Malware?! - on Linux?! - ROTFL
If you believe that, I have a bridge for sale.
Related topic: [How To] Getting started with OpenSnitch
Related topic: [How To] Getting started with firewalld
Synopsis
As far as user accounts go, Linux is secure by design (ordinary users are kept separate from root), but that does not mean it cannot be compromised through ignorance or by a targeted attack.
While Linux malware does not get the same public attention, it does happen, and one has to be proactive.
No software is safe!
While open-source projects like the Linux kernel are rigorously vetted, they are not free of vulnerabilities.
Don’t be scared when you look at the following page
https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
In a network-connected system, and these days every system is network connected, there is always something on the outside that wants to take control.
Protect your system
Any user who turned to Linux to get away from tracking and profiling will immediately think antivirus and perhaps firewall, whereas you should really turn it around and think in this order:
- Common Sense
- Backup
- Malware
- Firewall
- Application Firewall
- Antivirus
Let us review our options
Common Sense
This is a very important part of basic system security.
Use the principle of least privilege when you configure your user(s).
- If you are a rational and thinking human being, then you do not need antivirus
- Never open mails with unexpected attachments
- The vast majority of malware is targeting Microsoft Windows operating systems
- If you are a gamer, stay away from pirated games
- If you are using Wine, stay away from pirated software and "free" media converters
- Think before you click on a link
- Think before filling out online forms
- Think before you trust the mail claiming to be your bank
- Think before you trust the mail claiming you must pay duty
- Think before you download and install that exciting application
- Think before you build that custom package
- Think before …
Anyone can upload to Canonical's Snap Store and Flatpak's Flathub, not to mention AppImages. Always verify the source, as many packages are not created by the upstream vendor but built and uploaded by a third party.
Backup
It should go without saying that keeping a cold backup of your important data is of the utmost importance.
How you do it is not important; what is important is that you do it. Whether you store it in the cloud or on removable devices does not matter, just do it: recovery is far easier when you have one. A backup drive that stays mounted on the running system is not a cold backup; malware running as your user can encrypt or delete it just as easily as your home directory.
Malware
If you intend to use the AUR, or are already using custom packages, you must be vigilant.
Do not blindly trust custom build scripts, AppImages, snaps or flatpaks.
A custom package recipe (an AUR PKGBUILD, for example) may contain malware. This is not theoretical, it is a fact.
Here is what you need to know about Manjaro and AUR
If you are ever hit by malware on Linux which propagates to your system root, then, unless you have an academic interest, do not waste time hunting for it: replace your system disk and reinstall, or boot a Manjaro installation ISO and zero the system disk before reinstalling.
As an extra precaution after a hit, ensure none of the files in your home directory are executable. Be aware that this also strips the executable bit from scripts you keep in ~/bin or ~/.local/bin and from any AppImages in your home; restore it deliberately with chmod u+x on the files you actually mean to run. It is only a partial measure: a script sourced from ~/.bashrc, a .desktop file in ~/.config/autostart or a unit in ~/.config/systemd/user runs without any executable bit, so review those locations too.
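Before running makepkg on a recipe you did not write, it pays to read it with a checklist in hand. The following is an added example, not code from the original post or from Manjaro: a small triage pass that prints the lines of a PKGBUILD a reviewer should look at (piping a download into a shell, base64-decoded blobs, eval, setuid bits, sudo, and checksums set to SKIP) and lists every host the recipe contacts. The two PKGBUILDs at the bottom are constructed for the demonstration; the package names, URLs and hash are made up.

```sh
#!/bin/sh
# Added example, not part of the original how-to: a triage pass over an AUR
# PKGBUILD before you run makepkg. It does not decide for you; it points your
# eyes at the lines that deserve a look. The two PKGBUILDs below are constructed
# for the demonstration; package names, URLs and the checksum are made up.

# Print (with line numbers) the lines of a PKGBUILD that a reviewer should read.
# Exit status is grep's: 0 if anything matched, 1 if nothing did.
pkgbuild_red_flags() {
    grep -nE \
        -e '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh' \
        -e 'base64[[:space:]]+(-d|--decode)' \
        -e '(^|[[:space:]])eval[[:space:]]' \
        -e '/dev/tcp/' \
        -e 'chmod[[:space:]]+([ugoa]*\+s|[2-7][0-7]{3})' \
        -e "(sha|md5|b2)[0-9]*sums=\(.*'SKIP'" \
        -e '(^|[[:space:]])sudo[[:space:]]' \
        "$1"
}

# Number of flagged lines, handy in scripts (0 when nothing matched).
red_flag_count() {
    pkgbuild_red_flags "$1" | wc -l | tr -d ' '
}

# Every URL in the recipe. Compare them with the url= line and ask why a
# build would need to reach any host that is not the upstream project.
pkgbuild_urls() {
    grep -oE "https?://[^\"') ]+" "$1" | sort -u
}

# --- constructed samples -----------------------------------------------------
SAMPLE_BAD=$(mktemp)
SAMPLE_OK=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_OK"' EXIT

cat > "$SAMPLE_BAD" <<'EOF'
# constructed sample: what a malicious or sloppy recipe can look like
pkgname=example-tool
pkgver=1.0
pkgrel=1
url="https://example.org/example-tool"
source=("https://example.org/example-tool-1.0.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$srcdir/example-tool-1.0"
  curl -s https://example.net/setup.sh | sh
  make
}
package() {
  cd "$srcdir/example-tool-1.0"
  make DESTDIR="$pkgdir" install
}
EOF

cat > "$SAMPLE_OK" <<'EOF'
# constructed sample: checksum pinned, nothing fetched during the build
pkgname=clean-tool
pkgver=2.1
pkgrel=1
url="https://example.org/clean-tool"
source=("https://example.org/clean-tool-2.1.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$srcdir/clean-tool-2.1"
  make
}
package() {
  cd "$srcdir/clean-tool-2.1"
  make DESTDIR="$pkgdir" install
}
EOF

for f in "$SAMPLE_BAD" "$SAMPLE_OK"; do
    echo "== $f: $(red_flag_count "$f") flagged line(s)"
    pkgbuild_red_flags "$f" || echo "   (no pattern matched; that is not a clean bill of health, read it anyway)"
    echo "   hosts contacted:"
    pkgbuild_urls "$f" | sed 's/^/     /'
done
```

Run pkgbuild_red_flags on the PKGBUILD in the directory where you cloned the AUR repository (or the copy your AUR helper keeps) before makepkg. No hits does not mean clean: the patterns are a reviewer's checklist, not a detector, and a malicious recipe can fetch its payload from an ordinary-looking source= URL. That is why the URL list and pinned checksums matter; a recipe that sets its sums to SKIP asks you to trust whatever the server happens to send on the day you build.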
After reading the feedback provided by @denilsonsa, I adopted his improvements.
cd "$HOME"
# change owner to the current user
sudo chown -R "$USER:$USER" .
# recursively remove execution from files
# (this includes your own scripts and AppImages; re-add with chmod u+x where you mean it)
find . -type f -exec chmod 600 '{}' +
# recursively set execution on folders (allow navigating into the folder)
# and ensure only the owner can enter or alter files inside home.
# The leading 6 in 06700 additionally sets setuid/setgid on the folder; Linux ignores
# setuid on directories and setgid only makes new files inherit the folder's group,
# so 0700 alone gives the same protection.
find . -type d -exec chmod 06700 '{}' +
Old version - kept for historical purpose
cd $HOME
# change owner to the current user
sudo chown $USER:$USER . -R
# recursively remove execution from files
find . -type f | xargs -d'\n' chmod 600
# recursively set execution on folders (allow navigating into the folder)
find . -type d | xargs -d'\n' chmod 700
# recursively ensure that only the owner can alter files in folders
find . -type d | xargs -d'\n' chmod +s
Firewall
A firewall compares to the port master's office of a harbour, which you must contact immediately upon arrival.
A firewall is also comparable to a fence surrounding a property. All traffic to the property must enter through the gate.
The gate registers all packages leaving the property; if the property owner has sent for a package, the reply is allowed to enter without further verification.
All unsolicited packages to the property are rejected.
The property owner may create a list of suppliers which are allowed to enter the property without being verified at the gate. Such packages are required to enter at a specific port, e.g. groceries go to the kitchen entrance.
Make sure you are not running overlapping firewall services; with two of them it is very hard to diagnose why a given service is not working. Use the K.I.S.S. principle: Keep It Stupidly Simple.
If you have no need to run a print server or a web server, use only the simplest setup; only use advanced configuration if you really need it.
Basic firewall
The installation commands assume your system is fully up to date,
that is, you have run sudo pacman -Syu before installing any new packages.
nftables is the ultra-simple and preferable configuration for an average laptop, workstation or home computer.
In the default configuration (/etc/nftables.conf) it drops all unsolicited incoming connections except for the ssh service; replies to connections your own system initiated are still let through.
The package is most likely already installed - in case it is not
sudo pacman -S nftables
Then enable and start the nftables.service
sudo systemctl enable --now nftables
If you do not enable the sshd service, no connections can be made into your system: the firewall lets the ssh port through, but nothing is listening, so the kernel refuses the connection.
Your system will still be visible on the network, that is, it will respond to ping (ICMP) requests.
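To see what "drop everything unsolicited" looks like in practice, here is an added example of an /etc/nftables.conf for a workstation. It is not the file shipped by the package and not from the original post; it follows the structure of the default ruleset (drop by default, keep tracked connections, allow loopback and ping, rate-limited reject) and adds exactly one LAN-only service. The LAN subnet 192.168.1.0/24 and the shared printer (IPP on tcp/631) are assumptions for the example.

```nft
#!/usr/bin/nft -f
# Added example of /etc/nftables.conf for a single workstation. Not the
# package default and not from the original post. The subnet 192.168.1.0/24
# and the shared IPP printer (tcp/631) are assumptions for this example.
#
# Check before applying:   sudo nft -c -f /etc/nftables.conf
# Apply:                   sudo systemctl restart nftables
# Inspect what is loaded:  sudo nft list ruleset

flush ruleset

define lan = 192.168.1.0/24

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iifname "lo" accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp (ping)"
        meta l4proto ipv6-icmp accept comment "allow icmp v6"

        # The default ruleset opens ssh. With sshd disabled the line changes
        # nothing, but a firewall should only open what you actually run,
        # so it is left commented out here.
        # tcp dport ssh accept comment "allow sshd"

        # One service shared with the LAN only; never reachable from elsewhere.
        ip saddr $lan tcp dport 631 accept comment "allow IPP printing from LAN"

        # Refuse the rest politely, but rate-limit the refusals so a port scan
        # cannot turn the firewall into a packet generator.
        pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
        counter
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
```

Because the input chain ends in a counter, sudo nft list ruleset shows how many packets reached the end of the chain without matching; a number that climbs while an application is failing is the quickest sign that the firewall, rather than the application, is the cause.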
If you want more control, e.g. for a workstation or home computer which shares a printer, you can use firewalld - ArchWiki or the older Uncomplicated Firewall - ArchWiki.
See some examples of common firewalld configuration tasks.
Application Firewall
Currently Manjaro provides opensnitch (OpenSnitch - Github) and portmaster (Portmaster - Safing.io) to control outgoing network traffic, as opposed to a normal firewall which controls incoming traffic.
Outgoing traffic is much harder to control, as the purpose of a connection is often not obvious, so you may end up blocking traffic that an application needs in order to function.
Examine the information from this type of application with care; it takes time to build a set of rules for outgoing traffic, and you will be surprised, possibly paranoid, when you realise how much traffic passes from your system to the network and on to the internet.
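You do not need an application firewall installed to get a first impression of that traffic. The following is an added example, not code from the original post or from either project: it summarises the output of ss -tunap into "how many connections, from which process, to which peer" so you know which processes you will be writing rules for. The sample output is constructed to look like ss output; the addresses, process names and pids are made up, and the private ranges treated as "local" are an assumption.

```sh
#!/bin/sh
# Added example, not part of the original how-to: before (or instead of)
# installing an application firewall, get a picture of which processes talk to
# which remote hosts. Feed it live output with:   ss -tunap | outbound_summary
# The sample below is constructed to look like that output; the addresses,
# process names and pids are made up.

# Summarise established connections as "<count> <process> <peer addr:port>",
# most connections first. A socket without process info (not yours, or ss
# run without -p) is shown as "?".
outbound_summary() {
    awk '$2 == "ESTAB" {
        proc = "?"
        if (match($0, /\("[^"]+"/))
            proc = substr($0, RSTART + 2, RLENGTH - 3)
        n[proc " " $6]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Only the connections that leave the local network. Which ranges count as
# local is an assumption: the RFC 1918 blocks plus loopback.
offsite_only() {
    outbound_summary | awk '$3 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/'
}

# --- constructed sample of `ss -tunap` output --------------------------------
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
tcp   ESTAB  0      0      192.168.1.20:44312   142.250.74.78:443  users:(("firefox",pid=2345,fd=89))
tcp   ESTAB  0      0      192.168.1.20:51022   93.184.216.34:443  users:(("python3",pid=4100,fd=3))
udp   ESTAB  0      0      192.168.1.20:41234   1.1.1.1:53         users:(("systemd-resolve",pid=801,fd=14))
tcp   ESTAB  0      0      192.168.1.20:44320   142.250.74.78:443  users:(("firefox",pid=2345,fd=91))
tcp   ESTAB  0      0      192.168.1.20:50312   192.168.1.10:22    users:(("ssh",pid=5120,fd=3))
tcp   LISTEN 0      128    0.0.0.0:631          0.0.0.0:*          users:(("cupsd",pid=610,fd=7))
EOF

echo "== all established connections"
outbound_summary < "$SAMPLE"
echo "== leaving the local network"
offsite_only < "$SAMPLE"
```

The python3 line is the kind of entry worth chasing: a generic interpreter name tells you nothing, so look up the pid (ps -o args= -p 4100 in the constructed case) before deciding whether that connection belongs in an allow rule. Listening sockets are deliberately left out; they are the incoming side, which the normal firewall above already handles.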
Antivirus
This depends highly on you and how you use your computer system.
I know a system admin and developer who has had only a single malware incident in 40 years. The same sysadmin also lost a lot of data to human error once.
On a well-configured, minimally hardened Linux system (a user with minimal privileges), the user cannot configure or alter the system.
This confines any malware to the user who introduced it: yes, you lost your games to ransomware, but that is it. Switch to a TTY, log in as root, create a new user, reboot and log in as that new user, and you are back. The confinement only holds as long as the malware cannot escalate: a user with sudo rights can be tricked into granting them (an alias for sudo in ~/.bashrc is enough), and a backup drive mounted writable from that account is within reach of ransomware too.
Because Linux is designed to be secure, you will have very little need for antivirus; in most cases it is a waste of money and resources.
I use the phrase very little need for antivirus because there are edge cases where an active file scanner is useful.
One example is an SMTP mail service where you want to block malicious content and/or attachments.
Another example is a file server where you want to ensure the stored files are not malicious. That is no guarantee though, as password-protected archives cannot be scanned.