In general, what you say is a new user can just install some major Linux distro like Debian or Ubuntu or openSUSE, and it is secure enough for a simple, non-server, home system. Just need to attend to backups.
1. The system is secure from attacks over the network from outside.
2. The system is secure against attacks of the user from inside.
Regarding 1. I think most Linux distros are secure enough.
Regarding 2. it depends on the user. If that user runs random scripts copied from dark websites with root rights, then no distro is really secure.
Part of my security setup is running as many applications/processes as possible in a sandboxed environment.
I make use of firejail for that matter (https://firejail.wordpress.com/).
It's really well documented and its GitHub support is splendid.
It might be debatable whether or not implementing firejail for security reasons really is necessary, but to me it provides an additional layer of security.
At any rate, I use it for processes that open a port to the internet (e.g. browsers).
For online banking it's a must-have (at least to me):
I use OpenDNS, but some sort of third party DNS service is a good idea. It’ll block known malicious sites and could also be configured to block certain categories. Things like maybe guns, gambling, or porn could be blocked. Especially good to help prevent kids from seeing things you’d rather they didn’t.
A software firewall is nice to block unknown outbound requests, but this is optional.
I have my desktop set up as a server. I had to install the OpenSSH server to enable this since it’s not part of the default Ubuntu installation.
If you take a look at /var/log/auth.log you’ll be amazed at the endless attempts by unauthorized users trying to log in. I see an average of about one attempt every two minutes, around the clock. They used to come from all over the world but in the last couple of years the tries are mostly from China. It’s fun to watch via the command “tail -f /var/log/auth.log”.
I set up authentication via public key encryption and disabled logins via password. Instructions to do this are well-documented online (and longer than I want to type).
My server is intended to be used only by me so there are only two entries in the authorized keys file (which is ~/.ssh/authorized_keys), one for each of my laptops. Sessions can also be opened by the operating system and you will see root, Gnome display manager, and “nobody” in addition to the authorized user(s). No unauthorized user has ever been authenticated. I’ve been using this setup for more than 10 years and estimate that there have been more than 2½ million unauthorized login attempts during that time. None have succeeded.
If you’re using only a browser and don’t have OpenSSH installed I think you are quite safe. The firewall in the router is sufficient. Also, turn off remote administration of your router. For several years I used ClamAV. It found only two instances of malware, both in Windows files. I no longer bother with that.
As stated in an earlier comment, the big risk is malware coming in via an email attachment. While there are hardly any worms, viruses, etc., in Linux there ARE some and new ones will surely appear. I think it’s wise to maintain good internet hygiene.
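As an added example (not part of any post in this thread): a short Python check of the two observations above, that failed attempts arrive constantly and that no unexpected login was ever accepted. The log lines are constructed in the usual OpenSSH auth.log format, and the user name `alice` and the function name `audit_auth_log` are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the usual OpenSSH auth.log format (not taken from the thread).
SAMPLE_LOG = """\
Mar  3 04:10:01 desk sshd[2101]: Invalid user admin from 203.0.113.7 port 40122
Mar  3 04:10:02 desk sshd[2101]: Connection closed by invalid user admin 203.0.113.7 port 40122 [preauth]
Mar  3 04:12:09 desk sshd[2107]: Connection closed by authenticating user root 198.51.100.23 port 51514 [preauth]
Mar  3 04:14:11 desk sshd[2113]: Failed password for invalid user pi from 203.0.113.7 port 40388 ssh2
Mar  3 08:30:45 desk sshd[2290]: Accepted publickey for alice from 192.168.1.20 port 52100 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 08:30:45 desk sshd[2290]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:00:01 desk CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 11:02:17 desk sshd[2410]: Accepted password for bob from 198.51.100.23 port 40000 ssh2
"""

# One failed attempt = a rejected credential or a pre-auth disconnect.
# The bare "Invalid user" line is skipped so one attempt is not counted twice.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for (?:invalid user )?\S+ from"
    r"|Connection closed by (?:authenticating|invalid) user \S+) (\S+) port"
)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def audit_auth_log(text, allowed_users, allowed_methods=("publickey",)):
    """Return (failed attempts per source IP, accepted logins that break policy)."""
    failures = Counter()
    unexpected = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # Key-only setup: any other user or any other method is a red flag.
            if user not in allowed_users or method not in allowed_methods:
                unexpected.append((user, method, ip))
    return failures, unexpected

if __name__ == "__main__":
    failures, unexpected = audit_auth_log(SAMPLE_LOG, {"alice"})
    for ip, n in failures.most_common():
        print(f"{n:5d} failed attempts from {ip}")
    for user, method, ip in unexpected:
        print(f"UNEXPECTED login: {user} via {method} from {ip}")
```

Session lines opened by the operating system (cron, display manager) are ignored because only `sshd` "Accepted" lines count as remote logins.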
I looked at my auth.log file. It contains only local stuff.
I do have OpenSSH, because I use ssh on my local network between 2 machines.
Can I restrict ssh to only working on the local net? There is no connection between the local net and the modem, except thru one computer which has dual ethernet ports.
the big risk is malware coming in via an email attachment.
I think it is important to keep reminding everyone about that.
There are more ways to accomplish that, already summarized here:
It’s just a way to download it. If you are cautious, and don’t start -say- Java programs from an unknown source, you can be safe. TB, Evolution won’t execute anything on their own.
I consider having browser extensions and allowing them to auto-update a bigger risk. Bad guys hijacking a browser extension and turning it into malware is a bigger risk, I think.
I'm not sure how to restrict ssh to the local network but maybe that’s the default setting. To enable my desktop as a server I had to give it a fixed IP address (in the router) and also enable port forwarding (also in the router) in order that connection requests get sent to the server and not to, say, my phone.
It is surely not. Without any special actions, sshd is open to the world.
Correct! Additionally you could register at a free DDNS provider, configure ddclient on your server appropriately, and you are ready to reach your home server from outside using a memorable domain name.
(Or you can use your router's built-in DDNS settings, but those aren’t so flexible; only a limited number of DDNS providers are accessible.)
I see spurts and waves of attempted hits on my kit…
I access my RPi4 from the intertubes (had DDNS set up via NoIP)
Not on port 22
root login over SSH is disabled
Anyway - sometimes it will go months without logging (/var/log/fail2ban.log) any hits or “jailing” IP addresses - sometimes they come in floods… Nearly EVERY time I “whois” their IP addresses or CIDRs - they’re CHINESE owned IP addresses / subnets…
There is one distro (Solus) which takes a unique approach to this topic.
Solus is a user-only distro, i.e. it cannot be set up as a server; it does not even have server daemons like ftpd or sshd in its repository.
It does have ftp and ssh, so you can ftp or ssh out of Solus, but not into it.
So if you want the ultimate in home user security, one approach is to use Solus. It makes it very difficult for you to do anything that may be insecure.
I am not sure if any other distro has that simple approach.