled Chromium can share the same user profile; Ungoogled Chromium is the version that best protects against Google tracking.
To install ungoogled-chromium:
- "Archive" version by Marmaduke:
* Download it from https://chromium.woolyss.com/ and verify the archive against whatever checksum or signature the page publishes before running it: a browser binary fetched from a third-party site is exactly the "download that looks legitimate" vector described above.
* Extract the "*.tar.xz" archive and copy the resulting directory where you want, for example to '/home/$USERNAME/opt'.
* Ungoogled-chromium is then ready to use: you can run it directly (read the "readme") or create a launcher. Since it lives outside the package system, the Update Manager will not update it; check the site for new builds.
* Widevine is included; you need to add the "chromium-web-store" extension to be able to install extensions from the Chrome Web Store. See https://ungoogled-software.github.io/un ... uto-update.
- Installable version, for Ubuntu Focal or Mint 20.x (the repository is a community build on the openSUSE Build Service: you are trusting its maintainer for your browser). The signing key is stored under /usr/share/keyrings and bound to this repository with "signed-by", so that it cannot validate packages from any other repository, unlike a key dropped into /etc/apt/trusted.gpg.d:
    curl -fsSL 'https://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/Release.key' \
      | gpg --dearmor | sudo tee /usr/share/keyrings/home-ungoogled_chromium.gpg > /dev/null
    echo 'deb [signed-by=/usr/share/keyrings/home-ungoogled_chromium.gpg] http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/ /' \
      | sudo tee /etc/apt/sources.list.d/home-ungoogled_chromium.list > /dev/null
    sudo apt update
    sudo apt install -y ungoogled-chromium
* It will be necessary to install the "chromium-web-store" extension, see above.
* Widevine is not installed; it must be installed separately, see https://ungoogled-software.github.io/un ... devine-cdm, which includes a script to automate the process.
Use flatpak versions of browsers: Firefox, Chromium and ungoogled-chromium are available as flatpaks; since flatpaks run in a bubblewrap sandbox, this adds a supplementary security layer, with one caveat: the strength of the sandbox depends on the permissions the flatpak declares ("flatpak info --show-permissions org.chromium.Chromium" shows them; browsers typically ask for the network and large parts of your home directory), so it is containment, not full isolation. Note that Chromium and ungoogled-chromium need flatpak >= 1.8.2, newer than the version shipped by Mint 20. You can get a recent version of flatpak from this ppa: https://launchpad.net/~alexlarsson/+arc ... tu/flatpak.
You can also use Firejail as a sandboxing utility; it ships profiles for the common browsers ("firejail firefox"), and "firejail --list" shows which programs are currently running sandboxed.
System and user files backup:
Backup is a very important element:
- against hard drive failures,
- against system errors,
- against mistakes by the user,
- and it is one of the only effective defenses against ransomware (do not expect to regain access to your system by paying the ransom...), on one condition: the backup medium must be disconnected when you are not backing up, otherwise ransomware encrypts it together with everything else.
The following assumes:
* That the Mint installation was done with separate partitions: '/' (root and system files, programs, libraries), '/home' (containing '/home/$USERNAME' and the user files) and a swap partition.
[A separate '/home' partition makes successive installations easier and avoids losing user files when the system malfunctions. A separate '/' partition allows system backups as partition images or archives that are not too large.]
* You have a Linux Mint installation DVD or USB key,
* You have a DVD or bootable USB key allowing the creation of partition images or archives,
* You have an external device, USB hard drive or large key, for backups.
User files backup: Mint includes backup software, "mintbackup"; in practice it is unusable for this purpose because it copies every file each time it runs, which takes a very long time.
We will therefore use FreeFileSync with a differential (mirror) backup: the first run copies everything, later runs copy only what has changed.
* From https://freefilesync.org/download.php download the Linux version.
* Uncompress the archive.
* Run the installer by choosing where to install FFS (I prefer to install it in my '/home/$USERNAME').
To start FFS I use a small script:
    #!/bin/bash
    cd "$HOME/FreeFileSync"
    # sudo is only needed if the backup includes files your user cannot read;
    # for your own home directory, run it as your user (files copied by root
    # end up owned by root)
    sudo ./FreeFileSync
The backup goes to an external USB disk (never back up onto the system disk: in a disk crash, everything would be lost). I do one every two or three days.
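A backup is only worth what a restore gives back, so check it. This is an added example, not part of the original post and not tied to FreeFileSync: verify_backup compares a source tree with its copy file by file and reports what changed, went missing or is stale, and same_filesystem warns when the "backup" sits on the same disk as the data, the failure mode the paragraph above warns about. Both functions are written here with plain POSIX tools; the directories and files in demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check a user-files backup against its
# source. Paths and files in demo are constructed; only POSIX tools are used.
set -eu

# verify_backup SRC DST: lists every file that is CHANGED (content differs),
# MISSING (in SRC, not in DST) or EXTRA (in DST only, e.g. deleted from SRC since
# the last run). Prints nothing and returns 0 when DST mirrors SRC exactly.
verify_backup() {
  problems=$(
    find "$1" -type f | sort | while IFS= read -r f; do
      rel=${f#"$1/"}
      if [ ! -f "$2/$rel" ]; then echo "MISSING $rel"
      elif ! cmp -s "$f" "$2/$rel"; then echo "CHANGED $rel"
      fi
    done
    find "$2" -type f | sort | while IFS= read -r f; do
      rel=${f#"$2/"}
      [ -f "$1/$rel" ] || echo "EXTRA $rel"
    done
  )
  [ -z "$problems" ] && return 0
  printf '%s\n' "$problems"
  return 1
}

# same_filesystem A B: returns 0 when both paths live on the same filesystem,
# i.e. a single disk failure would take the data and its backup together.
same_filesystem() {
  a=$(df -P "$1" | awk 'NR == 2 { print $1 }')
  b=$(df -P "$2" | awk 'NR == 2 { print $1 }')
  [ "$a" = "$b" ]
}

demo() {
  d=$(mktemp -d)
  mkdir -p "$d/home/docs" "$d/usb"
  printf 'contract v1\n' > "$d/home/docs/contract.txt"
  printf 'notes\n'       > "$d/home/docs/notes.txt"
  cp -R "$d/home/." "$d/usb/"                               # first backup: full copy
  verify_backup "$d/home" "$d/usb" && echo "backup OK"
  same_filesystem "$d/home" "$d/usb" && echo "WARNING: backup on the same filesystem as the data"
  printf 'contract v2\n' > "$d/home/docs/contract.txt"     # edited since the backup
  rm "$d/home/docs/notes.txt"                               # deleted since the backup
  printf 'new\n' > "$d/home/docs/new.txt"                   # created since the backup
  verify_backup "$d/home" "$d/usb" || true                  # stale backup: report it
  rm -rf "$d"
}

demo
```

In the demo both directories are under the same temporary directory, so the warning fires; on a real machine, run same_filesystem against your home directory and the mount point of the USB disk and expect it to return 1. Run verify_backup right after each backup, while the disk is still connected: a silent "backup OK" is the result you want before unplugging it.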
System files backup:
- With Timeshift you take snapshots of the system: RSYNC mode, on the external disk, with no schedule (the backup disk does not have to stay connected); keep at least two snapshots (I do one every two or three days).
By booting from the Mint installation DVD or USB key, you can launch the Timeshift included there and restore the system to a previously working state.
- Timeshift does not always succeed at restoring a system. Complement it with a bootable DVD or USB key carrying utilities that create an image or archive of the '/' partition and restore it when needed; this disk or key should also carry repair utilities (partitioning, boot sector repair, etc.).
For this you can use Foxclone, https://www.foxclone.com/, or System Rescue, https://www.system-rescue.org/. Foxclone is the easier to use; System Rescue is harder to use but has many more repair tools installed.
Frequent Timeshift snapshots can be combined with a fortnightly or monthly image made with Foxclone or System Rescue. Whichever tool you use, test a restore once, on a spare disk if you have one: a backup that has never been restored is an assumption, not a safeguard.
In case of problem :
* Boot from the Mint installation DVD or USB key and try to restore the latest working snapshot with Timeshift; if that works, stop there.
* If the Timeshift restore does not work, restore the '/' partition with Foxclone or System Rescue, then restore the latest working snapshot with Timeshift.
Virus and malware scanning:
Several tools are available:
- Linux Malware Detect (LMD), on-demand malware scanning (12,768 signatures of programs targeting Linux), not in the Mint repositories, https://www.rfxn.com/projects/linux-malware-detect/.
- Rkhunter, on-demand rootkit scanning, in the Mint repositories. Its online signature update ("rkhunter --update") is deliberately disabled in the Debian/Ubuntu package (WEB_CMD is set to /bin/false in /etc/rkhunter.conf), so that step fails, but "sudo rkhunter --check" itself runs with the data shipped in the package; run "sudo rkhunter --propupd" after each system update so that legitimately changed binaries are not reported as tampered with. http://rkhunter.sourceforge.net/.
- Chkrootkit, on-demand rootkit scanning, in the Mint repositories but outdated, http://www.chkrootkit.org/.
- ClamAV, on-demand and on-access virus and malware scanning, in the Mint repositories but outdated (the signature database is still refreshed by freshclam; it is the engine that is old), https://www.clamav.net/.
- Clamav-unofficial-sigs, which adds third-party signatures to ClamAV, in the Mint repositories but outdated, https://github.com/extremeshok/clamav-unofficial-sigs/.
[This subject is not treated seriously by Ubuntu (and, as a consequence, by Mint): LMD missing, Rkhunter's updates disabled, chkrootkit, clamav and clamav-unofficial-sigs outdated.]
So, if you are interested:
* download these programs from their respective websites and verify the checksum or signature they publish: a scanner runs as root and reads the whole system, so a tampered copy is worse than none,
* read their installation and user documentation carefully before installing or using them.
To better protect the confidentiality of your data, you can use encryption:
- of the complete system: full-disk encryption (LUKS), chosen when installing Mint. It protects data at rest, i.e. a lost or stolen machine; once the system is booted and unlocked, it protects nothing against malware running on it.
- of a partition, or of a container file inside a partition: you can use VeraCrypt.
* From the VeraCrypt download page, choose the version adapted to your distribution (Mint 19.x <=> Ubuntu 18.04; Mint 20.x <=> Ubuntu 20.04), and verify the PGP signature published next to the file.
* Install the DEB with gdebi (select the DEB, right click, install with gdebi).
* Read the large and complex VeraCrypt documentation VERY CAREFULLY before using it.
- when browsing: with HTTPS, which today is best enforced by the browser's own HTTPS-only mode (the HTTPS Everywhere extension has been retired); or encryption plus anonymity with Tor Browser.
To install Tor Browser:
* Go to https://www.torproject.org/download/,
* Click the "Download for Linux" button, and verify the signature of the archive with the Tor Project's signing key (the download page links to the instructions): Tor Browser is a prime target for tampered copies.
* Extract the downloaded "*.tar.xz" archive; move the extracted directory where you want, for example '/home/$USERNAME/opt'.
* First launch: double-click "Tor-Browser Setup" in the directory; it changes the icon to "Tor-Browser" and launches the browser.
* Later launches: double-click "Tor-Browser" in the directory, or create a menu entry with your menu manager. Tor Browser updates itself; let it.
- for your e-mails:
* Install GNU Privacy Guard and a graphical front-end (Thunderbird has OpenPGP built in since version 78).
* Generate your private key / public key pair.
* Publish your public key, or exchange public keys with your correspondents, and check the key fingerprint over another channel (phone, in person) before trusting a key.
* Encrypt your e-mails with your correspondents' public keys (and with yours, so that you can still read your own sent mail).
* Sign the e-mails you send with your private key.
* Decrypt the e-mails you receive with your private key, and verify the signature on the ones that are signed.
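The same workflow carried out by hand with GnuPG, so that each step is visible. This is an added example, not part of the original post: two made-up people (Alice and Bob) each generate a key pair in a throw-away keyring, exchange public keys, then Alice encrypts a message for Bob and for herself and signs it, and Bob decrypts it and checks the signature through gpg's machine-readable status lines (--status-fd). It assumes gpg 2.1 or later on the PATH; the keys are created without passphrase, which is acceptable only for a demo.

```shell
#!/bin/sh
# Added example, not from the original post: generate, exchange, encrypt+sign,
# decrypt+verify with GnuPG, in two temporary keyrings. Assumes gpg >= 2.1.
# Alice and Bob, their addresses and the message are made up for the demo.
set -eu

gpg_roundtrip() {
  work=$(mktemp -d)
  alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob"

  # 1. each side generates a private/public key pair (no passphrase: demo only)
  gen_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never 2>/dev/null
  }
  gen_key "$alice" "Alice <alice@example.com>"
  gen_key "$bob"   "Bob <bob@example.com>"

  # 2. exchange public keys (in real life: key server, web page, or attachment)
  gpg --homedir "$alice" --batch --quiet --armor --export alice@example.com > "$work/alice.asc"
  gpg --homedir "$bob"   --batch --quiet --armor --export bob@example.com   > "$work/bob.asc"
  gpg --homedir "$alice" --batch --quiet --import "$work/bob.asc"   2>/dev/null
  gpg --homedir "$bob"   --batch --quiet --import "$work/alice.asc" 2>/dev/null

  # 3. Alice encrypts for Bob's public key and her own, and signs with her private key
  #    (--trust-model always stands in for the fingerprint check done out of band)
  printf 'Meet at 10:00\n' > "$work/msg.txt"
  gpg --homedir "$alice" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --trust-model always --local-user alice@example.com \
      --recipient bob@example.com --recipient alice@example.com \
      --sign --encrypt --armor --output "$work/msg.asc" "$work/msg.txt"

  # 4. Bob decrypts with his private key; the status lines on fd 3 report the
  #    signature check (GOODSIG if the signature verifies with Alice's key)
  gpg --homedir "$bob" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --status-fd 3 --output "$work/plain.txt" --decrypt "$work/msg.asc" \
      3>"$work/status.txt" 2>/dev/null
  if grep -q '^\[GNUPG:\] GOODSIG ' "$work/status.txt"; then sig=GOODSIG; else sig=BADSIG; fi
  printf '%s %s\n' "$sig" "$(cat "$work/plain.txt")"
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
  gpg_roundtrip
fi
```

The output is "GOODSIG Meet at 10:00": Bob could read the message because it was encrypted to his public key, and the GOODSIG status line tells him it was signed by the key he imported as Alice's. A mail client does exactly these steps behind its buttons; what it cannot do for you is step 2's fingerprint check, which is why it is listed separately above.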
Use of Windows apps:
- Some Windows apps, written for ".NET", can be run under Linux with Mono.
- Others can be run using Wine, CrossOver (a "polished", paid version of Wine) or PlayOnLinux (a more user-friendly graphical layer over Wine).
However, doing this, the Windows programs are not isolated from your Linux session: they run as your user, with your files and your network, and a malicious or exploited one offers an entry point to an attacker.
It is preferable, when possible, to install a copy of Windows in a virtual machine (qemu/kvm, VirtualBox, VMware Workstation Player...) and run the app in the Windows guest, inside the virtual machine: the Windows processes are then isolated from the Linux host and an attack is harder (though not impossible: shared folders and clipboard sharing are the usual holes). And then uninstall Mono, Wine / CrossOver / PlayOnLinux.
You can go further and use a security audit program to track your system's weaknesses; this can be done with the free version of Lynis, https://cisofy.com/lynis/.
Download it (see https://packages.cisofy.com/community/), check the archive against the checksum published there, extract it, and launch Lynis, a shell script, as root for a complete audit: "sudo ./lynis audit system".
Lynis examines your system and makes recommendations (typically a few dozen), each with a link to an explanation.
Lynis itself applies no change to your system.
If you apply some or all of its recommendations, your system's security improves; read each one first, as some (hardening ssh, for instance) only make sense for services you actually run.
Here we are.
This post is very long but it gives an overview of the means of security improvement. Take whatever you want. Among Linux Mint users there may be single home users, but also small companies, doctors, lawyers, journalists, activists... Different users, different needs.