Security in Soplos Linux

Soplos Linux inherits the robustness and security of Debian. However, it is always recommended to take additional measures to protect your computer, especially if you connect to public networks.

This guide will help you implement multiple layers of security to protect your system against common threats and vulnerabilities.

Security Fundamentals

Why Security Matters

Even though Linux systems are generally more secure than other operating systems, no system is completely immune to threats. Security is essential to:

  • Protect your personal data and privacy
  • Prevent unauthorized access to your system
  • Avoid malware and exploitation
  • Maintain system integrity and stability

Debian's Security Model

Soplos Linux benefits from Debian's strong security foundation:

  • Security updates: Regular patches for vulnerabilities
  • Package verification: All packages are cryptographically signed
  • Minimal default installation: Only essential services enabled
  • Strong permissions model: Proper file and user permissions by default

Defense in Depth

Security is not a single solution but multiple layers of protection:

  1. Physical security: Protect hardware access
  2. User security: Strong passwords and account policies
  3. Network security: Firewall and encrypted connections
  4. Application security: Keep software updated
  5. Data security: Encryption and backups

Most Important: Keep your system updated! The majority of successful attacks exploit known vulnerabilities that have already been patched.

Firewall (UFW)

Soplos Linux comes with UFW (Uncomplicated Firewall) installed by default, but inactive to avoid initial conflicts with user network services.

It is recommended to activate the firewall if your computer is directly exposed to the internet or on untrusted networks.

Basic UFW Commands

Terminal

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status

# Check detailed status with numbered rules
sudo ufw status numbered

# Disable firewall
sudo ufw disable

Managing Rules

Allow Connections

Terminal

# Allow specific port
sudo ufw allow 22/tcp        # SSH
sudo ufw allow 80/tcp        # HTTP
sudo ufw allow 443/tcp       # HTTPS

# Allow port range
sudo ufw allow 6000:6007/tcp

# Allow from specific IP
sudo ufw allow from 192.168.1.100

# Allow specific IP to specific port
sudo ufw allow from 192.168.1.100 to any port 22

Deny Connections

Terminal

# Deny specific port
sudo ufw deny 23/tcp         # Telnet

# Deny from specific IP
sudo ufw deny from 192.168.1.50

Delete Rules

Terminal

# Delete by rule number
sudo ufw status numbered
sudo ufw delete 3

# Delete by specification
sudo ufw delete allow 80/tcp

Application Profiles

UFW includes predefined profiles for common applications:

Terminal

# List available application profiles
sudo ufw app list

# Allow application
sudo ufw allow 'OpenSSH'
sudo ufw allow 'Apache Full'

# View application info
sudo ufw app info 'OpenSSH'

Default Policies

Terminal

# Set default policies (recommended)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow routed packets (for router/gateway)
sudo ufw default deny routed

Logging

Terminal

# Enable logging
sudo ufw logging on

# Set log level (low, medium, high, full)
sudo ufw logging medium

# View firewall logs
sudo tail -f /var/log/ufw.log

Pro Tip: After enabling UFW, make sure SSH (port 22) is allowed if you use remote access, or you'll lock yourself out!
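A guard for the lockout problem described in the tip, as an added example that is not part of the Soplos documentation: it parses the output of ufw show added (rules added while UFW is inactive are not shown by ufw status) and only runs ufw enable when a rule for the SSH port exists. The function names and the constructed sample output are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Soplos documentation): refuse to run
# "ufw enable" unless a rule admitting SSH already exists, so enabling the
# firewall over a remote session cannot lock you out. Rules added while UFW is
# inactive are NOT listed by "ufw status"; "ufw show added" lists them, one
# per line in the form "ufw allow 22/tcp", and that is what the check parses.

# Return 0 if the "ufw show added" text on stdin contains an allow or limit
# rule for SSH port $1, written as a bare port, "port/tcp", the OpenSSH
# profile, or "... to any port N" (the rule forms used in this guide).
ufw_ssh_rule_present() {
    port="$1"
    grep -Eq "^ufw (allow|limit) (${port}(/tcp)?|OpenSSH|.* to any port ${port})( |$)"
}

# Enable UFW with the recommended default policies only after the SSH check
# passes. $1 = SSH port (default 22). "--force" skips ufw's interactive
# "may disrupt existing ssh connections" prompt.
ufw_safe_enable() {
    port="${1:-22}"
    if sudo ufw show added | ufw_ssh_rule_present "$port"; then
        sudo ufw default deny incoming
        sudo ufw default allow outgoing
        sudo ufw --force enable
    else
        echo "No UFW rule for SSH port $port found; add one first, e.g.:" >&2
        echo "  sudo ufw allow $port/tcp" >&2
        return 1
    fi
}

# Demo against constructed "ufw show added" output (no ufw call is made):
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow from 192.168.1.100 to any port 22"
if printf '%s\n' "$SAMPLE_ADDED" | ufw_ssh_rule_present 22; then
    echo "SSH rule found for port 22; safe to enable"
fi
if ! printf '%s\n' "$SAMPLE_ADDED" | ufw_ssh_rule_present 2222; then
    echo "no SSH rule for port 2222; ufw_safe_enable 2222 would refuse"
fi
```

On a real host, call ufw_safe_enable (or ufw_safe_enable 2222 if you moved SSH) instead of a bare sudo ufw enable.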

Graphical Management: GUFW

If you prefer not to use the terminal, Soplos Linux makes it easy to install GUFW, a simple graphical interface to control the firewall.

  1. Install GUFW from your package manager (Synaptic, Discover, GNOME Software) or terminal:
    sudo apt install gufw
  2. Open "Firewall Configuration" from the menu.
  3. Unlock the configuration (padlock) with your password.
  4. Change the "Status" switch to ON.

With this, your system will block unsolicited incoming connections by default, significantly improving your security.

User Account Security

Strong Passwords

Use strong, unique passwords for all accounts:

  • At least 12 characters long
  • Mix of uppercase, lowercase, numbers, and symbols
  • Avoid dictionary words and personal information
  • Never reuse passwords across different accounts

Password Managers

Consider using a password manager to generate and store secure passwords:

  • KeePassXC: Open-source, offline password manager
  • Bitwarden: Open-source, cloud-based option
  • pass: Command-line password manager

Terminal

# Install KeePassXC
sudo apt install keepassxc

# Install Bitwarden (Flatpak)
flatpak install flathub com.bitwarden.desktop

sudo vs root

Soplos Linux follows Debian's approach:

  • Don't use root account: The root account is disabled by default
  • Use sudo: Run administrative commands with sudo
  • Audit sudo access: Only trusted users should have sudo privileges

Terminal

# View users with sudo access
grep '^sudo:' /etc/group

# Add user to sudo group
sudo usermod -aG sudo username

Account Lockout

Protect against brute-force attacks:

Terminal

# Install fail2ban
sudo apt install fail2ban

# Check status
sudo systemctl status fail2ban

# View banned IPs
sudo fail2ban-client status sshd

SSH Security

If you use SSH for remote access, securing it is critical:

Key-Based Authentication

SSH keys are more secure than passwords:

  • Generate SSH key pair on your client machine
  • Copy public key to server
  • Disable password authentication
  • Test connection before closing current session

Terminal (Client)

# Generate SSH key (ED25519 is recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy key to server
ssh-copy-id user@server_ip

# Test connection
ssh user@server_ip

SSH Configuration

Harden your SSH server configuration:

Terminal (Server)

# Edit SSH config
sudo nano /etc/ssh/sshd_config

Recommended settings:

/etc/ssh/sshd_config

# Disable root login
PermitRootLogin no

# Disable password authentication (use keys only)
PasswordAuthentication no
# Also disables keyboard-interactive password prompts. OpenSSH 8.7+ names this
# option KbdInteractiveAuthentication and keeps the old name as an alias.
ChallengeResponseAuthentication no

# Change default port (optional; cuts automated scanner noise, but this is
# obscurity, not a substitute for key-only authentication)
Port 2222

# Allow only specific users
AllowUsers your_username

# Use Protocol 2 only. SSH protocol 1 was removed in OpenSSH 7.6, so current
# releases ignore this line; it only matters on very old servers.
Protocol 2

Terminal

# Restart SSH service
sudo systemctl restart sshd

# Check SSH status
sudo systemctl status sshd

Important: Always test SSH connections in a separate terminal before closing your current session. If something goes wrong, you could lock yourself out!
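A check for the settings above, as an added example that is not part of the Soplos documentation: it reads an sshd_config and reports whether each recommended option is in effect, using sshd's own rule that the first occurrence of an option wins (a hardening line appended below an earlier setting changes nothing). The function names and the constructed demo config are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Soplos documentation): audit an sshd_config
# against the hardening values recommended above. sshd applies the FIRST
# occurrence of an option it finds, so a hardening line appended at the end of
# the file changes nothing if the option was already set higher up; this check
# mirrors that rule. Options inside "Match" blocks are skipped because they
# apply only to some connections.

# Print the effective value of an option (first match wins, key matching is
# case-insensitive, "Key=value" form accepted), or "unset" if never set.
# $1 = config file, $2 = option name, or several aliases separated by "|"
# (OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication and kept the old name as an alias).
sshd_effective() {
    awk -v keys="|$(printf '%s' "$2" | tr 'A-Z' 'a-z')|" '
        { sub(/#.*/, "") }                        # strip comments
        $1 ~ /=/ { sub(/=/, " ") }                # "Key=value" -> "Key value"
        tolower($1) == "match" { exit }           # stop at conditional blocks
        index(keys, "|" tolower($1) "|") { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Check every recommended option; print OK/FAIL per option, exit 1 on any FAIL.
sshd_audit() {
    file="$1"; rc=0
    for pair in "PermitRootLogin=no" "PasswordAuthentication=no" \
                "ChallengeResponseAuthentication|KbdInteractiveAuthentication=no"; do
        opt=${pair%=*}; want=${pair#*=}
        have=$(sshd_effective "$file" "$opt")
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $opt = $have"
        else
            echo "FAIL $opt = $have (want $want)"; rc=1
        fi
    done
    return $rc
}

# Demo on a constructed config (not a real system file): the second
# PasswordAuthentication line is ignored, so the audit reports FAIL for it.
demo=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    'KbdInteractiveAuthentication=no' 'PasswordAuthentication no' \
    'Match User backup' 'PermitRootLogin yes' > "$demo"
sshd_audit "$demo" || echo "audit found issues (expected for the demo file)"
rm -f "$demo"
```

Run sshd_audit /etc/ssh/sshd_config after editing; sudo sshd -T prints the values the running daemon actually uses, including drop-ins under /etc/ssh/sshd_config.d/ which this simple reader does not follow.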

Fail2ban for SSH

Fail2ban automatically bans IPs with too many failed login attempts:

Terminal

# Install fail2ban
sudo apt install fail2ban

# Create local config
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit configuration
sudo nano /etc/fail2ban/jail.local

Basic SSH jail configuration:

/etc/fail2ban/jail.local

[sshd]
enabled = true
# Change if you changed the SSH port (e.g. 2222)
port = 22
maxretry = 3
# Ban for 1 hour (seconds)
bantime = 3600
# 10 minute window in which maxretry failures trigger a ban
findtime = 600
# Read sshd messages from the systemd journal; needed on systems that have no
# rsyslog and therefore no /var/log/auth.log
backend = systemd

Automatic Security Updates

Keeping your system updated is one of the most important security measures:

Unattended Upgrades

Install and configure automatic security updates:

Terminal

# Install unattended-upgrades
sudo apt install unattended-upgrades apt-listchanges

# Configure
sudo dpkg-reconfigure -plow unattended-upgrades

Configuration

Edit the configuration file for more control:

Terminal

# Edit main config
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Recommended settings:

50unattended-upgrades

// Automatically upgrade packages from security updates.
// The codename must match the release your sources.list tracks; the Debian
// default file uses ${distro_codename}-security to avoid hard-coding it.
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=trixie-security";
};

// Email notifications (optional)
Unattended-Upgrade::Mail "your-email@example.com";
Unattended-Upgrade::MailReport "on-change";

// Remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot if needed (set to "true" if desired).
// apt.conf only accepts // and /* */ comments, not trailing # comments.
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Debian Testing Consideration: Since Soplos is based on Debian Testing, be cautious with automatic updates. Security updates are important, but you may want to review major updates manually.

Monitoring

Terminal

# Check unattended-upgrades status
sudo systemctl status unattended-upgrades

# View logs
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

# Dry run to test configuration
sudo unattended-upgrade --dry-run --debug

System Hardening

Disable Unnecessary Services

Reduce attack surface by disabling unused services:

Terminal

# List all running services
systemctl list-units --type=service --state=running

# Disable unnecessary service
sudo systemctl disable service-name
sudo systemctl stop service-name

# Check service status
sudo systemctl status service-name

File Permissions

Protect sensitive files:

Terminal

# Secure home directory
chmod 750 ~/

# Find files with world-writable permissions
find / -perm -002 -type f -ls 2>/dev/null

# Find SUID files (potential security risk)
find / -perm /4000 2>/dev/null

AppArmor

Soplos Linux includes AppArmor for mandatory access control:

Terminal

# Check AppArmor status
sudo aa-status

# List profiles
sudo aa-status --verbose

# Install AppArmor utilities
sudo apt install apparmor-utils

Encryption

Full Disk Encryption (LUKS)

LUKS encryption is best set up during installation, but it can also be used to encrypt additional partitions after installation.

Warning: Encrypting a partition will erase all data on it. Always back up first!

File Encryption with GPG

Encrypt individual files or directories:

Terminal

# Install GPG (usually pre-installed)
sudo apt install gnupg

# Encrypt a file
gpg -c sensitive_file.txt

# Decrypt a file
gpg sensitive_file.txt.gpg

# Encrypt with your GPG key
gpg -e -r your_email@example.com file.txt

Password-Protected Archives

Terminal

# Create encrypted zip
zip -e archive.zip file1 file2

# Create encrypted 7z (stronger encryption)
7z a -p -mhe=on archive.7z files/

Privacy & Browsing Security

Browser Security

Essential browser security practices:

  • Keep browser updated
  • Use HTTPS Everywhere extension (or the browser's built-in HTTPS-Only Mode, which has replaced it in current Firefox and Chromium releases)
  • Install uBlock Origin for ad/tracker blocking
  • Clear cookies regularly
  • Avoid saving passwords in browser (use password manager)

Privacy-Focused Browsers

  • Firefox: Pre-installed, good privacy settings
  • Brave: Built-in ad blocking
  • Tor Browser: Maximum anonymity

Terminal

# Install Tor Browser (Flatpak)
flatpak install flathub com.github.micahflee.torbrowser-launcher

DNS over HTTPS

Encrypt DNS queries to prevent monitoring:

Firefox

# In Firefox settings:
# Privacy & Security > DNS over HTTPS > Enable
# Choose provider: Cloudflare or NextDNS

Physical Security

BIOS/UEFI Password

Set a BIOS password to prevent unauthorized changes:

  • Access BIOS/UEFI setup (usually F2, F10, or DEL at boot)
  • Set supervisor/administrator password
  • Disable booting from USB/CD without password

Screen Lock

Configure automatic screen locking:

  • XFCE (Tyron): Settings → Screensaver → Enable lock screen
  • Plasma (Tyson): Settings → Screen Locking → configure timer
  • GNOME (Boro): Settings → Privacy → Screen Lock

Quick lock shortcuts:

  • XFCE: Ctrl+Alt+L
  • Plasma: Ctrl+Alt+L or Meta+L
  • GNOME: Super+L

USB Security

USB Caution: Never plug in unknown USB drives. They can contain malware or exploit firmware vulnerabilities.

Monitoring & Auditing

System Logs

Regularly check system logs for suspicious activity:

Terminal

# Follow SSH authentication logs (on Debian the unit is ssh.service)
sudo journalctl -u ssh -f

# Check failed login attempts
sudo journalctl -u ssh | grep "Failed"

# View all logs from today
sudo journalctl --since today

# Check kernel messages
sudo dmesg | tail
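The jail.local thresholds above (maxretry failures within findtime seconds) replayed over the SSH journal lines this section greps, as an added example that is not part of the Soplos documentation: it shows which addresses the sshd jail would have banned and why a slow, spread-out attempt stays under the threshold. The input format is journalctl's -o short-unix output (first field is a Unix timestamp); the function name and the sample journal lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Soplos documentation): replay the fail2ban
# counting rule from the jail above (maxretry failures within findtime seconds
# from one address) over sshd journal lines, to see which addresses the jail
# would have banned. Input is "journalctl -u ssh -o short-unix" output, whose
# first field is a Unix timestamp, so no date parsing is needed.

# $1 = maxretry, $2 = findtime (seconds); journal text on stdin.
# Prints one BAN line per address the first time it crosses the threshold.
f2b_simulate() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            ts = int($1)
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++; t[ip, n[ip]] = ts
            # failures from this address inside the window ending now
            c = 0
            for (j = 1; j <= n[ip]; j++) if (ts - t[ip, j] < findtime) c++
            if (c >= maxretry && !(ip in banned)) {
                banned[ip] = ts
                printf "BAN %s after %d failures within %ds (at %d)\n", ip, c, findtime, ts
            }
        }
    '
}

# Constructed journal excerpt (not real data). 203.0.113.5 fails three times
# in 70 s; 198.51.100.7 fails three times but spread over about 33 minutes.
SAMPLE_JOURNAL='1700000000.000000 soplos sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
1700000030.000000 soplos sshd[2103]: Failed password for root from 203.0.113.5 port 50130 ssh2
1700000045.000000 soplos sshd[2105]: Failed password for alice from 198.51.100.7 port 41000 ssh2
1700000050.000000 soplos sshd[2107]: Accepted publickey for alice from 198.51.100.7 port 41002 ssh2
1700000070.000000 soplos sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 50140 ssh2
1700001000.000000 soplos sshd[2120]: Failed password for alice from 198.51.100.7 port 41010 ssh2
1700002000.000000 soplos sshd[2130]: Failed password for alice from 198.51.100.7 port 41020 ssh2'

# Same thresholds as the jail.local above: maxretry = 3, findtime = 600.
printf '%s\n' "$SAMPLE_JOURNAL" | f2b_simulate 3 600
# Against a live system: sudo journalctl -u ssh -o short-unix | f2b_simulate 3 600
```

Only 203.0.113.5 is reported; 198.51.100.7 never has three failures inside one 600 s window, which is exactly the gap a larger findtime closes.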

Rootkit Detection

Scan for rootkits and malware:

Terminal

# Install rkhunter
sudo apt install rkhunter

# Update database
sudo rkhunter --update

# Run scan
sudo rkhunter --check

# Install chkrootkit
sudo apt install chkrootkit
sudo chkrootkit

Active Connections

Terminal

# List listening TCP/UDP sockets with the owning process
sudo ss -tulpn

# Same with netstat (legacy; needs the net-tools package, not installed by default)
sudo netstat -tulpn | grep LISTEN

# Show all open network connections by process
sudo lsof -i

Common Threats & Protection

Phishing

Recognize and avoid phishing attempts:

  • Verify sender email addresses carefully
  • Don't click links in suspicious emails
  • Check URLs before entering credentials
  • Enable 2FA on important accounts

Malware on Linux

While less common than on Windows, Linux malware exists:

  • Only install software from trusted repositories
  • Avoid running scripts from unknown sources
  • Never use curl | bash installation methods
  • Check file permissions before executing

Social Engineering

The biggest security vulnerability is often human:

  • Be skeptical of unexpected requests
  • Verify identities through known channels
  • Don't share sensitive information over phone/email
  • Question urgency in requests

Security Best Practices Checklist

Daily Tasks

  • Lock screen when away from computer
  • Be cautious with email attachments and links
  • Use VPN on public WiFi

Weekly Tasks

  • Check for system updates: sudo apt update && sudo apt upgrade
  • Review active network connections
  • Check firewall status

Monthly Tasks

  • Review installed packages and remove unused ones
  • Check system logs for anomalies
  • Update passwords for critical accounts
  • Run rootkit scanner
  • Verify backup integrity

Security Audit Checklist

Quick Security Check:

  1. Is UFW enabled? sudo ufw status
  2. Are system updates current?
  3. Is automatic update configured?
  4. Are SSH keys used instead of passwords?
  5. Is fail2ban running?
  6. Are backups encrypted and current?
  7. Is screen lock enabled?
  8. Are unnecessary services disabled?

Incident Response

If you suspect a security breach:

  • Disconnect: Disconnect from network immediately
  • Change passwords: Change all important passwords from a different, secure device
  • Scan: Run antivirus/rootkit scans
  • Review logs: Check system logs for suspicious activity
  • Backup: Create backup of important data (if not compromised)
  • Consider reinstalling: For serious breaches, clean install may be necessary

Remember: Security is an ongoing process, not a one-time setup. Stay informed about new threats and keep your system updated!