Basic Security Advice :)

Ahoy!

I was just thinking about security on Linux when a timely video from a popular Linux commentator (Michael Horn, if you wish to know the source) popped up.

Obviously most of keeping your system safe is common sense – don’t visit strange sites, download from official sources, don’t use the AUR as an appstore… But what else should I do just for basic security and peace of mind?

I only recently switched to EndeavourOS and I haven’t configured much security-wise and I don’t know what the default comes set up as. There IS a firewall but is it configured right? It says default zone: public and it’s just me at home hardwired to my router. I was widely told I don’t need an Anti-Virus on Linux – but is that accurate?

He showed off a few tools that can come pre-packaged with widely-used distros, like AppArmor and SELinux. Are they good? Are they in EndeavourOS?

Appreciate any advice :slightly_smiling_face:

There are several topics that are more or less about security going on on this forum right now, but this one may be of use to you.

I’m aware of the AUR stuff going on. I also did check for the security-related posts and found one that was similar to what I was asking – but none of the comments answered my questions. It is very handy that the forum checks what you’re typing and finds similar posts :slightly_smiling_face:.

EndeavourOS is Arch-based which suggests you need to add everything yourself. Still being rather new, you’ll understand, I was wondering if there were any common-sense additions I should make.

Such as configuring the firewall, some sort of anti-virus or malware checker, some sort of process checker… Ubuntu or Fedora comes with a lot of this built in.

Well, in the mentioned topic there is also some talk about SELinux and AppArmor that may be used by Fedora (not sure about Ubuntu).

Also, you asked for it, so I guess there is some reading to do here :grinning_face:


By no means comprehensive but that’s what comes to my mind:

(Assuming we are talking about an average workstation desktop here)

  • Yes, EOS has a firewall installed and enabled with sensible defaults
  • If you want to SSH onto your desktop, make sure you secure SSH. There are plenty of tutorials on how to secure SSH out there, Red Hat might have a good one. Use a password-protected SSH key over just a password
  • Not recommending an AV is always debatable, but you are safer than on Windows. The only Open Source solution I know is ClamAV. AFAIK it only scans local files and does not do any kind of behaviour analysis. Would have probably detected the AUR viruses on your system. Read the docs carefully when setting it up.
  • Flatpaks and Snaps are sandboxed, therefore should be safer. That said, there are still plenty of apps (at least in Flatpak) that have overly permissive permissions by default. Luckily, flatpak-kcm for KDE (adds a tab in the system settings) and Flatseal for the rest are apps that let you lock down your Flatpaks more. I don’t know about Snaps because I don’t use them.
  • Harden your browser, at least with the settings it provides. Also, don’t store your passwords or any sensitive information in there. The browser is where most attacks happen nowadays.
  • AppArmor and SELinux both require a considerable amount of work to set up effectively. If you just get them going without putting in a lot of work they’ll most likely either not increase security significantly or come back to bite you with weird bugs later (because they are too restrictive)
  • Encrypt your disk if you are worried about people gaining physical access to your machine
  • Keep snapshots of your filesystem (if you use Btrfs, LVM or ZFS) for two reasons: 1) in case an update or a newly installed package breaks something and 2) in case you catch ransomware you can probably restore from a read-only snapshot

The links provided by keescase are a good resource for sure. And, most important of all, don’t turn off your brain, especially when doing admin work :wink:


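An added example, not part of any post above: a small check for the "SSH key over just a password" advice in the reply, showing that sshd keeps the first value it reads for a keyword, so a later `PasswordAuthentication no` does not undo an earlier `yes`. The function names `sshd_value` and `audit_sshd` and the sample config are made up for illustration, and the defaults used are the upstream OpenSSH ones (a distro package may ship different ones).

```sh
# Added example: checks an sshd_config against the "key, not password" advice.
# Limits: only the global section (before the first Match) is read and Include
# files are not followed; `sshd -T` (as root) prints what sshd really uses.

# sshd_value FILE KEYWORD DEFAULT -> effective global value, lower-cased.
# sshd keeps the FIRST value given for a keyword; keywords ignore case.
sshd_value() {
  awk -F'[ \t=]+' -v want="$(printf %s "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
    { sub(/^[ \t]+/, ""); gsub(/"/, "") }
    /^#/ || NF == 0 { next }
    { k = tolower($1) }
    k == "challengeresponseauthentication" { k = "kbdinteractiveauthentication" }  # old alias
    k == "match" { exit }
    k == want { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# audit_sshd FILE -> prints one FAIL line per weak setting, returns 1 if any.
audit_sshd() {
  bad=0
  while read -r key default allowed; do   # table columns: keyword, default, accepted values
    val=$(sshd_value "$1" "$key" "$default")
    case " $allowed " in
      *" $val "*) ;;
      *) echo "FAIL $key=$val (want: $allowed)"; bad=1 ;;
    esac
  done <<EOF
PasswordAuthentication yes no
KbdInteractiveAuthentication yes no
PubkeyAuthentication yes yes
PermitRootLogin prohibit-password no prohibit-password
EOF
  return "$bad"
}

# Constructed sample: the second PasswordAuthentication line is ignored by sshd.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
audit_sshd "$sample" || echo "=> password logins are still possible"
rm -f "$sample"
```

Keyboard-interactive is checked as well because, with PAM enabled, it can still prompt for the account password even when `PasswordAuthentication` is `no`.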