Protect your Linux PC
General advice
Don't copy and paste commands from the internet directly into your terminal. First, find out what the command you're going to run does. Second, there's a way to "backdoor" your clipboard. See this article.
PATCH!
Always patch your applications and operating systems to the latest versions, and don't run end-of-life software.
Automatically install security updates
Automatically install security updates with the unattended-upgrades package.
Make sure to install security updates only, not general application updates.
Here's the guide for how to install and configure it.
Firewalls
UFW (Uncomplicated Firewall) is built into Ubuntu. Enable it with sudo ufw enable.
By default it blocks all incoming connections.
OpenSnitch - An application firewall that by default blocks outgoing connections.
Passwords and MFA
Use complex passwords and preferably a password manager like Bitwarden.
Always use MFA (Multi-Factor Authentication) where you can, and use at least OTP (One-Time Passwords) rather than phone or SMS.
Check your downloads
Use the checksums available to verify that you've downloaded the correct software and it hasn't been tampered with.
For example, the Ubuntu 22.04 ISO file here.
Download the file ubuntu-22.04-desktop-amd64.iso, then click the "SHA256SUMS" link on the website.
Now run sha256sum ~/Downloads/ubuntu-22.04-desktop-amd64.iso in your terminal (it will take a little while) and compare the output to the checksum on the web page. If they match, you're good to go.
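Comparing 64 hex characters by eye is error-prone, so the comparison can be scripted. The following is an added example, not part of the original page: the function names verify_download and make_sample and the sample.iso file are constructed for illustration, and it assumes GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU coreutils sha256sum
# and file names without spaces, as is the case for Ubuntu ISO names.

# verify_download FILE SUMS_FILE
# Returns 0 if FILE's hash matches its entry in SUMS_FILE, 1 on mismatch,
# 2 if either file is missing or FILE has no entry in SUMS_FILE.
verify_download() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    name=$(basename "$file")
    # Lines look like "<hash> *<name>" (binary mode) or "<hash>  <name>".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Constructed sample data so the example runs offline: a small stand-in file
# and a SHA256SUMS file in the same line format.
make_sample() {
    dir=$1
    printf 'constructed stand-in for an ISO image\n' > "$dir/sample.iso"
    hash=$(sha256sum "$dir/sample.iso" | awk '{ print $1 }')
    printf '%s *sample.iso\n' "$hash" > "$dir/SHA256SUMS"
}

tmp=$(mktemp -d)
make_sample "$tmp"
if verify_download "$tmp/sample.iso" "$tmp/SHA256SUMS"; then
    echo "OK: checksum matches"
fi
# Simulate a corrupted or tampered download by appending bytes.
printf 'tampered' >> "$tmp/sample.iso"
verify_download "$tmp/sample.iso" "$tmp/SHA256SUMS" ||
    echo "FAILED (exit $?): do not use this file"
rm -rf "$tmp"
```

For the real download, assuming you saved the SHA256SUMS file next to the ISO, the call would be verify_download ~/Downloads/ubuntu-22.04-desktop-amd64.iso ~/Downloads/SHA256SUMS.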
Application isolation
Use snap/flatpak wherever you can for isolation purposes, especially for applications like browsers and chat clients.
Backups
Backups! Do them and do them well. The 3-2-1 method is a good start. I explain more about it here.
DNS blocklists
AdGuard Home/PiHole are great for blocking ads, trackers, malware and phishing in your network at the DNS level.
I recommend the OISD and Firebog (green URLs) blocklists.
Browser
Firefox with arkenfox and uBlock Origin configured like this.
IDS/IPS - Intrusion Detection/Prevention System
If you have a decent firewall, there are free and open source IDS/IPS options like Snort.
Otherwise you can use CrowdSec, an open source IDS/IPS that's free for consumers.
Anti virus
Yes, it's needed. See this section here.
Disk encryption
Use FDE (Full Disk Encryption) on all of your devices. That way you protect your data and you don't have to spend time wiping drives you want to sell, throw away, or even send in for an RMA. It's hard to wipe a broken disk, but it's still possible to recover data from it.
On Ubuntu this is set up during installation. It can't be done afterwards.
Use VPN on public networks
On your phone or laptop, use a VPN service (or your own). I strongly recommend Mullvad (€5/month) or, if you need one temporarily, ProtonVPN, which has a free tier. You can also use your own to connect to your home network automatically when you leave your WiFi. I've explained it here.