Advanced Security Linux Mint Xfce practical maximum setup

Last updated
Apr 30, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint 22.3 Zena Xfce
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link tri-band router with IPv6 disabled and all security features enabled (TP-Link HomeCare, SPI firewall, IP-MAC binding). The e-mail log message level is set to critical.
Real-time security
Sticking to safe standards and using Linux sandboxing (AppArmor, Firejail, Flatpak) to contain utilities, accessories and applications.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
  • Using only official stable repositories from verified publishers; uninstalled all unused accessories and applications.
  • Mildly hardened Linux by disabling P2P, remote access and old TLS versions, and enabling ASLR system-wide.
  • Enabled and created Firejail profiles with firecfg and stripped Flatpak permissions with Flatseal.
  • Added the OpenSnitch outbound application firewall to complement the inbound Gufw firewall.
  • Installed logcheck with e-mail warnings for security alerts and events.
Periodic malware scanners
When I receive files from others I scan them with VirusTotal. My half-yearly data backups are scanned with Microsoft Defender :cool:
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Chrome with hardened policies and most site permissions set to block, with two browsing profiles (work and surfing), both using uBlock Origin Lite with different rules and filters.
Secure DNS
  1. NextDNS in the router with the OISD and telemetry blocklists enabled (for IoT devices), allowing only common top-level domains to connect.
  2. We use Quad9 as the default DNS for our laptops for problem-free malware filtering (and to bypass the router's TLD firewall limitation).
  3. In the browser (DoH) I use the ControlD free tier with the OISD basic filter (mild and unattended ad blocking).
Desktop VPN
Proton VPN free for Linux, on demand (out of home). At home I have very little use for a VPN because our IP and IP location change regularly :-).
Password manager
Built-in
Maintenance tools
None
File and Photo backup
  • FreeFileSync quick on-demand backups to a partition on my internal SSD to which sandboxed utilities, desktop accessories and applications have no access.
  • The half-yearly full backup goes to an external USB SSD, which is checked (afterwards) by Microsoft Defender on my wife's laptop (which has triple USB protection).
Subscriptions
    • None
System recovery
TimeShift (to another partition on 1 TB SSD)
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 (5700U) laptop with 1 TB SSD and 16GB RAM
Notable changes
What I'm looking for?

Looking for maximum feedback.

Yes, but my experience is that it skips static rules like ||example.org$script and only uses the cosmetic rules.

Well, obviously your rule is a network rule, not a cosmetic rule.;)
A network rule can only be added using DNR rules.

Although Gorhill does not encourage the extensive use of network rules that may conflict with those of the lists subscribed to in the extension.
I see you use Thunderbird.
If you want to try increasing Thunderbird's sandbox level, this is possible.
Some AI will tell you that you can't go beyond a certain level, or, as in my case, they insert threads that I created years ago.
Some AI might even claim that this is not possible or doesn't work.

If, on the other hand, you prefer to leave Thunderbird's level at the default value, in this js you will find how to harden Thunderbird, in a similar way to Firefox:

thunderbird-user.js/user.js at master · HorlogeSkynet/thunderbird-user.js
Thanks, I am on holiday until the 26th without a laptop, but will certainly look into it. May I PM you when I have questions?
Nice and secure configuration you have there. Btw, is the built-in password manager KeePassXC or something else?
I am currently on holiday and found out that Google has something called Apps Script, which you can use to automate things like auto-deleting mail in Gmail.

I forward all my ISP email to my (second) Gmail account so that Google automatically checks it for viruses, and I have excluded this Gmail account from my unified (search folder) inbox in Thunderbird.

Until now I manually deleted all those emails in my (second) Gmail account (only setup for this purpose), but will write a script when back from holiday.
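
An added example, not the post author's script (which had not been written at the time of the post): a Gmail clean-up routine in JavaScript that runs unchanged as a Google Apps Script against the real GmailApp service, and also runs offline here against a constructed in-memory stand-in, so the deletion policy can be tested before it is pointed at the relay mailbox. Everything about the policy is an assumption for the demo: a 30-day retention period, starred threads treated as a manual "keep" override, and GmailApp.search(query, start, max) plus GmailThread.moveToTrash() as the only Gmail calls needed (both exist in the Apps Script Gmail service). The fake understands only the query terms buildQuery() emits.

```javascript
// Added example, not the post author's script. Works as a Google Apps Script
// (bind purgeForwardedMail to a time-driven trigger) and offline in Node via
// demo(), which substitutes a constructed fake for GmailApp.
const RETENTION_DAYS = 30;   // hypothetical retention period for the relay mailbox
const BATCH_SIZE = 100;      // threads fetched per GmailApp.search() call

// Build the Gmail search query: old enough, not starred, not already in trash.
function buildQuery(retentionDays) {
  if (!Number.isInteger(retentionDays) || retentionDays < 1) {
    throw new RangeError("retentionDays must be a positive integer");
  }
  return `older_than:${retentionDays}d -is:starred -in:trash`;
}

// Trash matching threads page by page; returns the number trashed.
// `gmail` is GmailApp in Apps Script, or any object exposing search(query, start, max).
function purgeOldThreads(gmail, retentionDays = RETENTION_DAYS) {
  const query = buildQuery(retentionDays);
  let trashed = 0;
  for (;;) {
    // start stays 0: trashed threads drop out of the "-in:trash" result set.
    const page = gmail.search(query, 0, BATCH_SIZE);
    for (const thread of page) {
      thread.moveToTrash();
      trashed += 1;
    }
    if (page.length < BATCH_SIZE) break;   // last (possibly empty) page
  }
  return trashed;
}

// Apps Script entry point; GmailApp is a global there (not defined in Node).
function purgeForwardedMail() {
  return purgeOldThreads(GmailApp, RETENTION_DAYS);
}

// --- Constructed offline stand-in for GmailApp (demo/test only) ---
const DAY_MS = 86400000;

function makeThread(ageDays, now, starred = false) {
  return {
    lastMessageDate: new Date(now - ageDays * DAY_MS),
    starred,
    trashed: false,
    moveToTrash() { this.trashed = true; return this; },
  };
}

// Understands only the three query terms buildQuery() emits.
function makeFakeGmail(threads, now) {
  return {
    search(query, start = 0, max = threads.length) {
      const days = Number(/older_than:(\d+)d/.exec(query)[1]);
      const cutoff = now - days * DAY_MS;
      return threads
        .filter(t => !(query.includes("-in:trash") && t.trashed))
        .filter(t => !(query.includes("-is:starred") && t.starred))
        .filter(t => t.lastMessageDate.getTime() < cutoff)
        .slice(start, start + max);
    },
  };
}

// Offline run: two stale threads are trashed; a starred stale one and a fresh one survive.
function demo() {
  const now = Date.UTC(2026, 0, 15);
  const threads = [
    makeThread(45, now),         // stale forwarded mail -> trashed
    makeThread(45, now, true),   // starred -> kept
    makeThread(3, now),          // recent -> kept
    makeThread(200, now),        // stale -> trashed
  ];
  const trashed = purgeOldThreads(makeFakeGmail(threads, now), RETENTION_DAYS);
  return { trashed, remaining: threads.filter(t => !t.trashed).length };
}

console.log(demo());   // { trashed: 2, remaining: 2 }
```

Trashing rather than permanently deleting keeps a 30-day recovery window inside Gmail itself, and the star override means a forwarded message worth keeping is never silently lost by the scheduled run.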
I replaced ControlD with Cloudflare Zero Trust free plan (thanks @rashmi for posting).

The reason was that I was running into the 300,000-query limit when doing a lot of research while developing new courses for the business university I work for (teaching my old profession for fun as a pensioner). I am impressed with the granular control and the option to add a (unique) warning or explanation sentence for each policy (y)
The website permission settings of my surfing profile :)

[screenshot]
Removed Avira because Cloudflare with Zero Trust performed surprisingly well when trying some random malware and phishing links.

Using uBOL in both the work and surfing profile. In the work profile I only have custom cosmetic and DNR rules for some bookmarked websites. For surfing I use uBOL only to reduce the attack surface (together with the tight website permissions this should increase security).

---
#
# Upgrade HTTP to HTTPS when available
#
priority: 40
action:
  type: upgradeScheme
condition:
  urlFilter: http://
---
#
# Block scripts of unsafe HTTP connections
#
priority: 30
action:
  type: block
condition:
  urlFilter: http://
  resourceTypes:
    - script
---
#
# Block protocols that are normally not needed for casual internet surfing
#
priority: 30
action:
  type: block
condition:
  urlFilter: magnet://
---
priority: 20
action:
  type: block
condition:
  urlFilter: telnet://
---
priority: 30
action:
  type: block
condition:
  urlFilter: slack://
---
priority: 30
action:
  type: block
condition:
  urlFilter: org-protocol://
---
priority: 30
action:
  type: block
condition:
  urlFilter: vscode://
---
priority: 30
action:
  type: block
condition:
  urlFilter: apt://
---
priority: 30
action:
  type: block
condition:
  urlFilter: irc://
---
priority: 30
action:
  type: block
condition:
  urlFilter: git://
---
#
# Block resources mis-used for tracking or posing a security risk
#
priority: 20
action:
  type: block
condition:
  resourceTypes:
    - csp_report
    - ping
    - object
    - webbundle
---
#
# Block links containing executable Linux formats
#
priority: 20
action:
  type: block
condition:
  regexFilter: /.*\.(appimage|bin|deb|elf|py|pyc|pyo|pyd|pyw|pyi|pyz|ipynb|sh|rpm|run)\b/
---
#
# Block requests outside the EU zone and Five Eyes countries
#
priority: 10
action:
  type: block
condition:
  excludedRequestDomains:
    - com
    - edu
    - io
    - net
    - org
    - eu
    - at
    - be
    - bg
    - hr
    - cy
    - cz
    - dk
    - ee
    - fi
    - fr
    - de
    - gr
    - hu
    - ie
    - it
    - lv
    - lt
    - lu
    - mt
    - nl
    - pl
    - pt
    - ro
    - sk
    - si
    - es
    - se
    - no
    - ch
    - is
    - li
    - gb
    - uk
    - ca
    - us
    - au
    - nz
---
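
An added example, written for this thread and not part of the post above or of uBlock Origin Lite: a small JavaScript parser for the "---"-separated YAML-style custom DNR rules of the kind posted above, which converts them to the JSON rule objects chrome.declarativeNetRequest consumes and warns about the mistakes that make such rules silently match nothing or everything. It assumes only the YAML subset the post uses (key: value, indented mappings, "- item" lists, "#" comments). The embedded SAMPLE_RULES are constructed for the demo and contain two deliberate defects: a regexFilter wrapped in / / (Chrome's regexFilter field is a bare RE2 pattern; whether uBOL's dashboard strips the slashes before handing the rule to Chrome is not established here, so treat that warning as something to verify in the uBOL logger) and mixed-case ccTLD entries in excludedRequestDomains. The resource and action type lists follow the declarativeNetRequest documentation.

```javascript
// Added example, not from the post above or from uBlock Origin Lite: parse the
// "---"-separated YAML-style custom DNR rules, emit the JSON objects that
// chrome.declarativeNetRequest takes, and warn about common mistakes.
const RESOURCE_TYPES = new Set(["main_frame", "sub_frame", "stylesheet",
  "script", "image", "font", "object", "xmlhttprequest", "ping", "csp_report",
  "media", "websocket", "webtransport", "webbundle", "other"]);
const ACTION_TYPES = new Set(["block", "allow", "allowAllRequests",
  "redirect", "upgradeScheme", "modifyHeaders"]);
const DOMAIN_KEYS = ["requestDomains", "excludedRequestDomains",
  "initiatorDomains", "excludedInitiatorDomains"];

// Parse one document of the restricted YAML subset these rules use:
// "key: value", nested mappings by indentation, "- item" lists, "#" comments.
function parseDoc(lines) {
  const holder = { root: {} };
  const frames = [{ indent: -1, parent: holder, key: "root" }];
  for (const raw of lines) {
    const text = raw.trim();
    if (!text || text.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    const isItem = text.startsWith("- ");
    // Close frames this line is not nested under ("- x" may sit level with its key).
    while (frames.length > 1) {
      const top = frames[frames.length - 1];
      if (indent > top.indent || (isItem && indent === top.indent)) break;
      frames.pop();
    }
    const f = frames[frames.length - 1];
    if (isItem) {
      if (!Array.isArray(f.parent[f.key])) f.parent[f.key] = [];
      f.parent[f.key].push(text.slice(2).trim());
      continue;
    }
    const m = /^(\w+):(?:\s+(.*))?$/.exec(text);
    if (!m) throw new Error(`unparseable line: ${text}`);
    if (f.parent[f.key] === null) f.parent[f.key] = {};
    const node = f.parent[f.key];
    if (m[2] !== undefined) {
      node[m[1]] = /^\d+$/.test(m[2]) ? Number(m[2]) : m[2];
    } else {
      node[m[1]] = null;   // becomes a mapping or list once nested lines arrive
      frames.push({ indent, parent: node, key: m[1] });
    }
  }
  return holder.root;
}

// Split on "---" separators and parse every non-empty document, in order.
function parseRules(text) {
  const docs = [[]];
  for (const line of text.split("\n")) {
    if (/^---\s*$/.test(line)) docs.push([]);
    else docs[docs.length - 1].push(line);
  }
  return docs.map(parseDoc).filter(d => Object.keys(d).length > 0);
}

// Convert parsed documents to DNR rules (ids assigned in order) and collect warnings.
function toDnrRules(text) {
  const rules = [], warnings = [];
  parseRules(text).forEach((doc, i) => {
    const id = i + 1;
    const rule = { id, priority: doc.priority ?? 1, action: doc.action ?? {},
                   condition: doc.condition ?? {} };
    const c = rule.condition;
    if (!Number.isInteger(rule.priority) || rule.priority < 1)
      warnings.push(`rule ${id}: priority must be a positive integer`);
    if (!ACTION_TYPES.has(rule.action.type))
      warnings.push(`rule ${id}: unknown action type "${rule.action.type}"`);
    for (const key of ["resourceTypes", "excludedResourceTypes"])
      for (const t of c[key] ?? [])
        if (!RESOURCE_TYPES.has(t)) warnings.push(`rule ${id}: unknown resource type "${t}"`);
    if (typeof c.regexFilter === "string") {
      if (/^\/.*\/$/.test(c.regexFilter))
        warnings.push(`rule ${id}: regexFilter is wrapped in / /; DNR expects a bare RE2 pattern`);
      try { new RegExp(c.regexFilter); }
      catch (e) { warnings.push(`rule ${id}: regexFilter does not compile: ${e.message}`); }
    }
    for (const key of DOMAIN_KEYS)
      for (const d of c[key] ?? [])
        if (!/^[a-z0-9.-]+$/.test(d)) warnings.push(`rule ${id}: ${key} entry "${d}" is not lowercase ASCII`);
    if (Object.keys(c).length === 0)
      warnings.push(`rule ${id}: empty condition applies the action to every request`);
    rules.push(rule);
  });
  return { rules, warnings };
}

// Constructed sample (not the full posted rule set): rule 4 wraps its regex in
// slashes and rule 5 uses uppercase ccTLDs, so both should be flagged.
const SAMPLE_RULES = `---
# Upgrade HTTP to HTTPS when available
priority: 40
action:
  type: upgradeScheme
condition:
  urlFilter: http://
---
priority: 30
action:
  type: block
condition:
  urlFilter: http://
  resourceTypes:
    - script
---
priority: 20
action:
  type: block
condition:
  resourceTypes:
    - csp_report
    - ping
    - object
    - webbundle
---
priority: 20
action:
  type: block
condition:
  regexFilter: /.*\\.(appimage|deb|sh|rpm)\\b/
---
priority: 10
action:
  type: block
condition:
  excludedRequestDomains:
    - com
    - NL
    - DE
---
`;

const result = toDnrRules(SAMPLE_RULES);
console.log(JSON.stringify(result.rules, null, 2));
console.log(result.warnings.join("\n"));
```

Run it with node; it prints the five converted rules and three warnings (one for the slash-wrapped regex, one each for "NL" and "DE"). The parser is deliberately strict and throws on a line it cannot read, because an indentation slip that drops a urlFilter leaves a block rule with an empty condition, which DNR applies to every request.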
@LinuxFan58

It is interesting to note that your rule in uBoL that blocks Beacon (object) does not intercept JavaScript, does not intercept browser APIs, and does not intercept sendBeacon.
The navigator.sendBeacon() API is blocked by one of my rules that you are familiar with.
It allows data to be sent in the background even when the user leaves the page, without blocking loading and without being easily intercepted.
It is one of the preferred APIs for modern tracking.
Even though the percentage of website breakage, especially for payments, is high.

I chose it for greater Beacon coverage.
Let me show you the results of the rule's prevention as processed by ChatGPT 5.2:

[screenshot]

;)
Okay, I admit, I could not do anything today because the trains were cancelled due to severe weather conditions (snow and storm Goretti). So I cancelled the meeting and started playing with Cloudflare. I wanted to increase privacy a little, so I reduced the logs to blocks only and enabled removing sensitive information (the free plan has a fixed retention period). Watched another episode of Gangs of London and filled my time with the absolute summit of useless activity by changing ...

[screenshot]

The point of setting your own block page is that you can add a custom reason per policy (reason: this website is on the blacklist of websites that distribute malicious software). I changed the background colour (because my wife found the default too much in your face).
Because of @Andy Ful's malware filter testing (y) and @Sampei.Nihira's ad-filter optimization testing (y), I added two extensions:
  • Work profile: Avira Safe Browsing with anti-tracking enabled. The mild anti-tracking complements nicely the mild advertisement blocking of Cloudflare. Also, Avira's URL filtering gives the best results when testing malware, phishing and fake shopping links in combination with Cloudflare and Google Safe Browsing.
  • Surfing profile: Privacy Badger in learning mode (I know it can be misused, but it has never occurred in the wild) to complement Brave's ad blocking. This combo resulted in the lowest third-party exposure after a day of surfing.
Security- and privacy-wise I should be okay with the Avira Safe Browsing and Privacy Badger extensions (one is bound to strict German privacy regulations and the other is developed by the Electronic Frontier Foundation).

Setup finalized :unsure:

Get this:

[screenshot]


Could you get more?
Maybe, I don't have any experience with Brave's built-in adblock.

I would block 1p script on all websites outside your TLDs in your aggressive profile.

You would also get 3p script blocked at the same time.
Almost certainly 3p frames too.

+ Privacy/security without adding extensions.

However, I have some doubts about this aspect (frame) in PB.
It would be better to ask the AI.

I would leave PB in your moderate profile.

If you're interested in trying it, I'll write down the simple rules, which I'm sure you can write yourself.;)
Brave in Aggressive mode also blocks first-party. I use PB in learning mode because it also shows third-party exposure. When those 3P connections are useless (from a user-experience perspective) I block them in PB. Until now I have only added 1 domain.

I used uBOL allowing only some trusted TLDs, but the number of blocks was zero. Same with the rules for AG you PM'd me.

With my surfing behavior Brave Shields seem to do very well. This is why I want to know what the actual 3P exposure is.