Hardening Manjaro

Now that I have a mostly functional system running and I think I have covered most of my bases securing my system I wanted extra input. After installing Manjaro I setup my computer level firewall (which is obviously only as good as the rules I set), installed Apparmor set it enforcing, installed and enabled fail2ban, and installed my VPN, setup all my encryption key pairs and disabled the root account. As for the hardware itself the HDD is encrypted and TPM enabled. Anything I missed in configuring my security (at least at the machine level).

See what Arch Wiki has to say about this :wink:


First you have to define against which types of attacks you want to be sufficiently secure against.

Are you running a public server on this machine? Then, yes, fail2ban might be a good idea. On a home machine, no.

A firewall is useless: all ports are blocked anyway because there is no service running on the ports. And if you start a service on ports (like a DLNA server or SSH, etc.) you actually want incoming connections.

What does your VPN protect you against?


All attacks. I understand that security is journey not a destination. The point of hardening a computer is to close and lock doors and utilize locks that serve ones purpose. The most secure computer is one that is locked in an access control room with no internet access, however said computer is of little use and probably only serves one very specific purpose.

Now for the specific questions. Public server no, a private server yes. And network security is a different matter all together as that is a different layer. So yes I have incoming request from my intranet but not internet and there are plans to open up my firewall to run an Apache server in the future. And no firewalls are not useless, they are necessity on any and all networks and should exist on multiple layers.

And the VPN does a couple things. It mask my public IP, it includes a PI hole service, and blocks malware and tracking software of various types. It also mask my traffic from my ISP. You might not care about privacy, and that your prerogative, but I do and will always utilize a VPN.

Yes, that is true for everyone expect your VPN Provider.

This is more an advertising promises of your VPN Provider as relativity.Also, this can be done by a filtered DNS server. No need for a VPN.

But not for your VPN Provider. I find it astonishing that many user trust VPN Provider from obscure company. Usually just located by a post box. But if you like to hand over your profile to such a company feel free to do it.

On the edge of a network, a firewall can do some good, on a client, that provides some server services, in such a network, it is useless.

No system is perfect, but fatalism is far worse. Regardless you can make whatever decision you want about your security and privacy. I on the other hand will continue to hold those things in high regard.


I find it rather funny that people actually think they can hide from traffic monitoring by the ISP, wake up you CAN’T…
All a VPN is good for is to bypass a block by your ISP/Country, because it acts as a proxy.

Sure you can use encryption etc… but the bits still need to travel over your ISP’s wires…
Instead of paying for a VPN, which IMHO is utterly stupid, you should use Tor as a Proxy/VPN which is free :wink:

Depending on what you plan to run on your Apache webserver, it is a sure way to open your doors wide open, unless you just serve plain static content eg NO-PHP etc that needs to be interpreted by the web server…

And last but not least:
If you don’t run any servers accessible by the public internet, no matter if it’s via a VPN or not, they can keep knocking on your doors but no program will answer so no way for them to get in…

PS: Your topic title is wrong it should say “Securing my compter” because “Hardening” is something completely different…

Welcome to Linux, which has no wide open legs like Micro$@$ :wink:

No one can’t hide the traffic, but we can encrypt it. The ISP is welcome see all my encrypted traffic they like. I don’t care that my ISP sees I am moving data, I do care that they know what data I am moving. And no a VPN is good for far more then what you state.

I do use Tor and it is free and SLOW.

Yes and that is exactly my point.

Yes and if they knock hard enough and long enough that is called DoS attach which fail2ban helps with.

No my title is correct.

1 Like

I recommend using qubes-os.org - it is a far better choice than jumping hoops with Manjaro.

Qubes is the only OS which is secure by design - as secure as possible - that is…

1 Like

I did my best in the matter. I have dealt with Apparmor, Firejail, browsers, firewall settings and so on. At some point I gave up because I just can’t check every Apparmor profile or lines of code. Also, there were problems all the time. Now I think so many smart people are working on the kernel and I have a good router. After an installation I turn on the firewall, type “sudo firecfg” (and have double authentication for all kinds of banking). Nothing more, it is enough obviously. Maybe disk encryption as well. Manjaro is fine for me.

@FreeRangeTux seems you have your mind already set in stone and inflexible to input from us, so what is your point of this wrongly titled topic? :thinking:

I personally don’t have time to waste on topic starters like these so im out…

(Topic on mute)

No worries your input isn’t mandatory. And yes my mind is made up in regards the steps I have already taken and my question isn’t what about what I have done but what else I might want to do. Which is the point of my correctly titled topic.

1 Like

@linux-aarhus I have looked at qubes and it serves a purpose just not my purpose.

… judging from your responses my suggestion would be:
learning what the effects of what you are doing actually are
vs what you apparently are convinced what they can achieve

… why the people here answered in the way they did …

It’s not what you don’t know that gets you in trouble.
It’s what you think you know for sure that just ain’t so.

no offense intended - just a piece of advise


@Nachlese your opinion is exactly that. I know what I know and my systems are setup the way I want them. The opinion of this group has nothing to do with it. I know what I am aiming for and I will get it. Regardless I never asked for opinions on what I have done but what else I could do.

Hi @FreeRangeTux

You could execute this tool and get an idea which parts of the system you could modify to harden your system a bit more.
I find that really helpful and used it on my web server to harden it a bit more.

I find your topic and your plan very interesting. I struggled myself with AppArmor (I find it hard to understand how to configure profiles and often the applications didn’t work in the end) and would like to ask if you followed a guide for all the steps you took so far or if you have a documentation, which you could share?
I’d love to tackle the AppArmor topic again, but I need some guidance (= easy to follow documentation).

@Schmu I do have Lynis and utilize the tool. It is a very helpful tool. As for Apparmor, I am learning it. Coming from Fedora I am accustomed to SELinux which accomplishes roughly the same result via different means. And on more global scale no I don’t utilize any singular guide rather I base my approach on years of tinkering and many guides from many different sources. But all told I aim to help secure my system from both physical and virtual intrusion and secure all by data both local and pass via internet. These efforts mean that I try to encrypt as much of data as possible, lock down my network connections with layered firewalls, utilize antivirus and malware countermeasures, and sandbox my systems.

I just wanted to recommend Fedora…

1 Like

Yep and normally that is my choice. However Fedora did not like my hardware and wouldn’t even boot the usb stick.

Assuming you are not a troll:

In terms of a VPN, there are 2 usecases:

  1. You are not at home: connect to your network at home and/or encrypt your traffic with your VPN Server INSIDE YOUR HOMENETWORK (use your router or whatever for this, but no external service)
  2. Geoblocking

In every other usecase you can decide if your data is given to your VPN Provider (whoever it is and I really hope you know where he is at) or your ISP. If you use a VPN, your data goes to your VPN Provider, if you aren’t it goes to your ISP.
That’s it for non HTTPS. For everything HTTPS: Your connection is encrypted anyways?!

SE Linux, way more advanced User Rights Management and a way smaller group of targets will provide you more “security”, but “hackers” will not come through your firewall in a home network anyways.
On this note: how would get through a Firewall with no services running on the other side (serious question)?

Hardening Linux is nearly the same as hardening Windows if you are just a home user: keep your system up to date. Use scriptblockers in your browser. Don’t download random Software. If something happens it’s mostly on you…

Linux just makes it easier to keep everything save with a system to manage your software and keep it up to date (and the above mentioned). All routers for the normal user I know will come with integrated firewall rules etc.

That’s everything to worry aout as a nromal user. Otherwise, if you are running a server with manjaro: Don’t?!