Secure your new Linux install

Image by Gerd Altmann from Pixabay

In this post I am going to rundown how I usually secure my Linux installation when I boot it up for the first time. This will help keep your new install secure. Remember though, nothing is fool-proof so you still need to use common sense online.

Although these tips are aimed at securing the two Linux distros I recommended in my last post, (Mint & Manjaro), they are applicable to pretty much any distro installation.

Making your browser private & secure

First, I usually open the browser and add some plugins that help keep you safe while checking out websites. I usually use a Chromium-based browser like Brave, Chromium, or Ungoogled Chromium. I am not a fan of Firefox anymore since they started advocating for web censorship and deplatforming, but these plugins are all available for Firefox too. Librewolf is a much better fork of Firefox, imo.

The browser plugins I add to my browser are typically:

Using strong passwords

One of the best things you can do for your online security is to use unique, strong passwords for all your online accounts & logins. If you try doing this with pen and paper it becomes way too much work, so it is better to use a password manager. My favorite password manager is Bitwarden.

There are many password managers but Bitwarden is easy to use, it’s foss, and it’s cross-platform, which means you can use it on your computer, phone, tablet, etc. Bitwarden is available in Mint’s software repositories, and Manjaro’s AUR. It’s also available as an Appimage, Snap or Flatpak, or as a browser extension for Chromium/Firefox.

Bitwarden lets you generate unique, random, passwords for all your accounts, and it also lets you store secure notes, logins, credit card details, and ID info. You can choose how many characters, numbers and special characters to have in your passwords. It’s only weakness is that you need to set a password for Bitwarden itself, so I usually choose a multi-word password phrase rather than a password for the Bitwarden app.

Activating your Firewall

Getting your firewall working in Linux is super easy. The standard Linux firewall is UFW. To use ufw, just open a terminal and type:

sudo ufw enable

That should be sufficient for an average desktop user, it blocks incoming traffic and allows outgoing traffic by default. You can check your firewall’s status by opening a terminal and typing:

sudo ufw status verbose

UFW allows you to set more complicated rules, for directing and blocking traffic for specific ports, but that’s beyond the scope of this article. Read more about it here, if you’re curious.

Antivirus on Linux

People like to say that there are no viruses or malware for Linux, but that simply isn’t true. While it certainly is a much a smaller risk than using a snitchware OS like Windows or Mac, they also exist for Linux in the wild, albeit they’re much rarer.

For my antivirus app I always use Clamav, a foss antivirus app. On Mint you can install it by opening a terminal and typing:

sudo apt install clamav

For Manjaro, it can be installed by opening a terminal and typing:

sudo pacman -S clamav

After you’ve installed clamav, for both Mint & Manjaro you can update the clamav virus database by typing in the terminal:

sudo freshclam

You can scan your whole system and remove any infections (it may take a long time to do a complete scan) by using the following command in a terminal:

sudo clamscan -r --remove /

You can download the clamtk graphical front end app, which gives you a GUI for interacting with clamav by opening a terminal and typing:

On Mint: sudo apt install clamtk

On Manjaro: sudo pacman -S clamtk

Once you’ve installed it, clamtk should be in your start menu’s list of apps. Open it up and you can set a regular schedule for daily/weekly virus scans using the GUI. I think my computer is set to do it nightly at 3 am, while I am sleeping. You can also use clamtk to manually scan any downloaded files, email attachments, etc.

Rkhunter to find rootkits

Rkhunter is an app that detects root kits, malware, backdoors and exploits on your Linux machine. It is not an antivirus software, but it compliments your antivirus app by helping to identify other security problems related to malware.

You can install rkhunter on Mint by opening a terminal and typing:

sudo apt install rkhunter

You can install rkhunter on Manjaro by opening a terminal and typing:

sudo pacman -S rkhunter

Next we will want to update rkhunter and its database. In order to do this we need to edit the /etc/rkhunter.conf file, which is rkhunter’s configuration file. You can use any text editor to do this, such as vi, vim, nano, etc. We’ll use nano to keep it user-friendly. Open the file with:

sudo nano /etc/rkhunter.conf

Next you need to make the following changes to the file:

  • Where it says UPDATE_MIRRORS, make it say UPDATE_MIRRORS=1
  • Where it says MIRRORS_MODE, make it say MIRROR_MODE=0
  • Set WEB_CMD to say WEB_CMD=””

Save & exit with: control x, enter, enter

Next, update rkhunter with the command:

sudo rkhunter --update

and update rkhunter’s database with:

sudo rkhunter ----propupd

This will start a scan of your machine. You can manually scan it again whenever you want with the command:

sudo rkhunter --check

After you scan your machine you can check the logs to see any warnings with the command:

sudo cat /var/log/rkhunter.log

To set a daily scan, open the following file with your text editor /etc/default/rkhunter.conf:

sudo nano /etc/default/rkhunter.conf

and make the following edits:

  • set CRON_DAILY_RUN to make it say CRON_DAILY_RUN=”true”
  • set CRON_DB_UPDATE to make it say CRON_DB_UPDATE=”true”
  • set APT_AUTOGEN to make it say APT_AUTOGEN=”true”

Then exit and save with: control x, enter, enter

Firejail for sandboxing

Firejail is an app that creates a security sandbox around all your untrusted apps. I think it may have originally been developed for the Firefox browser, but it has expanded to integrate with your desktop environment and sandbox many apps for added security.

On Mint, you can install Firejail with:

sudo apt install firejail

On Manjaro, you can install Firejail with:

sudo pacman -S firejail

Firejail has a bunch of ways to use it manually, for each app, but I tend to just integrate it with my desktop and call it a day. You can read more about how to use Firejail, here.

To integrate it with your desktop, open a terminal and type:

sudo firecfg

Now we’ll need to create a firejail group and add our user to it. For that we’ll need root access.

To become the root user, type: sudo su

Then type the following commands to create the Firejail group:

# addgroup firejail
# chown root:firejail /usr/bin/firejail
# chmod 4750 /usr/bin/firejail
# ls -l /usr/bin/firejail

If you did it correctly, you’ll see the output:
-rwsr-x--- 1 root firejail 1584496 Apr 5 21:53 /usr/bin/firejail

Next we’ll add our user (substitute username with your actual username) to the newly created Firejail group, still as root, with:

usermod -a -G firejail username

In conclusion

Your Linux install is now “hardened” or more secure to threats to your security. The next step to reclaiming your privacy and security online is to use a VPN for web surfing.

We can purchase one, but that means trusting a 3rd party VPN company with your privacy, it’s not ideal. For less than the cost of a purchased VPN service, we can host our own on a VPS or spare computer.

In the next post, I’ll show you how to install a personal VPN so you can be sure nobody is logging or tracking the websites and IP addresses you browse online.

If you’d like to support my blog

You can donate from within our website shop, here with Bitcoin (onchain/Lightning)

You can donate here as a monthly Bitcoin patron on my librepatron.

You can donate Bitcoin here to my guerilla fundraising page.

You can become a Bitcoin patron here with Bitpatron.

I can do all things through Christ which strengtheneth me. – Philippians 4:13

Leave a Reply

Your email address will not be published. Required fields are marked *