Advanced Security Linux Mint Xfce laptop setup

Last updated
Feb 4, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint Zara
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link triband with IPv6 disabled and all security features enabled (TP-link home care, SPI-firewall, IP-MAC binding). E-mail log message level is set to critical.
Real-time security
Using Linux sandboxing: AppArmor for print, Firejail for accessories and Flatpak for applications. Added OpenSnitch outbound application firewall to complement inbound GuFW.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
Running standard user and sticking to official repos and verified publishers. Added only a few hardening tweaks (removed execution rights from txt files, only allow admin to view logs/debug/etc, enabled ASLR system wide, set minimum TLS, disabled P2P). Enabled additional firejail profiles with firecfg and stripped flatpak permissions with flatseal.
Periodic malware scanners
None, using VirusTotal when downloading something.
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Brave with all built-in Ad Shield disabled using two profiles. My work profile has default website permissions and Microsoft Defender Browser Protection as only extension. The (default) surfing profile has most website permissions on block and AdGuard advertising and Kees1958 anti-tracking filters enabled with extra rules to enhance security (TLD firewall).
Secure DNS
  1. NextDNS in the Router with OISD plus telemetry blocklists enabled (for IoT devices) and limited the Top Level Domain scope (by manually blocking them one by one).
  2. We use Quad9 as default DNS for our Laptops and Smartphone (to bypass TLD scope limitations of router) because Quad9 is set & forget and good at malware blocking.
  3. In the browser (DOH) we use Cloudflare Zero Trust free plan with firewall policies and a personalized custom block page.
Desktop VPN
None, because my ISP uses dynamic IP allocation and I use my own router so our IP and IP location are changed regularly :-).
Password manager
Built-in
Maintenance tools
None
File and Photo backup
FreeFileSync
Subscriptions
    • None
System recovery
TimeShift
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 laptop with 1 TB SSD and 16GB RAM
Notable changes
Keeping my setup as simple as possible. The only extras I have are themes (for LibreOffice, Thunderbird and Brave).
  • 2025-12-04 Replaced DOH in browser (ControlD free with AppGuard DNS filter) with OS default (Quad9) because of website breakage
  • 2025-12-26 Tried Cloudflare Zero trust free plan in browser (DOH) using security and content categories as DNS firewall policies.
  • 2026-01-08 Finalized Cloudflare Zero Trust setup by adding geo based (resolved IP) policies (and a custom blockpage)
  • 2026-01-16 Finalized extension & filter tweaking (see post)
  • 2026-02-04 Added Microsoft Browsing Protection to work profile
What I'm looking for?

Looking for minimum feedback.

Followed this thread to make Linux look like Windows (with some small changes because I am not using Cinnamon but Xfce desktop and can change Linux Mint logo to Windows :-) ) https://forums.linuxmint.com/viewtopic.php?p=2635179&hilit=Windows#p2635179
Nice, that’s a fun approach, especially on Xfce where you can tweak almost everything without too much overhead.

If you want to push the “looks like Windows” setup on Xfce even further, here are a few ideas (in case you haven’t already done them):

1. Panel layout (Taskbar-style)
  • Move the main panel to the bottom.
  • Set panel Mode to Horizontal and Lock panel after you’re done.
  • Use the Window Buttons plugin for a taskbar feel.
  • Add:
    • Whisker Menu (as a Start menu replacement) with a Windows logo icon.
    • Notification Area + Clock + Show Desktop button.

2. Whisker Menu = Start Menu
  • Right-click Whisker Menu → Properties.
  • Change the icon to your Windows logo image.
  • Switch to a single-column layout (if you prefer something closer to Windows 7/10 style).
  • Pin favourite apps so they show on top, similar to “Pinned” in Windows.

3. Theme & Icons
  • Use a flat/light theme to mimic Windows 10/11 (for example: Adwaita, Mint-Y, or any Windows-like theme from the repos).
  • Install a Windows-like icon pack (if you can find one in the repos or from a trusted source).
  • Set the window buttons layout to Close / Maximize / Minimize on the right for a more authentic look:
    • Settings → Window Manager → Button layout.

4. Login screen & wallpapers
  • Set a Windows-style wallpaper (classic blue, or Win10/11 style).
  • If you’re using LightDM, you can also set a matching login background, though that’s a bit more niche.

5. Optional extras
  • File manager: tweak Thunar to show Places similar to Windows Explorer (Home, Documents, Downloads, etc.).
  • Fonts: using something like Segoe UI-style fonts (or similar) can make the illusion stronger.

If you share which Linux Mint + Xfce version you’re on and exactly what you’ve already customized, I can suggest more specific tweaks (for example, panel config, themes, or where to get a good Windows icon set that plays nicely with Mint).
 
@Bot I already did that (literally posted "I am not using Cinnamon but Xfce desktop and can change Linux Mint logo to Windows") :-)

Using Linux Mint Zara with latest Xfce desktop. The only thing I would like (using Mint-L-Agua style with Mint-Y-Sand icons), is to change the active window of Thunar to blueish instead of grey.
 
Very good config. I have used most of your security controls. I just moved from Qubes to Fedora because I can SELinux semanage and confine the user to the user_r role. Which is a bit better than just plain standard user. And, I can mandate Yubikey use for sudo. Firejail does not work if you have confined the account to user_r; it complains about double 'confinement'. I kinda miss the virtualization protection of my non-networked Work cube. But I plan to add VirtualBox as replacement.

I haven't tried TimeShift before. How is that?
 
Qubes and partitioned application environments are a bit over my head. TimeShift works great and is very easy to use. The only thing non-tech-savvy users like me have to figure out is to store the TimeShift backup on a different partition (because creating and managing partitions at Linux install is a bit more complicated than in Windows).
 
Qubes virtualization is pretty simple to use. All you have to remember is that each virtual cube has its own colored frame. The beauty is that one cube cannot affect another. So if you do office work in one cube, you can browse freely on another one; and there will be no cross infection. Infostealers can steal your cookies, but they won't be able to steal your work documents and spreadsheets because they reside in another cube. And if you remember to set up MFA for every web service and sign out of Google accounts when done, there is not much that infostealers can do.

I will have to set up TimeShift to try it out.
 
The downside of Linux Mint (which also is an advantage) is that it is a lot of versions behind (now on Linux kernel 6.8 while 6.14 is out). This lagging behind also reduces the risk of exploits and increases stability a lot.
Are you sure about this?
Linux Mint's kernel now should be 6.14.0 on your system.
 
What version of Linux Mint are you using really? Because Linux Mint is based on Ubuntu LTS and 6.12 is the latest LTS kernel at the moment which is used by both Ubuntu LTS and Linux Mint. 6.8 was never an LTS kernel. So, something is not right on your Mint. You should check what's going on.
Nothing wrong (upgraded from 22.1)
Linux Mint 22.2 "Zara" ships with the Linux kernel 6.14 as the default for new installations, which is part of the HardWare Enablement (HWE) stack designed to support newer hardware, including recent AMD processors and improved power efficiency through dynamic P-State management. However, users upgrading from Linux Mint 22.1 or earlier will continue to use the LTS kernel 6.8.0-79 by default, as the upgrade path does not automatically switch to the newer HWE kernel to maintain stability on existing hardware. This decision is intentional, as the 6.8 kernel is supported until April 2029, while the 6.14 HWE kernel is only supported until February 2026.
 
I see. I forgot that Ubuntu doesn't necessarily follow the same LTS versioning of the original unmodified kernel like most other non-Ubuntu based distros. The default Kernel 6.8 reached EOL on May 30, 2024, while Ubuntu's 6.8 is still supported.
 
I made a TimeShift snapshot and installed the latest 6.14 to give it a spin. Does not feel faster than 6.8.
 
I don't think relying on Ubuntu's security is safe for an EOL'd kernel. They may support it, patching it and things, but without wider community support they are handicapped. It doesn't matter if it doesn't feel 'faster'.
 
Thanks @Victor M
I understand that it is not safe to use an EOL kernel, but it looks like the 6.8 kernel is supported until April 2029, or am I misunderstanding something?

I asked AI and it said it was okay to use
@LEO AI said:
The 6.8 kernel is safe to use in Linux Mint 22.2, especially if your hardware is fully supported and your system is functioning correctly. The 6.8 kernel is a Long-Term Support (LTS) series, supported until April 2029, which makes it a stable and reliable choice for older hardware. If your current setup works well, there is no compelling reason to upgrade
In the Linux Mint forum a forum veteran (with a website on Linux Mint tips) explained that using an older (supported) kernel makes you less vulnerable to exploits (that is why I mentioned that the disadvantage also is an advantage).
 
Small change: I started getting "website not secure" messages a lot when I typed in a domain name in the taskbar of my browser. When I refreshed the browser, the website would appear but that started to get annoying. I tried changing from ControlD free to Quad9 and the problem disappeared.

Because Quad9 does not offer ad/tracking blocking like ControlD-free-with-OISD does, I replaced Avira with uBol with only Peter Lowe's list enabled and adding (currently) 23 cosmetic rules and 20 DNR rules (running uBol in basic mode). The cosmetic and DNR rules are all website specific, this means that I only have to disable Peter Lowe's list when I am doing work from home. In my surfing profile I have Brave shields in aggressive mode (no extensions in that profile).
 
If you use a DNR rule like this:


Code:
action:
  type: block
condition:
  domainType: thirdParty
  resourceTypes:
    - websocket
    - webtransport
---


, be aware that it prevents searching on certain websites.
 
@Sampei.Nihira

No, my DNR rules are just for adblocking, cookie consent and two paywalls and are all website specific, not so advanced as you made (I just discovered that uBol automatically translates ABP rules to DNR) and I installed uBol after changing to Quad9 (ControlD suddenly gave those connection errors, I used it for nearly a year without any issues).

action:
  type: block
condition:
  urlFilter: ||bbc.com/ngas/latest/dotcom-ads.js^
  initiatorDomains:
    - bbc.com
 
Yes, if I understand correctly, you mean importing cosmetic rules, for example from uBo, but obviously they must only be cosmetic filters.

It's the same as creating a new cosmetic filter.
 
Yes, but my experience is that it skips static rules like ||example.org$script and only used the cosmetic rules.
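
The two DNR rules posted earlier in this thread, run through a small matcher over constructed requests (an added example, not code from any poster or from uBOL). It shows how the unscoped third-party websocket rule also catches a site feature such as search when that feature talks to a backend on another domain, while the bbc.com rule only fires for its one script and initiator. The `.example` hostnames, the function names and the shortcut of treating the last two host labels as the site are assumptions.

```javascript
// Added example: evaluates the two DNR rule shapes quoted in the thread.
// Assumption: "site" = last two host labels (browsers use the Public Suffix List).
const site = (host) => host.split('.').slice(-2).join('.');
const SEP = '(?:[^A-Za-z0-9_.%-]|$)'; // "^": separator character or end of URL

// Supports only the "||" domain anchor and "^" separator used in the bbc.com rule.
function urlFilterToRegExp(filter) {
  const anchored = filter.startsWith('||');
  const body = (anchored ? filter.slice(2) : filter)
    .replace(/[.*+?${}()|[\]\\\/]/g, '\\$&') // escape regex metacharacters, keep "^"
    .replace(/\^/g, () => SEP);
  return new RegExp((anchored ? '^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?' : '') + body);
}

const RULES = [
  { id: 1, action: 'block',
    condition: { domainType: 'thirdParty', resourceTypes: ['websocket', 'webtransport'] } },
  { id: 2, action: 'block',
    condition: { urlFilter: '||bbc.com/ngas/latest/dotcom-ads.js^', initiatorDomains: ['bbc.com'] } },
];

// A rule matches only if every condition it specifies holds for the request.
function matches(cond, req) {
  const host = new URL(req.url).hostname;
  const initiator = new URL(req.initiator).hostname;
  if (cond.resourceTypes && !cond.resourceTypes.includes(req.type)) return false;
  if (cond.domainType === 'thirdParty' && site(host) === site(initiator)) return false;
  if (cond.initiatorDomains &&
      !cond.initiatorDomains.some((d) => initiator === d || initiator.endsWith('.' + d))) return false;
  if (cond.urlFilter && !urlFilterToRegExp(cond.urlFilter).test(req.url)) return false;
  return true;
}

const blockedBy = (req) => RULES.filter((r) => matches(r.condition, req)).map((r) => r.id);

// Constructed requests; every hostname except bbc.com is a placeholder.
const SAMPLES = [
  { type: 'websocket', initiator: 'https://shop.example', url: 'wss://search.vendor.example/q' },
  { type: 'websocket', initiator: 'https://www.shop.example', url: 'wss://ws.shop.example/live' },
  { type: 'script', initiator: 'https://www.bbc.com', url: 'https://www.bbc.com/ngas/latest/dotcom-ads.js' },
  { type: 'script', initiator: 'https://news.example', url: 'https://www.bbc.com/ngas/latest/dotcom-ads.js' },
  { type: 'script', initiator: 'https://www.bbc.com', url: 'https://www.bbc.com/ngas/latest/dotcom-ads.json' },
];
for (const r of SAMPLES) console.log(r.type, r.url, 'blocked by rules', blockedBy(r));
```

Scoping the websocket rule with `initiatorDomains`, as the bbc.com rule does, limits the breakage to the sites where the block is actually wanted.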