Quick tips to improve Linux Security on your desktop, laptop, or server (hardening for beginners)

Published 2023-10-04
Try out Proton Mail, the secure email that protects your privacy: proton.me/mail/TheLinuxEXP

Grab a brand new laptop or desktop running Linux: www.tuxedocomputers.com/en

👏 SUPPORT THE CHANNEL:
Get access to a weekly podcast, vote on the next topics I cover, and get your name in the credits:

YouTube: youtube.com/@thelinuxexp/join
Patreon: www.patreon.com/thelinuxexperiment
Liberapay: liberapay.com/TheLinuxExperiment/

Or, you can donate whatever you want: paypal.me/thelinuxexp

👕 GET TLE MERCH
Support the channel AND get cool new gear: the-linux-experiment.creator-...

🎙️ LINUX AND OPEN SOURCE NEWS PODCAST:
Listen to the latest Linux and open source news, with more in depth coverage, and ad-free! podcast.thelinuxexp.com/

🏆 FOLLOW ME ELSEWHERE:
Website: thelinuxexp.com/
Mastodon: mastodon.social/web/@thelinuxEXP
Pixelfed: pixelfed.social/TLENick
PeerTube: tilvids.com/c/thelinuxexperiment_channel/videos
Discord: discord.gg/mdnHftjkja

#Linux #security #cybersecurity

00:00 Intro
00:56 Sponsor: Proton Mail
02:32 Software and updates
04:04 Services and SSH
06:38 User management
10:10 Physical Security
11:35 SELinux, AppArmor, and firewall
14:04 Parting Thoughts
15:15 Sponsor: Get a PC made to run Linux
16:30 Support the channel


Password complexity tips: www.networkworld.com/article/2726217/how-to-enforc…

Tips to secure SSH: www.cyberciti.biz/tips/linux-unix-bsd-openssh-serv…


The more software you have installed, the larger the attack surface of your Linux install. It's always good to take a look at all the installed applications and libraries and remove what you don't use anymore. You can also remove packages that nothing else depends on and that nothing uses anymore.

On Debian or Ubuntu, for example, you can find and remove these (packages that were pulled in as dependencies and are no longer needed by anything) by running sudo apt autoremove

And on a desktop, you probably already apply updates, or your distro has auto updates enabled. But on a server, it's easy to let things slide, and forget to log in regularly and make sure things are up to date. I'm guilty of that myself.

And just like with packages, libraries, and apps, you should also make sure you only run the services you actually use. You can list all the service units on the system, and whether they're enabled, with:

systemctl list-unit-files

To stop a service you don't need, you can run

systemctl stop SERVICE

To stop the service from starting with the system, you can run

systemctl disable SERVICE

If you're on a server, the general rule of thumb is also NOT to run a graphical desktop on it. It will often be much more secure to use SSH to log in to the server remotely.

But you might also need to secure SSH first. If you have multiple users, make sure only the ones who need it have SSH access. To do that, you can edit the /etc/ssh/sshd_config file and add an AllowUsers line followed by the names of the users that should actually have SSH access.

Now, something that might be useful in general, for a server or a desktop, is making sure all the users are correctly handled. The first thing will be to disable root login.

If you decide to disable the root account, make sure at least one user has admin privileges first, or you'll have a system with no way to run any administrative task with sudo. Once you're certain everything is ok, you can use the following method:

Edit /etc/passwd and change the first line (root's entry), replacing /bin/bash, or whatever other shell root currently logs into, with /sbin/nologin (or /usr/sbin/nologin, depending on the distro).

If you prefer, you can simply disable root login through SSH, so the account is still there if you want it locally, but remote attackers won't be able to log in as root. To do so, edit /etc/ssh/sshd_config, uncomment the PermitRootLogin line, and set its value to no. Restart SSH with systemctl restart sshd, and you're done.
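The two sshd_config edits above (AllowUsers and PermitRootLogin) are easy to get wrong because sshd uses the first active occurrence of a keyword, not the last. The following shell script is an added example, not code from the video or from OpenSSH: it reads a config file and reports the effective value of both settings, using a constructed sample file; the function names are my own.

```sh
# Audit an sshd_config for AllowUsers and PermitRootLogin. Reads only the file
# it is given. sshd honours the FIRST active occurrence of a keyword, so an
# uncommented "PermitRootLogin yes" higher up silently overrides a "no" added at
# the bottom. Assumes the "Keyword value" form (not "Keyword=value").

# effective_value FILE KEYWORD -> prints the first active value ("" if unset)
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        tolower($1) == "match" { exit }        # lines after Match are conditional
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
            sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}
# audit_sshd_config FILE -> prints findings; returns 0 only if both are hardened.
# Unset PermitRootLogin means the compiled-in default prohibit-password: no
# password login as root, but key-based root login still works.
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    users=$(effective_value "$1" AllowUsers)
    case "$root" in
        no) echo "PermitRootLogin: no (ok)" ;;
        "") echo "PermitRootLogin: unset (root can still log in with a key)"; rc=1 ;;
        *)  echo "PermitRootLogin: $root (root login possible)"; rc=1 ;;
    esac
    if [ -n "$users" ]; then
        echo "AllowUsers: $users (ok)"
    else
        echo "AllowUsers: unset (every account with a shell may log in)"; rc=1
    fi
    return $rc
}

# Constructed sample: a commented default, an active "yes" above a later "no",
# and a Match block, whose directives only apply to that user.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# PermitRootLogin prohibit-password
PermitRootLogin yes
AllowUsers alice bob
PermitRootLogin no
Match User alice
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "Result: not hardened, fix the FIRST PermitRootLogin line"
rm -f "$sample"
```

On the real host, sshd -T prints the fully resolved configuration and sshd -t only checks the file for errors; run the latter before systemctl restart sshd so a typo doesn't lock you out of a remote box.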

To remove the ability to use USB storage, Thunderbolt or FireWire, you can add the following lines to their respective files under /etc/modprobe.d (create them if need be). To revert this, just remove the lines you added to those files.

Add install usb-storage /bin/true to /etc/modprobe.d/disable-usb-storage.conf
Add blacklist firewire-core to /etc/modprobe.d/firewire.conf
Add blacklist thunderbolt to /etc/modprobe.d/thunderbolt.
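The two directives above do not block a module the same way, and modprobe only reads drop-ins whose names end in .conf. This added shell example (not from the video or from kmod) scans a modprobe.d-style directory of constructed sample files and reports how each module is blocked; the function name and the sample directory are my own.

```sh
# Check how a module is blocked by the drop-in files in a modprobe.d directory.
# What the text leaves implicit: "blacklist NAME" only stops the module being
# loaded automatically by its alias (e.g. when a device is plugged in); an explicit
# "modprobe NAME", or another module depending on it, still loads it.
# "install NAME /bin/true" replaces the load command, so modprobe can never load
# it. modprobe reads only files whose names end in .conf, and treats '-' and
# '_' in module names as the same character.

# module_block_status DIR MODULE -> prints install_blocked | blacklisted | allowed
module_block_status() {
    dir=$1 mod=$2
    set -- "$dir"/*.conf
    [ -e "$1" ] || { echo allowed; return 0; }   # no .conf drop-ins at all
    awk -v want="$mod" '
        BEGIN { gsub(/-/, "_", want) }
        { sub(/#.*/, ""); n = $2; gsub(/-/, "_", n) }   # strip comments, normalise name
        NF < 2 || n != want { next }
        $1 == "install" && $3 ~ /\/bin\/(true|false)$/ { inst = 1 }
        $1 == "blacklist" { bl = 1 }
        END { print (inst ? "install_blocked" : (bl ? "blacklisted" : "allowed")) }
    ' "$@"
}

# Constructed sample drop-ins mirroring the three lines from the text. The
# thunderbolt file deliberately lacks the .conf suffix, so modprobe ignores it.
d=$(mktemp -d)
echo 'install usb-storage /bin/true' >"$d/disable-usb-storage.conf"
echo 'blacklist firewire-core'       >"$d/firewire.conf"
echo 'blacklist thunderbolt'         >"$d/thunderbolt"
for m in usb_storage firewire-core thunderbolt e1000e; do
    printf '%-14s %s\n' "$m" "$(module_block_status "$d" "$m")"
done
rm -rf "$d"
```

On a real host, modprobe -c prints the configuration modprobe actually resolved from every drop-in, which is the authoritative check. Neither directive unloads a module that is already loaded; that takes modprobe -r or a reboot.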

All Comments (21)
  • @stevegraham5494
    As usual, LE speaks the truth that others are afraid to say. Linux isn't bulletproof. Any OS is only as secure as the effort the admins put into it.
  • @fedora
    Don't forget, every time you disable SELinux, you make Dan Walsh weep. Dan is a nice guy and he certainly doesn't deserve that.
  • @Monttukani
    I'd love to have a noob understandable video about firewalld and selinux configuration for an average Steam gaming and internet browsing pc! Also Clamav on access scanning and/or commercial antivirus software for consumer desktops would be nice.
  • @alexk4894
    IMO it's also worth paying attention to secure boot configuration, especially on laptops. Many distros do not implement initrd checking during boot, so an attacker can easily modify it and intercept the password for the encrypted partition. To avoid this there's a thing called "unified kernel image", which combines kernel and initrd into a single file and adds an SB digital signature. The main problem is that it is NOT configured out of the box on most systems. Canonical has plans to implement it in the next Ubuntu release (thanks to systemd-ukify), so hopefully this will change in the future.
  • @augustinmuller6660
    Very interesting, and a video about SELinux or firewalls would be amazing
  • @danbuter
    More security videos are always good!
  • @bigredlizerd
    A video on AppArmor or SELinux would be very useful.
  • @graemewiebe2815
    One thing I thought I should mention - although primarily effective for Windows/Mac users, even just having an adblocker (uBlock Origin being my FOSS choice) can have a huge impact on web-based attacks - not only malware, but web-based tracking and information gathering.
  • @muddyexport5639
    Thanks! Good vid. Always interested in the security side for the user. Not so much for the server, but it never hurts to learn. You do a really good job of explaining "how to" and "why". Please continue...
  • @gregmurdoch3264
    The problem with Linux is the user base, not the software. You can lock down Linux tighter than a nun's nasty, and you can achieve bulletproof (nearly) tin foil hat status, but you need to know how, and that's where 9x% of people get in trouble. I've run dozens, maybe in the lower 100 counts, of Linux servers, and the number of times I've seen an "experienced IT professional" do something that causes a head smack to crack your skull is countless. My list of stuff to check as a first pass. This won't bulletproof the tin foil, but it will shine. (Nick brought some of these up)
    1. The first biggest issue, by far, is having permissive sudo settings! —DO NOT GIVE EVERYONE SUDO ACCESS.
    2. The second-biggest issue, by far, is having permissive sudo settings! —DO NOT GIVE EVERYONE SUDO ACCESS.
    3. The third-biggest issue, by far, is having permissive sudo settings! —DO NOT GIVE EVERYONE SUDO ACCESS.
    4. Lock down SSH, and DO NOT change the port. Changing the port is not going to help you. If you're at the point that moving from 22 to 9022 is going to polish the top of your security walking stick, then fine, but if that's the case you're also going to agree it's usually pointless.
    5. Lock down user accounts. Make sure user accounts are properly controlled, groups are reviewed, password policies are in effect, and review system permissions.
    6. Use SELinux or another security framework. If SELinux is fighting you, in 9X% of cases you've done something wrong.
    7. Use IPTables, BPF Tables, and other tools to build the proper routing settings!
    8. Sweep for kernel modules!
    9. Manage keys correctly; don't have users with a single SSH key that use the same key on everything. 1 key = 1 service.
    10. Use multifactor authentication. You are NOT too busy to have additional factors, PERIOD!
    11. Monitor, Monitor, Monitor, oh and make sure you monitor. All logs should be sent to a remote server.
    12. (Nick brought this up) Remove the stupid GUI! It's a server, learn to use it.
    13. Use VMs for isolation.
    14. Disable services you don't need, and close ports that shouldn't be open.
    15. If you use an email server, FULLY ISOLATE IT. Seriously! Do not install an email server with other services.
    If you follow these points, you'll be at least in a good default state; from there have fun polishing the tin foil even more.
  • @TheJackiMonster
    Besides obvious things like applying security updates: I think most critical is that you have control over open ports. You don't want other people to get remote access to your system. So either close ports by disabling services or via a firewall. For servers I recommend fail2ban as well. That bans IP addresses based on the number of failed attempts, which can prevent primitive DoS attacks by single attackers. Additionally you can improve internal security by dividing services and applications into containers, users and groups, so you don't run software with permissions it doesn't need or shouldn't have in general. Another thing for SSH: if your server is public, you should only allow access via public keys and disable root login as well. Otherwise people will brute-force it...
  • @joshmc5882
    I like the defaults on Fedora: firewall on by default, SELinux on by default, root login disabled by default, only official repositories enabled by default
  • @JonasLomp
    11:00 with usbguard you can allow and block USB ports based on plugged-in devices, so you can create a whitelist with your devices and block anything else.
  • @odnankenobi
    Love to see some security related content. It's such a confusing and noobie-unfriendly territory to get into when learning Linux; we need more videos like this. The firewall is especially important: it's the first line of defense past the router, and it's frequently off by default. Full disk encryption is also a must. For me, the most important thing to learn right now is how to set up full disk encryption together with secure boot, and if possible along with the TPM (Trusted Platform Module), so I have the option of setting it up without entering the password every time I boot. Tips on troubleshooting it when making changes to the system (changing partitions, distro hopping without losing files) would also be welcome. I haven't been able to crack Linux security by myself yet. If this series does go on, maybe I'll finally be able to do it.
  • @Ghennesph
    Updates are just as likely to break things on Linux as well. Currently, Linux 6.5.5 seems to produce segfaults in FIO with BTRFS, and Mesa 23.2 breaks HEVC and H264 encoding in OBS Studio, again, for now. The difference with updates in Linux is you can scrutinize each package, update individually, find exactly what's causing the problems, and then not update that package until it's fixed. Timeshift and BTRFS subvolumes make this pretty quick and easy vs System Restore and Windows Update, and use much less disk space for more restore points. Linux updates are not bug free, and you should always have a backup to fall back to before updating.
  • @niksethi500
    Finally, a useful video that actually helps enhance security while also making Linux use less resources.
  • @agooglygooglr
    4:53 you can also do `sudo systemctl disable --now service` to disable a service and stop it at the same time. Saves you from typing out a second command
  • @muammar007
    I have watched a security video where they also suggested ClamAV to regularly scan your system, especially if you dual boot with Windows.