Advanced Security Lenny's Security Config 2024

Last updated
Apr 28, 2024
How it's used?
For home and private use
Operating system
Linux
Other operating system
Linux Mint cinnamon
On-device encryption
N/A
Log-in security
    • Basic account password (insecure)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
Off
Network firewall
Enabled
About WiFi router
We have a tri-band router at home. One 5 GHz channel for me and one 5 GHz for my wife. All IoT devices and smartphones are on the Guest network of 2.4 GHz (the 2.4 GHz band itself is not used) with a short lease time (12 hours). It is a setup idea I copied from a member on MT. It actually works very well for us. In all rooms of our apartment we achieve maximum ISP contract Wi-Fi speeds (up/down) with this 'each has its own channel' setup. This setup also has some security benefits (the 2.4 GHz network is partitioned and the 5 GHz networks have MAC-IP binding). Our router is supposed to have stateful packet inspection on top of the NAT firewall and checks for clients using outdated, vulnerable protocols (and blocks them).
Real-time security
None :eek: (running standard user) using only passive protection:
  1. NextDNS setup in resolved.conf
  2. Thunderbird
    a) Emails are scanned by ISP
    b) WarnAttachment (add-on)
  3. Brave:
    a) Google safe browsing
    b) VT4Browsers (extension)
Firewall security
Built-in Firewall for Mac/Linux
About custom security
  1. Using flatpaks for user applications (browser, mail, office, media player, image editor) with built-in bubblewrap sandbox
  2. Stripped rights from flatpaks using Flatseal and user applications have only read access to my data partition.
  3. Printing service is allowed in user applications, because it is running with AppArmor profile enabled.
Periodic malware scanners
None. If you know a browser-based scanner, please let me know.
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None, do not participate
Browser(s) and extensions
Brave as only browser with hardened site permissions and V8 JIT only allowed on trusted top-level domains, using Brave's adblock filter plus Kees1958 Mv2 most used filter and some 30 custom rules. Added three extensions: DarkReader in automatic mode, VT4Browsers in ask mode and using NoScript for fun just to check effectiveness of Brave (link)
Secure DNS
NextDNS free account with all security enabled, but without ad/privacy blocklists.

Desktop VPN
Free Windscribe (only on holiday or on hotspots for sensitive tasks).
Password manager
Linux built-in keys/password manager
Maintenance tools
None
File and Photo backup
Free FileSync (database disabled) to external USB HD and we are using an extra Gmail account to send important documents to (e.g. insurance, mortgage, testament, work contracts etc.)
Active subscriptions
    • None
System recovery
TimeShift with snapshots stored on a separate partition (so I can always restore using Live USB-iso)
Risk factors
    • Browsing to popular websites
    • Working from home
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Laptop with Ryzen 7 5700U, 16 GB RAM and 1 TB M.2 SSD
Notable changes
28-04-2024 - New chapter, moved to Linux Mint (going in MT rehab)
What I'm looking for?

Looking for maximum feedback.
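
Added example, not part of the original post: a small audit of the "read-only access to my data partition" setup described under custom security, which parses a Flatpak override file (the keyfile that Flatseal writes) and lists any filesystem grant that still allows writing. The sample override contents and the `/mnt/data` path are constructed assumptions.

```python
import configparser

# Constructed sample of a per-app override file, in the keyfile format that
# Flatseal writes under ~/.local/share/flatpak/overrides/<app-id>.
# /mnt/data stands in for the data partition; the path is an assumption.
SAMPLE_OVERRIDE = """\
[Context]
sockets=!x11;wayland;cups;
filesystems=!home;/mnt/data:ro;xdg-download;
"""

# Constructed sample where every remaining grant is read-only.
HARDENED_OVERRIDE = """\
[Context]
filesystems=!home;!host;/mnt/data:ro;xdg-download:ro;
"""

MODES = {"ro", "rw", "create"}


def filesystem_grants(override_text):
    """Parse [Context] filesystems= into (path, mode) pairs, skipping denials."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keyfile keys are case-sensitive
    parser.read_string(override_text)
    raw = parser.get("Context", "filesystems", fallback="")
    grants = []
    for entry in (e.strip() for e in raw.split(";")):
        if not entry or entry.startswith("!"):
            continue  # empty field, or "!path" which removes access
        path, sep, mode = entry.rpartition(":")
        if not sep or mode not in MODES:
            path, mode = entry, "rw"  # no suffix means read-write
        grants.append((path, mode))
    return grants


def writable_grants(override_text):
    """Return the paths an override leaves writable (mode rw or create)."""
    return [p for p, m in filesystem_grants(override_text) if m != "ro"]


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_OVERRIDE), ("hardened", HARDENED_OVERRIDE)):
        print(name, "writable:", writable_grants(text) or "none")
```

An override file only records changes relative to what the app declares itself; `flatpak info --show-permissions <app-id>` prints the app's own declared permissions for comparison.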

Agree, but some habits can be automated and enforced by tools. I have two Chrome profiles with two different DNS settings (with different security measures and limitations), which is similar to using my admin and standard user account. The good habit is to use the correct profile for the intended purpose (web surfing versus trusted sites). With technology the user is always part of the solution (with good habits) or part of the problem (ignorance or overconfidence), but no matter how good your driving skills or habits are, you are safer in a 5 star NCAP car than a 2 star NCAP car, you are safer with safety belt and airbag than only applying (the good habit of holding) the steering wheel firmly with two hands in the ten-to-two position.
Which level of awareness would you consider yourself as to how the operating system works? Now ask yourself the same awareness of the security tools you are using. Do you find yourself looking things up or asking questions to configure these tools? Do you know for a fact you are doing so properly based on your knowledge of the tool and operating system? Now consider an average user who has less "awareness" than you do. Do you really think they would fare well, when I'm betting you cannot claim you are completely competent with both the OS and tools?

It hinges more on the habits than it does the tools. It does not matter if they are running Windows default or a 3rd party suite if they lack habits and are happy-go-lucky clickers that just don't care. The seatbelt and airbag would all be pointless in a careless environment at high speeds.

Safer indeed.

I won't continue this and hijack your thread any more than we have, but there are plenty of convos on the forum concerning this.

LennyFox

The only program needing execution rights in user folders moved to a web service (y), so I tightened Software Restriction Policies to default deny.


LennyFox

Moved to Linux Mint permanently. Was annoyed that my new laptop on Windows 11 did not feel much faster than my old desktop on Linux Mint (with a CPU benchmark of 1/3 of my laptop). Laptop feels snappier now :) (y)

If someone knows a scanner which I can use on Linux or from a browser, please feel free to post. I know of ClamAV, but according to what I read ClamAV is intended for mail and my ISP already does mail scanning (in the past Ziggo checked emails with ClamAV and Avast, and now probably with Clam and F-Secure, because they are offering a rebranded F-Secure).