How to make Linux Mint reasonably secure?

Post by Immemorial »

Hello,

to avoid accumulating any malware and such (be it rootkits, keyloggers, ransomware and other stuff, as well as stuff that might affect Wine or files sent to Windows PCs, or that, in general, is damaging enough even while just possessing user privileges) as well as significant security vulnerabilities and such in general, what steps should I take to make Linux Mint 18.3 reasonably secure?

I've repeatedly read claims something along the lines of "Linux isn't vulnerable to such things/there is no need for antivirus software or something like that", but it's not like that would put me at ease much, as this doesn't particularly deal with the worries I've mentioned.

Are there some good guides or general tips about how to make Linux secure in general?

What security software (be it the kind with active protection like plenty of serious Windows security suites and such offer, or only the kind limited to scanning) works decently in Linux Mint 18.3 (if necessary through Wine)?

Can someone offer some helpful advice regarding this?

Thanks in advance.

Post by Cosmo. »

You don't need any "security" software and you should not install it. Security software can add new vulnerabilities to the system, holes, which would not exist without such a software. Last example (from this week): ClamAV, where not less than 7 holes had to be closed. Such things happen regularly for all such software, regardless how the company is named.

Post by Moem »

Linux Mint already is more than reasonably secure. Keep it updated, use common sense on the web, and switch the pre-installed firewall on; if you're using public WiFi, use a VPN. Don't use Wine for stuff that connects to the internet or for applications that you haven't downloaded directly from a reliable manufacturer.
You've now crossed the line into 'very secure'.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Post by smurphos »

https://sites.google.com/site/easylinux ... t/security

This is as good a read as any.

Linux is generally pretty secure out of the box.

My personal tips.....

1) Apply security updates offered by Update manager religiously.
2) Ensure your browser is secure.
3) I wouldn't have Wine installed on my system. If I needed Windows I'd dual boot or run it in a Virtual machine.
4) Enable UFW firewall.
5) Apply copious dollops of common-sense to where you obtain software from if it is not from the included repositories.

If you really want to go to town and educate yourself in the meantime, this is a good tool for security audits of Linux in general. However, you will be breaking a security rule of thumb by installing it in the first place as it's not in the repos......:D

https://www.digitalocean.com/community/ ... untu-16-04
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

Post by Pjotr »

I endorse the first web link that smurphos gave you, because I wrote it.... :wink:

This is its new location:
https://easylinuxtipsproject.blogspot.c ... urity.html

Installing a normal application, any normal application, increases your attack surface. Installing antivirus increases your attack surface dramatically. Don't do it.

Edit: changed the link to the current location of that page.
Last edited by Pjotr on Fri Jul 17, 2020 3:51 pm, edited 1 time in total.
Tip: 10 things to do after installing Linux Mint 20 Ulyana
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post by Mattyboy »

Some tips.

Enable the firewall.
In terminal

Code:

sudo ufw enable

Install and set up firejail for internet connected programs, web browsers, e-mail clients, torrent programs etc.

Code:

sudo apt install firejail

# Fix the 'sound bug'
mkdir -p ~/.config/pulse
cd ~/.config/pulse
cp -v /etc/pulse/client.conf ~/.config/pulse
echo "enable-shm = no" >> client.conf

Add the command to launch icons, for example.

Code:

firejail firefox %u

Check that it's running

Code:

firejail --list

Use web browsers that are regularly updated, e.g. Firefox, and install extensions to protect your privacy and prevent malicious scripts from running, e.g.
uBlock Origin
HTTPS Everywhere
NoScript (or alternative)
etc etc

Only install software from the software center or synaptic.

DO NOT use Wine.

If you require the use of Windows programs either dual-boot or use a virtual machine setting its persistence according to requirements.

No need for 'antivirus software'; it's generally considered more of a danger than a 'protector' in Linux.

It's not the responsibility of a Linux desktop user to protect Windows machines. That's a Windows user's or administrator's problem, let them sort it out.

Keep your system and programs up to date.

Common sense, use it, always.

Done.

Post by daveinuk »

Immemorial wrote: Hello, what steps should I take to make Linux Mint 18.3 reasonably secure.

I've repeatedly read claims something along the lines of "Linux isn't vulnerable to such things/there is no need for antivirus software or something like that", but it's not like that would put me at ease much, as this doesn't particularly deal with the worries I've mentioned.
Only time & usage will eliminate your doubts, if you're not convinced it's secure, you're just not convinced. Install all the anti virus and anti everything stuff you can find until you feel happy with it, if you feel that's what it needs, like Windows conditions you to. It will only be after a few years of usage and familiarity that you will convince yourself that it's not really needed.
I don't use A/V, defrag, use anti malware or any of that other stuff I did with MS. I don't need to. I don't install software from random sources off the net.
I use the system 'as is' with uBlock and adblock for my browser (FFQ). Windows and other OS's are inside VB and I've never had so few 'issues' or enjoyed actually using my PC more.

Post by Termy »

I posted this elsewhere on this board and think it might have some stuff (albeit probably overkill for the average user) you'd find useful:

viewtopic.php?f=90&t=262689&p=1421787#p1421787

I did forget to mention using renowned browser addons for security, and avoiding using any other addons and extensions, if possible. Referring to Firefox, specifically. I use NoScript, Privacy Badger, and Adblock Plus; the three make a damn good team in blocking a lot of malicious content. I also have a rather bulky /etc/hosts file with many thousands of ad and other potentially (and proven) malicious domains, which get blocked.

Just note that there are a lot of things I've mentioned (especially in that link) which fall under or near the advanced category and so should probably not be done by an inexperienced user, lest they do something wrong by mistake.
I use Linux Mint 18.3 with Cinnamon in a VirtualBox VM for testing & sandboxing.

I'm LearnLinux (LL) on YouTube: https://www.youtube.com/channel/UCfp-lN ... naEE6NtDSg
I'm also terminalforlife (TFL) on GitHub: https://github.com/terminalforlife

Post by Immemorial »

Thanks for the help thus far.

So - outside of running Windows through some kind of virtual machine which likely still should run some kind of security software - at most some on demand installed (or web-based) file scanner seems necessary (though I wonder how easy it is to look for suspicious running files or such that way just to be sure ... without having to worry that stopping those might crash something or otherwise mess something up), if I understood this right as well as some e-mail providers (other than the privacy nightmare that is google) that uses decent mail anti-virus combined with decent privacy & security?

How far can sandboxing the browser (regular Firefox and TOR) actually go in Linux Mint without causing some noteworthy issues?

As far as browser extensions go, I've typically already used PrivacyBadger, NoScript & HTTPS Everywhere as well as Kaspersky's Anti-Banner (which could be replaced by uBlock Origin but I don't know how trustworthy that actually is in terms of privacy) while more or less getting rid of/disabling vulnerable stuff like flash & such.

I'm replying to the other stuff once I've finished reading through it and I'm slightly less busy, so that's likely sometime during the beginning of next week or so.

Post by Mattyboy »

Immemorial wrote: How far can sandboxing the browser (regular Firefox and TOR) actually go in Linux Mint without causing some noteworthy issues?
Apart from the mentioned 'issues' with sound, which, as explained, is an easy fix, the only consideration is that in most cases your browser will only be able to access the downloads folder, so you won't be able to point to a .jpg on your desktop and upload it, you'll need to drop it in downloads... or white list specific locations. Find firejail profiles in

Code:

/etc/firejail

Here's a more detailed list of the default firefox profile to give you an idea.

Code:

cat /etc/firejail/firefox.profile 
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
whitelist ${DOWNLOADS}
whitelist ~/.mozilla
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
include /etc/firejail/whitelist-common.inc

Immemorial wrote: As far as browser extensions go, I've typically already used PrivacyBadger, NoScript & HTTPS Everywhere as well as Kaspersky's Anti-Banner (which could be replaced by uBlock Origin but I don't know how trustworthy that actually is in terms of privacy) while more or less getting rid of/disabling vulnerable stuff like flash & such.
uBlock Origin is excellent, most round here recommend it

As for Windows in a VM then yeah, if you're going for persistent, you would 'need' whatever you use on a standard install anyway. Personally on my bootable Windows I just use the default Windows firewall, a user account (so you have to enter your admin password to make changes) and the same browser configuration I use in Linux. Give it a scan from time to time with the free version of Malwarebytes and check .exe files with VirusTotal (digitally signed). Never had issues.

A lot of this probably stems from the intense paranoia of using Windows systems in your computing life. I've yet to encounter anyone who's ever got a virus on a Linux machine and can actually prove it. Follow the basic rules and you really have nothing to worry about.
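
The whitelist behaviour described in this post (a sandboxed browser only reaches whitelisted folders) can be checked against a profile before relying on it. The script below is an added example, not part of the original posts or of firejail itself; the function names, the baseline directive list and the mapping of ${DOWNLOADS} to $HOME/Downloads are assumptions, and include files are not followed.

```shell
#!/bin/sh
# Added example (not from the thread): static check of a firejail profile.

# Baseline directives; this example's own selection from the quoted profile.
REQUIRED='caps.drop all
seccomp
noroot
netfilter'

# Drop comments, blank lines and surrounding whitespace.
normalize_profile() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Print each REQUIRED directive the profile lacks; status 1 if any is missing.
missing_directives() {
    _norm=$(normalize_profile "$1")
    _rc=0
    while IFS= read -r _d; do
        printf '%s\n' "$_norm" | grep -Fxq -- "$_d" || { printf '%s\n' "$_d"; _rc=1; }
    done <<EOF
$REQUIRED
EOF
    return "$_rc"
}

# Print whitelisted paths with ~ and ${HOME} expanded.
# Assumption: ${DOWNLOADS} resolves to $HOME/Downloads.
whitelisted_paths() {
    normalize_profile "$1" | sed -n 's/^whitelist[[:space:]]\{1,\}//p' |
        sed -e 's|^[$]{HOME}|~|' -e 's|^[$]{DOWNLOADS}|~/Downloads|' -e "s|^~|$HOME|"
}

# Succeed if the path is inside a whitelisted location (or the profile has no
# whitelist lines, in which case the home directory is not filtered this way).
path_is_whitelisted() {
    _paths=$(whitelisted_paths "$1")
    [ -n "$_paths" ] || return 0
    while IFS= read -r _w; do
        case "$2" in
            "$_w"|"$_w"/*) return 0 ;;
        esac
    done <<EOF
$_paths
EOF
    return 1
}

# Constructed sample: excerpt of the profile quoted above, with "noroot" removed.
write_sample_profile() {
    cat > "$1" <<'EOF'
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
caps.drop all
seccomp
netfilter
whitelist ${DOWNLOADS}
whitelist ~/.mozilla
whitelist ~/.cache/mozilla/firefox
EOF
}

sample=$(mktemp)
write_sample_profile "$sample"
echo "missing directives: $(missing_directives "$sample" | tr '\n' ' ')"
for f in "$HOME/Downloads/photo.jpg" "$HOME/Desktop/photo.jpg"; do
    if path_is_whitelisted "$sample" "$f"; then echo "visible: $f"; else echo "hidden:  $f"; fi
done
rm -f "$sample"
```

Pointing the functions at /etc/firejail/firefox.profile instead of the sample gives the same report for the installed profile.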

Post by jglen490 »

It's not bravado to say that there are no proven instances of Linux malware. It's not that malware is absolutely impossible in Linux, it's that typical Linux security isolates a user's critical resources from the user's environment. In short, it costs too much to write an executable that crosses that isolation boundary. So use good computing habits, keep your system up to date, and have strong passwords/pass phrases. Limit your use of sudo, especially when on the internet, to system update management with known and trusted repos.
I feel more like I do than I did when I got here.
Toshiba A135-S2386, Intel T2080, ATI Radeon® Xpress 200M Chipset, 2GB RAM, 500GB

Post by majpooper »

There is the operating system security concern and then there is the general paranoia about being on the Internet. The two often are conflated.

As far as the Linux OS goes - inherent in its design, it is much more secure than Windows. Additionally, the fact that from a desktop user perspective it is still relatively rare as compared to Windows and Mac means that it is not all that attractive as a target. Attacking Linux servers makes much more sense, and going after Windows PCs/laptops as well makes much more sense as there is such an abundance of them. Nevertheless, that said, no OS is 100% bullet proof. So in a nutshell - go to Pjotr's web site and follow his security tips and you are good2go. I will say firejail is for me my OS security blanket.

On the Internet front it is a different matter. Your router and your browser are much more vulnerable than your OS and that is where your security efforts need to focus. And by the way, Internet security includes privacy to many folks - sometimes we tend to nitpick privacy as separate from security. And while, if we want to be nuanced, they are indeed different, they nevertheless are cousins and deserve to be discussed together.

There are several security and privacy threads on this forum that if you comb through them (use search) you will be able to lock down your system. But certainly keep the firmware on your router updated and turn on its firewall as well - this is more important IMHO than worrying about your Linux OS. I even changed my internal network away from the router's default. And I even had an old router lying around and put a router behind a router - probably overkill but what the heck it was fun setting it up. Also changing your DNS away from your ISP DNS servers to something like OpenDNS or Quad9 is wise. Using a search engine like DuckDuckGo or StartPage will help on the tracking front (yes not so much security as privacy - I know). The few add-ons discussed already in this thread are a good idea and NOT adding others is just as good an idea. And last - thou shall not download software that is not in the official repositories.

Post by Immemorial »

Thanks for the help thus far, I've finished reading through the provided information.

I guess on-demand and/or file-specific scanners (and stuff that is particularly made to locate rootkits and such) are much too counterproductive, then? What about audit software like Lynis?

Is there some slightly more secure (in terms of privacy) method than using the suggested "https://www.virustotal.com" or Gmail ... as Google is pretty much the opposite of privacy ... for taking a look at specific files and such? I would have to look up how the scanning works for protonmail (using that one for some bit of stuff). I do remember something about Bitdefender providing some Online scanner a while back but no idea about if that one is much better in that regard (or more vulnerable in terms in regard to attacks, for that matter).

Now that I think about it ... how does one activate Firejail for TOR?

Post by Sir Charles »

One way of doing it is simply to run firejail tor in a terminal (if TOR starts with the command tor; otherwise just put the appropriate command instead).
You can then check if TOR is firejailed by running firejail --list

You can also go to the application menu, right-click on the icon for TOR, choose "Properties" or "Edit Application" and add "firejail" followed by a space at the beginning of the command line. Please note that if you have added launchers for TOR to your desktop or panel, these must be replaced by new ones in order for it to be started with the new command line. Here is how it looks in Xfce for Firefox starting with Firejail:
[Attached image: firefox-launcher.png]
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.
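
The launcher edit described in this post, and Mattyboy's earlier tip of adding the command to launch icons, written as a script. This is an added example, not part of the original posts; the function names and the sample .desktop file are constructed, and it assumes the desktop reads per-user launchers from ~/.local/share/applications.

```shell
#!/bin/sh
# Added example (not from the thread): per-user launcher override with firejail.

# Copy a .desktop file into dest_dir with "firejail " in front of every Exec=
# command. Lines that already start with firejail stay unchanged (idempotent);
# other keys such as TryExec= are not touched.
wrap_launcher() {
    _src=$1
    _dest_dir=$2
    mkdir -p "$_dest_dir"
    sed -e 's/^Exec=\(firejail \)\{0,1\}/Exec=firejail /' "$_src" \
        > "$_dest_dir/$(basename "$_src")"
}

# Succeed only if the file has Exec= lines and every one starts with firejail.
launcher_is_wrapped() {
    grep -q '^Exec=' "$1" || return 1
    ! grep '^Exec=' "$1" | grep -qv '^Exec=firejail '
}

# Constructed sample launcher with a main entry and one extra action.
write_sample_launcher() {
    cat > "$1" <<'EOF'
[Desktop Entry]
Name=Firefox Web Browser
Exec=firefox %u
TryExec=firefox
Type=Application

[Desktop Action new-private-window]
Name=Open a New Private Window
Exec=firefox -private-window
EOF
}

# Demo in a scratch directory; nothing under $HOME is modified.
work=$(mktemp -d)
write_sample_launcher "$work/firefox.desktop"
wrap_launcher "$work/firefox.desktop" "$work/applications"
grep '^Exec=' "$work/applications/firefox.desktop"
rm -rf "$work"
```

For real use, pass the installed launcher as the source and ~/.local/share/applications as the destination, start the program from the menu and confirm with firejail --list as described in the post.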

Post by Mattyboy »

Immemorial wrote: how does one activate Firejail for TOR?
In terminal

Code:

firejail tor-browser-en.sh

Or to set a launcher icon under edit the same.

You can set up a proper Tor profile using this as a template and xed ( text editor program depending on version in your system )
https://github.com/netblue30/firejail/b ... er.profile
Open the terminal and run

Code:

cd /etc/firejail/
sudo touch start-tor-browser.profile
gksudo xed start-tor-browser.profile

Just copy/paste the github profile into the text file and save as.

Post by Sir Charles »

Hi Mattyboy,

There is already one tor.profile in /etc/firejail, and of course one tor-browser-en.profile which contains almost nothing. I wonder if it is not just enough to copy the content of the former to the latter?

Edit: I compared the content of the tor.profile with the one you have linked to. They differ in certain lines. I understand the one from the github is the one to be used.

Post by Mattyboy »

Marziano wrote:Hi Mattyboy,

There is already one tor.profile in /etc/firejail,.
Is there? to be fair I didn't look :lol:.... I don't know, experimentation? You can always change it back

Post by phd21 »

Hi "Immemorial",

I just read your post and the good replies to it. Here are my thoughts on this as well.

+1 Linux and Linux Mint are already much more secure than MS Windows or Mac. Use the superb sandboxing application Firejail for applications accessing the Internet, add some browser security add-ons or extensions (Disconnect, uBlock Origin, Privacy badger or Privacy Protector Plus, etc...), for anonymity and security change your local ISP DNS server IP addresses and use VPN servers, use private windows and tabs, using good passwords, use non-tracking search engines like "Startpage" or "DuckDuckGo", common sense when downloading or opening attachments, etc...

There are many posts on this already in this forum, if you search for them.

"Lynis" is an excellent application to determine how secure your system is and where improvements can be made, but it is not for novices (newbies).

Although the Tor Browser Bundle and or Tor services are excellent, there is no need for them by the typical user for anonymity and security, if you change your Local ISP's DNS Servers to those from a secure DNS provider like (dns.watch, opennic, openDNS, etc...) and you use a good reliable VPN provider like "Private Internet Access (PIA)", or "ProtonVPN", etc... The Tor / Onion is required for users who want to surf (browse) the alternate "dark web" and "onion" websites.

FYI - Just found this article
Here's How To Get Solid Browser Security [Update 2017]
https://heimdalsecurity.com/blog/ultima ... -browsing/

Hope this helps ...
Phd21: Mint 20 and 19.2 Cinnamon & xKDE (Mint Xfce + Kubuntu KDE) & KDE Neon 64-bit (new based on Ubuntu 20.04) Awesome OS's, Dell Inspiron I5 7000 (7573) 2 in 1 touch screen, Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, Intel 4 Graphics.

Post by Sir Charles »

Mattyboy wrote:
Marziano wrote:Hi Mattyboy,

There is already one tor.profile in /etc/firejail,.
Is there? to be fair I didn't look :lol:.... I don't know, experimentation? You can always change it back
:D yes, there is! I ran a check with the line you provided above and Tor started with firejail with no problem. The profile in the /etc/firejail seems to be adequate :P

Post by Mattyboy »

Marziano wrote:
Mattyboy wrote:
Marziano wrote:Hi Mattyboy,

There is already one tor.profile in /etc/firejail,.
Is there? to be fair I didn't look :lol:.... I don't know, experimentation? You can always change it back
:D yes, there is! I ran a check with the line you provided above and Tor started with firejail with no problem. The profile in the /etc/firejail seems to be adequate :P
Cool, nice one :)