Hardening Xubuntu 18.04.3 LTS

Apt

Configuring Apt.

Using HTTP with Apt.

sudo nano /etc/apt/sources.list

deb http://archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse deb-src http://archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse deb-src http://archive.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse

sudo apt update -y
sudo apt install apt-transport-https curl debian-keyring -y

Using Tor with Apt.

sudo nano /etc/apt/sources.list.d/torproject.list

deb https://deb.torproject.org/torproject.org bionic main deb-src https://deb.torproject.org/torproject.org bionic main

curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt update -y
sudo apt install apt-transport-tor tor deb.torproject.org-keyring -y
sudo nano /etc/apt/sources.list/torproject.list

deb tor://sdscoq7snqtznauu.onion/torproject.org bionic main deb-src tor://sdscoq7snqtznauu.onion/torproject.org bionic main

Update, upgrade and cleanup packages.

sudo apt update -y
sudo apt dist-upgrade -y
sudo apt autoremove -y

Uncomplicated Firewall

Installing and configuring UFW.

Install packages.

sudo apt install ufw gufw -y

Reset, enable or disable UFW.

sudo ufw reset
sudo ufw enable
sudo ufw disable

Deny, allow or limit all incoming requests by default.

sudo ufw default deny incoming
sudo ufw default allow incoming
sudo ufw default limit incoming

Deny, allow or limit all outgoing requests by default.

sudo ufw default deny outgoing
sudo ufw default allow outgoing
sudo ufw default limit outgoing

Disable or enable logging.

sudo ufw logging off
sudo ufw logging low
sudo ufw logging high

Deny, allow or limit incoming requests from a specific IP address to any IP address on a specific port.

sudo ufw deny in proto tcp from <ip-address> to any port <port>
sudo ufw allow in proto tcp from <ip-address> to any port <port>
sudo ufw limit in proto tcp from <ip-address> to any port <port>

Deny, allow or limit outgoing requests to a specific IP address on a specific port from any IP address.

sudo ufw deny out proto tcp to <ip-address> port <port> from any
sudo ufw allow out proto tcp to <ip-address> port <port> from any
sudo ufw limit out proto tcp to <ip-address> port <port> from any

Display the status, verbose status or numbered status of UFW.

sudo ufw status
sudo ufw status verbose
sudo ufw status numbered

ClamAV

Installing and configuring ClamAV.

Install packages.

sudo apt install clamav clamav-daemon clamav-freshclam clamtk -y

Update database.

sudo freshclam

Scan for viruses.

ClamAV is able to scan separate files or if necessary entire directories.

sudo clamscan <file>
sudo clamscan --recursive=yes --infected /home
sudo clamscan --recursive=yes --infected /home --remove
sudo clamscan --max-filesize=2000M --max-scansize=2000M --recursive=yes --infected /home
sudo clamscan --max-filesize=2000M --max-scansize=2000M --recursive=yes --infected /home --remove

AppArmor

Installing AppArmor.

Install packages.

Firejail

Installing and configuring Firejail.

Install packages.

sudo nano /usr/local/bin/firefox

#!/bin/bash /usr/bin/firejail —apparmor —seccomp —private —dns=1.1.1.1 —dns=1.0.0.1 /usr/bin/firefox -no-remote -private-window

sudo chmod +x /usr/local/bin/firefox

That’ll set it up so that by default, your Firefox profile will erase itself completely when you’re done with it.

After this, you’ll want to create a launcher for each of your sandboxed Firefox profiles using Firejail.

sudo cp /usr/share/applications/firefox.desktop /usr/share/applications/firefox-personal.desktop

firefox-personal

firejail --apparmor --seccomp --private=/home/user/Desktop/Firejail/Firefox/Personal --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u
sudo cp /usr/share/applications/firefox.desktop /usr/share/applications/firefox-work.desktop

firefox-work

firejail --apparmor --seccomp --private=/home/user/Desktop/Firejail/Firefox/Work --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u
sudo cp /usr/share/applications/firefox.desktop /usr/share/applications/firefox-banking.desktop

firefox-banking

firejail --apparmor --seccomp --private=/home/user/Desktop/Firejail/Firefox/Banking --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u
sudo cp /usr/share/applications/firefox.desktop /usr/share/applications/firefox-shopping.desktop

firefox-shopping

firejail --apparmor --seccomp --private=/home/user/Desktop/Firejail/Firefox/Shopping --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u

This will set it up in the same way that Firefox Multi-Account Containers would, only you're sandboxing everything with Firejail.

WireGuard

Installing and configuring WireGuard.

Install packages.

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt update -y
sudo apt install wireguard -y

wg-ipv4-ch1ro1

wg-ipv6-ch1ro1

sudo cp mullvadch1ro1.conf /etc/wireguard
sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard

Start or stop WireGuard.

sudo wg-quick up mullvadch1ro1
sudo wg-quick down mullvad-ch1ro1

Enable or disable WireGuard start up on boot.

systemctl enable wg-quick@mullvadch1ro1
systemctl disable wg-quick@mullvadch1ro1