How do you secure a linux desktop?
Posted by Miraj13123@reddit | linux | 123 comments
i use debian, btw
i use sid/unstable.
we hear a lot about linux such as "linux is safe and most servers run on linux"
but i came to realize that it's only true for server installations or headless systems. out of the box it may be super secure.
but a lot of famous yt guys said it's a lie when it comes to linux desktop. it's not safer than windows default defender. but we can make it secure.
i use ufw and fail2ban but are these enough? what precautions do you take?
Left_Revolution_3748@reddit
I secure it like a military server
Miraj13123@reddit (OP)
some of the people said it's not necessary if i am not a government traitor
Left_Revolution_3748@reddit
I am not a government traitor
But I secure my PC
Because I love security and privacy
Nelo999@reddit
In simple steps, enable full disk encryption, enable secure boot, register your MOK key in the boot screen (e.g. machine owner key), enable RAM encryption.
Set a password for your BIOS and bootloader (e.g. GRUB).
Enable and configure Apparmor or SELinux.
Install only programs from the official repositories, preferably snaps and flatpaks.
Restrict permissions through the security centre or flatseal.
Disable unnecessary services and programs you don't need.
Install and configure a firewall, fail2ban and enable MAC randomisation.
Close all your open ports.
Install and configure usbguard, permit only usb drives that you know.
Disable usb media auto start.
Harden your browser, install a reputable adblocker, script blocker and link checker.
Install chkrootkit, rkhunter, Linux Malware Detect and ClamAV with third party definitions.
Do periodic scans (once a month will generally suffice).
Install the lynis vulnerability scanner and aim for at least a passing score of 70.
Harden your router, change the default SSID and password, use WPA2/WPA3, disable DLNA, WPS, UPnP, port forwarding.
Enable SSID isolation.
Enable its NAT (e.g. network address translation).
Enable its firewall and IDS/IPS.
Engage in network segmentation and create a separate guest SSID in order to separate additional devices from your main network.
Use a reputable VPN provider with a stealth protocol.
Miraj13123@reddit (OP)
nice advice on server security
I'll save this comment
actually in my post i said something wrong cause i had a misconception. even though i am using linux desktop. cause even with the misconceptions i believed that with the setup and firewall my linux is more secure than windows
but after this post i learned what i needed to learn is SElinux and apparmor
eldoran89@reddit
Why use fail2ban on a desktop? what ports do you have open and reachable from the internet on a desktop machine?
Miraj13123@reddit (OP)
idk, saw it from christechtitus; at that time i had no clue when i saw that vid.
but later i knew it's about banning some ip when they try to reach the pc via ssh or something with a wrong password
but used it during installation anyways
Miraj13123@reddit (OP)
now i remember
in another linux installation on my pc (a few years ago), i enabled ssh and tried to access my laptop through simulated linux on my phone.
maybe somehow i added fail2ban at that time
NakeleKantoo@reddit
yeah no, if you didn't open any ports in the router there is no way in hell of accessing your pc from outside your house's network; fail2ban on a desktop machine is pretty much useless
Far_Understanding883@reddit
False. It's trivial to open a reverse tunnel once the malware is in the system.
Nelo999@reddit
Or better yet, use a dedicated IDS/IPS system such as Suricata, Snort, Crowdsec, Wazuh, Zeek, Pfsense/Opensense, Pihole and so on.
FryBoyter@reddit
In my opinion, the post you replied to is assuming an uncompromised system.
In my opinion, no security measures can reliably help a system that has already been compromised. The only solution here is a complete reinstallation.
eldoran89@reddit
This. A compromised system is essentially burned. You can't salvage that. Every file, every account present on the system, everything has to be considered burned and needs to be either discarded or cleared before further use...
So yeah, it's moot to talk about compromised systems from a security perspective... and from that perspective, a user asking for security tips and having installed fail2ban because he saw it in a video: the only advice is to run an up-to-date browser with an adblocker and to stop doing stuff on your machine because you saw it on the internet... the main security concern is always about 30 cm in front of the display
eldoran89@reddit
But if you have a malware that opens a reverse tunnel you won't need fail2ban as well...
NakeleKantoo@reddit
Is fail2ban of any help dealing with a reverse tunnel? or even getting malware, for that matter...
Ybalrid@reddit
What applies to a server doesn't necessarily apply to a desktop computer.
If nobody is hammering your port 22, then it’s not a worry. (And nobody is, you would have to have put special rules on your router to expose your computer to the internet in this way). Do you even have sshd running?
eldoran89@reddit
Well, given that answer, the best you can do for security is update your system regularly, use a good browser with an adblocker and use your brain when surfing the internet... any software tool wouldn't really increase your security
Ontological_Gap@reddit
You aren't going to like it, but a different user account for every application, or even every different use of an application.
Or learn how to write custom SELinux policy
Daytona_675@reddit
or grsec gradm
GuideUnable5049@reddit
Different account for each app? Do people actually do this?
Ontological_Gap@reddit
If they are really serious about it, they use a different VM for each app: https://www.qubes-os.org/
Dangerous-Report8517@reddit
You could use bubblewrap, firejail or flatpak apps to get sandboxing with isolation at least as strong as manually using different user accounts, with the caveat that installing flatpaks packaged by randos introduces a new attack vector so you need to make sure you trust the people who packaged them (since Flathub is just an open repo, not a curated repo, and that includes verified apps since all verified means is that they were packaged by the original dev, not necessarily that the dev is reputable)
ashleythorne64@reddit
Flathub is curated, every app needs to be reviewed and approved.
midnight-salmon@reddit
Why do you have fail2ban on a desktop? Anyway, the easiest thing you can do to secure your Linux desktop is to only install packages from your distribution's repo. The main threat targeting desktops is an infostealer. Stick to trusted package sources and don't save credentials in your browser.
Bogus007@reddit
Does the backdoor in xz-utils in Debian’s repository ring a bell? AUR, though not official repo of ArchLinux, had the RAT malware. Also, some Python packages are taken from PyPi, where compromised modules were found.
An IT guy told me that the best way to have a secure computer is to disconnect it from the internet. In order to damage you then, physical manipulation of the machine is required or the entire OS must be bogus.
midnight-salmon@reddit
Did I say "best and most perfect 100% flawless" or did I say "easiest?"
Bogus007@reddit
Convenience is not a substitute for awareness.
vcprocles@reddit
xz-utils trojan didn't reach debian stable and testing before being discovered, so using sid is actually the worst thing for security OP has done
Bogus007@reddit
It reached Debian testing:
(Source: Debian Security Advisory DSA-5449-1)
Miraj13123@reddit (OP)
https://www.reddit.com/r/linux/s/cUW6FNvsV4
NordschleifeLover@reddit
Realistically, who is going to brute-force your sshd server in your local network? Why do you even have it running? If you care about security, step number one: stop making changes to your system just because of some random advice you heard on youtube that you don't fully understand.
Dangerous-Report8517@reddit
You're much better off just disabling ssh entirely, fail2ban is intended for situations where you want external connections with some filtering of malicious clients, in your situation you probably don't want any clients at all. Likewise, ufw is likely going to default to allowing ssh connections even though that's the main thing you would be wanting to block
kombiwombi@reddit
I would add that SSH now supports Security Keys. These devices require a key press to prove human presence before continuing. I strongly suggest allowing only public keys with an SK mode to connect. Recent SSH also allows authentication to be stacked, so you can require a security key and a password (so mere theft of the Security Key is not adequate).
The workflow is really straightforward. ssh remote.example.com, press the flashing button on the Security Key.
sweet-tom@reddit
That sounds interesting. Do you have a tutorial that you can recommend?
kombiwombi@reddit
The fundamental step is
ssh-keygen -t ed25519-sk
Which the ssh-keygen man page describes.
The server configuration is to turn off lesser authentication types.
Fuller technical notes are in the OpenSSH 8.2 release notes, but you can certainly use the feature whilst not knowing its mechanical action.
sweet-tom@reddit
Thanks! 👍
SunlightBladee@reddit
There's a lot to unpack here.
1) If you're not using SSH, don't use fail2ban. Just disable SSH altogether. Otherwise, securing SSH connections should follow the same exact rules as if you were SSH-ing into Windows or any other OS.
2) The biggest threat to the security of a system is always, always, always the user who owns / uses that system. And the more people using that system, the more true that is. What I'm saying is if you know not to click phishy links, not download random software / scripts, and not get scammed, you're usually going to be fine. The safety of a system mostly comes down to you, not the OS.
3) With point #2 aside, windows is definitely not more secure by default. It's more targeted by scams and exploits than Linux by a large margin. Right now on the most recent version of Windows 11, clicking a bad link can let anyone run arbitrary code directly on your system with your same level of access.
Windows is not more secure than anything. In fact, it's probably the least secure OS right now.
If you want advice on how to secure a system, that advice is going to change based on what you actually use the system for and what your threats are.
Nelo999@reddit
Windows still allows people to be administrators by default.
Heck, even Linux with auto login is more secure than Windows.
TheCrustyCurmudgeon@reddit
I just turn mine on.
If I want more security, I turn it off.
FryBoyter@reddit
Just because you use a certain operating system, you shouldn't feel safe.
When it comes to Linux, there is also more and more malware. A relatively recent example would be https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/.
TheCrustyCurmudgeon@reddit
Just because it CAN happen doesn't mean it's likely to. You're more likely to die in a plane crash than you are to be infected with malware on a linux desktop. I'll take those odds any day. In fact, I take those odds every time I fly...
I've been using Linux for decades. It is secure OOTB. The practical likelihood of a linux desktop being infected with malware without direct user involvement is a statistical zero. Even with user involvement, you have to work really hard and be incredibly unlucky. The majority of malware is windows-executable only. The few malware that target linux systems are designed primarily for industry/enterprise and not targeted at desktops.
I've been perfectly safe for over two decades and I'm relatively safe today. Suggesting that there's great risk or a need for massive security interventions is just fear-mongering.
Annual-Advisor-7916@reddit
Read that again, but slowly.
Miraj13123@reddit (OP)
to be exact
YouTubers who are famous.
i learned linux that way. not the only way. but i learned a lot from yt.
Annual-Advisor-7916@reddit
Uhh, it's not getting better, you know...
oxez@reddit
No offense, but it shows
AutoModerator@reddit
This submission has been removed due to receiving too many reports from users. The mods have been notified and will re-approve if this removal was inappropriate, or leave it removed.
This is most likely because:
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
_Sgt-Pepper_@reddit
If you care about safety, USE STABLE FFS
alexnu87@reddit
*90% of linux security discussions*
linux users: linux is way safer than windows and is super mega secure
anyone: how?
linux users: hackers don't target linux and if they do, it's simple, make sure you don't download their stuff
there are a few actually genuine technical suggestions, but most of the time that's how this conversation goes, which to me is mind boggling: that for some people (or a lot, apparently) this is a logical argument, or worse, "advice" on how to have a secure os.
the same goes for any conversation regarding anti-virus protection.
vodevil01@reddit
Simple: it's not secure 🤷
LordAnchemis@reddit
Left_Revolution_3748@reddit
The best security guide I read in my life
MrKusakabe@reddit
Let's be fair, the last paragraph is exactly what the OP is talking about:
The "house" would be Linux. It is not something he can do, e.g. he can close the windows but if the house is from 1980, you can easily use a screwdriver to open it up. OP is asking to get burglary proof windows for his house.
Mysterious_Tutor_388@reddit
Always have unprotected physical connections with storage devices. You must know what is on that USB you found on the ground.
Arakan28@reddit
who knows it may have a cracked copy of clip studio paint
quite rare these days
rayjaymor85@reddit
Same steps you'd take on a Windows or Mac machine. Don't download dumb $#!*, and don't run random scripts without checking them.
I don't know if I'd bother with UFW or Fail2Ban on a desktop machine though, I'm not exposing a desktop machine to the internet....
xe_xe_x3@reddit
The same things as in Windows:
- use Firefox with Adblock and activate malware lists
- activate the firewall and block all incoming traffic
- Antivirus in Windows is needed and Microsoft Defender is mandatory; in Linux i would say it's only needed for server systems
- Common sense: don't click an e-mail from your bank if you don't expect something from them; try not to use local e-mail clients which download every executable and attachment
- use MFA on all your portals and use long passwords - combine this with a password manager which ideally works offline (KeePassXC)
- use best practice configurations for your router and home network
ashleythorne64@reddit
Firefox isn't the best choice security-wise; its sandboxing is worse than Chromium's and WebKit's.
A browser like Trivalent (like Vanadium but for Linux desktop) has much better sandboxing and privacy protections than Firefox, though its built-in ad blocker is much worse. It also makes extensions harder to use since they are a big attack vector, but you can still install uBlock Origin Lite which does work very well as an ad blocker, even if it is missing some features of the full version.
Historical_Bread3423@reddit
If you're running Qubes OS, Firefox is fine.
ashleythorne64@reddit
Not really, unless you're also using a separate VM for each website you browse.
Historical_Bread3423@reddit
You use the untrusted Qube when you are using random websites. It resets to the default template when you shut it down. Whatever malicious activity is going on is isolated to that Qube and can't make any permanent changes or otherwise affect your system.
For example, your personal Qube would be for high trust sites you use all the time. For me, that would be Reddit, X, Proton Mail (Linux app is still beta), and the New York Times. But if I'm going to be searching for a ton of different stuff, I switch to a low trust Qube.
Honestly, I mostly use my Macbook Air with Safari for personal stuff and a Dell Workstation for my job. I have a small box running Qubes as an experiment as I'm considering a laptop as it's convenient for some travel. Not 100% convenient as Windows 11 is not supported to the degree I would like (I have not experimented with this yet). But having a Work Qube where I can run Teams (Linux native out now) and Outlook in Firefox would be great. And there is stuff I do in the Whonix Qube on Tor, or at least I'd like the option.
My main point is I don't think any browser is 100% safe and the Qubes OS model is the best solution. If I had $1,000,000, I'd give it to the devs to keep improving it.
xe_xe_x3@reddit
But with Chromium the codebase is coming from Google, one of the worst offenders of privacy violations. I understand that the codebase is inherently better than Firefox's, but it somehow doesn't sit right with me to use it.
Historical_Bread3423@reddit
If you truly care about this stuff, Qubes OS is your only realistic option currently, despite all its shortcomings.
Historical_Bread3423@reddit
Keep recovery keys and crypto seed phrases on high quality durable paper (waterproof, untearable paper is available and not too expensive). Store them in plastic sleeves, put them in a binder. Keep one binder in a safe in your house and one in a safe deposit box.
Puzzleheaded_Move649@reddit
Adblock and activate malware lists => doesn't prevent any good malware.... just saying.
FryBoyter@reddit
That's basically all I do.
I don't think a firewall like ufw is very helpful for private use. In the default configuration, all incoming connections are blocked and all outgoing connections are allowed.
However, you only have open ports if a service is listening on the port in question. Privately, you usually want to access this from outside and enable it.
And as all outgoing connections are allowed, ufw does not protect you if the system has been compromised.
I also consider Fail2ban to be pretty useless. Anyone offering a service such as SSH that is accessible via the internet would be better off simply prohibiting password-based logins.
Fail2ban also has a potential disadvantage. Not everyone who is, so to speak, the official administrator has a static IP number that can generally be activated. If third parties manage to obtain the currently assigned IP number, they can block it with fake requests to the server and thus prevent the official administrator from logging in (https://wiki.archlinux.org/title/Fail2ban#Custom_SSH_jail).
I consider SELinux and AppArmor to be useful tools. However, I do not consider either of them to be absolutely necessary for private use. I consider the things I have mentioned to be much more useful.
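The remark above that you only have an open port when a service is listening on it is easy to verify. The following is an added example, not code from FryBoyter or anyone else in the thread: a shell function that takes `ss -Hltnup` output and prints only the sockets bound beyond loopback, those a firewall rule or a disabled service would actually affect. The function name and the sample output are this example's own; the sample is constructed in the shape of real `ss` output so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Prints listening sockets bound to
# addresses other than loopback. Input lines follow `ss -Hltnup`:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
exposed_listeners() {
    awk '
    {
        local_addr = $5
        # The port is everything after the last colon; strip it so that
        # IPv6 forms such as [::]:22 and *:445 are handled too.
        n = split(local_addr, parts, ":")
        addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
        sub(/%[^:]*$/, "", addr)               # drop a scope suffix such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
        print
    }'
}

# Constructed sample in the shape of real ss output (not captured from
# any machine). sshd and smbd are reachable from the LAN; cupsd and
# systemd-resolved are bound to loopback only.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*       users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*    users:(("cupsd",pid=744,fd=7))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*    users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      50     *:445              *:*          users:(("smbd",pid=1203,fd=40))'

# Number of exposed listeners in the sample: both sshd sockets plus smbd.
count_exposed_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners | wc -l | tr -d ' '
}

# On a live system:  ss -Hltnup | exposed_listeners
# Every line printed is a service to disable, bind to 127.0.0.1, or
# deliberately keep and firewall.
```

Each line this prints names the process owning the socket, so the fix is usually `systemctl disable --now` on that unit rather than a firewall rule layered on top.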
Outrageous_Trade_303@reddit
It's really simple regardless of the OS: don't download and install random stuff you find on the internet, don't run any scripts/commands that you can't understand and don't follow any instructions that other people suggest either by email or through social media.
Hot-Employ-3399@reddit
If this was "simple" in the real world, nobody would use or sing praises to nvim or vscode.
They **rely** on installing random stuff from the internet. So random, lazy-nvim downloads directly from the main branch without even caring about the version number.
So random, vs code already was pegged.
Outrageous_Trade_303@reddit
well, vscode is microsoft :p
aftermarketlife420@reddit
As said from social media. I agree with you but still found it funny.
Outrageous_Trade_303@reddit
Well I mean instructions like when you are receiving a personal message from one of your friends saying something like "look at that funny image I found" and then providing a link to let's say xyz-123-abc.com :p
aftermarketlife420@reddit
I really want to click that now but I'm not on a device I don't worry about
Outrageous_Trade_303@reddit
lol! That's exactly my point :)
I believe that the majority of the people would have a great urge in clicking on that /s
aftermarketlife420@reddit
I love putting a live linux disc in and booting on a computer I'm about to completely wipe and testing usb on it. If I get hacked it's a clean system that won't exist the next time it's turned on.
Outrageous_Trade_303@reddit
I use what I call "one time VMs": I have a generic VirtualBox machine, I clone it, change mac addresses and any other shit that can identify me, boot, do some sketchy stuff through VPN and then erase it :p
aftermarketlife420@reddit
Good call
Chahan_The_Great@reddit
SELinux
kimptoc@reddit
Don't forget to install some encryption at the disk level, otherwise they can boot your machine with a LiveUSB and read anything they want.
TheFredCain@reddit
Here we go on the FUD wagon. You would have to run Linux with "1234" as your root password for 7 years straight on an open network to be equivalent to the danger of even having a Windows machine in your house for an hour.
gorlove_@reddit
Firewall, fail2ban, ssh. That's enough if you are not a government traitor 🙂
rarsamx@reddit
Honestly. The YT bunch are going for clicks. Most of them are windows fans with barely any knowledge of Linux
Linux is inherently safer but not idiot proof.
Yes, if you follow windows insecure practices like downloading software and scripts from who knows where, you may get burned.
If you purposefully execute a file you downloaded from somewhere or got from an email or chat. Then you may get burned.
A hammer maker cannot prevent someone from hammering a nail on their head, right?
Those two examples above (getting software from untrusted sources) are common windows practices. Most of the infections happen that way.
In Linux, the common practice is getting the software from the repositories. That's why people usually make the choice between a stable distro and a bleeding edge rolling distro or somewhere in between.
When I was a Windows user I was super careful and got infected a few times. Things execute without me doing anything.
Back in the day, the web was a common vector. Browsers have become now the first line of defence.
In 20+ years of Linux I've never used an antivirus I browse the same kinds of sites and I've never gotten malware or met a Linux user who has.
The reports on the news tend to be stacks against particular services exposed to the internet. Most home users don't expose ports to the internet.
Of course, if you are a high value target, someone will find a way to deliver malware, but in that case Linux has other safeguards like AppArmor, SELinux, immutable distros, running everything as Snaps or Flatpaks.
Those may need more advanced configuration to tighten them but again, if you are a high value target it's worth it
anthony_doan@reddit
fail2ban is for public servers where those servers are getting hammered by brute-forcing of ssh ports.
You don't need it for a client desktop. You're not even serving anything to get brute-forced.
Firewall, no sketchy package installations, keeping up to date with security updates and package updates should be it imo.
Don't have ports open that aren't needed to be open.
x_lincoln_x@reddit
One should never listen to "famous yt guys".
Miraj13123@reddit (OP)
regretting after writing it
x_lincoln_x@reddit
Fair enough.
Soakitincider@reddit
Don't open ports on your router. Have a guest hotspot and don't let them on your network.
Miraj13123@reddit (OP)
that's a unique suggestion. okay
Crackalacking_Z@reddit
Learning to use the shift key will increase password complexity and yield higher security ;)
kombiwombi@reddit
Not as much as you'd think. We have to use long complex passwords at work. But when used as a break-glass password they are terrible to read over the phone. So we asked, how much longer does a password have to be for just lower case and no symbols. A password of 20 characters had the same strength as the NIST-required password complexity and length.
iheartrms@reddit
Linux desktop is way safer. Almost as safe as server. The Year of the Linux Desktop was 1995, for me. I have run 100% Linux desktop since then. I have also administered Linux desktop environments. Yes, there are companies out there which are 100% Linux. In all this time across countless thousands of desktop Linux systems I have never once found malware or had any issues. Plus, if you are concerned you configure SELinux or fapolicyd.
I am well known for asking people to name a specific person I can speak with who got a specific malware and how they got it on Linux. So far, nobody has. But we all know someone who got a particular ransomware or wannacry or whatever.
2rad0@reddit
What's your score?
find / -perm -u+s | wc -l
There's also file capabilities (setcap/getcap?) for bonus points, but my kernel doesn't have support for file capabilities to test the command.
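The setuid count above is a useful number, but the thing worth knowing is whether it changed. The following is an added example, not code from 2rad0 or anyone else in the thread: shell functions that inventory setuid/setgid files under a tree, keep a baseline, and report anything that has appeared since, plus the file-capabilities check the comment mentions. Function names and the baseline path are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Inventory setuid/setgid files,
# keep a baseline, and report newcomers. Run as root to cover the
# whole filesystem; unprivileged runs only see what they can read.

# Sorted list of setuid or setgid regular files under $1.
# -perm -u+s / -perm -g+s and -xdev are POSIX find; LC_ALL=C keeps the
# ordering identical between sort and comm; find's errors on unreadable
# directories are dropped so they do not pollute the list or the count.
list_setxid() {
    find "$1" -xdev -type f \( -perm -u+s -o -perm -g+s \) 2>/dev/null | LC_ALL=C sort
}

# The same figure as `find / -perm -u+s | wc -l`, with setgid included.
count_setxid() {
    list_setxid "$1" | wc -l | tr -d ' '
}

# Record the current inventory of tree $1 into baseline file $2.
save_baseline() {
    list_setxid "$1" > "$2"
}

# Print files that are setuid/setgid now but absent from baseline $2.
# Output right after a package install is expected; output when nothing
# was installed is worth a look.
new_since_baseline() {
    list_setxid "$1" | LC_ALL=C comm -13 "$2" -
}

# File capabilities (setcap) grant privilege with no setuid bit at all,
# so audit them too. getcap ships with the libcap tools and may be absent,
# as on the commenter's kernel without file-capability support.
list_file_caps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    else
        echo "getcap not found; install the libcap tools to list file capabilities" >&2
        return 1
    fi
}

# Typical use (baseline path is this example's choice):
#   save_baseline / /var/lib/setxid.baseline        # once, on a clean install
#   new_since_baseline / /var/lib/setxid.baseline   # later, e.g. weekly from cron
```

Keep the baseline somewhere an unprivileged process cannot edit, otherwise the comparison is only as trustworthy as the file it reads.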
Historical_Bread3423@reddit
Qubes OS. Linux on the desktop is no more secure than Windows. This is true.
primalbluewolf@reddit
Sure, if you turn on the firewall.
CTRL_ALT_SECRETE@reddit
Best protection is abstinence and the following don'ts
DON'T unlock your desktop environment.
DON'T touch your keyboard.
DON'T move your mouse.
DON'T even look at the monitor.
DON'T even think about your computer.
Famous_Damage_2279@reddit
Security is about attacks and defenses against those attacks. If no one is trying to attack you, you don't need that much security. Depending on who is trying to attack you and what tactics those people are using, certain defense tactics make sense or not.
As a non computer example, a locked door will protect you from wild animals. But a locked door will not protect you from a serious criminal gang that has a lockpicker in their gang. So a locked door is a good security tactic but not good enough if you are being targeted by serious criminal gangs.
Some research claims that a significant percentage of successful cyber attacks (32% in one study) are due to out of date software with known vulnerabilities. So one main thing you can do is keep your software up to date. Source: https://arxiv.org/abs/2505.13922
RevolutionaryHigh@reddit
quit learning about Linux on YT
torchmaipp@reddit
Physical theft? Somebody could take the ram dimms and graphics card out to sell for crack. That's tricky.
fek47@reddit
Linux security is a rabbit hole. Once you enter there's a high risk of disorientation. Though if you persevere there's potential for high rewards.
Besides the common sense advice like not clicking links on shady websites, there are a couple of simple measures worth considering.
Keep your OS updated by checking for security announcements and updates at least once a day. Install updates immediately and reboot if necessary. IMO this is the single most important security measure.
Run a firewall with restrictive rules.
Be careful with installing software originating from outside your distribution's repositories. When encountering software you are unfamiliar with, take time to investigate it. Who are the developers? Is the project well resourced or not? Is it still alive or is it abandoned?
Install ClamAV and Freshclam to be able to scan downloaded files and your system as a whole.
Consider using distributions with a proven track record of providing timely security updates. Debian, Fedora, Ubuntu and openSUSE are projects with proven track records. Refrain from using niche distributions with limited resources, especially one man projects.
Prioritize distributions with comprehensive security enhancements. Fedora is one of the best by its use of SELinux and for implementing new security measures early.
Consider using distributions that implement additional security measures that increase the difficulty of breaching your PC. Immutable/Atomic distributions like Fedora Silverblue or Secureblue are two examples. QubesOS is probably the most secure Linux distribution currently existing.
Install Rkhunter and Chkrootkit to scan for malware.
Dangerous-Report8517@reddit
For a novice user such as yourself the best approach is to maintain good internet hygiene, keep your system well patched and fully up to date, and only install things from the Debian repos. There's other things you can do but you need to know what you're doing (you can't just add more security, security features have downsides and defend against specific kinds of threats - for instance fail2ban defends against brute force attacks against servers which you should have none of on your system anyway, and ufw selectively blocks open ports which, again, you should have none of to begin with). In general most major distros will ship with reasonable defaults in place.
Miraj13123@reddit (OP)
understood
natermer@reddit
Fail2ban is just snakeoil if your goal is to "increase security".
An expert that tells you to install it always is not an expert.
Stuff like that is useful somewhat for rate limiting internet-facing applications. So if you have some heavy weight application and you don't want to have people bombard your system and cause a lot of pointless resource usage... Then it is "ok" for that.
For improving desktop security:
Keep everything up to date.
Only run what you need. Don't have it double up as a web server and crap like that. Turn off OpenSSH if you are not using it. Turn off file sharing unless you need it.
Don't install random crap off the internet. If somebody gives you a script to run don't just blindly execute it. Read it and make sure you understand what it does before you run it. Don't just copy and paste commands off the internet. Copy them into a text editor and make sure you know what they do. etc.
For a firewall all you need is firewalld.
Back up important files on your system. Mostly your /home directory. Don't worry about backing up the entire OS. Only worry about stuff you can't just go and download again.
Don't copy and paste passwords into random files in your home directory.
If you need OpenSSH running on your desktop then disable password logins. Use SSH keys.
An easy solution to 2FA is just to get a YubiKey or similar hardware token that supports FIDO2 authentication. This is natively supported by OpenSSH unless you are using an ancient version. Doesn't require an OATH server, doesn't require editing PAM configurations or anything nutty like that.
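Both kombiwombi's `ssh-keygen -t ed25519-sk` advice earlier in the thread and natermer's FIDO2 point above end with "and turn off the lesser authentication types on the server". The following is an added example, not code from either commenter or from OpenSSH: two offline checks, one over an `sshd_config` and one over an `authorized_keys` file, that confirm only security-key logins remain. The directives checked (`PasswordAuthentication`, `KbdInteractiveAuthentication`, `AuthenticationMethods`, `PubkeyAuthOptions touch-required`) are real sshd options; the function names, sample files and placeholder key blobs are this example's own, and `Match` blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Verifies that
# an sshd is set up for FIDO2 keys only:
#   1. sshd_config leaves no password route unless it is stacked behind
#      publickey, and requires a touched key (PubkeyAuthOptions touch-required,
#      OpenSSH 8.2+), so keys made with `-O no-touch-required` are refused;
#   2. authorized_keys holds sk-* key types only, i.e. output of
#      `ssh-keygen -t ed25519-sk` or `-t ecdsa-sk`.
# Paths are parameters so the checks can run on copies. Parsing stops at
# the first Match block (conditional overrides are not evaluated).

# Effective value of directive $2 in sshd_config $1: first match wins,
# names are case-insensitive, $3 is sshd's default when it is absent.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Returns 0 when the config leaves no non-key route; prints each problem.
check_sshd_config() {
    cfg="$1"; bad=0
    pw=$(sshd_value "$cfg" PasswordAuthentication yes)
    methods=$(sshd_value "$cfg" AuthenticationMethods any)   # first list only
    # A password may stay enabled only when stacked behind publickey
    # (AuthenticationMethods publickey,password), the combination
    # kombiwombi describes: key AND password, never password alone.
    if [ "$pw" != "no" ] && [ "${methods#publickey,}" = "$methods" ]; then
        echo "password login reachable: set PasswordAuthentication no or stack it behind publickey"; bad=1
    fi
    # KbdInteractiveAuthentication is the current name for
    # ChallengeResponseAuthentication; honour whichever the file uses.
    crs=$(sshd_value "$cfg" ChallengeResponseAuthentication yes)
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication "$crs")
    [ "$kbd" = "no" ] || { echo "KbdInteractiveAuthentication must be no"; bad=1; }
    [ "$(sshd_value "$cfg" PubkeyAuthentication yes)" = "yes" ] \
        || { echo "PubkeyAuthentication must be yes"; bad=1; }
    [ "$(sshd_value "$cfg" PubkeyAuthOptions none)" = "touch-required" ] \
        || { echo "PubkeyAuthOptions touch-required missing"; bad=1; }
    return $bad
}

# Returns 0 when every active line of authorized_keys $1 is an sk-* key.
# The key type is field 1, or field 2 when the line starts with options
# such as "restrict" (quoted options containing spaces are not handled).
check_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            type = ($1 ~ /^(sk-|ssh-|ecdsa-)/) ? $1 : $2
            if (type !~ /^sk-/) { print "non-FIDO2 key: " type; bad = 1 }
        }
        END { exit bad }' "$1"
}

# Constructed samples for a dry run (not from any real host; the key
# blobs are placeholders, not valid keys).
SAMPLE_BAD_CONFIG='Port 22
PasswordAuthentication yes
#PubkeyAuthOptions touch-required
'
SAMPLE_GOOD_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthOptions touch-required
'
SAMPLE_KEYS='# keys for user@laptop
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER1 laptop-yubikey
restrict sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER2 desk-key
ssh-ed25519 AAAAPLACEHOLDER3 old-software-key
'

# Dry run against the samples; on a live host point the checks at
# /etc/ssh/sshd_config and ~/.ssh/authorized_keys instead.
demo() {
    d=$(mktemp -d)
    printf '%s' "$SAMPLE_GOOD_CONFIG" > "$d/sshd_config"
    printf '%s' "$SAMPLE_KEYS" > "$d/authorized_keys"
    check_sshd_config "$d/sshd_config" && echo "sshd_config: ok"
    check_authorized_keys "$d/authorized_keys" || echo "authorized_keys: needs cleanup"
    rm -rf "$d"
}
```

The sample `authorized_keys` deliberately keeps one plain `ssh-ed25519` key, the leftover most setups forget: as long as it is there, the security-key requirement is only advisory. Test a change with `sshd -t` and a second open session before closing the one you are in.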
shroddy@reddit
Linux might have a slight advantage because many standard programs are available in the repos, so you don't need to download them from random sites on the internet. However I would say that most if not all of these programs are safe as well if you download them from the developers website. The biggest danger here is if you don't actually find the developers website, but a malware site that only looks like the developers website.
If you need software that is not in the repos (including Flatpak and Snap) so you need to download them elsewhere, usually the developers website, there is nothing on Linux that protects you better than windows. On both Linux and Windows, by default every program you run has access to everything your user has access to, including passwords or session cookies in your browser. On both, it is possible to prevent that, but there is no clear howto or best practices.
For software that does not need the GPU, the easiest way is to use a VM, but if the software needs the GPU, it suddenly becomes really complicated to make the GPU available to the VM.
Brilliant_Sound_5565@reddit
Well, you can remove fail2ban if you don't have any ports open on your router; if you read up about what fail2ban actually is you will see why you don't need it. Running ufw is a good choice if you use your laptop away from home, that should be enough, but unless you are opening up ports in your firewall etc then you don't need fail2ban
Miraj13123@reddit (OP)
https://www.reddit.com/r/linux/s/cUW6FNvsV4
thanks for your advice
Brilliant_Sound_5565@reddit
No worries, you see it more on servers that are exposed to the internet, it's not something that you would install by default on a laptop if you weren't planning on opening any ports to it
cmrd_msr@reddit
NSA built SELinux for us.
shroddy@reddit
But unfortunately they made it so complicated to use that only NSA can really configure and use it
/s but not much
Miraj13123@reddit (OP)
?!
cmrd_msr@reddit
#!
adminmikael@reddit
Why would you have fail2ban on a desktop? It doesn't make any sense, because if your desktop is reachable from the WAN, or if you have to protect yourself from threats in your own LAN with it, something else is very wrong.
Desktop and server Linux are the same thing, by the way. Literally the only difference is the selection of software installed and the configuration applied. Nothing prevents you from having things like SELinux and proper OpSec on the desktop. All cybersecurity starts and ends with the user; software safeguards won't help much if the user takes risks.
Miraj13123@reddit (OP)
https://www.reddit.com/r/linux/s/cUW6FNvsV4
rdcldrmr@reddit
This has some good tips for kernel and userland hardening: https://vez.mrsk.me/linux-hardening
Liam_Mercier@reddit
Most issues are from what you download, so don't download something that you don't trust.
Your browser is probably the second biggest attack vector since it needs to parse many different formats of data, from different servers, integrated with your operating system, etc. Chances are this doesn't matter as much because 99% of the time people are not going to use some advanced JavaScript engine exploit when they can just trick you into downloading the payload.
Your firewall is meant to prevent a lot of other attacks (unless it's being exploited), usually it defaults to blocking any packets unless they are part of an established connection. If you open your machine up to host a messaging server for example, now the messaging server software can be exploited.
sej7278@reddit
Look at the CIS benchmarks. fail2ban and even ufw are a bit pointless if you're behind NAT, as most desktops are.
BicycleIndividual@reddit
For best security, don't let the desktop connect to a network. Then you only have to worry about physical access threats; and nothing is really secure against physical access threats.
Tuerai@reddit
set a password and use a firewall. nothing that special about security unless you wanna learn weird enterprise stuff like SELinux and fapolicyd
zardvark@reddit
The more packages you add, the more attack vectors from which the bad guys can choose.
Secure? Secure from what?
The first thing that you need to do is assess what you need protection from. Be honest, because you can lock your machine down to the point that it is neither a pleasure to use, nor useful.
Miraj13123@reddit (OP)
yeah. i use linux [debian sid] for programming, scripting, browsing and gaming (at last) (from steam or just Minecraft).
Gjallock@reddit
“Super insecure” in the sense that a desktop user is operating it, yes, but there is not inherently a security gap in the packages used unless you’re on some experimental desktop environment.
Admittedly I primarily use Linux for server applications, but I don't see why you feel "unsafe" in Linux more than any other OS. If you don't feel confident in yourself to discern what software is safe, then stick to reputable software by trusted developers. Honestly, the biggest benefit of Windows Defender is the fact that it automates that process. Many package managers essentially have that feature "built in", so again I do not feel like you are in an unsafe position just by virtue of being on Linux.
Keep your system and software patched, and don’t click weird links. That’s about it. The most common attack vectors that an average Joe is impacted by are links on the web and links in your email.
Miraj13123@reddit (OP)
yeah got it. i have that much common sense to not click that type of email. i actually never click on these.
thanks. i just wanted to know as i made linux as my main daily driver. i had to know about what was poking me in my mind.
totallynotbluu@reddit
The most secure protection against this is whoever is behind the keyboard.
Miraj13123@reddit (OP)
:)
BloopomaticTranswarp@reddit
Be very wary of adding PPAs to install software and try to use snaps/flatpaks (whichever is used in Debian) as much as possible
SteveHamlin1@reddit
Run a verbose nmap against your computer's IP and see what it shows.
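Building on that suggestion, an added shell example (mine, not the commenter's) that gives the inside view to compare against the nmap result: it parses `ss -Hltun` output and flags listeners bound beyond loopback. The ss sample lines are constructed for the example, not captured from a real machine; the `--live` mode assumes iproute2 is present and, for the suggested comparison, nmap on another host.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: complement the external nmap scan with an
# inside view. Parses `ss -Hltun` output (header-less, listening TCP + UDP, numeric)
# and labels each socket loopback-only, bound to every address, or bound to one
# specific address. Anything not loopback is reachable from the LAN unless the
# firewall drops it, which is exactly what the nmap run should confirm from outside.
set -euo pipefail

# Columns of `ss -Hltun`: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
classify_listeners() {
  awk '{
    proto = $1; local = $5
    n = split(local, parts, ":"); port = parts[n]              # last piece is the port
    addr = substr(local, 1, length(local) - length(port) - 1)  # keeps IPv6 brackets
    sub(/%[^]]*\]/, "]", addr)                                 # "[fe80::1%wlan0]" -> "[fe80::1]"
    sub(/%.*/, "", addr)                                       # "192.168.1.23%eth0" -> address only
    if (addr == "127.0.0.1" || addr == "[::1]")                 scope = "loopback"
    else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all"
    else                                                        scope = "specific"
    print proto, port, addr, scope
  }'
}

# Unique proto/port pairs that are exposed beyond loopback.
exposed_ports() {
  classify_listeners | awk '$4 != "loopback" { print $1 "/" $2 }' | sort -u
}

# Constructed sample (not captured from a real machine): CUPS bound to loopback
# is fine; sshd, mDNS, a DHCP client and a DHCPv6 client are reachable from the LAN.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      511            [::1]:8080         [::]:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0       192.168.1.23:68         0.0.0.0:*
udp   UNCONN 0      0    [fe80::1%wlan0]:546           [::]:*'

if [ "${1:-}" = "--live" ]; then
  # Inside view first, then the outside view nmap gives (-Pn skips host discovery).
  ss -Hltun | classify_listeners
  ip=$(hostname -I | awk '{print $1}')
  echo "Compare with: nmap -sS -sU -sV -Pn -v $ip   (as root, from another host on the LAN)"
else
  printf '%s\n' "$SAMPLE_SS" | classify_listeners
fi
```

The two views should agree: every `all` or `specific` line here should show up as open (or filtered, if ufw is doing its job) in the nmap output, and a port nmap reports open that is not in this list means something is forwarding or answering for you. Loopback-only listeners are not reachable from the network and can be left out of the firewall conversation entirely.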