What Security Hygiene practices do you faithfully do in Linux?

Here’s some examples:

  • VPN
  • Password Safe (like say, KeepassXC)
  • DISK encryption (EXT4 + LUKS, ZFS)
  • Actually use good, strong passwords, like from a password generating utility (KeepassXC has one built-in)
  • Install fail2ban along with all SSH servers.
  • Applying security updates (and I really like the “unattended-upgrades” package in Debian)
  • Install the “uBlock Origin” add-on in Firefox
  • Keep my Contacts, Bookmarks, Notes, and shared files and photos in Nextcloud.

…those are the ones I do, although I’m not a ZFS user…


Well, VPN 100 percent of the time. Currently AirVPN. Strong passwords for sure. I have an excellent memory, but I do use Keepass also.

I also do not visit questionable sites and since i am not a gamer that eliminates a lot of the most hacked sites, As for encryption I have “vaults” for the sensitive things on my HD.



Things I do faithfully:

  • Disable password access to sshd (keys only)
  • iptables to block any unrecognized traffic
  • LUKS + ext4 whole disk
  • review logs frequently
  • apply patches as soon as they’re available
  • use NextCloud for cloud storage, contacts, etc

I’ll also use TOR if doing anything I think is particularly sensitive.

1 Like
  • full-disk encryption (easy on Ubuntu 18.04 LTS)
  • browser settings:
  • turn off auto-fill & auto-save passwords
  • turn off 3rd party cookies
  • segregate surfing into VMs based on purpose (banking, school, shopping, etc.) with or without Firefox (Proton) VPN as necessary
  • password manager (KeePassXC)
  • browser plug-ins
  • Privacy Badger
  • uBlock Origin
  • https everywhere

Not Linux but worth including…

I have an OpenBSD network router because store-bought routers can be (or will eventually be) riddled with backdoors and bugs.

1 Like

one of the many things i do but one of the most important i think is i use a paid vpn that has p2p and tor options plus i set tor as a systemd service so at boot my machine is completely torrified and under many layers of anonymity. A big plus about learning to use tor like a pro is I can stream youtube through vpn + tor at 1080p so when ppl say tor is slow, they just don’t understand how to maximize there exp. Oh, I also manually edit and configure my torrc file.

1 Like

You encouraged me to up my game a bit and get my Wireguard VPN working on my phone as well. Before I was just using it on my laptop. This post is from my phone, through the VPN tunnel. Yay!

Strangely, the internet service on my phone now feels even snappier than before I used the VPN. Not slower-feeling, as you might expect. Go figure!

PS: The Wireguard app for Android (current ver. 0.0.20190708) was as smooth as gravel to understand and configure, but after about the 7th try I managed to get it together.

PPS: with version numbers like that (starts with 0.0), it’s not surprising that the mainline Linux kernel doesn’t feel ready to merge Wireguard.

1 Like

Yes, agreed. Rolling your own VPN server is very difficult. I’ve set up both OpenVPN, and now Wireguard too. Both were gruelling experiences, which took huge amounts of tinkering to get right.

You would do well to have networking skills like a professional Network Administrator, if you dare.

If you just need a Peer-to-peer VPN (with automatic firewall-punching goodness), I recommend Zerotier. Zerotier is one order of magnitude easier to set up than a Wireguard server, and Zerotier is two orders of magnitude easier to set up than an OpenVPN server.

1 Like

In addition to those above, I’ll add that there is a configuration you can add to Thunderbird that will remove links from all emails. It allows the text to be displayed, but it will no longer be ‘clickable’.

Think before you click !!!


i have protonvpn, it’s pretty sweet, and openvpn

That is what I am considering doing because I use ProtonMail and want to use its VPN service, too. Though I have probably to tinker with Proton and OpenVPN.

its actually very easy and great tutorials on proton-vpn github even easier, network setting> create new>import vpn config>enter password>done


Thank you for the tip.

I found setting up wireguard very straightforward. I haven’t tried setting up any other VPN so can’t compare. But that’s my two cents.

VPN is installed on the router. I’m in the process of setting up a new pfsense router soon as I can figure out how to get it to connect. I’ll use that to block a lot of ads and crypto-mining sites. And the hard drives in the desktop are in a just installed Icy Dock for easy ejection so they can be locked up when I travel. I’ve also got to figure out how to encrypt the OS drive since that was not done during installation.

1 Like

The thing about Wireguard is that all by itself, it just makes secure tunnels between hosts. That’s all it does, strictly speaking. To make a VPN solution out of these secure peer-to-peer tunnels (as is commonly expected from a VPN) you also have to combine iptables or other such firewalling rules with those secure tunnels (which wg-quick makes possible, but not in a simple way).

In essense, Wireguard is a framework, not a solution. I think it’s misleading for it to be called a VPN. Wireguard is a framework that a VPN solution could possibly be constructed out of, if you really know what you’re doing. Even wg-quick wasn’t solution-enough for me. I had to write a bash wrapper script to make it more user friendly for myself for day-to-day use. So it’s just barely a VPN “solution” for me, on the desktop.

If you followed some 3rd-party guide for Wireguard, and that made Wireguard easy for you, then I say great. But that 3rd-party guide was not an upstream, integral part of Wireguard.


I finally set up ProtonVPN. Was straightforward with protonvpn–cli. Thank you @mrgfy for mentioning the Github site.

So, some of my hygiene is using obviously a VPN when I want anonymity. Other things I do is having strong and individual passwords for everything including the login to my laptop. I use a master password for Firefox, too. A lot of things are adjustments in the browser like an ad-blocker, no tracking, blocking of cookies and avoiding Google and its products as much as possible including the search, though I am addicted to Youtube. I also use Firefox containers and for email I use ProtonMail.

There are a lot of things I still should do but that is it for now.

PS: Regular updates of the operating system, that is also very important especially if you have to support other people’s machines, like my wife’s.

1 Like

Gotcha, I find it usable for my limited needs; connecting to my home network from the internet. For that, the documentation available on the projects website was enough.

I don’t think it’s fair to claim it’s not a viable VPN though. Since it stands the test of the definition for it.

Well, I don’t say that Wireguard isn’t a viable VPN. It’s just that “the batteries are not included” for some very common use cases.

First and foremost, using Linux at all is my first security practice.

Not installing software from companies I don’t trust (especially ‘free’ software coming from a company that is probably scraping my data for it’s value instead).

Hosting my own stuff (work in progress).

Lots of the simple practices (like not enabling login for root at all, SSH keys or installing updates) we all do, right? So I won’t list those.

Firefox plugins Forget Me Not and Ghostery.

AirVPN to avoid profiling or to circumvent my ISPs opinion.

A simple iptables firewall on any internet reachable machine to filter out malformed, unneeded or excessive network traffic.

I don’t know if it counts but I tend to disable history and suggestions wherever I can, perhaps that’s a good thing for web browsing, stating explicitly what I want not clicking the first thing that comes up, but the intention is just that I like a clean computing experience that isn’t cluttered with helpful advice.

Maybe I should put some tape over the webcam :smiley:


I use a paid VPN, and switch the egress everytime, when I’m doing anything related to banking or personal information.

All my systems use luks encryption, desktop systems require my yubikey for authentication and authorization.

I will soon be getting a dedicated network firewall, and enforce firewall rules on all my machines. Ssh requires pubkey auth, and my keys get cycled out regularly.

I use password-store (standard Unix password manager) for password management. It’s simple, relies on gpg for encryption, and is integrated with git for easy sharing.

I run “track this” every once in a while, just to screw with data collection that can’t be avoided. I’ve started getting ads for all sorts of crazy stuff (like I’m apparently in the market for new breasts), but it’s worth it to see the trackers thrown off so much.

I run an ad blocker for most sites, but some I let the ads through.

The majority of my software is managed using containers and flatpaks, keeping the amount of data that can be accessed to a minimum.

Even with all my restrictions and self imposed paranoia, it’s not inconvenient to use Linux. Doing these same things on MacOS or Windows still leaves you unable to control where your data goes. Linux lets me lock it all down without making my system a pain to use!

1 Like