Windows refugee here. I’m planning to move to Linux Mint but want to make sure I don’t do something stupid, as I’m unfamiliar with the Linux operating system.

I found this link with 10 tips to secure Mint.

Is this a good list? Anything else I should do to secure a Mint install?

Thanks for helping a noob!

  • Libb@jlai.lu · 8 upvotes · 1 day ago

    Hi & welcome from a fellow Mint user.
    It’s a stable distribution that comes with a lot of things preinstalled (so less extra stuff to install, but also a lot of stuff you might not need).

    • +1 for Encryption, both LUKS for the system disk and whatever other internal drive and for USB stick or external storage. If someone was to steal my computer I would be pissed off but OK, I can deal with it knowing they can’t access my files. Use a good password (mine is 20-ish characters long all random and, yeah, I’ve memorized them but I have a decent working memory ;)
      • for (automated) backups.
    • +1 for automated updates
    • +1 for not installing from any source. It’s tempting but it should be the exception (for me, it means yt-dlp and Mullvad for the most, of there is also my RSS app of choice newsboat since it’s not officially available anymore :/)
    • I don’t use antivirus on Linux (nor on my Mac). But I seldom download anything and don’t open attachments I’m not expecting to receive ;)
    • I would not play with services as a beginner as you risk deactivating something you need.
    • The firewall has a GUI that’s installed by default (on my Mint, at least ;): it’s Gufw on the command line and it’s called Firewall Configuration in the main Mint menu. Open it, type your password, activate the ‘Status’ toggle. Done. Then you can start adding rules as you need them.

    I would add to that:

    • Don’t rush to tweak everything at the same time. Try one at a time, it’s easier to revert back.
    • Backup your home folder regularly. Not only does it contain all your precious files but it also contains most of your settings and tweaks. So, if you ever need to reinstall you will get back all those settings/tweaks when copying back your home to the fresh install.

    On that topic, I’m not much of a geek (a 50-something dude and a 35+ years Apple customer) but I did learn to use git to keep a backup of my config folder. So, when I screw up something (so far, Mint has not once screwed up anything by itself, the few issues I had to deal with were all me-related), I know I can revert back to the previous version of whatever settings I’ve just damaged without difficulty. Learning the basics of Git is not hard, it’s just…odd, and it works great. If it was compatible with LibreOffice files I would love to use it for that too…
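
The git-based rollback of a config folder described in the comment above, as an added example that is not part of the thread. It runs against a throwaway directory; `exampleapp`, the function names and the ignore patterns are assumptions made for the illustration, and the ignore file is there because config folders often hold cookies and keys that should not end up in history.

```shell
#!/bin/sh
# Track a config directory in git and roll one damaged file back.
# Uses a temporary directory; for real use the directory would be ~/.config.

snapshot() {   # $1 = config dir, $2 = commit message
    git -C "$1" add -A &&
    git -C "$1" -c user.name=backup -c user.email=backup@localhost \
        commit -q -m "$2"
}

rollback_demo() {
    CFG=$(mktemp -d) || return 1
    git init -q "$CFG"
    # Keep caches and credential stores out of history (example patterns,
    # adjust to the applications actually installed).
    printf '%s\n' '*/cache/' '*cookies*' '*.key' > "$CFG/.gitignore"

    # Constructed sample content standing in for a real application.
    mkdir -p "$CFG/exampleapp/cache"
    echo 'theme=dark'    > "$CFG/exampleapp/settings.ini"
    echo 'session-token' > "$CFG/exampleapp/cookies.sqlite"
    echo 'blob'          > "$CFG/exampleapp/cache/data"
    snapshot "$CFG" 'known-good settings'

    # Damage a setting, look at what changed, then restore only that file.
    echo 'theme=brokn' > "$CFG/exampleapp/settings.ini"
    git -C "$CFG" diff --stat >&2
    git -C "$CFG" checkout -q HEAD -- exampleapp/settings.ini

    cat "$CFG/exampleapp/settings.ini"   # restored content
    git -C "$CFG" ls-files               # what is actually in the backup
    rm -rf "$CFG"
}

rollback_demo
```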

    • anonymous111@lemmy.world (OP) · 4 upvotes · 1 day ago

      Thanks for the tips. I did some git training a few months ago but hadn’t considered using it for Linux configs.

      That is good advice.

  • Allero@lemmy.today · 15 upvotes · 2 days ago

    Mint is fairly secure by default.

    That said, nothing listed in the article is bad for your security, all pieces of advice do make sense in certain scenarios, but this is generally considered an overkill for home use.

    If you’re an average user, don’t bother yourself with it.

  • john89@lemmy.ca · 13 upvotes · 2 days ago

    Don’t concern yourself with hardening.

    Just use your computer like you normally would, solving issues as you encounter them.

    Don’t let people drag you down rabbit holes.

  • BCsven@lemmy.ca · 3 upvotes · 1 day ago

    Does Mint have Apparmor installed?

    It is default on OpenSUSE. When you add a new application you start apparmor, run your application through its normal use, it “learns” how the system is used by the app, you then apply this as an enforce option or warn option. If the app deviates it gets blocked or warning generated.

    Also OpenSUSE has a hardening GUI that looks at your system and configs and lists out all the areas that pass, fail or need attention. It is a great visual tool, and gives explanations/suggestions. Maybe there is a Mint package that emulates this. Yast Security Center (see image)

    https://documentation.suse.com/sles/15-SP4/html/SLES-all/cha-security-yast-security.html

  • 9tr6gyp3@lemmy.world · 21 upvotes · 2 days ago

    Do not allow http or ftp traffic as this guide suggests, unless you are active as a server for your local network on those particular ports, and you are behind a NAT firewall that your router usually provides.

    I love that Mint brings people to Linux, but its users write some silly guides sometimes.
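
One way to check a machine for the situation the comment above warns about (firewall ports opened to everyone although nothing is being served), as an added example that is not part of the thread. The `ufw status` and `ss -Htln` outputs are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Flag ufw rules that ALLOW a TCP port from Anywhere while nothing on this
# machine listens on that port on a non-loopback address.

# Constructed sample of `sudo ufw status` output.
UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
631/tcp                    ALLOW       192.168.1.0/24
80/tcp (v6)                ALLOW       Anywhere (v6)'

# Constructed sample of `ss -Htln` output (listening TCP sockets, no header).
SS_SAMPLE='LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
LISTEN 0 4096  127.0.0.1:631  0.0.0.0:*
LISTEN 0 128   [::]:22        [::]:*'

listening_ports() {   # stdin: ss output; stdout: "port port ... "
    awk '$1 == "LISTEN" {
             addr = $4; port = addr; sub(/.*:/, "", port)
             # Loopback-only listeners are not reachable from the network.
             if (addr !~ /^(127\.|\[::1\])/) print port
         }' | sort -un | tr '\n' ' '
}

unused_allows() {     # $1 = ufw status text, $2 = ss text; one port per line
    ports=" $(printf '%s\n' "$2" | listening_ports)"
    printf '%s\n' "$1" | awk -v listen="$ports" '
        { gsub(/ \(v6\)/, "") }            # fold IPv6 rows into the same shape
        $2 == "ALLOW" && $3 == "Anywhere" && $1 ~ /^[0-9]+\/tcp$/ {
            port = $1; sub(/\/.*/, "", port)
            if (index(listen, " " port " ") == 0) print port
        }' | sort -un
}

# On a real system: unused_allows "$(sudo ufw status)" "$(ss -Htln)"
unused_allows "$UFW_SAMPLE" "$SS_SAMPLE"
```

Each port printed is a candidate for `sudo ufw delete allow <port>/tcp`; the rule limited to `192.168.1.0/24` is left alone because it is not open to Anywhere.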

  • jamesbunagna@discuss.online · 11 upvotes, 1 downvote · 2 days ago

    > Is this a good list?

    The link definitely provides some good info. It’s better than nothing. However, it may or may not fall short based on how secure you’d like to make your system.

    > Anything else I should do to secure a Mint install?

    What is it you’re trying to protect and from whom? Whenever the topic of security comes up, one simply can’t engage meaningfully without mentioning a threat model.

    In this case, I’ll assume you’re just your average Joe. And, depending on how you engage with your system, Linux Mint might be fit from the get-go. However, if you actively engage in downloading random jank from the internet and have ‘survived’ with the help of Microsoft Defender Antivirus, then you should know that a safety net as such doesn’t exist over on this side. Sure, security through obscurity might save your ass a couple of times. But it’s inevitably a losing battle.

    So, without knowing your threat model, note the following important advice that the article somehow hasn’t touched upon:

    • Know that you, the user, are the largest attack surface. Even if some distros like Fedora and openSUSE (with the latter AFAIK scoring the best[1] according to Lynis) actually put in great work to offer pretty secure systems, they absolutely won’t be able to protect you against yourself.

    1. It’s important to mention that this excludes security-first distros like Kicksecure and secureblue. Nor is Qubes OS considered as it’s technically not even a Linux distro. Other distros like Tails or Whonix are also not considered as they’re not meant to be used as daily drivers and/or for general use.
    • anonymous111@lemmy.world (OP) · 4 upvotes · 2 days ago

      Thanks for the reply. I’m a fairly average Joe. I’ll mainly use this machine for downloading files and general browsing. I don’t have any personal files or accounts on that device.

      I’m mainly concerned with neglecting to enable (or disabling) something critical or accidentally downloading something malicious (although this hasn’t happened for many many years).

      • jamesbunagna@discuss.online · 4 upvotes · 2 days ago

        Thanks for the clarification!

        If you trust both the source and the file, then downloading by itself shouldn’t constitute a problem. Supply-chain attacks are still possible, but that’s a hard problem to solve anyways. I suppose I’d only trust Qubes OS to handle that gracefully.

        For general browsing, GrapheneOS-folk would advise against Firefox(-based browsers). Instead, they’d recommend (something based on) Chromium. Personally, I do follow that advice. But I understand if you’d like to stick to Firefox(-based browsers).

        Coming back to Linux Mint, I won’t go over my (personal) qualms with the security model of the distros it’s based on. But as Linux Mint offers one of the best onboarding experiences, it would be a disservice to lead you elsewhere. Become comfortable with Linux through it. And, perhaps one day, if you feel like venturing elsewhere, you can try out distros that offer better security. Thankfully, Linux Mint’s OOTB security should be sufficient until then.

        As for the article, everything except for the fourth recommendation is a W. Utilizing ClamAV could be cool, but it’s based on a very naive understanding. You wouldn’t want an untrusted file on your system in the first place. Obviously, a lot more mileage[1] is possible. But one has to learn to walk before they can run 😉.


        1. Note that the information and instructions found on the excellent ArchWiki often work on and/or apply to other distros as well.
        • anonymous111@lemmy.world (OP) · 3 upvotes · 1 day ago

          Thank you for your advice. I will take it. As a beginner, I’ll start with Mint.

          Would you recommend any other secure distro for the future?

          • jamesbunagna@discuss.online · 1 upvote · 1 day ago

            For this writing, I’ll focus on the OOTB experience. Furthermore, a daily driver for general use is assumed. I’ll also try to keep it (relatively) brief and concise for the sake of brevity. The tier list found below goes from worst to best.

            • Tier -1 : Actively detrimental distros. Joke/meme distros, abandoned/discontinued projects and even outright malicious products. Simply don’t use for production. The likes of Hannah Montana Linux and Red Star OS come to mind.
            • Tier 0 : Unopinionated distros. These should be regarded as blank canvases from which it’s expected that you meld and forge it to your liking. As such, at least by default, they offer nothing in this regard. However, it’s possible to build a fortress if you wish. Both Arch and Gentoo fall under this category.
            • Tier 1 : Distros that have put in some work into security, but ultimately fall short. These distributions include security features and maintain regular updates, but their implementation choices can introduce security compromises. This tier often includes derivatives that modify their parent distribution’s security model, sometimes prioritizing convenience over security best practices. While they may be suitable for general use, they may not provide the same security guarantees as their upstream sources.
            • Tier 2 : Distros with sane security defaults that rely on backports for their security updates. These distributions prioritize stability while maintaining security through careful backporting of security fixes. Rather than updating entire packages, they selectively patch security vulnerabilities into their stable versions. This approach provides a good balance of security and stability, though it means newer security features might take longer to arrive (if at all). Debian and Ubuntu are prime examples of this.
            • Tier 3 : Distros with excellent security defaults and a (semi-)rolling release. For most normies, this is as secure as it needs to be. As it’s on a (semi-)rolling release, it receives security updates as soon as they come. Furthermore, this also allows them to benefit from new security features as soon as they appear. Curiously, the two distros that most resonate with this, i.e. Fedora and openSUSE Tumbleweed, are also known to innovate (and thus are pack leaders) when it comes to security solutions. FWIW, their respective atomic/immutable distros also belong in this tier.
            • Tier 4 : Security-first distros. The crème de la crème. These are probably overkill for most people. This is also the first (and only) tier that may sacrifice usability and function for the sake of security. If your highest priority is security, then you can’t go wrong with this one. Kicksecure and secureblue are its flag bearers.

            I’d personally grant Linux Mint a position in tier 2, though perhaps others would go with tier 1 instead. As such, a step-up would be a distro from either Fedora or openSUSE.

              • jamesbunagna@discuss.online · 3 upvotes · 1 day ago

                As I noted in the footnotes of this comment, Qubes OS is technically not a Linux distro as it’s based on Xen instead. But yeah, it’s without a doubt the gold standard when it comes to secure by default desktop operating systems; far surpassing even Kicksecure and secureblue.

                As for Tails, while its amnesiac property is excellent for protection against forensics, it’s not meant as a daily driver for general computing; which was also touched upon in the aforementioned footnotes.

  • N.E.P.T.R@lemmy.blahaj.zone · 6 upvotes · 2 days ago

    The only way I know to harden Linux Mint is using the Debian edition. Using LMDE, you can (unofficially) use Kicksecure to harden the base system. This isn’t a great solution since the Linux Mint software is untested with Kicksecure and may/will reduce the security of the overall hardening.

  • over_clox@lemmy.world · 8 upvotes, 1 downvote · 2 days ago

    That’s actually a fairly solid guide/list.

    I’ve been running Mint MATE since 2017, good solid OS in my book 👍

    Advice: Try to stick with LTS distros (Long Term Support).

    • Telorand@reddthat.com · 5 upvotes · 2 days ago

      Not that the author is necessarily off-base, but that blog post is almost three years old. Tech and software evolve fast, and I would hazard a guess that at least a few of their gripes have been addressed by now. Additionally, due partly to the success of the Steam Deck, Valve has officially partnered with Arch and is throwing some of their considerable resources into Linux development.

      I also noticed that they barely mentioned SELinux or AppArmor, and they probably didn’t know about immutable distros (which didn’t really exist, yet). It’s fair to say that Linux isn’t the gold standard of good security, but the post reads like someone with a beef and not someone trying to inform by presenting a skeptic’s take (indeed, they seem to gush over Windows and MacOS).

      They finish by name-dropping a few people with a vested interest in security, and they’re practically begging the question in doing so. If the facts don’t stand on their own as the author has presented, why should I listen to strangers who allegedly share the same opinion? That’s not how consensus is formed.

      I guess what I’m trying to say is, an old article about the state of Linux Security should be assessed within a modern context if we’re to apply it to current software.

    • N.E.P.T.R@lemmy.blahaj.zone · 2 upvotes · 2 days ago

      Hardening is not useless, but it doesn’t fix the architectural issues with Linux and its outdated threat model. That article says the same thing. It isn’t an all-or-nothing situation, hardening still improves Linux security. Projects exist like SELinux, Bubblewrap, Crablock, Sydbox, and Landlock. Efforts to harden GNU/Linux have been made, like Kicksecure (Debian) and Secureblue (Fedora Silverblue), which protect against many threat vectors, but not perfect obviously.

    • Matt@lemmy.ml · 1 upvote, 2 downvotes · 2 days ago

      Madaidan’s guides are one of a big piece of shit. (Some are valid tho)