How to secure/harden Linux? (Linux beginner)

Hello, I am going to be using a Linux OS, more specifically Debian, for the first time in my life and I would like to receive some feedback on some good measures that I could take in order to have a more secure and private experience.

Could someone recommend me some good guides on how to harden Debian and the basics of the terminal? I don’t know if there are different kinds of hardening or what they accomplish, so if you can recommend me some basic stuff it would be nice. Also, I have used the terminal a bit so I know certain stuff, just to keep in mind.

These are a couple of good practices that I think should be taken in order to achieve what I previously mentioned, please correct me if I’m wrong:

  • Having a superuser password
  • Having full disk encryption
  • Having your main folder encrypted
  • Inside my main folder, encrypt the databases of my passwords
  • Using a firewall
  • Sandboxing every possible software
  • Trying to use VMs whenever possible to connect to the internet (Whonix, Tails, etc)

I have a few doubts regarding passwords here, though. If I have to use one password for my SU account, one for full disk encryption, one for decrypting my databases and another for opening these, should I remember 4 passwords in order to be able to use my machine? Would using a Diceware passphrase for my SU and another for decrypting my HD be less secure?

1 Like

Of course, there are different ways of hardening. Hardening basically means “disabling unnecessary features”. “unnecessary” depends on your use cases. You can disable almost everything on a system, however, this will likely result in a system that is rendered completely unusable. So you should know your use cases and understand what you disable. Do not implement arbitrary “hardening guides” without understanding what you do. This can result in a false sense of security.

Again, these measures depend on your use cases. For example, sandboxing everything can result in applications that can’t access essential folders. Besides, sandboxing software also comes with security vulnerabilities. The same is true for VM software. What is “your main folder”? Why do you want to encrypt it again if you already use full-disk encryption?

A very basic recommendation: Instead of using the root account, create a new user account with privileges to run sudo commands. Afterwards, always use this user account and disable root, or set a very strong password.

You can also use security tokens to simplify logins and make them more secure. Examples are YubiKeys, or Solokeys.

Diceware passphrases and passwords can be equally strong, because you can calculate and compare the strength of both ways. In the end, Diceware passphrases and passwords are basically the same: Diceware passphrases consist of randomly chosen words, passwords consist of randomly chosen characters.

2 Likes
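An added illustration of the comparison made above (example code, not from the thread): it computes the entropy of a random-character password and of a Diceware passphrase, works out how many words match a given password length, and draws words with a CSPRNG. The word list is a constructed stand-in; a real Diceware list has 7776 entries.

```python
import math
import secrets

# Constructed sample word list; only the list size matters for the math.
SAMPLE_WORDS = ["apple", "bridge", "candle", "dragon", "eagle", "forest",
                "garden", "harbor", "island", "jungle", "kettle", "lantern"]

DICEWARE_LIST_SIZE = 7776   # 6^5 entries in the standard Diceware list
PRINTABLE_ASCII = 95        # printable US-keyboard characters incl. space


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret made of `length` uniformly random picks from
    `pool_size` equally likely options (same formula for words or chars)."""
    return length * math.log2(pool_size)


def words_to_match(password_length: int,
                   alphabet_size: int = PRINTABLE_ASCII,
                   list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of Diceware words whose entropy is at least that of a
    random password of `password_length` characters from `alphabet_size`."""
    target = entropy_bits(alphabet_size, password_length)
    return math.ceil(target / math.log2(list_size))


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick words with `secrets` (a CSPRNG): the strength calculated above
    only holds if every word is chosen uniformly at random."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"6 Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"12 random chars:  {entropy_bits(PRINTABLE_ASCII, 12):.1f} bits")
    print(f"words needed to match 12 chars: {words_to_match(12)}")
    print("sample (from the tiny list):", diceware_passphrase(5))
```

A 6-word passphrase and a 12-character random password land within a couple of bits of each other, which is why the two can be treated as interchangeable.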

Mmm, I see. I would like to avoid possible malware, keyloggers or attacks (one of which I’m interested in avoiding is the evil butler attack). I don’t know if this is too broad, though. I obviously want a functional OS, not an offline machine.

I think of sandboxing browsers mainly, does that sound bad? What vulnerabilities could using VMs bring up? Does every possible infection not remain in the VM?

I generally have a folder on my desktop where I keep images, videos, texts, etc., where I store my sensitive information. I guess that if someone manages to use my machine it would be useful to encrypt it too, so they would need another password to decrypt it.

A root account is the main account you create when you install the OS right? So I should use a basic user account instead of the root one and delete/disable the root one? Couldn’t this bring up problems if I ever need to use the root account?

I want to do this but they are really expensive where I live so I can’t afford one right now.

Okay, thanks! I’m going to use passphrases to enter my machine instead of passwords since they are easier to remember.

You can use Cryptomator for this one. I’d suggest you give it a try, although if that folder is too large the decryption (which is on-the-fly) may slow things down a bit, in which case I’d suggest separating whatever files you have in there into their respective folders and encrypting those separately.

This also has the benefit that your folder is now encrypted and you can safely upload it to the cloud (be sure to use a secure password). Give it a try and see if this works for you or not.

I think I prefer to use something local like Veracrypt, my plan is to back everything up into an offline HD once in a while and just keep certain stuff in there. Anyway, I’m good with waiting if the encryption is properly implemented.

For full disk encryption do you think LUKS is the way to go?

Veracrypt is definitely more versatile than Cryptomator, but I think either would work in your case. I personally only use Cryptomator since I find it much easier to use, but I also don’t have the need to encrypt entire external drives (I encrypt specific folders only). Once again I would suggest using it for a while and seeing if it works for you, it’s really easy and intuitive to get started.

I will let someone more knowledgeable than me answer this one :)

Then, it is likely already sufficient to install only packages from the official Debian repositories, update all of them regularly, keep backups, and use an up-to-date modern web browser.

For this, you can use fscrypt (if you use ext4 as the filesystem). It uses built-in encryption at folder level: https://infosec-handbook.eu/blog/2019-11-monthly-review/#toolotm

Yes, by default, you are using a root account after installing most operating systems. Some operating systems offer you the option to create a non-root user account during installation. The idea is: Normally, you are using a non-root account that requires you to enter a password and write sudo in front of a command that requires root permissions to be executed. If you always use root, there is no need to enter a password and write sudo in front of a command. This increases the risk of accidentally running root commands (like installing malware, deleting system files, overwriting configuration files).

Yes, use LUKS/cryptsetup since it is built-in and standardized. Keep in mind that there are some limitations, as mentioned in https://infosec-handbook.eu/blog/yubikey-luks/#goal
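As an added example (not from the thread) of checking the non-root-plus-sudo setup described above: these hypothetical helper functions read text in the /etc/shadow and /etc/group formats and report whether root is locked, which accounts have an empty password field, and who is in the sudo group. The sample lines are constructed; on a real Debian box you would read the actual files as root.

```python
# Constructed sample in /etc/shadow format: name:password:lastchange:...
# A password field starting with "!" or "*" is locked; an empty one
# means no password is required to authenticate (see shadow(5)).
SHADOW_SAMPLE = """\
root:!:19000:0:99999:7:::
alice:$y$j9T$constructedsalt$constructedhashvalue0123456789:19000:0:99999:7:::
bob::19000:0:99999:7:::
"""

# Constructed sample in /etc/group format: name:password:gid:members
GROUP_SAMPLE = """\
root:x:0:
sudo:x:27:alice
users:x:100:alice,bob
"""


def _records(text):
    """Split file text into colon-separated field lists, skipping blanks."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def root_is_locked(shadow_text: str) -> bool:
    """True if root's password field is locked ("!" or "*" prefix)."""
    for fields in _records(shadow_text):
        if fields[0] == "root":
            return fields[1].startswith(("!", "*"))
    return False  # no root entry at all: cannot confirm, treat as not locked


def passwordless_accounts(shadow_text: str) -> list:
    """Accounts whose password field is empty, i.e. no password needed."""
    return [f[0] for f in _records(shadow_text) if f[1] == ""]


def sudo_members(group_text: str) -> list:
    """Users listed as members of the sudo group."""
    for fields in _records(group_text):
        if fields[0] == "sudo":
            return [m for m in fields[3].split(",") if m]
    return []


def audit(shadow_text: str, group_text: str) -> dict:
    """Summarise the checks a hardening beginner would want to confirm."""
    return {"root_locked": root_is_locked(shadow_text),
            "passwordless": passwordless_accounts(shadow_text),
            "sudo_users": sudo_members(group_text)}
```

Running `audit(SHADOW_SAMPLE, GROUP_SAMPLE)` on the constructed data flags bob as passwordless while confirming root is locked and alice can use sudo.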

If I understood that correctly, it works in a similar way to Cryptomator in that it encrypts directories alone. Could those be then migrated to an external hard drive, uploaded to the cloud, etc?

Quick edit: My question is more focused on whether the encrypted directory would become corrupt if moved to a different file system.

Another approach you may want to consider is the following.

  1. Wipe your hard disk.
  2. Boot with a Linux live CD and encrypt the entire disk or partitions with LUKS.
  3. Boot with a rolling Linux live CD such as Gecko (based on openSUSE Tumbleweed) and decrypt the disk or partitions as needed.

You won’t install Linux onto your hard disk; you just run the system off the live CD, but your entire hard disk will be securely encrypted. Gecko is a rolling live CD and allows modifications.

https://geckolinux.github.io/

1 Like

I really like this idea, but I’m living with people who are not willing to use a live OS. I’m trying to make them more privacy conscious, and doing something like this will seem like overkill for them and will backfire. I’ll try to apply something similar once they are more used to Linux and such.

Do you have in mind some other kind of recommendation that could be applied to a normal OS?

A normal OS like Winblows or MacOS? Or do you mean a more normal Linux variant? If the latter, choose Ubuntu.

Winblows is a security nightmare, even just the other day a vulnerability was discovered in Win10. MacOS is much more secure.

If you choose Ubuntu you can run Whonix, which runs inside your current OS, securing everything.

Yes, however, Cryptomator adds additional software on top while fscrypt uses native encryption of the filesystem.

Should be possible. However, you need the necessary metadata, which is stored in hidden fscrypt folders, to decrypt/encrypt files (as described by fscrypt and in the article).

1 Like

The amount of security vulnerabilities doesn’t tell anything about the actual security of software.

Assuming that Whonix is and remains always 100% secure (which can’t be the case), you still have to care about humans and processes to gain a secure system.

1 Like

How do you come to that conclusion? If the software is buggy with many security vulnerabilities, then there is a problem with the security of the product, in this case Windows. That isn’t an opinion, it is fact. Windows 10 is a security nightmare. You can argue the case against this, but evidence is not on your side.

If you meant that security vulnerabilities don’t tell anything about the utility of the software (Windows), that is a different matter, and I would agree with that statement.

For simple reasons: 1, 10, or 100 security vulnerabilities are just numbers that don’t say anything. By just looking at those numbers, you ignore the severity, the actual likelihood to be exploited, the complexity of the software product etc.

Lots of fixed security vulnerabilities can just result from lots of security testing and good code maintenance. On the other hand, 0 security vulnerabilities ever can just result from no testing activity at all.

Instead of counting security vulnerabilities, it is important to look at how fast they are fixed or if the software manufacturer never fixes anything. Security vulnerabilities are basically everywhere, and you can’t just say “MacOS is more secure than Windows because there are fewer security vulnerabilities”. Both operating systems come with different code, different packages, different complexity, and they don’t have an equal amount of code.

3 Likes

While you have discussed how you want to use your Linux box, you have never really said anything about your use case for your machine.

If you truly need security with minimal fiddling, I suggest QubesOS (Fedora/RedHat based) instead of Debian. It has virtualization already incorporated in place. The idea is that the trust is with the user and that the machine may or may not be trusted (vs the usual paradigm of trusting the machine and distrusting the user accessing the machine). Honestly Qubes is not daily driver worthy unless your threat model approximates that of the likes of Edward Snowden or journalists at risk.

Subgraph OS is Debian based but is still in the infancy/alpha versions. Do use it and help its development if you want a Debian based distro, but it is not ready for prime time.

Frankly, while Canonical has had its share of shenanigans along the way, it is still way better than all proprietary alternatives. There is a separate rabbit hole on whether you want to be ideological/truly free FLOSS (as in no proprietary code within, like vanilla Debian/Trisquel) or you want to be practical (Pop!_OS or Linux Mint). Your present hardware may have a say in this matter (especially if you use nVidia).

Having layers of security is good. Just make sure it is bearable/usable so that you won’t get lazy typing it eventually. Just remember:

  • KeePass database is already encrypted by its password.
  • You will drive your spouse/SO insane with so much layered security. Do respect the other users of your machine if it is shared.

Get a hardware firewall. I suggest building your own with a PCEngines APU and installing either pfSense or OPNsense. Bonus if you can deploy pfBlocker-ng or a Raspberry Pi running PiHole within your network.

Sandboxing only mitigates things attempting to break out of the software if it had access to the internet. Sandboxing KeePassXC doesn’t make sense because it doesn’t connect to the internet. Sandboxing won’t help with things trying to break into the sandbox. I think this is where containerization helps instead of sandboxing.

I believe those distros are best run on bare metal with USB sticks and not VMs. Just properly do a reboot and plug the USBs in.

In the end: Don’t forget physical security. The most complex password is easily defeated by simple torture. Careful with social engineers: A complex password is equally defeated by a long con - Honey, can I borrow your KeePass password/Yubikey?

I quickly dropped https://wiki.privacytools.io/view/Linux_hardening there in case it’s going to be removed from the main site, and I imagine YAMA Ptracing and Userns are considered as “too much difficult security that has nothing to do with privacy” to be included in the site. It needs cleanup, though.

Reading this thread I seem to have gone somewhere different from what was in mind here, but please feel free to improve it.

Yeah, I know my threat model is not Snowden’s, but I think it is really good anyway because it protects you from malware, so I don’t know if it’s just tinfoil paranoia to use QubesOS. Still, my machine doesn’t have supported hardware, and AFAIK it needs very specific specs.

I think it’s dead, last issue on their GitHub is from July, last year, last thing updated on their repositories is from October, last year, and on their main website the date of the copyright thing is from 2014. Such a shame, it looked like a really interesting project.

Ideally I would like a full FLOSS OS, but since I can’t afford two separate PCs (one for general use and another one for gaming) I can’t not have proprietary firmware installed.

I try to do things more or less simple, but it’s not so much the thing about having to use a password when you turn on the machine, but the level of hardening on my browser that annoys other people who use it. I’ve been thinking of creating a soft profile on Firefox for them.

If I need to invest in components I don’t think I can do this right now. I’ll try to look into what all those things are; I would like to buy a good router first, but they are really, really expensive where I live.

Would sandboxing Steam make sense?

Tails is; Whonix is designed to be run as a VM with Qubes. I would prefer to buy a CD reader and burn Tails there and run it from there, but I’ll have to wait for that.

I don’t think anyone is going to torture me, and they won’t find much except pirated cartoons, and I won’t give my KP to anyone. Also, my social life is almost non-existent, so it’s hard and rare that someone would try to SE me.

I will try to apply what’s in there, but I’m not sure I’ll be able to; it looks a little hard for me, but I don’t know.
Thanks!

1 Like