Advanced Security Linux Mint Xfce practical maximum setup

Last updated
Apr 30, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint 22.3 Zena Xfce
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link triband with IPv6 disabled and all security features enabled (TP-link home care, SPI-firewall, IP-MAC binding). E-mail log message level is set to critical.
Real-time security
Sticking to safe standards and using Linux sandboxing (AppArmor, Firejail, Flatpak) to contain utilities, accessories and applications.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
  • Using only official stable repositories from verified publishers and de-installed all unused accessories and applications.
  • Mildly hardened Linux by disabling P2P, remote access, old TLS versions and enabling ASLR system wide.
  • Enabled and created Firejail profiles with firecfg and stripped Flatpak permissions with flatseal.
  • Added OpenSnitch outbound application firewall to complement inbound GuFW.
  • Installed logcheck with e-mail warning for security alerts & events
Periodic malware scanners
When I receive files from others I scan them with Virus Total. My half yearly data backups are scanned with Microsoft Defender :cool:
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Chrome with hardened policies and most site permissions on block with two browsing profiles (work and surfing) both using uBlockOrigin Lite with different rules and filters.
Secure DNS
  1. NextDNS in the Router with OISD and telemetry blocklists enabled (for IOT devices), allowing only common TopLevelDomains to connect.
  2. We use Quad9 as default DNS for our Laptops for problem free malware filters (and bypass router TLD firewall limitation)
  3. In the browser (DOH) I use ControlD free with OISD basic filter (mild and unattended adblocking)
Desktop VPN
Proton VPN free for Linux on-demand (out of home). At home I have very little use for VPN because our IP and IP location are changed regularly :-).
Password manager
Built-in
Maintenance tools
None
File and Photo backup
  • FreeFileSync quick on-demand backups to a partition on my internal SSD to which sandboxed utilities, desktop accessories and applications have no access.
  • The half yearly full backup saves to an external USB-SSD which is checked (afterwards) by Microsoft Defender on my wife's laptop (which has triple USB protection).
Subscriptions
    • None
System recovery
TimeShift (to another partition on 1 TB SSD)
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 (5700U) laptop with 1 TB SSD and 16GB RAM
Notable changes
What I'm looking for?

Looking for maximum feedback.

When I click on the link, the Top Level Domain firewall rule in AdGuard shows a blockpage (y)

After I choose Proceed anyway, I can access the website (y)


While third-party connections outside Schengen and 5 Eyes are blocked (y),


Above behavior is exactly what I want, what am I missing, please explain?
 
As you can see, your image is identical to mine, but I also have the 1p script block.

So total protection against XSS clients.
Total protection against JS fingerprinting.
First-party tracker blocking...

Ask the AI this simple question:

"Does blocking only 3p + 3p scripts + 3p frames eliminate all possible privacy/security issues?"

Of course, I occasionally have to write a 1p script exception rule.
But with only 9 TLDs, there are only 5 exception rules so far.
It's not a big deal for me.

Have a good evening.
 
After six days of no False Positive (AdGuard TLD firewall breaking websites), I replaced AG by uBol (is a tad faster in Speedometer 3.1 than AG, 18.8 instead of 18.7)

EDIT and yes, on the 8th day I encountered a TLD block again, so reverted back to AdGuard (using the log function I see what is blocked) :ROFLMAO:

In the past I had two classic bikes and could spend Saturdays fiddling with carburetors, needles, jets and pre-ignition to optimize the engine. I recognize the same tweaking frenzy with uBol and AG in my two Brave profiles. :)
 
Added policy specific explanation to personalized Cloudflare block page.

Rule 8 (partly), 9 are only effective when the bad-guys don't use a Content Delivery Network with server hubs in the whitelisted resolved IP geo locations. According to latest data nearly 80% of the "advanced" attacks from well known adversaries use trusted services (bypassing these rules). Reversely 80% of the unsophisticated attacks are delivered locally (that is why these rules often trigger block screens when playing with URLhaus links).
 
Added Microsoft Defender Browser Protection as only extension to my work profile.

 
Back to 1 profile in Brave again :ROFLMAO: added Advertisements content category in Cloudflare Zero Trust with uBlock Origin Lite in basic mode with all filters disabled and only (at the moment) 35 Custom cosmetic rules and 35 DNR rules. I occasionally enable Brave Adshields for a website (which Brave forgets when closing the browser).

uBol has a problem that when disabling protection sometimes DNR rules are still applied through Chromium mechanisms (the rules which are only updated when the extension is updated). I discovered that this is not the case when using custom DNR rules because these are implemented as dynamic rules (Chromium's dynamic rules are something totally different from Mv2 uBO's dynamic filtering).

So I copied the Kees1958 EU + US most used (around 1700 ABP-rules) into Custom DNR and they converted to ONLY 1 DNR rule (y)
 
Last edited:
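An added illustration (not code from this thread or from uBlock Origin Lite) of why a long list of ABP-style hostname filters can collapse into a single declarativeNetRequest rule: filters that share the same action and options can be merged into one rule whose `requestDomains` array lists every host. It assumes the imported list consists of plain `||host^` filters; the sample filters and function names are constructed for the example.

```javascript
// Illustration only: not uBO Lite's converter. Sample filters are constructed.
const SAMPLE_FILTERS = [
  '! comment line',
  '||ads.example.com^',
  '||tracker.example.net^',
  '||cdn.metrics.example.org^',
  '||ADS.example.com^',                  // duplicate once lower-cased
  '||widgets.example.com^$third-party',
  '||pixel.example.net^$3p',
  'example.com##.banner',                // cosmetic filter, not a network rule
];

// Parse a plain hostname filter: ||host^ with an optional $third-party / $3p.
// Anything else (comments, cosmetic filters, path patterns) returns null.
function parseHostFilter(line) {
  const m = /^\|\|([a-z0-9.-]+)\^(?:\$(third-party|3p))?$/i.exec(line.trim());
  if (!m) return null;
  return { host: m[1].toLowerCase(), thirdParty: Boolean(m[2]) };
}

// Group hosts by identical options and emit ONE DNR rule per group.
// With a list of only plain ||host^ filters there is one group, so one rule.
function toDnrRules(lines) {
  const groups = new Map();              // option signature -> Set of hosts
  const skipped = [];
  for (const line of lines) {
    const f = parseHostFilter(line);
    if (!f) { skipped.push(line); continue; }
    const key = f.thirdParty ? 'thirdParty' : 'any';
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(f.host);
  }
  const rules = [];
  for (const [key, hosts] of groups) {
    const condition = { requestDomains: [...hosts].sort() };
    if (key === 'thirdParty') condition.domainType = 'thirdParty';
    rules.push({ id: rules.length + 1, priority: 1, action: { type: 'block' }, condition });
  }
  return { rules, skipped };
}

const { rules, skipped } = toDnrRules(SAMPLE_FILTERS);
console.log(JSON.stringify(rules, null, 2));
console.log(`${rules.length} DNR rules, ${skipped.length} lines skipped`);
```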
Even when selected:

"Automatically reload the page when you change the filter mode".:unsure:

__________________________________________________________________________________

Can you explain the filtering method better within/outside TLDs?
 
Even when selected:

1 "Automatically reload the page when you change the filter mode".:unsure:

__________________________________________________________________________________

2 Can you explain the filtering method better within/outside TLDs?

1. Yes, but it seems to happen in basic mode mostly (then uBol has no running processes of itself, only uses Chromium)

2. Not using TLD filtering at the moment (because I went back to 1 profile for all).
 
uBol used to get me the highest Speedometer 3.1 benchmarks, but after latest update it fell back to 18.5 to 18.6. So I tried Adguard again and Brave Shields. When I disable CSP and Procedural filtering in Brave://flags for Brave shields and I enable only Brave AdShield (with Kees1958 and my custom rules), I am getting the highest Speedometer 3.1 benchmarks (18.9 to 19.1).

I know it is useless tweaking, but when I have to wait for some jobs to finish in the evening every fortnight, I either play a game of chess or kill the time with some benchmarks every fortnight when there is nothing interesting to read on MT and my bookmarked news websites.
 
I already had set powerplan to performance. Thanks for tip.

I wanted to equal speedometer 3.1 of my wife's Windows laptop (same HP only with 2GB SSD instead of my 1GB SSD) and that's achieved, so the urge is gone :-)
 
My friend @Sampei.Nihira often posts impressive AI based evaluations of his security setup, here is what free ChatGPT said about mine. What surprised me was that AI was not that good in separating the content from the time line. Also stuff included in pictures has to be explicitly explained to the AI model. From an initial 9.2 it increased to 9.8 (AI totally missed I use a separate admin account with standard user and website permission hardening in Brave).

As seasoned forum member @oldschool always posts: be safe, not paranoid. I agree that security and usability should be in balance, that is why I am glad with the AI-assessed "practical maximum" and "practically attack-resistant for every day use".
 
My friend @Sampei.Nihira often posts impressive AI based evaluations of his security setup, here is what free ChatGPT said about mine. What surprised me was that AI was not that good in separating the content from the time line. Also stuff included in pictures has to be explicitly explained to the AI model. From an initial 9.2 it increased to 9.8 (AI totally missed I use a separate admin account with standard user and website permission hardening in Brave).

As seasoned forum member @oldschool always posts: be safe, not paranoid. I agree that security and usability should be in balance.
Funny that AI assessed it as "practical maximum" and "practically attack-resistant for every day use"

Your security configuration is very efficient. (y)

I had fun comparing various security configurations using AI with ChatGPT account.

However, I used percentages.
If the reference parameter is x/10, many configurations seem quite similar.
The gap widens with x/100.
 
Yesterday I suddenly got problems in Thunderbird deleting the most recent e-mail in card view. It kept being displayed, so I switched to Evolution in Flatpak.

An advantage of Evolution is that you can create two unified inboxes (collecting all your inbox email accounts), one with known senders and one with senders not in your contacts using
 
Given that you can do whatever you want on your PC, I wonder if it wouldn't be better to have Scam protection at the DNS level and therefore no reduction in the Speedometer 3.1 test score? :unsure:
 