Advanced Security Linux Mint Cinnamon Wayland setup

Last updated
Jun 1, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint 22.3 Zena Cinnamon Wayland
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link triband with IPv6 disabled and all security features enabled (TP-link home care, SPI-firewall, IP-MAC binding). E-mail log message level is set to critical.
Real-time security
Sticking to trusted package sources and using Linux sandboxing (AppArmor, Firejail, Flatpak) to contain utilities, accessories and applications.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
  • Using only official package sources from verified publishers and de-installed all unused accessories and applications.
  • Mildly hardened Linux by disabling P2P, remote access, old TLS versions and enabling ASLR system wide.
  • Created additional Firejail profiles with firecfg and reduced Flatpak permissions with Flatseal.
  • Added OpenSnitch outbound application firewall to complement inbound Gufw.
  • Installed logcheck with e-mail warning for security alerts & events
  • Using Wayland (experimental) on Cinnamon desktop.
  • Enhanced browser security with flags.
Periodic malware scanners
When I receive files from others I scan them with VirusTotal. My half yearly data backups to external USB are scanned with Microsoft Defender :cool:
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Brave with two profiles, one for surfing and one for work. Privacy wise I have Brave shields disabled in my work and enabled in my surfing profile (only Ads, Kees1958 and custom rules). Security wise my surfing profile has most site permissions on block and Bitdefender Traffic Light while my work profile has website permission on default with NVT Browser lockdown limiting website access to a few trusted domains and file download to usual office documents.
Secure DNS
  1. NextDNS in the Router with OISD and telemetry blocklists enabled (for IOT devices), allowing only common TopLevelDomains to connect.
  2. We use Quad9 as default DNS (at OS-level) for our laptops and smartphones (to bypass router TLD firewall restrictions).
  3. Cloudflare Zero Trust Free plan (with malware protection) is used as DNS over HTTPS in the browser.
Desktop VPN
Proton VPN free for Linux on-demand (out of home). At home I have little use for VPN because our IP and IP location are changed regularly :-).
Password manager
Built-in (OS and Browser)
Maintenance tools
None
File and Photo backup
  • FreeFileSync quick on-demand backups to a partition on my internal SSD to which sandboxed utilities, desktop accessories and applications have no access.
  • The half yearly full backup saves to an external USB-SSD which is checked (afterwards) by Microsoft Defender on my wife's laptop (which has triple USB protection).
Subscriptions
    • None
System recovery
TimeShift (to another partition on 1 TB SSD)
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 (5700U) laptop with 1 TB SSD and 16GB RAM
Notable changes
Too many :)

After jumping back and forth, I finally decided for:
  • Changed from ControlD free to Cloudflare free ZT
  • Replaced 7-zip (unsandboxed) with PeaZip in Flatpak
  • Moved from LibreOffice in Flatpak to LibreOffice in Firejail
  • Moved from Thunderbird to Evolution (both in Flatpak sandbox)
  • Moved from Xfce desktop with X11 to Cinnamon desktop with Wayland
What I'm looking for?

Looking for maximum feedback.

@lokamoka820 and @Miravi

Flatpak 14.6.6 landed which has the vulnerabilities fixed according to AI. So went back to Flatpak except for Libre Office. Libre Office in Firejail does not have the large PowerPoint problem which makes Libre Office in Flatpak unusable for me. So went from Libre Office (Flatpak) to Only Office to Collabora Office to Libre Office (Firejail).

I moved to Firejail, because as far as I know Ubuntu favours Snaps instead of Flatpaks and it was a Flatpak problem. It was useful for one aspect, discovered how easy it is to create custom Firejail profiles.
 
Currently only 0.1 behind on Linux plus Flatpak compared to same laptop with Windows 11 + SAC + SRP + Defender
 
Flatpak 14.6.6 landed which has the vulnerabilities fixed according to AI.
Are you sure your Linux Mint system has the latest version? They haven't fixed the issue yet on Ubuntu. To check, run the following code in your terminal:

Code:
flatpak --version

Another way to check is to run the following code in your terminal and check the "Version" section:

Code:
$ apt show flatpak
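
Added example (not written by any poster in this thread): a small POSIX shell check that turns the two commands above into a comparison against a minimum version. `MIN_VERSION` and the function names are assumptions of this sketch, and the version numbers used to exercise it are constructed.

```shell
#!/bin/sh
# Compare the installed Flatpak version with a minimum you supply.
# MIN_VERSION is a placeholder: take the real value from the advisory you follow.

# "Flatpak 1.2.3" (the output shape of `flatpak --version`) -> "1.2.3"
parse_flatpak_version() {
    printf '%s\n' "$1" | awk '/^Flatpak /{print $2; exit}'
}

# Upstream version from the "Version:" field of `apt show flatpak`,
# with any epoch ("1:") and distro revision ("-1ubuntu0.1") stripped.
parse_apt_upstream_version() {
    printf '%s\n' "$1" | awk '/^Version: /{print $2; exit}' \
        | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# version_ge A B: succeeds when A >= B (GNU `sort -V` ordering,
# so 1.2.10 is correctly treated as newer than 1.2.3).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_flatpak MIN "OUTPUT OF flatpak --version"
# Prints "ok X", "outdated X" or "unknown"; exit status 0, 1 or 2.
check_flatpak() {
    installed=$(parse_flatpak_version "$2")
    [ -n "$installed" ] || { echo "unknown"; return 2; }
    if version_ge "$installed" "$1"; then
        echo "ok $installed"
    else
        echo "outdated $installed"
        return 1
    fi
}

# Live use: only runs when flatpak is installed and MIN_VERSION is set.
if command -v flatpak >/dev/null 2>&1 && [ -n "${MIN_VERSION:-}" ]; then
    check_flatpak "$MIN_VERSION" "$(flatpak --version)"
fi
```

Distribution packages can carry backported security patches under an unchanged upstream version, so an "outdated" result is a prompt to read `apt changelog flatpak`, not proof that a fix is missing.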
 
Before I posted I checked with: flatpak --version so yes I am 100% certain (I posted this earlier, but you will be seeing this much later :-) )
I just noticed your post, and I'm not sure why I didn't receive a notification that you mentioned me. Given that Miravi didn't respond either, I believe there may be a problem with notifications.
 
I have to check a lot of exams this week which is very boring work, so I started playing with my adblock setup again. I have two favorite setups:
1. Running Privacy Badger all the time (for compatibility reasons) and Brave's built-in on-demand to nuke annoying websites.
2. Running Brave only on specific websites (website permissions and shield settings are not cleared at exit) with light adblocking of Cloudflare ZT ads category.

Today I thought of reversing my setup, running Brave with custom rules only and uBOL on demand (with only EP, Peter Lowe and uBO filters). While I was playing with this setup, ChatGPT told me to have a look at Kees1958 most used (see screen print) to accompany my own custom rules in Brave (and disable all other Brave filter lists).

The medium mode ChatGPT referred to is that I completely strip the websites I visit a lot (zero trackers and ads). So medium mode applies only to the few websites I made custom rules for in uBlock Origin Lite.


I followed Chat's advice and added Kees1958 most used EU-US DNR to custom rules, so according to ChatGPT I am now officially a power user :ROFLMAO:
 
AI explanation why I replaced Avira Browser Safety (when it moved from German privacy law to US law) with Malwarebytes Browser Guard (with adblock off).


Avira, when under German law, had only a 7 day retention for blocked URLs (with IP geolocation, not IP) and only collected anonymized telemetry totals of blocked URLs (running year stats). Now it is moved to Gen Digital (US law), the tight German privacy laws are also abandoned. Funny to see when the context changes AI's interpretation also changes. Because Avira dropped in valuation AI increased its valuation for MBAM (increased from good to strong :-) )
 
I’m just reaching out because you changed the feedback.
I had Claude AI analyze your security configuration (it’s very trendy right now), and he suggested several areas that need attention.
Here are the ones I think you should check as soon as possible:

Let me know if Claude AI was helpful or not.
Thanks for your attention.:)
 
Thanks my friend I really appreciate your tips (y), I installed USB Guard. Good addition, very helpful (also installed USBGuard notifier).

Claude overlooks that I only install/update from official sources and with Linux it is impossible to install without user consent (as far as I know). So my mild HIDS (logcheck) and NIDS (router) do the job for me, considering everything non-basic OS is sandboxed or double sandboxed (like the browser and e-mail). I asked ChatGPT whether I should add something like AIDE, Tiger, SNORT or Suricata and it said it was not worth the trouble or overhead.

Moving to Fedora (with SELinux) and Wayland would be more productive (according to AI), but I will delay that until 2029 (remember @oldschool advice "stay safe, not paranoid" ) :-) practical maximum is enough (not seeking absolute maximum).
 
Met a PHP/backend programmer, who uses Linux himself. He explained that running Chrome with (full sandbox) with a (partly crippled) Firejail is stronger than Chrome solo or Chrome (with crippled sandbox) in Flatpak. So dropped Brave (in Flatpak) for Chrome (in Firejail) and also replaced Cloudflare Zero Trust with ControlD free with OISD large (because of the obvious impact of losing Brave's adblocker).

CUPS (print) runs in AppArmor, all desktop accessories. Libre Office and Chrome run in Firejail and Teams plus Evolution in (stripped) Flatpak. Evolution uses Bubblewrap to sandbox the HTML renderer and is itself also sandboxed in Flatpak. The programmer uses Fedora.
 
Made a 180 :-) (again :unsure:)

Because I switched from Brave in Flatpak (adds a horizontal layer, but breaks Chrome vertical sandboxing) to Chrome in Firejail (keeps Chrome's internal sandbox intact and adds a less restricted horizontal layer), I switched back from Cloudflare Zero Trust to ControlD free with OISD and using two browser profiles.

Because I discovered the Safe Browsing v5 API flag (link) and read about NVT Api Void Browser Protection on MT, I decided to drop my free URL filtering browsing protection extension and translated some ideas of NVT to extra protection rules in uBOL with different TLD rules for work and surfing.

Main differences between work and surfing browsing profiles:
  • Theme
    Work has 'Chrome classic darker blue' and Surfing has 'Simple red' theme for visual feedback which profile I am using.
  • Site permissions
    Work set some permission related to MS Teams to ask (camera, mic, window management, scroll and zoom), Surfing has all on block.
  • uBlock Origin Lite filters
    Work only has custom rules while Surfing profile has EasyList with AG parameter filter and Kees1958 most used (as advised by ChatGPT).
 