Advanced Security R3j3ct's Linux Mint 22.2 Xfce Home Laptop Config 2025

[LinuxFan58]

For internet etiquette even Linux users could take precautions not to spread malware which they may receive through mail. Using LMD and ClamAV fit this purpose.

But I agree on the low added value of adding ClamAV, because most ISPs use the free ClamAV also. I route my ISP email additionally through Google mail account (for extra malware check).

But thanks @R3j3ct for posting and @piquiteco for asking. I also bookmarked when the No-AV anxiety might catch me again.

 

[R3j3ct]

You don't really need to add security software for a Linux distro, but in case you want to learn a new OS, Linux Mint is very easy to follow as the author of the thread mentioned, and the developer even mentions in the upgrade steps how to remove deprecated libraries/applications/components, something I've never seen in any other Linux distro.

Linux anti-virus suites aren't as pointless as they once were

 

[piquiteco]

You had Me looking for notes! I couldn't install clamonacc for ClamAV Real-time, so i found it easier to do everything with LMD (Linux Malware Detect), these are the steps that pointed me where i needed to be! Must have winged it from there cause lol

Yes, LMD (Linux Malware Detect) is definitely easier. Your reply in post #17 has already helped me a lot and cleared up my mind. I've even added your post to my favorites so I can install and configure it in a few days. This will be very helpful to other Linux users who are entering the world of the

 

[R3j3ct]

Found the rest and put all together.

Complete Guide: install and integrate ClamAV with LMD (LINUX MALWARE DETECT)Linux Mint 22.2

 

[Sampei.Nihira]

I'm curious, considering that we have little information on Linux, is Brave or Firefox faster in the Speedometer 3.1 test?

Speedometer 3.1

 

[R3j3ct]

I'm curious, considering that we have little information on Linux, is Brave or Firefox faster in the Speedometer 3.1 test?

Speedometer 3.1

vpn and browser running. FireFox Firejailed Brave Flatpack

 

[Sampei.Nihira]

vpn and browser running. FireFox Firejailed Brave Flatpack

Thanks for the test.
If what I'm reading is correct (it's difficult to view these results immediately), it seems to me that Brave scores higher than Firefox in the test.

 

[R3j3ct]

Thanks for the test.
If what I'm reading is correct (it's difficult to view these results immediately), it seems to me that Brave scores higher than Firefox in the test.

Brave is faster then Firefox i have noticed in my setup. Only thing i have noticed is when using brave for say watching YouTube or streams online, it likes to make the laptop a little warm unlike Firefox. I have tried Brave both manual install & flatpack and both do it, i assume Brave pulls more resources . Brave is really there just as a backup browser. I have no complaints as a daily driver!

 

[piquiteco]

Found the rest and put all together.

Complete Guide: install and integrate ClamAV with LMD (LINUX MALWARE DETECT)Linux Mint 22.2

Even following the complete guide, I couldn't do it. The rfxn.com URL returns a 404 error: Not Found. I managed to find another updated URL, but even so, I still get an error when trying to start maldet.service. Thanks for the tip. But forget it LOL.

Spoiler: Failed to start maldet.service

 

[R3j3ct]

Even following the complete guide, I couldn't do it. The rfxn.com URL returns a 404 error: Not Found. I managed to find another updated URL, but even so, I still get an error when trying to start maldet.service. Thanks for the tip. But forget it LOL.

Spoiler: Failed to start maldet.service

View attachment 293821

This is were the fun i was talking about comes in and having ai help: Maldet's monitor mode, as i said above all help is from ai and guides. Trial and error, your not far from it being done.

Spoiler: When Done it will look like this

 

[piquiteco]

This is were the fun i was talking about comes in and having ai help: Maldet's monitor mode, as i said above all help is from ai and guides. Trial and error, your not far from it being done.

Spoiler: When Done it will look like this

View attachment 293826

Yes, Linux is like that, with its mistakes and successes. I don't give up so easily, but I believe it's some mistake on my part. See the screenshot. I think the error that causes Maldet.service to fail to start may be related to Configure LMD for Inotify. Well, I assume that's what it is.

Spoiler: Failed to start maldet.service

 

[R3j3ct]

says you need to install inotify-tools,then : configuring inotifywait

 

[R3j3ct]

Removed ClamAV Integrated with LMD (Linux Malware Detect)

 

[R3j3ct]

Spoiler: Linux Hardening

Kernel Hardening​

I’ve adjusted the kernel parameters to reduce information leaks and limit attack surfaces:

• Restricted kernel pointer exposure (kptr_restrict=1) and kernel message access (dmesg_restrict=1) to prevent leaking sensitive kernel info.
• Enabled heap protections (slab_nomerge=1, slub_debug=PZ) to harden kernel memory management.
• Disabled kernel features like kexec to prevent certain rootkit exploits.
• Set ptrace_scope=1 to restrict debugging and attachment by untrusted processes.
• Disabled core dumps from SUID programs (fs.suid_dumpable=0) to prevent leaking sensitive data.
• Restricted unprivileged BPF and user namespace cloning, adding layers of process isolation.

Network Security​

I’ve hardened my network stack by:

• Enabling TCP SYN cookies (tcp_syncookies=1) and RFC 1337 compliance for TCP.
• Activating reverse path filtering (rp_filter=1) to prevent IP spoofing.
• Disabling ICMP redirects and router advertisements for IPv4 and IPv6, reducing attack vectors.

Filesystem Protections​

To prevent malicious symlinks and hardlinks, I enabled:

• fs.protected_symlinks=1
• fs.protected_hardlinks=1
• Additional protections for FIFOs and regular files.

Performance & Usability Tweaks​

I fine-tuned memory management to keep my system responsive:

• Set vm.swappiness=0 to favor RAM over swap. (12gig installed)
• Adjusted cache pressure and dirty ratios to optimize disk and memory performance.

---

Boot Configuration​

I’ve modified my GRUB boot parameters to further enhance security:

• Added mitigations=auto for balanced CPU vulnerability mitigation.
• Enabled slab_nomerge to prevent certain kernel heap exploits.
• Included init_on_alloc=0 and init_on_free=0 for better performance, which are safe for desktop use.

---

Additional Security Measures​

• Enabled ufw firewall with default deny policies, only opening necessary ports.
• Set up automatic security updates with unattended-upgrades.
• Ensured AppArmor is active and enforcing profiles for application confinement.
• Use privacy-enhancing browser extensions (like uBlock Origin & Privacy Badger & Malwarebytes Browser Guard) for safe browsing.
• Regularly back up my system with Timeshift and external storage to safeguard against data loss.

---

Overall, this setup provides a solid security foundation while keeping the system fast and user-friendly. It’s a work in progress, but I feel confident that it strikes the right balance for my daily desktop use.

Spoiler: Linux Hardening - Steps

# **Linux Mint 22.2 Desktop Hardening Guide**

## **Overview**
This guide enhances your system's security through kernel parameters, boot configurations, and basic hardening techniques, while maintaining smooth daily usability.

---

# **Step 1: Configure Kernel Parameters with sysctl**

Create or edit a dedicated configuration file:

```bash
sudo nano /etc/sysctl.d/99-security-hardening.conf
```

Paste the following content:

```bash
# ==================== KERNEL SECURITY ====================
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.printk = 3 3 3 3

#kernel.slab_nomerge = Set in Grub
kernel.slub_debug = PZ
kernel.kexec_load_disabled = 1

kernel.yama.ptrace_scope = 1
fs.suid_dumpable = 0
kernel.unprivileged_bpf_disabled = 1
kernel.unprivileged_userns_clone = 1

# ==================== NETWORK HARDENING ====================
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

# ==================== FILESYSTEM PROTECTION ====================
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2

# ==================== MEMORY & PERFORMANCE ====================
vm.swappiness = 10 #Adjust based on your memory
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
vm.vfs_cache_pressure = 50
```

Save and exit (`CTRL+O`, `ENTER`, `CTRL+X`).

**Apply the new kernel parameters immediately:**

```bash
sudo sysctl --system
```

---

# **Step 2: Adjust GRUB Boot Parameters**

Edit the GRUB configuration:

```bash
sudo nano /etc/default/grub
```

Find the line starting with `GRUB_CMDLINE_LINUX_DEFAULT` and modify it to:

```bash
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash mitigations=auto slab_nomerge init_on_alloc=0 init_on_free=0"
```

Save and exit (`CTRL+O`, `ENTER`, `CTRL+X`).

*Note:* These parameters enable mitigations, harden kernel memory management, and optimize performance for desktop use.

Update GRUB:

```bash
sudo update-grub
```

---

 

[LinuxFan58]

What made you decide to ditch ClamAV and LMD and start hardening your Linux Mint setup?

What is also interesting is what is your source for these tweaks and how much safer do you feel after applying them ?

 

[ForgottenSeer 123960]

Spoiler: Linux Hardening

Kernel Hardening​

I’ve adjusted the kernel parameters to reduce information leaks and limit attack surfaces:

• Restricted kernel pointer exposure (kptr_restrict=1) and kernel message access (dmesg_restrict=1) to prevent leaking sensitive kernel info.
• Enabled heap protections (slab_nomerge=1, slub_debug=PZ) to harden kernel memory management.
• Disabled kernel features like kexec to prevent certain rootkit exploits.
• Set ptrace_scope=1 to restrict debugging and attachment by untrusted processes.
• Disabled core dumps from SUID programs (fs.suid_dumpable=0) to prevent leaking sensitive data.
• Restricted unprivileged BPF and user namespace cloning, adding layers of process isolation.

Network Security​

I’ve hardened my network stack by:

• Enabling TCP SYN cookies (tcp_syncookies=1) and RFC 1337 compliance for TCP.
• Activating reverse path filtering (rp_filter=1) to prevent IP spoofing.
• Disabling ICMP redirects and router advertisements for IPv4 and IPv6, reducing attack vectors.

Filesystem Protections​

To prevent malicious symlinks and hardlinks, I enabled:

• fs.protected_symlinks=1
• fs.protected_hardlinks=1
• Additional protections for FIFOs and regular files.

Performance & Usability Tweaks​

I fine-tuned memory management to keep my system responsive:

• Set vm.swappiness=0 to favor RAM over swap. (12gig installed)
• Adjusted cache pressure and dirty ratios to optimize disk and memory performance.

---

Boot Configuration​

I’ve modified my GRUB boot parameters to further enhance security:

• Added mitigations=auto for balanced CPU vulnerability mitigation.
• Enabled slab_nomerge to prevent certain kernel heap exploits.
• Included init_on_alloc=0 and init_on_free=0 for better performance, which are safe for desktop use.

---

Additional Security Measures​

• Enabled ufw firewall with default deny policies, only opening necessary ports.
• Set up automatic security updates with unattended-upgrades.
• Ensured AppArmor is active and enforcing profiles for application confinement.
• Use privacy-enhancing browser extensions (like uBlock Origin & Privacy Badger & Malwarebytes Browser Guard) for safe browsing.
• Regularly back up my system with Timeshift and external storage to safeguard against data loss.

---

Overall, this setup provides a solid security foundation while keeping the system fast and user-friendly. It’s a work in progress, but I feel confident that it strikes the right balance for my daily desktop use.

Spoiler: Linux Hardening - Steps

# **Linux Mint 22.2 Desktop Hardening Guide**

## **Overview**
This guide enhances your system's security through kernel parameters, boot configurations, and basic hardening techniques, while maintaining smooth daily usability.

---

# **Step 1: Configure Kernel Parameters with sysctl**

Create or edit a dedicated configuration file:

```bash
sudo nano /etc/sysctl.d/99-security-hardening.conf
```

Paste the following content:

```bash
# ==================== KERNEL SECURITY ====================
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.printk = 3 3 3 3

kernel.slab_nomerge = 1
kernel.slub_debug = PZ
kernel.kexec_load_disabled = 1

kernel.yama.ptrace_scope = 1
fs.suid_dumpable = 0
kernel.unprivileged_bpf_disabled = 1
kernel.unprivileged_userns_clone = 1

# ==================== NETWORK HARDENING ====================
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

# ==================== FILESYSTEM PROTECTION ====================
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2

# ==================== MEMORY & PERFORMANCE ====================
vm.swappiness = 10 #Adjust based on your memory
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
vm.vfs_cache_pressure = 50
```

Save and exit (`CTRL+O`, `ENTER`, `CTRL+X`).

**Apply the new kernel parameters immediately:**

```bash
sudo sysctl --system
```

---

# **Step 2: Adjust GRUB Boot Parameters**

Edit the GRUB configuration:

```bash
sudo nano /etc/default/grub
```

Find the line starting with `GRUB_CMDLINE_LINUX_DEFAULT` and modify it to:

```bash
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash mitigations=auto slab_nomerge init_on_alloc=0 init_on_free=0"
```

Save and exit (`CTRL+O`, `ENTER`, `CTRL+X`).

*Note:* These parameters enable mitigations, harden kernel memory management, and optimize performance for desktop use.

Update GRUB:

```bash
sudo update-grub
```

---

These hardening changes are accurate and align with established security best practices for the Linux kernel and network stack. These modifications effectively reduce the system's attack surface by restricting information leaks and mitigating common exploitation techniques without compromising desktop usability.

The configurations provided by your post target three primary areas of system resilience.

Kernel information leak prevention.
Exploit mitigation & memory hardening.
Network stack hardening.

Note on GRUB Parameters, your post mentions init_on_alloc=0 and init_on_free=0. While the Linux Kernel Self-Protection Project (KSPP) typically recommends setting these to 1 to zero out memory (mitigating use-after-free vulnerabilities), you correctly note that setting them to 0 is for performance optimization and is safe for standard desktop use. This is a reasonable trade-off for a home laptop.

 

[R3j3ct]

What made you decide to ditch ClamAV and LMD and start hardening your Linux Mint setup?

What is also interesting is what is your source for these tweaks and how much safer do you feel after applying them ?

The Clamav + LMD was a resource hog on my system, i just read something somewhere about it and wanted to try it. About the hardening, it will stay protecting while i continue to mess around with things.

Here are a few of my source's about the hardening, desktop just little different then server from what i and gathering. lynis jumped 5 - 6 pnts just by doing this.

Book of Zeus
ow and of course AI Helped
DeepSeek v3.2

 

[LinuxFan58]

@R3j3ct

I have only enabled ASLR system wide and like you disabled user access to logs and debugging stuff to limit snooping.

When I asked Brave's LEO AI how to set stop cache merging for users (seemed like a good idea), it showed me this. Not telling you did something wrong, iIt might be an AI-hallucination, but just informing you.

 

[R3j3ct]

@R3j3ct

I have only enabled ASLR system wide and like you disabled user access to logs and debugging stuff to limit snooping.

When I asked Brave's LEO AI how to set stop cache merging for users (seemed like a good idea), it showed me this. Not telling you did something wrong, iIt might be an AI-hallucination, but just informing you.

View attachment 294011

kernel.slab_nomerge isnt gonna hurt anything being in the systctl namespace, probably left there as note ( to set grub ) , it is correctly set in the grub.

 

[R3j3ct]

i have used some tips from this guide as well: GitHub - ME0094/Ubuntu-22.04-LTS-Hardening-Commands: Commands for hardening Ubuntu 22.04 LTS