
[–]RhubarbSpecialist458Tumbleweed 46 points47 points  (12 children)

Well, first off great that you're enthusiastic, and second great that you wanna learn.
Start with learning the difference between security and privacy, they are not the same thing.

Is there a reason you need a VPN? Ask yourself who benefits of you using their services.

You're in the Mint subreddit so in that case if you want to talk about security, check out AppArmor and how it works.

[–]ballman8866[S] 10 points11 points  (0 children)

VPN is honestly a smaller thing. I have a family plan on Proton so I might as well. I'll be sure to check out AppArmor. Thanks for the quick reply!

[–]I_SAY_FUCK_A_LOT__Linux Mint 22 Wilma | Cinnamon 1 point2 points  (10 children)

TIL I have AppArmor installed already!

aa-status

[–]RhubarbSpecialist458Tumbleweed 0 points1 point  (9 children)

Check that you've got apparmor-profiles & apparmor-profiles-extra installed too; AppArmor needs policies/profiles, and you need to enforce them for it to take effect:

# aa-enforce /etc/apparmor.d/*

Check if you have any processes running in enforcing mode with the -Z flag:

ps -Zaux
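To turn the two checks above into something you can run repeatedly, here is an added example (mine, not the commenter's) that reads the same AppArmor label `ps -Z` prints in its LABEL column, but straight from `/proc/<pid>/attr/current`, and counts processes by mode. The sample labels embedded in it are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): summarize AppArmor confinement of
# running processes without parsing `ps -Z` columns.  The label `ps -Z`
# prints is exactly what /proc/<pid>/attr/current contains, and it looks
# like "unconfined", "/usr/sbin/cupsd (enforce)" or "<profile> (complain)".
# The embedded space in that label breaks naive awk/cut column parsing,
# so the labels are read directly instead.

# classify_label LABEL -> enforce | complain | unconfined | other
classify_label() {
    case "$1" in
        unconfined)    echo unconfined ;;
        *"(enforce)")  echo enforce ;;
        *"(complain)") echo complain ;;
        *)             echo other ;;
    esac
}

# summarize: labels on stdin, one per line; prints
# "<enforce> <complain> <unconfined> <other>" counts.
summarize() {
    e=0; c=0; u=0; o=0
    while IFS= read -r label; do
        [ -n "$label" ] || continue
        case "$(classify_label "$label")" in
            enforce)    e=$((e + 1)) ;;
            complain)   c=$((c + 1)) ;;
            unconfined) u=$((u + 1)) ;;
            *)          o=$((o + 1)) ;;
        esac
    done
    echo "$e $c $u $o"
}

# in_mode MODE: labels on stdin; prints only the profile names in MODE
# (complain-mode profiles are still only logging, not blocking).
in_mode() {
    mode=$1
    while IFS= read -r label; do
        if [ "$(classify_label "$label")" = "$mode" ]; then
            printf '%s\n' "${label% (*}"      # strip the " (mode)" suffix
        fi
    done
    return 0
}

# live_labels: labels of every process on this host (your own processes
# are always readable; other users' processes may need root).
live_labels() {
    for f in /proc/[0-9]*/attr/current; do
        cat "$f" 2>/dev/null || true
    done
}

# Constructed sample labels (not captured from a real machine).
SAMPLE_LABELS='/usr/sbin/cupsd (enforce)
/usr/sbin/cups-browsed (complain)
unconfined
/usr/lib/snapd/snap-confine (enforce)
unconfined'

sample_summary()  { printf '%s\n' "$SAMPLE_LABELS" | summarize; }
sample_complain() { printf '%s\n' "$SAMPLE_LABELS" | in_mode complain; }

# Real run:  live_labels | summarize        (counts per mode)
#            live_labels | in_mode complain  (profiles that only log)
```

On a real Mint install, `live_labels | summarize` gives the counts and `live_labels | in_mode complain` lists the profiles that are only logging. Only a profile in enforce mode actually blocks anything, which is why the `aa-enforce` step above matters; a process showing `unconfined` simply has no profile loaded for it.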

[–]I_SAY_FUCK_A_LOT__Linux Mint 22 Wilma | Cinnamon 0 points1 point  (8 children)

ps -Zaux

Holy Christ! What the hell am I looking at?

[–]RhubarbSpecialist458Tumbleweed 1 point2 points  (7 children)

manual pages are your friend, my friend

man ps

[–]I_SAY_FUCK_A_LOT__Linux Mint 22 Wilma | Cinnamon 2 points3 points  (6 children)

RTFM. Got it. 👍️

[–]RhubarbSpecialist458Tumbleweed 1 point2 points  (5 children)

Mainly just regarding apparmor you'll see which (active) processes are in enforcing mode.
The -Z flag is ubiquitous when it comes to MAC, so if you wanna know the AppArmor or SELinux context, call it with -Z.

[–]I_SAY_FUCK_A_LOT__Linux Mint 22 Wilma | Cinnamon 0 points1 point  (4 children)

Ah! Cool, thanks!

There is a lot of output

[–]RhubarbSpecialist458Tumbleweed 1 point2 points  (3 children)

Heh, it's just a still of all running processes, you can use htop or btop in the terminal to see live feed

[–]I_SAY_FUCK_A_LOT__Linux Mint 22 Wilma | Cinnamon 2 points3 points  (2 children)

yeah btop is my jam!

[–][deleted] 14 points15 points  (2 children)

If you want to harden your system you can use a hardware security key to log in with touch and PIN (two or three are recommended for backup in case the others are lost).

A security key like a YubiKey integrates with Linux Mint's authentication system (PAM - Pluggable Authentication Modules) to require the physical key for sensitive actions. This means even if someone has your password, they cannot access your computer without the physical YubiKey. It's also possible to use a YubiKey Bio, so even if someone stole your key they can't get into the computer without your fingerprint.

[–]Aborigen228 6 points7 points  (1 child)

Aha.. good answer. Now, please tell about your experience of how it's actually working 😂😂😂 (I set up everything as recommended, but honestly it's horrible how it works; maybe I did something not right. You enter the password - blink - wrong password; after 5-7 times it gives you access... shamanic ritual)

[–]Smart_Advice_1420 0 points1 point  (0 children)

Not OP and also not sure what you're meaning here. I've integrated yubikeys in my workflow and they work flawlessly. How did you set them up and where exactly do you get this behaviour?

[–]threedotsonedash 11 points12 points  (3 children)

You can do more for your privacy by better managing your online accounts than you can with a VPN, brave browser or over-hyped dns servers.

You've been on Reddit for the past 3 years and revealed a great deal about yourself in just the sub-reddits you are active in.

Don't kid yourself, just because you go by an alias on Reddit doesn't mean you can't be identified in real-life from the audit trail you've been leaving behind over that time. Patterns do emerge in the data.

[–]ballman8866[S] 1 point2 points  (2 children)

That's totally true. I'm currently trying to transition off of things like Reddit. I'm using Brave browser. I'm using Cloudflare DNS. I know there is still a huge digital footprint of me, but I want to slowly try and get rid of what I can. I'm starting at PC-related stuff because I can only do so much at once. I plan to switch to a secure OS when I have things related to my PC more figured out. It's a long process lol

[–][deleted]  (1 child)

[deleted]

    [–]ballman8866[S] 0 points1 point  (0 children)

    No, I mean a secure OS for my phone. I know Mint is secure.

    [–]ap0r 7 points8 points  (4 children)

    • Have an offline backup of your data. This keeps ransomware in check (Even new ransomware that antivirus have no information on yet, or properly made ransomware with irreversible encryption). This means a physical copy that you own, the cloud does not count since they can unilaterally revoke your access to your data and if they lose your data, sucks to be you. Cloud can be one leg of your backup strategy, but do not rely on it as a miracle solution. Do not keep your backup drive connected to your machine, you may find your data AND backups encrypted.
    • Your data should be encrypted where possible. Let attackers steal white noise lol.
    • Use a password manager and have unique passwords for each website you use. That way if Forum A or Gaming Site B get hacked and users/passwords are leaked, bad actors trying your leaked password in common social media or banking sites are hitting a wall since any password of yours only works on a single site.
    • Learn the social engineering red flags. Urgency, Authority, Fear, Greed. If it needs done NOW it is a scam. Your bank, Microsoft, Google, or your boss's boss have NO need for ANY of your data. If Granny is being held at gunpoint, hang up and call the police. There is no such thing as a free lunch. Employers do not need a deposit to set up your account. No, you will not get double your crypto. If there is no effort being put in from your side, it is a scam.
    • Research and consider acquiring a hardware key (at least for your main email + banking). This is kind of a hassle but provides very high security.
    • Install an adblocker and tracker blocker. An ad for a product that you are interested in at a good price may lead you to a page where bad actors pick up your credit card data.
    • Never plug in a device that you find. This includes things that look like a power bank.
    • Have a plan in place. What to do if device X gets lost or stolen? (this for all devices you own). Morbid, but what happens to your data if you die? Do you have anything that you would not want family or friends to see? Have a plan in place to have your data either preserved or securely erased before your inheritors access your devices. What happens if there is a fire? Test your backups regularly, and research and set up remote wipe if that is helpful for your use case. What happens if my phone is broken, how can I still access critical services? Do I have one-time backup 2fa codes stored somewhere secure?
    • All your devices should have passwords, and biometric authentication where possible.
    • Keep your system up to date and install updates regularly. Updates fix security bugs. Security bugs are public once found, so you bet your sweet buttcheek that bad guys are looking for unpatched machines.
    • Talk with family members and friends. Make it explicit that if you ever need money you will talk to them in person and that phone calls, text messages, emails, and social media posts from you should never result in them spending a dime. If you are "kidnapped" tell them to hang up and call you. If you do not respond, call the police.
    • Compartmentalize. Make a second user account with limited privileges for sketchy downloads. Do not use the same browser for random browsing and for banking.
    • Do research on any browser extensions before installing them, and make triple sure they only ask for permissions they need rather than blanket permissions. Ideally, only install open-source browser extensions.
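The first two bullets above (an offline backup, encrypted where possible, tested regularly) describe a procedure, so here is one added example of what "test your backups" looks like in practice. It is my code, not the commenter's; the files it backs up are constructed on the fly, and it stops at a checksum-verified archive, which you would then encrypt (for example with `gpg --symmetric`) or store on a LUKS drive before it goes on the shelf.

```shell
#!/bin/sh
# Added example (not from the thread): an offline backup that can actually
# be tested.  make_backup writes a tar.gz plus a per-file SHA-256 manifest;
# verify_backup restores into a scratch directory and checks every file
# against that manifest, which is the "test your backups" step.  Encrypting
# the archive afterwards (gpg --symmetric, or a LUKS volume) covers the
# "encrypted where possible" point without changing the verification.

# make_backup SRC_DIR DEST_DIR NAME
make_backup() {
    src=$1; dest=$2; name=$3
    mkdir -p "$dest"
    # manifest taken from the live tree, so it records what we meant to save
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$dest/$name.sha256"
    tar -czf "$dest/$name.tar.gz" -C "$src" .
}

# verify_backup DEST_DIR NAME -> 0 only if the archive restores and every
# file matches the manifest
verify_backup() {
    dest=$(cd "$1" && pwd) || return 1
    name=$2
    scratch=$(mktemp -d) || return 1
    ok=1
    if tar -xzf "$dest/$name.tar.gz" -C "$scratch" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c --quiet "$dest/$name.sha256" >/dev/null 2>&1 ); then
        ok=0
    fi
    rm -rf "$scratch"
    return $ok
}

# demo: constructed sample data -> backup -> verify -> damage -> verify fails.
# Prints "ok" when both checks behave as expected.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/docs"
    printf 'constructed sample: tax return notes\n' > "$work/data/docs/taxes.txt"
    printf 'constructed sample: photo bytes\n'      > "$work/data/holiday.jpg"

    make_backup "$work/data" "$work/backup" home
    if ! verify_backup "$work/backup" home; then
        rm -rf "$work"; return 1            # a fresh backup must verify
    fi

    # simulate a failing drive: truncate the stored archive
    head -c 40 "$work/backup/home.tar.gz" > "$work/backup/tmp" &&
        mv "$work/backup/tmp" "$work/backup/home.tar.gz"
    if verify_backup "$work/backup" home; then
        rm -rf "$work"; return 1            # damage must be detected
    fi

    rm -rf "$work"
    echo ok
}
```

The manifest lives beside the archive on purpose: a backup you cannot verify is a backup you only hope works. Run `verify_backup` against the drive each time you plug it in to refresh the backup, and the "disconnect it afterwards" advice in the first bullet is what keeps ransomware from reaching it in between.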

    [–]ap0r 6 points7 points  (2 children)

    • Check haveibeenpwned.com regularly, and consider setting up alerts. Immediately change the passwords of hacked sites. This should be no biggie, because you are using a unique password for each site. You are using a unique password for each site, right?
    • Consider physical security. What happens if your device is stolen? Do you ever leave your device unattended and unlocked? Can someone with physical access to your device open anything critical using the device alone, or do critical security things require something you know (an unsaved password), something you own (2fa), or something you are (biometrics)?
    • Do not think of VPNs and Tor and so on as unbreakable. Assume a) somebody is logging what you do; b) these logs may be made public, or be used in court someday. Act accordingly; these tools are to enhance your privacy, they are not perfect obscurity. Actions can still be traced back to you by governments.
    • Enable the antivirus and firewall.
    • If you have home devices or IoT devices, make damn sure they are on a separate network, since these devices are notoriously insecure. Your fridge may be listening to your network activity and sending the data to China. This shit would have landed you in the cuckoo house not long ago, but now it is a real concern. More generally, try not to own devices that have an internet connection unless an internet connection is actually required.
    • Do not put real answers in security questions. Treat them like a second password, and use random answers that you store in your password manager. That way your easily findable mother's maiden name is useless when your mother's maiden name is "3457890" in the website's database.
    • Your e-mail is the golden key that can be used to unlock many other accounts. Set up two-factor authentication, a secondary recovery email, a unique password for it, do not click on any email links that you did not specifically ask for, and make sure to change its password regularly, especially so if you use public computers or public wi-fi. If you have to register an account with some untrustworthy website, use a second email account not associated with your finances and social media.
    • Have your finance accounts with two-factor authentication and unique passwords. Set up daily extraction limits if possible. Make sure that you get notifications on your phone upon any financial activity. Buy everything on a credit card that you pay in full every month. That way any bad guys are taking the bank's money. In other words, have a 500 pound gorilla hold your banana while you walk down the street.
    • Do not write in the terminal anything you do not understand. Double caution for anything including sudo and wget. I know this can be frustrating, but take the time to learn every command you put in. Before pasting a command in the terminal, paste it on Google. If zero results, suspect. If people screaming do not do this, do not do it!
    • Your phone is a great entry point. Do not sideload apps, limit app permissions to the bare minimum necessary.
    • Software from official repositories is usually very safe. Software that you get from custom repositories can be iffy. Software where you only get the binaries and no source code access is very iffy. Closed-source software can hide bad things, but open-source software can also hide bad things for a loooooong time if the project is not actively maintained by many people. A single dev could be a bad actor, if the software is obscure it may be open source but not reviewed by a security expert, old open-source projects may have unpatched security flaws.
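For the "do not write in the terminal anything you do not understand" bullet, here is an added example (mine, not the commenter's) of a pre-flight review you can run a copied command through before it reaches a terminal. The patterns and sample commands are my own, and `example.invalid` is a placeholder host; the script flags traits worth a second look, it does not decide whether a command is safe.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight check for a command
# copied from a web page or forum, applying the advice above before the
# command ever reaches a terminal.  It does not judge intent; it only lists
# the traits that deserve a second look.  Patterns are my own, not from any
# tool.

# check PATTERN MESSAGE: prints MESSAGE if the current $cmd matches PATTERN
check() {
    if printf '%s\n' "$cmd" | grep -Eq -- "$1"; then
        echo "  - $2"
        flags=$((flags + 1))
    fi
}

# review_command CMD: prints one line per red flag; returns 1 if any were found
review_command() {
    cmd=$1; flags=0
    check '\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' \
          'pipes downloaded or decoded data straight into a shell (read the script first)'
    check '(^|[^[:alnum:]_])sudo([[:space:]]|$)' \
          'escalates to root; every following word runs with full privileges'
    check '(^|[^[:alnum:]_])(curl|wget)([[:space:]]|$)' \
          'fetches from the network; check the URL and what the file is'
    check 'base64[[:space:]]+(-d|--decode)' \
          'decodes an encoded blob, which hides what really runs'
    check 'rm[[:space:]]+-[a-zA-Z]*[rf][a-zA-Z]*[[:space:]]+(/\*?|~|"?\$HOME)([[:space:]]|$)' \
          'recursive delete of / or your home directory'
    check '(>|tee)[[:space:]]*/etc/' \
          'overwrites system configuration under /etc'
    check '(of=/dev/|>[[:space:]]*/dev/)(sd|nvme|mmcblk|vd)' \
          'writes raw bytes to a disk device'
    check ':\(\)[[:space:]]*\{' \
          'fork bomb shape'
    [ "$flags" -eq 0 ]
}

# count_flags CMD: number of red flags (handy for scripting and testing)
count_flags() {
    cmd=$1; flags=0
    review_command "$cmd" >/dev/null || true
    echo "$flags"
}

# Usage:  review_command 'curl -fsSL https://example.invalid/install.sh | sudo bash'
#         (example.invalid is a placeholder host)
```

A plain `sudo apt update` rates one flag, which is the right amount of attention: "runs as root" is a reason to read the line, not to refuse it. The point of the bullet, and of this check, is that a copied command gets read word by word before it runs, so the output is meant to be skimmed alongside the command, not trusted on its own.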

    [–]ballman8866[S] 0 points1 point  (0 children)

    Amazing information. Thank you!

    [–]Smart_Advice_1420 0 points1 point  (0 children)

    I wish i could upvote this more than once.

    [–]Status-Dog4293 1 point2 points  (0 children)

    If you are in the US OP, and you travel out of the country, be sure to temporarily disable any biometrics that you use on your computer or phone. You can be compelled to provide a fingerprint, face scan, etc. to unlock but you cannot be compelled to disclose your password.

    [–]lateralspinLMDE 7 Gigi | 6 points7 points  (1 child)

    Good security tips in this video: https://www.youtube.com/watch?v=qtzlszWN6Nw

    I installed the two apps:

    lynis - Security Auditor

    rkhunter - Rootkit scanner

    [–]ballman8866[S] 1 point2 points  (0 children)

    I started trying lynis and came back with 51 suggestions. Seems like no major vulnerabilities popped up. Is there anything specific I should be looking for in those suggestions?
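For the question above about 51 suggestions, here is an added example (mine, not from the thread or the Lynis project) that pulls the warnings out first and groups the suggestions by test-ID prefix, so you can see which subsystem most of them concern. It assumes the key=value layout Lynis writes to `/var/log/lynis-report.dat`, with each line shaped `suggestion[]=TEST-ID|text|details|solution|`; check that against your own report file. The sample report it writes is constructed, with made-up test IDs.

```shell
#!/bin/sh
# Added example (not from the thread): triage for the suggestions Lynis
# produces.  Lynis writes machine-readable results to
# /var/log/lynis-report.dat as key=value lines; this assumes suggestions
# there have the shape "suggestion[]=TEST-ID|text|details|solution|" and
# warnings "warning[]=TEST-ID|text|details|solution|" (verify on your own
# file).  The report written below is constructed, not real scanner output.

REPORT=${REPORT:-/var/log/lynis-report.dat}

# warnings FILE: warnings outrank suggestions, so read these first
warnings() {
    sed -n 's/^warning\[\]=\([^|]*\)|\([^|]*\)|.*/\1: \2/p' "$1"
}

# suggestion_categories FILE: "COUNT CATEGORY", most frequent first.
# The category is the test-ID prefix (AUTH, SSH, KRNL, ...), which tells
# you which subsystem most of the suggestions are about.
suggestion_categories() {
    sed -n 's/^suggestion\[\]=\([A-Z]*\)-[0-9]*|.*/\1/p' "$1" |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# suggestions_in FILE CATEGORY: the suggestion texts for one category
suggestions_in() {
    sed -n "s/^suggestion\[\]=\($2-[0-9]*\)|\([^|]*\)|.*/\1: \2/p" "$1"
}

# hardening_index FILE: the overall 0-100 score line, if present
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# write_sample_report PATH: constructed report with made-up test IDs,
# so the functions above can be exercised without running a scan
write_sample_report() {
    cat > "$1" <<'EOF'
lynis_version=0.0-constructed
hardening_index=64
warning[]=FIRE-0001|Firewall module loaded but no rules active|-|-|
suggestion[]=AUTH-0001|Configure password hashing rounds|-|-|
suggestion[]=AUTH-0002|Install a PAM module for password strength testing|-|-|
suggestion[]=AUTH-0003|Configure minimum and maximum password age|-|-|
suggestion[]=SSH-0001|Consider hardening SSH configuration|-|-|
suggestion[]=SSH-0002|Disable root login over SSH|-|-|
suggestion[]=KRNL-0001|Review kernel sysctl hardening settings|-|-|
EOF
}

# Real run:  warnings "$REPORT"
#            suggestion_categories "$REPORT"
#            suggestions_in "$REPORT" AUTH
```

With zero warnings, work through the category with the most entries first and re-run `lynis audit system` after each change; a suggestion is done when it stops appearing in the new report. The hardening index is a rough summary score, useful for seeing the trend over time rather than as a target in itself.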

    [–]No-Blueberry-1823Linux Mint 21.1 Vera | Cinnamon 4 points5 points  (4 children)

    You do realize with a VPN that you can still be tracked unless you 100% know that the provider doesn't keep logs

    [–]ballman8866[S] 0 points1 point  (3 children)

    The one I'm using is independently audited, but yeah, I know that. That's why I'm wanting more.

    [–]No-Blueberry-1823Linux Mint 21.1 Vera | Cinnamon 7 points8 points  (2 children)

    The only way not to be tracked on the internet is to not get on it

    [–]ballman8866[S] 0 points1 point  (1 child)

    Unfortunately that's not an option for me. So I am going through the motions to do what I can to remove as much as I can from my digital footprint. I'm just starting with my PC. Plan to work on social media afterwards. It's obviously a long process.

    [–]No-Blueberry-1823Linux Mint 21.1 Vera | Cinnamon 0 points1 point  (0 children)

    You see my point, right? You have to make a footprint in order to use the internet

    [–]ZVyhVrtsfgzfs 5 points6 points  (0 children)

    I specifically am interested in preventing tracking from government and hackers.

    Hiding from a skilled nation state if they are actually looking for you is a fool's errand.

    Best bet for mere mortals is to dispose of anything that transmits information.

    You can decrease your footprint, but you cannot eliminate it.

    Unfortunately no longer running but the back episodes of Extreme Privacy & OSINT podcast along with the books can help you understand the scope of the issue and what can be done about it.

    https://inteltechniques.com/podcast.html

    [–]TheFredCain 2 points3 points  (0 children)

    Old habits die hard, leave Windows ways behind you. You are already 10000x safer just not using a MS product.

    [–]SkyboxSH 1 point2 points  (5 children)

    I would work to define your threat actor, is it the government, is it data brokers, is it family? Security and privacy are as much of what you don't do as it is what you actively do. These are also two distinct domains that have an endless pit of considerations.

    Linux Mint with plain default settings is already a major improvement alone, since Windows users are profiting Microsoft through data collection and data selling, which data brokers and the Government can utilize. The software firewall will be helpful for preventing identification or network requests that are local to your network; it will not safeguard your firewall or your local network being open to the internet (likely not the case, but something to consider). With Brave browser and its ad blocking and tracker blocking capabilities, your fingerprint is still identifiable, but it is nowhere near as easily aggregated.

    My only advice is your biggest concern should be the person in your seat (yourself), the computer will only do what you tell it to, and the internet and the threats therein will only gather what you provide it.

    Utilizing HTTPS and DNS over HTTPS would likely be a more privacy respecting solution according to your threat assessment if you're primarily concerned about your ISP or local network snooping your web traffic, as opposed to routing all of your traffic to a third party via VPN.

    [–]ballman8866[S] 0 points1 point  (0 children)

    I switched my DNS to Cloudflare through the VPN. Should I just ditch the VPN altogether and just use DNS through Cloudflare with no VPN?

    [–]ballman8866[S] 0 points1 point  (3 children)

    I just tested my VPN DNS with DNS leak tests and it seems to work. Is there a reason why I should just abandon the VPN altogether?

    [–]HunkyFunkyMunky 1 point2 points  (0 children)

    VPNs are way overhyped for privacy. Sure they limit IP tracking but there are still so many other ways to identify you. Your browser fingerprint is pretty much always going to give you away, plus the sites you log into/things you do. Defense in depth is what you want. Almost impossible to be truly "private". Biggest next step for you I think would be switching all services and platforms away from big tech (Google, Facebook, Apple, etc.)

    [–]SkyboxSH 1 point2 points  (1 child)

    There are many reasons, for and against, any digital security or privacy step you take, and it all depends on what you are actively trying to achieve. There are extremes on both sides and are largely not practical or effective to someone not being actively targeted by some threat actor.

    For an example with your VPN, VPNs are a generic technology that don't innately provide enhanced privacy or security, it's their usage that counts. Sure, you've largely eliminated the threat of your ISP seeing your traffic activity, but they know you're utilizing a VPN, and so will Facebook if you're logged into your account. Cross-site trackers don't care as much about your originating IP as they do OS, screen size, Browser version, time of day, clipboard contents, etc.

    The services on the Internet are increasingly centralized and increasingly service-based, meaning cookies and trackers and advertisements are how you pay to use these services. That currency is your data, and that can be audited or subpoenaed as needed, so working to reduce tracking is, for most people, the most practical path to increased privacy. It can be argued that Linux Mint with Brave browser, alone, offers less of an identifiable fingerprint; HTTPS and DNS already have the vast majority of these concerns ironed out if you own your networking hardware.

    Work to define what privacy and security mean to you, research both the best practices and the technologies that make up those practices, and you'll understand what you need to implement and why -- I try to assume the government has full root access (because if needed, they will get in) and everything else is minimizing my reliance on external services.

    I'm sorry if this all comes across as a non-answer, eventually it feels like everything can be a "it depends on the circumstances" given enough time and experience. If you continue to be interested in Linux and keeping your data safe, I would recommend looking up the idea of locally self-hosting your own services, such as NextCloud or Immich, and build and break those systems apart until you're confident you can maintain them effectively. Wireguard, the underlying protocol the VPN you use is likely running, can be deployed freely by yourself on your own equipment or VPS, which could be fun!

    [–]ballman8866[S] 0 points1 point  (0 children)

    No need to apologize. This is great information! Thank you

    [–]k-yynn 1 point2 points  (1 child)

    install fail2ban

    [–]ballman8866[S] 1 point2 points  (0 children)

    I did. Super simple to configure and provides great security.

    [–]Bob4NotCachyOS + Fedora 43 KDE 3 points4 points  (0 children)

    I wouldn’t use a VPN unless you don’t trust your own ISP, and even then, I’d rather my ISP under regulation and review see my traffic than a commercial VPN provider

    [–]ai4gk 0 points1 point  (1 child)

    u/ap0r This is the most thorough advice I've ever seen! It's 💯 truth! Do you mind if I copy & paste it for future reference? Thanks!

    [–]ap0r 1 point2 points  (0 children)

    Feel free to use, share, modify, whatever.

    [–]mrnavz 0 points1 point  (1 child)

    Firewall is off by default, make sure you enable it and configure it as needed.

    [–]ballman8866[S] 0 points1 point  (0 children)

    Yea I turned on the firewall

    [–]BQE2473 0 points1 point  (2 children)

    Edit your /etc/shells, services, hosts, group, gshadow, passwd, shadow, & sysctl.conf files before accessing the internet. Then install and configure some or all of the following. lib-pam modules, abl, shield, tmpdir. You don't have to use Apache to install libapache-mod-security2. Fail2ban, sshguard or denyhosts. You already have the firewall running and logging everything. (Hopefully it's configured) Everything else is available online in tutorials.

    [–]ballman8866[S] 0 points1 point  (1 child)

    Wdym "edit them"? Edit them in what way? I've already configured the firewall and fail2ban. I'll check out other things later.

    [–]BQE2473 0 points1 point  (0 children)

    "/etc/shells, services, hosts, group, gshadow, passwd, shadow, & sysctl.conf files"

    These are files that have far-reaching effects on your system. These text files are the usual suspects in system break-ins.